1. What are cookies?
Cookies are small text files stored on your device when you visit xelia.ai. They allow us to remember your preferences, keep your session active, and understand how you use our platform so we can improve it.
We do not collect personal data through cookies without your explicit consent.
2. Who is responsible?
Aerosync Corporate Services SAPI de CV
Address: Avenida Division del Norte, Colonia Lomas de Memetla, Postal Code 05330, Alcaldia Cuajimalpa de Morelos, Mexico City, Mexico
Website: https://xelia.ai
Privacy contact: privacidad@xelia.ai
Data Protection Officer (DPO): Leonardo Abad Galan
Email: cibscyc@proton.me
3. Types of cookies we use
3.1 Strictly Necessary Cookies
These do not require your consent. Without them, the platform cannot function.
| Cookie | Purpose | Duration |
|---|---|---|
xelia_session | Keep your session active after logging in | Session duration |
xelia_tenant | Identify which organization you belong to (multi-tenant) | Session duration |
xelia_csrf | Protection against cross-site request forgery (CSRF) attacks | Session duration |
xelia_consent | Remember your cookie preferences | 12 months |
3.2 Performance and Analytics Cookies
These require your consent. They help us understand how you use the platform so we can improve it.
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
_cf_bm | Cloudflare bot protection | 30 minutes | Cloudflare |
__cf_clearance | Security verification completed | 30 minutes | Cloudflare |
Currently, XELIA does not use Google Analytics, advertising pixels, or any third-party advertising trackers. If this changes in the future, we will update this policy and request your consent before activating them.
3.3 Functional Cookies
These require your consent. They enhance your experience by remembering your preferences.
| Cookie | Purpose | Duration |
|---|---|---|
xelia_lang | Remember your language preference (ES/EN) | 12 months |
xelia_theme | Remember your visual theme preference | 12 months |
xelia_sidebar | Remember whether the sidebar is collapsed or expanded | 12 months |
3.4 Marketing Cookies
These require your consent. Currently, XELIA does not use marketing or advertising cookies. We do not track your activity on other websites. We do not sell or share your data with advertising networks.
4. Third-party cookies
The only third parties that may set cookies when you use XELIA are:
| Third Party | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, web security | cloudflare.com/privacypolicy |
| Stripe, Inc. | Payment processing (only on checkout pages) | stripe.com/privacy |
Stripe only sets cookies when you interact with the payment form. These cookies are necessary for fraud prevention and secure processing of your transaction.
Note on AI providers: The artificial intelligence providers used by XELIA (Anthropic, OpenAI, Google, Perplexity) process data through server-to-server APIs and do not set cookies in your browser. For more information about these providers, please see our Privacy Notice.
5. Your rights and options
5.1 Manage your preferences
You can change your cookie preferences at any time by clicking the "Cookie Settings" link available in the footer of xelia.ai, or from Settings > Privacy in the dashboard.
5.2 Reject cookies
You can reject all non-essential cookies. The platform will continue to function fully. You will only lose your language and visual theme preferences, which will reset on each visit.
5.3 Delete cookies
You can delete cookies stored on your device at any time through your browser settings:
- Chrome: Settings > Privacy and security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Manage Website Data
- Edge: Settings > Privacy, search, and services > Cookies
5.4 "Do Not Track" Signal
XELIA respects the "Do Not Track" (DNT) signal from your browser. If your browser sends this signal, we will not activate analytics or functional cookies without your explicit consent.
5.5 Global Privacy Control (GPC)
XELIA recognizes and respects the Global Privacy Control signal. If your browser sends GPC, we treat it as a request not to track your activity.
6. Legal basis
| Cookie Type | Legal Basis (GDPR) | Legal Basis (LFPDPPP 2025 Mexico) |
|---|---|---|
| Strictly necessary | Legitimate interest (Art. 6.1.f GDPR) | Legal relationship (Art. 12 LFPDPPP) |
| Performance / Analytics | Explicit consent (Art. 6.1.a GDPR) | Consent (Art. 8 LFPDPPP) |
| Functional | Explicit consent (Art. 6.1.a GDPR) | Consent (Art. 8 LFPDPPP) |
| Marketing | Explicit consent (Art. 6.1.a GDPR) | Consent (Art. 8 LFPDPPP) |
7. International transfers
XELIA operates with infrastructure in Germany (Falkenstein) and the United States, and uses services from companies with a global presence. International transfers of cookie-related data are carried out under the following safeguards:
| Provider | Location | Transfer Mechanism |
|---|---|---|
| Cloudflare, Inc. | Global (distributed CDN) | EU-U.S. Data Privacy Framework |
| Stripe, Inc. | United States | EU-U.S. Data Privacy Framework + PCI DSS |
| Hetzner Online GmbH | Falkenstein, Germany | EU jurisdiction (GDPR adequacy) |
Aerosync Corporate Services SAPI de CV ensures that all international transfers comply with the requirements of the LFPDPPP (Chapter V) and the GDPR (Chapter V) where applicable.
8. Retention
| Type | Maximum Retention |
|---|---|
| Session cookies | Deleted when the browser is closed |
| Consent cookies | 12 months |
| Preference cookies | 12 months |
| Security cookies (Cloudflare) | 30 minutes |
9. Minors
XELIA is a business-to-business (B2B) service. We do not knowingly collect data from individuals under the age of 18. If you are a minor, you must not use our platform.
10. Changes to this policy
When we modify this policy:
- We will update the "Last Updated" date at the top of this page.
- If the changes are significant (new types of cookies or new third parties), we will notify you by email and through a banner on the platform.
- We will request your consent again if the changes affect cookies that require authorization.
11. Contact
If you have questions about this cookie policy or how we handle your data:
Data controller:
Aerosync Corporate Services SAPI de CV
Email: privacidad@xelia.ai
Data Protection Officer:
Leonardo Abad Galan
Email: cibscyc@proton.me
If you believe your rights have not been addressed, you may file a complaint with:
- Mexico: National Institute of Transparency, Access to Information and Personal Data Protection (INAI) — inai.org.mx
- European Union: The data protection authority of your country of residence
12. Commitment statement
XELIA, operated by Aerosync Corporate Services SAPI de CV, uses the minimum number of cookies necessary to operate. We do not monetize your data. We do not sell it. We do not share it with advertising networks. Your information exists to provide you with a better service, not to build an advertising profile.
This policy complies with the General Data Protection Regulation (GDPR) of the European Union, Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP 2025), and SaaS industry best practices in 2026.
Last updated: March 2026
Version: 1.0