Privacy Policy
Last updated: June 20, 2026
This Privacy Policy explains how Xellvio ("Xellvio," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the Xellvio platform and the website at https://xellvio.com (together, the "Service"). It also describes the rights and choices available to you.
Xellvio is operated by Xellvio, Address available on request ("we"). For privacy questions or to exercise your rights, contact us at privacy@xellvio.com.
1. Our Two Roles: Controller and Processor
Xellvio plays two different roles depending on whose data is involved:
- As a controller — for personal information about our Customers (the businesses and individuals who sign up) and website visitors, we decide how and why the data is processed. This policy governs that processing.
- As a processor — when our Customers upload contact lists and send campaigns, the personal information of their recipients ("End User Data") is controlled by the Customer. We process it only on the Customer's documented instructions to provide the Service, as described in our Data Processing Addendum. End Users with questions about a specific message should contact the business that sent it.
2. Information We Collect
Account and business information — name, business name, email, phone number, business address, business registration details, role, and login credentials.
Billing information — billing contact, transaction history, and payment details (processed by our payment provider; we do not store full card numbers).
Customer content and End User Data — contact phone numbers and names, consent records, message content, campaign configurations, segments, and delivery and engagement data, all uploaded or generated by Customers.
Usage and device data — IP address, browser and device type, operating system, log files, timestamps, pages and features used, and referring URLs.
Communications — messages you send to our support team and related metadata.
Cookies and similar technologies — see our Cookie Policy.
What we collect, why, and our legal basis
| Category | Examples | Purpose | Legal basis (where GDPR/UK GDPR applies) |
|---|---|---|---|
| Account data | Name, email, business details | Create and manage accounts; authenticate | Contract; legitimate interests |
| Billing data | Billing contact, transactions | Process payments; manage credits | Contract; legal obligation |
| Customer content | Contacts, messages, campaigns | Deliver the Service | Contract (and, for End User Data, our role as processor) |
| Usage/device data | IP, logs, feature usage | Operate, secure, and improve the Service | Legitimate interests |
| Compliance data | Verification, identity, consent records | Meet legal and carrier requirements; prevent abuse | Legal obligation; legitimate interests |
3. How We Use Information
We use personal information to operate, maintain, and secure the Service; create and authenticate accounts; deliver messages on Customers' behalf; process payments and manage credit balances; provide support; detect, investigate, and prevent fraud, abuse, and violations of our Acceptable Use and Anti-Spam policies; comply with legal, regulatory, and carrier obligations (including messaging registration and verification); and analyze and improve the Service.
4. Mobile Information and Text Messaging — Important Disclosure
No mobile information (including phone numbers and SMS opt-in or consent data) will be shared with or sold to third parties or affiliates for marketing or promotional purposes. All categories of data sharing described in this policy exclude text-messaging originator opt-in data and consent; this information will not be shared with any third parties for their own marketing purposes.
Mobile and consent information is used only to deliver the messaging requested by you or by the Customer whose list you joined, and to meet telecommunications-compliance obligations.
5. How We Share Information
We share personal information only as described here:
- Subprocessors and service providers — including our messaging infrastructure provider (Twilio), cloud hosting and database provider, payment processor, email and analytics providers. They act on our instructions under contract. A current list is maintained in our Subprocessor List. Delivering a message necessarily transmits the recipient's number and message content to telecommunications carriers.
- Legal, safety, and compliance — where required by law, regulation, legal process, carrier rules, or to protect the rights, property, or safety of Xellvio, our Customers, End Users, or the public, and to enforce our terms.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
We do not sell personal information, and we do not share mobile opt-in or consent data for third-party marketing.
6. Data Retention
We retain personal information for as long as an account is active and as needed to provide the Service, then only as long as necessary to comply with legal obligations, resolve disputes, maintain security, and enforce our agreements. Customers may request deletion as described in Section 8 and in our Data Processing Addendum.
7. Data Security
We maintain administrative, technical, and organizational safeguards designed to protect personal information, including encryption of sensitive credentials, access controls, and tenant isolation. No system is perfectly secure, and we cannot guarantee absolute security.
8. Your Rights and Choices
Depending on your location, you may have the right to access, correct, delete, or port your personal information; to restrict or object to processing; and to withdraw consent. To exercise these rights, contact privacy@xellvio.com; we may need to verify your identity. End Users should direct requests to the Customer who controls their data, and we will support that Customer in responding.
Opt out of messages at any time by replying STOP to any message; reply HELP for assistance.
Region-specific rights
EEA / United Kingdom (GDPR / UK GDPR). You have the rights listed above and the right to lodge a complaint with your supervisory authority. Where we rely on legitimate interests, you may object. International transfers are protected by appropriate safeguards such as Standard Contractual Clauses.
California (CCPA / CPRA). You have the right to know, access, correct, and delete personal information, and to opt out of "sale" or "sharing" — we do not sell or share personal information as those terms are defined. We will not discriminate against you for exercising your rights.
Nigeria (NDPR) and other regions. Where local data-protection laws apply, we honor the rights and obligations they provide. Contact us for region-specific requests.
9. International Data Transfers
We and our subprocessors may process personal information in countries other than yours. Where required, we apply appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
10. Children's Privacy
The Service is intended for businesses and is not directed to individuals under 18 (or the age of majority where they live). We do not knowingly collect their personal information.
11. Cookies
We use cookies and similar technologies to run the Service, maintain sessions, remember preferences, and analyze usage. See our Cookie Policy for details and choices.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised version with a new "Last updated" date and, where appropriate, provide additional notice of material changes.
13. Contact Us
Xellvio Address available on request Email: privacy@xellvio.com