Privacy Policy
We take privacy seriously. This page explains what we collect, why we collect it, who we share it with and what choices you have. If anything is unclear, write to privacy@xerowait.com.
1. Who We Are
XEROWAIT is a SaaS platform operated from Karachi, Pakistan. When you sign up for an account, subscribe to a paid plan, or process customer messages through our AI, we act as a data processor for your end customers and as a data controller for your own account information.
2. Information We Collect
We collect three categories of information.
Account information
When you create an account we collect your name, business email address, business name, country, and a hashed password. If you subscribe to a paid plan we also collect billing contact, postal address (for tax invoices), and limited card metadata returned to us by Lemon Squeezy (last four digits and brand only, never the full card number).
Usage information
We log how the service is used: IP address (hashed and peppered before storage), browser and device user agent, pages visited, features used, AI replies generated, errors and timestamps. We use this to keep the service running, to catch abuse, and to improve product quality. Log data is retained for ninety days and then deleted.
Customer data you process through us
When your end customers send a message through your XEROWAIT channels (chat, voice, email, WhatsApp), we receive and store: the message content, the sender's identifier (phone, email, or anonymous chat ID), any attachments, the conversation thread, and metadata such as Shopify order numbers and refund history when you connect those accounts. You decide what gets stored and you can delete any record at any time from your dashboard.
3. How We Use Information
We use the information we collect to:
- Operate and provide the Service to you.
- Generate AI replies through OpenAI on your behalf.
- Authenticate users and protect accounts from abuse.
- Send transactional emails (account, billing, security).
- Detect bugs and performance issues, and fix them quickly.
- Comply with legal obligations such as tax invoices and law enforcement requests issued under Pakistani law.
We never sell your data to advertisers, and we never use customer messages to train AI models that are shared with other tenants.
5. Data Retention
Account information is kept for as long as your account is active. After cancellation we keep customer data available for export for thirty days, after which it is permanently deleted from production systems. Backups are encrypted, locked down, and rotate out within ninety days. Anonymised aggregate metrics (like total replies per month) may be kept for business reporting indefinitely.
6. Your Rights
Even though Pakistani law does not currently mandate a GDPR-style framework, we honour the same rights for every customer:
- Access — see what we hold about you and your tenant.
- Rectification — correct anything that is wrong.
- Deletion — ask us to delete your data (subject to legal duties to retain billing records).
- Portability — export your data in a structured format (JSON or CSV).
- Objection — opt out of any non-essential processing.
To exercise any of these rights, write to privacy@xerowait.com from the email on your account. We respond within fourteen days.
7. Security
We protect your data with the following measures:
- All traffic between you and the Service is encrypted in transit with TLS 1.3.
- Customer data is encrypted at rest with AES-256 using AWS-managed keys.
- Each tenant has an isolated Postgres schema. We do not commingle conversations between brands.
- Passwords are hashed with Argon2id. We never store plaintext passwords.
- Sessions are signed JWTs with short expiry, rotated on every login.
- Production access is limited to a small group of engineers, enforced with hardware security keys and audit-logged.
- We run automated dependency scanning and quarterly third-party penetration tests.
If you discover a vulnerability, please report it to security@xerowait.com. We acknowledge reports within forty-eight hours.
8. International Transfers
Your data is hosted on AWS in Bahrain (me-south-1) by default. European customers can opt into Frankfurt (eu-central-1). Some of our processors (such as OpenAI and Resend) are based in the United States, which means data may be transferred outside Pakistan. Where this happens, we rely on Standard Contractual Clauses or equivalent safeguards to protect the transfer.
10. Children
XEROWAIT is a business-to-business product. The Service is not intended for and is not directed at anyone under 18. We do not knowingly collect data from children. If you believe a child has given us data, write to privacy@xerowait.com and we will delete it.
11. Changes to This Policy
We may update this policy as the Service evolves. If a change is material we will email account owners at least thirty days before it takes effect. The current version is always available at xerowait.com/privacy and is dated at the top of this page.
12. Contact
Questions, requests or complaints about privacy go to privacy@xerowait.com. For legal matters write to legal@xerowait.com. For security disclosures write to security@xerowait.com.