Privacy Policy

1. Data Controller

DATAXYZ CONNECT is a trading name of Dataxyz Ltd, a company registered in the United Kingdom. We act as the data controller for the personal data processed through our website and services (dataxyzconnect.com). For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is Dataxyz Ltd.

Data Protection Officer contact: peter.pirisola@dataxyz.co.uk

2. Legal Basis for Processing (Article 6 UK GDPR)

We process your personal data under the following legal bases:

• Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics 4), marketing communications (newsletter), Sentry error monitoring and session replay. You may withdraw consent at any time via cookie preferences or account settings.
• Contract (Art. 6(1)(b)): Account creation and authentication, payment processing (Stripe) for XYZDojo subscriptions, service delivery including AI-powered tools (Design Studio, BPA Generator, DriftKit, XYZDojo, Chat), and learning progress tracking.
• Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and maintaining platform integrity. We have conducted balancing tests to ensure our interests do not override your fundamental rights.

3. Data We Collect

We collect and process the following categories of personal data:

• Account data: Email address, display name, and profile information provided through OAuth (Google, GitHub, or Microsoft) or email/password registration.
• Payment data: Processed securely by Stripe. We store your Stripe customer ID and subscription status but never store card numbers, CVVs, or full payment details on our servers.
• Learning progress (XYZDojo): Flashcard review history, quiz scores, spaced-repetition schedules, topic progress, and learning preferences stored in Supabase.
• AI conversation data: Prompts and messages you send through the Chat widget, BPA Generator, Design Studio, and XYZDojo AI Tutor. These are sent to Anthropic’s Claude AI for processing (see Section 5 for details).
• Activity and usage data: Page views, feature interactions, session duration, bookmarks, and navigation patterns tracked for analytics and service improvement.
• Contact form submissions: Name, email address, and message content submitted through our contact form.
• Newsletter subscriptions: Email address and topic preferences.
• Device and technical data: Browser type, operating system, IP address (anonymised where possible), and error/crash data collected by Sentry.

4. Cookies and Tracking Technologies

Our website uses the following cookies and tracking technologies, grouped by purpose. You can manage your preferences at any time using the cookie preferences link in the footer.

• Necessary (always active): localStorage for application state (theme, session data, auth tokens). These are essential for the site to function and cannot be disabled.
• Analytics (opt-in): Google Analytics 4 (GA4) for usage analytics and Cloudflare Web Analytics (cookieless, privacy-focused). These are only activated after you grant consent.
• Monitoring (opt-in): Sentry for error tracking, performance monitoring, and session replay. 10% of sessions and 100% of error sessions are recorded to help us identify and fix bugs. Session replays may capture page interactions but are configured to mask sensitive input fields.

5. AI Data Processing Disclosure

Several features in DATAXYZ CONNECT use artificial intelligence powered by Anthropic’s Claude API. When you use the following features, your input is sent to Anthropic for processing:

• Chat widget: Conversational messages are sent to Claude for generating responses.
• BPA Generator: Model metadata and rule descriptions are sent to Claude for best-practice rule generation.
• Design Studio: Theme descriptions, brand briefs, and design prompts are sent to Claude for generating themes, layouts, backgrounds, and prototypes.
• XYZDojo AI Tutor: Questions and learning context are sent to Claude for personalised tutoring responses.

AI conversations are processed in real time and are not stored on Anthropic’s servers after processing. We do not store the full text of AI conversations on our servers beyond the duration of your active session. Anthropic’s data processing practices are governed by their privacy policy at anthropic.com/privacy.

6. Sentry Session Replay Disclosure

We use Sentry for error tracking and debugging. Sentry’s session replay feature records 10% of normal user sessions and 100% of sessions in which an error occurs. Replays capture page interactions (clicks, scrolls, navigation) to help our development team reproduce and fix bugs. Sensitive form fields (passwords, payment inputs) are masked in recordings. Session replay is only activated after you grant monitoring consent via our cookie banner.

7. Third-Party Processors (Article 28 UK GDPR)

We share your personal data with the following third-party processors, each bound by data processing agreements:

• Firebase / Google Cloud (USA): Authentication, Firestore database, Cloud Functions, and hosting.
• Supabase (USA): XYZDojo learning platform data storage (topics, flashcards, quizzes, user progress).
• Stripe (USA): Payment processing for XYZDojo premium subscriptions. Stripe is PCI DSS Level 1 certified.
• Anthropic (USA): AI processing — user prompts are sent to the Claude API for Chat, BPA, Design Studio, and Dojo tutor features.
• Sentry (USA): Error tracking, performance monitoring, session replay, and structured logging.
• Cloudflare (USA): CDN, DDoS protection, and cookieless web analytics.
• SendGrid / Twilio (USA): Transactional and marketing email delivery.
• Google Fonts (USA): Font loading (Instrument Serif, Manrope, JetBrains Mono). Google may log IP addresses when fonts are requested.
• Cal.com: Meeting and consultation scheduling.

8. International Data Transfers

Your personal data may be transferred to and processed in the United States by the third-party processors listed above. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office, or by the processor’s participation in recognised data protection frameworks. We ensure that all international transfers comply with Chapter V of the UK GDPR.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

• Account data: Retained while your account is active. Deleted upon account deletion (you can request this via account settings or by contacting us).
• Payment data: Stripe retains transaction records as required by financial regulations. Our records of your subscription status are deleted with your account.
• Learning progress: Retained while your account is active and deleted upon account deletion.
• AI conversations: Ephemeral — processed in real time and not stored on our servers after your session ends.
• Activity and analytics data: Aggregated analytics are retained indefinitely. Individual activity events are retained for 12 months.
• Contact form submissions: Retained for 2 years, then deleted.
• Newsletter subscriptions: Retained until you unsubscribe.
• Error tracking data (Sentry): Session replays and error data are retained for 90 days per Sentry’s default retention policy.

10. Your Rights (Articles 15–22 UK GDPR)

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you. You can export your data from your account settings.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account from account settings, which triggers deletion of all associated data.
• Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest. You can also object to direct marketing at any time.
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, contact us at peter.pirisola@dataxyz.co.uk or use the relevant features in your account settings. We will respond to your request within one month as required by law.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS/HTTPS), Firebase Security Rules for database access control, Stripe’s PCI-compliant payment infrastructure, and role-based access controls for administrative functions. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

12. Children’s Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at peter.pirisola@dataxyz.co.uk and we will promptly delete such information.

13. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website. We encourage you to review this policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer: