GDPR Compliance
Xilot is committed to protecting the privacy rights of individuals under the General Data Protection Regulation (GDPR) and equivalent data protection laws.
Effective Date: 1 January 2026 · Last Updated: 23 February 2026
Contents
- 1. Our Role Under GDPR
- 2. Legal Basis for Processing
- 3. Your Data Subject Rights
- 4. Data We Collect
- 5. International Data Transfers
- 6. Data Retention
- 7. Security Measures
- 8. WhatsApp & Meta Processing
- 9. Children's Data
- 10. Data Processing Agreements
- 11. Supervisory Authority
- 12. Contact & Data Protection Queries
1. Our Role Under GDPR
Xilot acts as both a Data Controller and a Data Processor depending on the context:
Data Controller
When we collect and process your personal data to provide our services, manage your account, and communicate with you. We determine the purposes and means of processing.
Data Processor
When you (our customer) upload or process data about your own end-users or contacts through the Xilot platform. We process this data on your behalf under your instructions.
2. Legal Basis for Processing
Under GDPR Article 6, we rely on the following legal bases to process personal data:
Contract Performance (Art. 6(1)(b))
Processing necessary to fulfil our agreement with you — account creation, delivering services, billing, and customer support.
Legitimate Interests (Art. 6(1)(f))
Processing for our legitimate business interests such as fraud prevention, security, improving our platform, and direct marketing to existing customers.
Legal Obligation (Art. 6(1)(c))
Processing necessary to comply with applicable laws, tax obligations, and regulatory requirements.
Consent (Art. 6(1)(a))
Where we rely on your consent (e.g. marketing emails to prospects, non-essential cookies). You may withdraw consent at any time without affecting the lawfulness of prior processing.
3. Your Data Subject Rights
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR / UK GDPR:
Right of Access
Obtain a copy of the personal data we hold about you (Art. 15).
Right to Rectification
Request correction of inaccurate or incomplete data (Art. 16).
Right to Erasure
Request deletion of your personal data ("right to be forgotten") where it is no longer necessary (Art. 17).
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another controller (Art. 20).
Right to Restriction
Request that we limit the processing of your data in certain circumstances (Art. 18).
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes at any time (Art. 21).
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time without penalty.
Right to Lodge a Complaint
Complain to your national supervisory authority if you believe your rights have been violated.
To exercise any of these rights, contact us at info@crediblearena.com. We will respond within 30 days. No fee is charged unless the request is manifestly unfounded or excessive.
4. Data We Collect
We collect the following categories of personal data:
- Identity data — name, job title, company name
- Contact data — email address, phone number (if provided)
- Account data — login credentials (passwords stored as cryptographic hashes), subscription tier, billing history
- Usage data — pages visited, features used, timestamps, IP address, browser/device type
- Communication data — messages sent via Xilot's WhatsApp integration (processed as Data Processor on your behalf)
- Payment data — billing details processed securely by our payment provider (we do not store full card numbers)
5. International Data Transfers
Xilot is headquartered in Singapore. If you are accessing our services from the EEA or UK, your personal data may be transferred outside the European Economic Area. We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) — EU Commission approved transfer mechanisms for data exported to third countries
- Adequacy Decisions — where the destination country has been deemed to offer adequate data protection by the European Commission
- Processor Agreements — binding data processing agreements with all sub-processors that include appropriate transfer safeguards
You may request a copy of the transfer safeguards by emailing info@crediblearena.com.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 90 days after deletion request |
| Usage & log data | Up to 12 months |
| Billing records | 7 years (legal / tax obligation) |
| Communication data | Per customer configuration; max 24 months |
| Marketing data (consent-based) | Until consent is withdrawn |
| Support tickets | 3 years from resolution |
7. Security Measures
Xilot implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls (RBAC) limiting internal data access
- Regular security assessments and penetration testing
- Multi-factor authentication for privileged systems
- Incident response plan with 72-hour breach notification to supervisory authorities
8. WhatsApp & Meta Processing
Xilot integrates with the WhatsApp Business API provided by Meta Platforms Ireland Ltd. When you use our WhatsApp automation features:
- Message content passes through Meta's infrastructure in accordance with Meta's terms
- Xilot processes this data as Data Processor on behalf of you (the controller)
- You are responsible for obtaining valid consent from your end-users for WhatsApp messaging
- Data Processing Agreements (DPAs) are available on request for enterprise customers
9. Children's Data
Xilot's services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly. If you believe a child has submitted data to us, contact us immediately at info@crediblearena.com.
10. Data Processing Agreements
If you use Xilot to process personal data on behalf of your organisation and you are subject to GDPR (as a Data Controller), you may require a Data Processing Agreement (DPA) with us. Our DPA includes:
- Description of processing activities, purposes, and data categories
- Processor obligations under GDPR Articles 28 and 32
- Sub-processor list and notification obligations
- Standard Contractual Clauses for international transfers (where applicable)
- Data breach notification procedures
- Deletion / return of data upon contract termination
Request a DPA by emailing info@crediblearena.com with your organisation name and jurisdiction.
11. Supervisory Authority
If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
For UK residents, the relevant authority is the Information Commissioner's Office (ICO).
12. Contact & Data Protection Queries
For all GDPR-related requests, DPA enquiries, or data subject rights requests:
Email: info@crediblearena.com
Address: 90, Carpmael Road, Singapore 429824
We will acknowledge your request within 72 hours and respond in full within 30 days (extendable by a further 60 days for complex requests with prior notice).