Privacy Policy
Multi-jurisdictional: Australia · European Union · United Kingdom · United States. Switch region in the top nav to see the equivalents in your market.
01Plain English summary (read this first)
We're an Australian-headquartered B2B SaaS company. Here's how we handle your personal information in 60 seconds:
- We collect — the minimum needed to run the service: your work email, the data your AI workflows produce, basic usage telemetry, what your customers (if any) sign off on.
- We use it for — running your workspace, producing your audit trail, improving the product (in aggregate), responding to you.
- We don't — sell your data, train AI models on your customer data, share with third parties beyond our disclosed sub-processors.
- Data residency — Australia by default; EU / UK / US options available per tier (see Data Sovereignty).
- You can — access, correct, delete, port, object, ask us anything by emailing privacy@xlooop.com (opens with a structured privacy-request template).
Full legal detail follows. We comply with applicable privacy law in Australia (APPs), EU (GDPR), UK (UK GDPR), and the United States (CCPA/CPRA + comparable state laws).
02Who we are
ADEVI PTY LTD (trading as Xlooop). ABN 80 627 916 698 (verifiable via ABN Lookup). ACN 627 916 698 (verifiable via ASIC Connect). Jurisdiction: Sydney, NSW, Australia. Registered office address: provided on request to legal@xlooop.com (operator-protected at Stage 1 per sole-director residential-address convention; supplied in any contract, NDA, or regulator response). Australian-headquartered. Available worldwide.
In this Policy, "Xlooop", "we", "us", "our" = ADEVI PTY LTD (trading as Xlooop). "You", "your" = the individual whose personal information we collect.
03Scope
This Policy explains how we handle personal information / personal data under:
- Privacy Act 1988 (Cth) + Australian Privacy Principles 1–13
- EU General Data Protection Regulation (EU 2016/679)
- UK GDPR + Data Protection Act 2018
- California Consumer Privacy Act / CPRA + comparable US state laws (Virginia · Colorado · Connecticut · Utah · Texas · Florida)
If a regional law gives you stronger rights than the AU baseline, the stronger right applies in your region.
04What personal information / data we collect
3.1 Information you give us directly
- Account information — first name · last name · work email
- Workspace metadata — company name · business registry identifier (ABN AU · Companies House UK · EU VAT · US EIN etc.) · sector · headcount estimate
- Interview answers — your responses to the Stage 3 onboarding questions; optional idiosyncratic context
- Pilot + contract information — name · role · contact details of authorised representatives
- Support correspondence — content of emails · chat · calls
3.2 Information we collect automatically
- Usage telemetry — pages visited · feature interactions · performance metrics (Cloudflare Web Analytics; privacy-first; no cookies; no IP storage)
- Device + technical information — browser type · OS · approximate geographic region from IP at country level (we do not store full IPs)
- Error + diagnostic data — when something breaks, what broke
3.3 Information we collect from public sources (Stage 1 passive sweep)
We collect public-source information about your business, not individuals, at Stage 1. Individuals' personal information enters our systems only when you sign up + connect tools.
3.4 Information we collect when you connect tools (Stage 2 onwards)
When you grant OAuth scope to your accounting platform or any later integration, we collect the data that scope permits — read-only.
3.5 Sensitive / special-category data
We do not intentionally collect sensitive / special-category data (health · biometric · racial · religious · criminal · trade-union membership · political opinion · sexual orientation). If your connected tools contain such data, our system flags it and does not process it without explicit additional consent.
05AI-specific disclosures
4.1 What AI we use
- Anthropic Claude (currently primary)
- (others as disclosed in our Sub-Processor List)
4.2 What AI does + doesn't do
4.3 Automated decision-making transparency
4.3.1 Australia — ADM transparency commencing 10 December 2026
Per the Privacy and Other Legislation Amendment Act 2024, we disclose ADM uses in advance of statutory commencement:
4.3.2 EU — Article 22 GDPR rights
Under EU GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We do not perform such fully-automated decisions on customers. All ADM uses above are decision-support, not decision-determinative — a human makes the final decision.
4.3.3 UK — same Article 22 rights under UK GDPR
UK GDPR Article 22 rights mirror EU GDPR.
4.3.4 EU AI Act transparency (Regulation 2024/1689)
Xlooop is not currently classified as a high-risk AI system under EU AI Act Annex III. We comply with applicable transparency obligations — disclosure to natural persons that they are interacting with AI, marking of AI-generated content in your audit trail, operator obligations under Article 50 where applicable. We monitor Annex III amendments.
4.3.5 US — Colorado AI Act 2026 + CPPA ADMT
For Colorado consumers, we comply with the Colorado AI Act's consequential-decision disclosure + impact-assessment requirements where applicable. For California consumers, we comply with the CPPA's ADMT rules.
4.4 AI output reliability
AI outputs are not guaranteed to be accurate. They are inputs to human review, not substitutes for human judgement. You remain responsible for the work delivered to your customers + the audit-grade record produced from your workspace.
06How we use personal information / data
- Operate the service — provision your workspace · run AI workflows · produce audit-grade records · process payments
- Maintain authority + governance — enforce the 6-role panel · audit-log every action · gate AI access by scoped authority
- Improve the product — analyse aggregate usage patterns · develop new features · debug
- Communicate with you — service updates · billing · support · (with opt-in only) occasional product news
- Comply with law — respond to lawful requests · meet statutory obligations · cooperate with regulators
- Protect Xlooop + customers — security · fraud prevention · enforcement of our Terms
We do not use personal information for: selling to third parties · training AI models · advertising or behavioural targeting · cross-customer benchmarking that identifies your business.
5.1 Lawful basis (EU GDPR + UK GDPR Article 6)
5.2 Sale + sharing (CCPA/CPRA + comparable state laws)
We do not sell or share personal information for cross-context behavioural advertising as defined under CCPA/CPRA. We do not process sensitive personal information for purposes that would require limited-use opt-out under CPRA. California residents have the right to direct us not to sell or share personal information at any time — since we don't sell, this is a standing commitment.
07Controller / processor distinction
6.1 We are the data controller for
- Information you give us directly about yourself (account info)
- Telemetry of your workspace use
6.2 We are a data processor for
Information about your customers + counterparties + employees that flows into the workspace through your connected tools at Stage 2+. When we act as processor, you remain the controller. Our handling is governed by the Data Processing Agreement (DPA) — a separate addendum incorporated by reference into our Terms of Service.
The DPA includes the EU GDPR Article 28 required elements + UK IDTA for UK personal data + EU SCCs (June 2021) Module 2 for controller-to-processor transfers + Module 3 where applicable.
09Cross-border data flows
Australia is our default location. Cross-border processing is disclosed, scoped to minimum necessary, and subject to applicable safeguards.
8.1 EU + UK customers — Standard Contractual Clauses (SCCs) + UK IDTA
For transfers of EU personal data outside the EEA: EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-processor); Transfer Impact Assessment (TIA) completed; supplementary measures applied where required (technical: encryption-in-transit + encryption-at-rest + access controls; contractual: SCC representations; organisational: data minimisation + retention discipline). For UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum.
8.2 AU customers — APP 8 accountability
We take reasonable steps to ensure overseas recipients of Australian personal information handle it consistently with the APPs. Contractual + technical + organisational + audit steps apply.
8.3 US customers — Privacy Shield successor frameworks
We rely on the EU-US Data Privacy Framework (where applicable) + the UK Extension to the same, plus contractual safeguards.
8.4 Per-customer data residency options
See Data Sovereignty.
10Data retention
11Your rights
Your rights vary by region. The AU baseline below is the minimum; your regional rights may exceed it.
10.1 AU baseline (APPs 11, 12, 13)
- Access · correct · delete (subject to legal-retention obligations) · restrict · object · port · lodge a complaint with the OAIC
10.2 EU rights (EU GDPR Articles 15–22)
- Right to be informed (Articles 13–14) · access (15) · rectification (16) · erasure (17) · restriction (18) · portability (20) · object (21) · ADM rights (22) · lodge a complaint with a supervisory authority (77): Germany — BfDI + Länder DPAs; France — CNIL; other EU Member States — respective national DPA
10.3 UK rights (UK GDPR + DPA 2018)
Same as EU GDPR rights. UK supervisory authority: Information Commissioner's Office (ICO).
10.4 US rights
California (CCPA/CPRA) — right to know · delete · correct · opt out of sale or sharing (we don't sell; standing-honoured) · limit use of sensitive PI · non-discrimination. VCDPA · CPA · CTDPA · UCPA · TDPSA · FDBR — comparable rights per each state's statute.
10.5 How to exercise rights — all regions
Email privacy@xlooop.com (opens with a structured privacy-request template you can adjust).
10.6 Response times
12Security
- Cloudflare Access OAuth (Google · Microsoft · email magic-link)
- TLS 1.3 for all transit; perfect-forward secrecy
- Per-tenant data isolation
- Daily cyber baseline checks (DMARC · TLS · HIBP)
- Write-only audit ledger
- 6-role boundary panel
- Pre-transmission audit (
scan_customer_safe_bundle.py)
We target alignment with industry standards (SOC 2 readiness · ISO/IEC 27001 · NIST AI RMF · Essential Eight ML1 floor). Specific attestations live in the Trust Center (when authored).
11.1 Breach notification
Internal detection target: ≤72 hours. Customer notification: ≤72 hours from detection (where feasible).
13Statutory + civil exposure awareness
- AU statutory tort for serious invasion of privacy (commenced 10 June 2025) — applies even under small-business exemption
- EU GDPR penalties — up to €20M or 4% global revenue
- UK GDPR penalties — up to £17.5M or 4% global revenue
- CCPA/CPRA — civil penalties + statutory damages
- EU AI Act penalties — up to €35M / 7% global revenue (prohibited) or €15M / 3% (high-risk non-compliance)
ADEVI PTY LTD maintains cyber + professional indemnity insurance. [operator to confirm specific policy details — insurer · cover amount · effective dates — before publication]
14Children’s privacy
Xlooop is a B2B service for regulated SMBs. We do not direct services to children + do not knowingly collect information from individuals under 18. Specific regimes we track:
- AU Children's Online Privacy Code (commencing 10 December 2026)
- EU GDPR Article 8 — consent age for information society services (varies by Member State; 13–16)
- UK Age-appropriate Design Code (ICO)
- US COPPA — Children's Online Privacy Protection Act (under 13)
15International users
Xlooop is operated from Australia + designed for regulated SMBs globally. Customers in non-AU jurisdictions sign under multi-jurisdictional terms (see Terms + DPA). We do not yet have local entities in EU / UK / US. We will appoint required local representatives (EU Article 27 representative · UK Article 27 representative) before opening GTM in those regions, and we will update this Policy with their details.
16Changes to this Policy
Material changes — we notify you ≥30 days in advance via email + in-workspace banner.
Non-material changes — take effect immediately + log in the change-log.
You may terminate without penalty if you disagree with a material change.
18Contact us
- Privacy: privacy@xlooop.com
- Security: security@xlooop.com
- Legal: legal@xlooop.com
- Press / PR: pr@xlooop.com
- AU Privacy Officer: Marat Basyrov (Founder & CEO, ADEVI PTY LTD) · privacy@xlooop.com
- EU Article 27 Representative: Not yet appointed (EU GTM not active at Stage 1). EU enquiries route to privacy@xlooop.com pending appointment.
- UK Article 27 Representative: Not yet appointed (UK GTM not active at Stage 1). UK enquiries route to privacy@xlooop.com pending appointment.
- US privacy inquiries: privacy@xlooop.com
- Post: ADEVI PTY LTD — registered AU office address provided on request to legal@xlooop.com; supplied in any contract, NDA, or regulator response. For routine privacy correspondence, email is the preferred channel.
Supervisory authorities:
- AU: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992
- EU: Your Member State DPA (BfDI Germany · CNIL France · etc.)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- US (California): California Privacy Protection Agency — cppa.ca.gov
- US (FTC): Federal Trade Commission — ftc.gov
Three doors. Same destination: a firm whose AI work is provable.
Pick the one that fits where you are today — none commit you to anything.
Or simply email hello@xlooop.com — one human reads every message.