Privacy Notice

PRIVACY NOTICE

Aerosync Corporate Services SAPI de CV

Last updated: April 2026

1. DATA CONTROLLER AND CONTACT INFORMATION

1.1 Data Controller

Aerosync Corporate Services, SOCIEDAD ANONIMA PROMOTORA DE INVERSION DE CAPITAL VARIABLE (commercially operating under the brand "XELIA") (hereinafter "XELIA", the "Controller" or "we"), with registered address at Avenida Division del Norte, Colonia Lomas de Memetla, Postal Code 05330, Alcaldia Cuajimalpa de Morelos, Mexico City, Mexico, is the data controller responsible for the processing of personal data collected through our website, platform, and other channels associated with the domain https://xelia.ai.

Federal Taxpayer Registry (RFC): Pending before the Tax Administration Service (SAT). This document will be updated once obtained.

1.2 Privacy Contact / DPO

For any questions or requests related to the protection of personal data, you may contact:

Privacy Officer: Leonardo Abad Galan

Email: privacidad@xelia.ai

Alternative email: info@xelia.ai

Where European Union regulations apply (Regulation (EU) 2016/679, "GDPR"), XELIA will act as the data controller for users located in the EU. If in the future we designate an EU representative (Art. 27 GDPR), their details will be included in the updated version of this Notice.

2. PERSONAL DATA WE PROCESS

Depending on how you interact with XELIA, we may process the following categories of data:

2.1 During website browsing (before registration)

IP address
Online identifiers (cookies, session IDs)
Browser type, operating system, device, language
Referring URL, pages visited, timestamps
Technical events (error logs, performance)

Purposes:

Maintaining platform security (abuse and fraud detection)
Enabling the technical operation of the website
Usage analytics and service improvement (where permitted by law and, where applicable, with your consent for non-essential cookies)

2.2 During the free demo (no payment)

Voice data:

Audio captured by your microphone during the demo
Voice-to-text transcriptions
Metadata: approximate duration, language, timestamps

Important note: Voice data constitutes biometric data and is considered sensitive personal data under Mexican law. Its processing requires the express consent of the data subject.

Interaction data:

Text messages sent to the assistant
System-generated responses
Basic demo configuration (e.g., language, test assistant type)

Golden rule implemented by XELIA:

By default, audio and transcriptions during the demo are processed temporarily and are deleted at the end of the demo session. However, if you grant your express consent via a specific checkbox, XELIA may retain this data to improve its artificial intelligence models and better understand consumer needs.

Primary purpose:

To provide the XELIA demonstration experience.

2.3 During registration and plan subscription

Identification and contact data:

Full name
Email address
Company and role (if provided)
Country
Phone number (optional)

Account and subscription data:

Username, credentials (hashed password)
Subscribed plan (Impulso, Pro, MAX)
Registration date, renewal date, subscription status
Billing configuration (currency, tax ID if applicable)

Payment data:

We process payments through Stripe, Inc.

Stripe receives and processes card data (number, expiration date, CVC, cardholder name) as an independent controller or processor, in accordance with its own privacy notices available at https://stripe.com/privacy.

XELIA does not store card numbers or CVC codes.

XELIA stores only:

Stripe customer ID (customer_id)
Payment and subscription IDs (payment_intent_id, subscription_id)
Amount, date, and payment status
Billing history and tax receipts (where applicable)

Purposes:

Creating and managing your account
Managing payments and recurring billing
Providing technical support and customer service
Fulfilling legal, accounting, and tax obligations (e.g., retention of receipts)

2.4 During service use (post-purchase)

Interactions with XELIA:

Text conversations
Voice recordings (when the feature is active)
Transcriptions and generated responses
Files or data that you or your organization integrate through the platform (depending on plan)

Assistant configuration data:

Assistant name, prompts, workflows, and business rules
Language preferences
Activated integrations (CRM, helpdesk, etc.)
Customization and training parameters (where applicable)

Usage data and metrics:

Frequency and volume of interactions
Performance statistics (response time, success rate, etc.)
Technical and error logs

Purposes:

Providing the contracted service (contract performance)
Improving the quality of the assistant and the platform
Personalizing the experience and results (to the extent you configure)
Developing new features and aggregated or anonymized statistical models
Maintaining the security, integrity, and availability of the service

2.5 Marketing and communication data (optional)

Communication preferences (important product announcements, updates)
Email interactions (opens, clicks)
Social media and contact forms (where applicable)

Purposes:

Sending commercial communications about XELIA where permitted by law or with your consent
Analyzing campaign performance (in aggregate)

3. LEGAL BASIS FOR PROCESSING (GDPR AND INTERNATIONAL STANDARDS)

Where EU or other countries' regulations with similar frameworks apply, we process personal data on the basis of:

Performance of a contract

To create and manage your account
To provide XELIA services according to the subscribed plan
To manage payments and customer support

Compliance with legal obligations

Retention of accounting and tax information
Responding to government authority requests

Legitimate interest

Platform security and fraud prevention
Basic usage analytics to improve the service (without disproportionate profiling)
Communication with administrative users of B2B accounts

When we rely on legitimate interest, we document a Legitimate Interest Assessment (LIA) to balance our interest with your rights and freedoms.

Consent

For non-essential cookies (analytics, marketing) under GDPR and ePrivacy laws
For direct marketing where required (e.g., in the EU and some US states)
For the use of voice data and content to train AI models beyond what is strictly necessary to provide the service
For purposes beyond those described in this notice

You may withdraw your consent at any time, without retroactive effect.

In Mexico, processing is carried out in accordance with the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability established in the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) enacted on March 20, 2025, including:

The obligation to identify purposes that require express consent.
Enhanced consent requirements for sensitive personal data (including biometric voice data).
The obligation to inform about the use of automated decisions that affect data subjects (see section 15).
Rules applicable to international transfers of personal data.
Notification obligations in case of security breaches.

Where the data subject is located in any of the following countries where XELIA operates, processing will additionally be governed by applicable local legislation:

Colombia — Statutory Law 1581 of 2012 and Regulatory Decree 1377 of 2013. Data subjects have the right to know, update, rectify, and delete their personal data, as well as to revoke their authorization. Competent authority: Superintendence of Industry and Commerce (SIC).
Argentina — Law 25,326 on Protection of Personal Data and its Regulatory Decree 1558/2001. Data subjects may exercise rights of access, rectification, deletion, and confidentiality. Competent authority: Agency for Access to Public Information (AAIP).
Chile — Law 19,628 on Protection of Private Life, supplemented by Law 21,719 (2024) which modernizes the personal data protection framework and introduces the Personal Data Protection Agency as the supervisory authority.
Ecuador — Organic Law on Protection of Personal Data (LOPDP, 2021). Data subjects have the right of access, rectification, deletion, objection, portability, and the right not to be subject to automated decisions. Competent authority: Superintendence of Personal Data Protection.
Spain — General Data Protection Regulation (RGPD/GDPR, EU 2016/679) and Organic Law 3/2018 on Protection of Personal Data and guarantee of digital rights (LOPDGDD). Data subjects may exercise the rights detailed in section 7.2. Competent authority: Spanish Data Protection Agency (AEPD).

4. VOICE AND AI DATA PROCESSING

4.1 Free demo

During the demo, we process your voice in the browser using the Web Speech API/Web Speech Synthesis (where available).

Audio and transcriptions are used only to generate demo responses in real time.

By default, we do not retain this data after the demo ends.

If during demo registration we request your express authorization via an independent checkbox to retain recordings and transcriptions for the purpose of model improvement and better understanding consumer needs, only then will we retain such data. You understand that you may revoke this consent at any time by writing to privacidad@xelia.ai.

4.2 Paid accounts

Depending on your organization's configuration, we may retain:

Audio recordings
Transcriptions
Generated responses

This data is used to:

Provide conversation history
Improve assistant personalization
Performance analytics (statistics, dashboards, etc.)
Automated conversation analysis using artificial intelligence (see section 15)
Automated prospect and lead evaluation (lead scoring) using artificial intelligence (see section 15)
Generation of summaries, reports, and action recommendations

4.3 Use of third-party AI services (Multi-AI Orchestration)

XELIA uses an intelligent orchestration system that routes requests to the most suitable artificial intelligence provider based on the type of task, with the goal of delivering the best possible result. This means your text, voice, or content data may be processed by one or more of the following providers, depending on the nature of the request:

a) Anthropic, PBC (Claude): Processing in the United States of America. Used for conversation analysis, lead evaluation, complex reasoning, and structured response generation. Privacy policy: https://www.anthropic.com/privacy

b) OpenAI, L.L.C. (GPT, Whisper, Moderation API): Processing in the United States of America. Used for real-time voice processing, audio transcription, content moderation, and embedding generation. Privacy policy: https://openai.com/privacy

c) Google LLC (Gemini): Processing in the United States of America. Used for extensive document analysis, summaries, translations, and bulk data extraction. XELIA exclusively uses the paid tier of the Gemini API with Cloud Billing enabled, which ensures that Google does not use data sent to train its models. Privacy policy: https://policies.google.com/privacy

d) Perplexity AI, Inc. (Sonar): Processing in the United States of America. Used for real-time information searches, fact-checking, and market analysis. Search results may contain information from public internet sources that could be inaccurate. Privacy policy: https://www.perplexity.ai/hub/legal/privacy-policy

e) Deepgram, Inc.: Processing in the United States of America. Used for speech recognition (speech-to-text) and speech synthesis (text-to-speech) in real time during phone calls. Privacy policy: https://deepgram.com/privacy

f) Twilio, Inc.: Processing in the United States of America. Used for programmable telephony, phone number provisioning, SMS, and WhatsApp messaging. Privacy policy: https://www.twilio.com/legal/privacy

All these providers act as data processors and only process data according to our contractual instructions and in accordance with the safeguards established in this Notice. XELIA maintains contracts with each provider that guarantee an adequate level of data protection.

XELIA's orchestration system includes the following protective measures:

Automatic sanitization of sensitive personal data (CURP, RFC, credit card numbers, CLABE interbank codes, email addresses, and phone numbers) before sending information to any external provider.
Prohibited content filtering through OpenAI's Moderation API (at no additional cost) and an internal validation system.
Audit log of each interaction with AI providers, including the provider used, task type, and whether personal data was processed.

No AI provider uses data sent through their commercial APIs to train or improve their models, pursuant to the current commercial terms of each provider (Anthropic Commercial Terms, OpenAI Business Terms, Google Gemini API Paid Terms, Perplexity API Terms).

If XELIA integrates additional AI service providers in the future, this section will be updated and you will be notified in accordance with section 12 of this Notice.

4.4 Consent for AI-powered outbound calls

Spain: In compliance with Law 34/2002 on Information Society Services (LSSI) and the GDPR, XELIA obtains explicit prior consent before making outbound calls with artificial intelligence. This consent is obtained via SMS or WhatsApp, stored with digital evidence (message identifier, date, and time), and may be revoked at any time by replying STOP to the same number or contacting privacidad@xelia.ai. Before making calls in Spain, XELIA verifies that the number is not listed on the Robinson List advertising exclusion registry. Calls are recorded, and at the start of each call, the recipient is informed that the communication uses artificial intelligence, in compliance with Regulation (EU) 2024/1689 (AI Act).

United States: In compliance with the Telephone Consumer Protection Act (TCPA) and 2024 Federal Communications Commission (FCC) rulings, XELIA requires prior express written consent before making any outbound calls with AI-generated voice. Such consent is obtained via SMS, and the recipient's affirmative response is stored as digital evidence. The recipient may revoke consent at any time through any reasonable means, including the words "stop", "quit", "end", "revoke", "opt out", "cancel", or "unsubscribe". XELIA checks the FTC's National Do Not Call Registry before placing calls and does not make calls outside the hours of 8:00 a.m. to 9:00 p.m. local time of the recipient. All calls include an AI usage disclosure at the beginning of the communication.

4.5 Data sources for commercial prospecting

To provide the prospect search and outreach service, XELIA exclusively consults public and official business information sources, including:

Mexico: National Statistical Directory of Economic Units (DENUE) of the National Institute of Statistics and Geography (INEGI).
Colombia: Single Business and Social Registry (RUES) administered by the Chambers of Commerce.
Argentina, Chile, Ecuador, Spain, United States: Google Places API and official public business directories.

XELIA does not purchase third-party databases nor perform automated extraction from private websites. All information used for prospecting is publicly available, accessible without restrictions, and used exclusively to connect our Users with relevant commercial prospects.

Prospect data obtained is stored in the User's account and is not shared between Users or with third parties. The User is responsible for complying with applicable legislation regarding unsolicited commercial communications when contacting prospects provided by XELIA.

5. INTERNATIONAL DATA TRANSFERS AND STORAGE

5.1 Infrastructure

XELIA uses servers at Hetzner Online GmbH, Ashburn, Virginia (United States of America) region to host the platform and databases.

Additionally, XELIA transfers data to the following service providers located outside Mexico:

Provider	Country	Purpose	Data Transferred
Hetzner Online GmbH	Germany	Platform and database hosting	All platform data
Amazon Web Services (AWS)	USA	Backups and auxiliary services	Backed-up data
Anthropic, PBC	USA	Conversation analysis, lead scoring	Conversation text, lead data (sanitized)
OpenAI, L.L.C.	USA	Real-time voice, transcription, moderation	Audio, transcriptions, text for moderation
Google LLC	USA	Summaries, translations, data extraction	Lengthy documents and texts (sanitized)
Perplexity AI, Inc.	USA	Real-time search, fact-checking	Search queries (sanitized)
Twilio, Inc.	USA	Telephony, SMS, WhatsApp, number provisioning	Call audio, phone numbers, call metadata
Deepgram, Inc.	USA	Speech recognition and synthesis	Call audio, transcriptions
Stripe, Inc.	USA	Payment processing	Payment and billing data
Cloudflare, Inc.	USA	CDN, DNS, security	Web traffic, IP addresses

Before sending data to AI providers, XELIA automatically applies a sanitization process that removes or masks sensitive personal data such as CURP, RFC, bank card numbers, CLABE interbank codes, email addresses, and phone numbers.

Data may be replicated or backed up in other regions for business continuity purposes, but always subject to this Notice and data protection contracts.

5.2 Transfers from Mexico to other countries

As a controller established in Mexico that stores data in the United States, we carry out international transfers of personal data.

We ensure that such transfers comply with the Federal Law on Protection of Personal Data Held by Private Parties, including:

Entering into contracts with clauses that guarantee an adequate level of protection
Informing the data subject of transfers and purposes in this Notice
Obtaining consent where required by law (especially for sensitive data)

5.3 Transfers from the EU to third countries (GDPR)

When we process data of subjects located in the EU/EEA:

We sign Standard Contractual Clauses (SCCs) and, where applicable, implement supplementary measures (e.g., robust encryption, pseudonymization, contractual limitations) with providers located outside the EEA, such as AWS, Stripe, OpenAI, and others.
Where a provider is covered by an adequacy mechanism (such as the EU-US Data Privacy Framework, if applicable to the provider), we rely on that mechanism.

6. RETENTION PERIODS

We apply the principle of storage limitation (only for as long as necessary).

Browsing data:

Security logs: 12-24 months, unless there are security incidents.
Cookies: see section 10 of this Notice ("Cookies and similar technologies").

Demo data (voice and text):

By default, deleted at the end of the session.
If you granted consent for retention for model improvement purposes: maximum 24 months.

Account and subscription:

While your account is active.

AI analysis results:

Lead scores, conversation analyses, and generated reports: while the account is active.
AI usage audit logs: 24 months from generation, or as required by applicable law.
Automated decision records: 36 months from generation, to comply with transparency and accountability obligations.
After account cancellation: audit logs are retained for the indicated period and then deleted.

After cancellation:

Billing data and receipts: up to 10 years due to Mexican tax and accounting obligations established in the Federal Tax Code.
Conversations and configurations: generally 90 days after cancellation, unless you request immediate deletion or there is a legal obligation to retain them.
Backup records: up to 30 additional days, with restricted access and deletion through backup rotation. Complete deletion in backups may take up to 30 additional days, during which the data will remain encrypted and without the possibility of selective restoration.

7. DATA SUBJECT RIGHTS (ARCO, GDPR, CCPA/CPRA)

7.1 Mexico - ARCO Rights and others

Under current Mexican legislation, you may:

Access: Know what data we hold about you and how we process it.
Rectification: Request the correction of inaccurate or incomplete data.
Cancellation: Request, where appropriate, the deletion of your data.
Objection: Object to certain processing activities (for example, marketing).

Additionally, you may request the limitation of the use or disclosure of your data and revoke consent previously granted, where applicable.

7.2 European Union / GDPR

If you are located in the EU/EEA, in addition to the above, you have the right to:

Data portability
Restriction of processing
Objection to processing, including direct marketing and automated decision-making
Not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you, subject to certain exceptions.

You also have the right to lodge a complaint with an EU supervisory authority. We will indicate the lead supervisory authority when we designate an EU representative.

7.3 California and other US privacy laws

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you, among others, the following rights regarding your "personal information":

Right to know what data is collected, used, disclosed, or sold
Right to request access and deletion
Right to request correction of inaccurate information
Right to opt out of the sale or sharing of personal information ("Do Not Sell or Share My Personal Information"), where the business engages in such activities
Right to limit the use of sensitive personal information
Right not to be discriminated against for exercising these rights

Currently, XELIA does not sell or share personal information as those terms are defined under the CCPA/CPRA. Should this change, we will update this Notice and enable the appropriate opt-out mechanisms.

7.4 Colombia, Argentina, Chile, Ecuador, and Spain

If you are located in any of these countries where XELIA operates, in addition to the rights described in section 7.1, you may exercise the following rights under your local legislation:

Colombia (Law 1581/2012): Right to know, update, rectify, and delete your data; revoke authorization; file complaints with the SIC.
Argentina (Law 25,326): Right to free access every 6 months, rectification, deletion, and confidentiality; file claims with the AAIP.
Chile (Law 19,628 + Law 21,719): Right of access, rectification, cancellation, and objection; right to data portability; file claims with the Personal Data Protection Agency.
Ecuador (LOPDP 2021): Right of access, rectification, deletion, objection, portability; right not to be subject to exclusively automated decisions; file claims with the Superintendence of Personal Data Protection.
Spain (RGPD + LOPDGDD): All rights in section 7.2, plus the right to a digital will and the digital rights recognized in Title X of the LOPDGDD; file claims with the AEPD.

To exercise any of these rights, send an email to privacidad@xelia.ai indicating your country of residence and the right you wish to exercise.

8. EXERCISING YOUR RIGHTS

To exercise your rights (ARCO, GDPR, CCPA/CPRA, or others):

Send an email to: privacidad@xelia.ai

Or use the alternative email: info@xelia.ai

Your request must include, at minimum:

Full name and means to communicate the response to you
Documents that verify your identity or legal representation
Clear description of the data with respect to which you wish to exercise the right
Right(s) you wish to exercise

Indicative response timelines:

Mexico: up to 20 business days to respond and, where applicable, up to 15 additional business days to execute the requested action (pursuant to the Law and criteria of the National Institute of Transparency, Access to Information and Protection of Personal Data, INAI).
GDPR: up to 1 month, extendable in complex cases (Art. 12.3 GDPR).
CCPA/CPRA: generally up to 45 days to respond.

Where we are unable to fully comply with your request for legal or technical reasons, we will explain this to you in detail.

9. SECURITY MEASURES

We adopt appropriate technical and organizational measures to protect personal data, which include:

TLS/SSL encryption in transit (HTTPS)
Access controls and authentication
Storage in secure AWS infrastructure with firewall protection
Password management using robust hashing algorithms (when full authentication is implemented)
Logging of relevant security events
Internal incident management procedures

Additional measures already implemented:

Encryption at rest at the database level using pgcrypto (AES-256)
Multi-factor authentication available via OAuth providers (Google, Apple)
Automated backups with 30-day retention
Fail2ban for brute-force attack protection
SSH hardening (no passwords, keys only)
Rate limiting on authentication endpoints
HMAC signature validation on webhooks (Stripe, Twilio)
Periodic API key rotation
Automated monitoring every 5 minutes with auto-healing

If we detect a security breach that significantly affects your data, we will notify you in the terms established by applicable regulations.

10. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies to:

Enable website operation and login (essential cookies)
Remember your preferences (e.g., language)
Perform usage analytics (when we implement Google Analytics or other tools)
Where applicable, marketing and remarketing (advertising pixels, Google Ads)

Current implementation status:

XELIA does not yet use third-party analytics tools or marketing cookies. However, in order to improve the service and user experience, XELIA plans to implement in the future:

Google Analytics
Advertising pixels (Facebook)
Google Ads
Other digital analytics and marketing tools

Where required by law (for example, in the EU/EEA or United Kingdom), we will display a cookie consent banner that allows you to:

Accept all cookies
Reject all non-essential cookies
Configure categories (analytics, marketing, etc.)

For more details on specific cookies, types, purposes, and how to manage them, see our Cookie Policy (following section of this Notice).

11. MINORS

XELIA is not directed at minors under the age of 18 and we do not intentionally collect data from minors.

If we detect that we have processed data of a minor without the required authorization, we will delete it as promptly as possible and, if necessary, take steps to block access.

12. UPDATES TO THIS PRIVACY NOTICE

We may modify this Notice from time to time to reflect changes in our data processing practices, new platform features, or updates to applicable legislation.

We will publish the updated version at https://xelia.ai, indicating the date of last update at the beginning of this document.

When changes are substantial (for example, new purposes, new data categories, new recipients), we will notify you via the email address registered to your account or through prominent notices on the platform.

In cases where regulations require it, we will request your consent again.

13. COOKIE POLICY

13.1 What are cookies?

Cookies are small text files that are stored in your browser or device when you visit a website. Cookies allow the website to recognize your device and remember information about your visit, such as your language preferences or login credentials.

13.2 What cookies do we use?

XELIA uses or plans to use the following categories of cookies:

Essential cookies (necessary)

Purpose: Login, session maintenance, security, basic site operation.

Legal basis: Legitimate interest / contract performance.

Examples:

Session cookies to keep your login active
Security cookies to prevent CSRF attacks
Technical cookies for load balancing

These cookies are strictly necessary for the site to function and do not require your consent.

Preference cookies

Purpose: Language, interface options, custom settings.

Legal basis: Legitimate interest or consent depending on jurisdiction.

Examples:

Selected language cookie
Visual theme cookie (light/dark)

Analytics cookies (when implemented)

Purpose: Usage analytics, traffic statistics, user experience optimization.

Tool: Google Analytics (planned)

Data collected: Pages visited, time on site, interaction events, aggregated demographic data.

Legal basis: Consent (EU/EEA); legitimate interest where permitted by law.

Third party: Google LLC. Privacy policy: https://policies.google.com/privacy

Marketing cookies (when implemented)

Purpose: Remarketing, conversion tracking, personalized advertising.

Planned tools:

Facebook advertising pixel
Google Ads
Other advertising platforms

Legal basis: Consent.

Third parties:

Facebook. Privacy policy: https://www.facebook.com/privacy/policy
Google LLC. Privacy policy: https://policies.google.com/privacy

13.3 How to manage cookies

Consent banner:

When we implement non-essential cookies, XELIA will display a cookie consent banner when you first access the site. From this banner you can:

Accept all cookies
Reject non-essential cookies
Configure your preferences by category

Browser settings:

You can also configure your browser to block or delete cookies:

Chrome: Settings > Privacy and security > Cookies and other site data
Firefox: Options > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Manage Website Data
Edge: Settings > Privacy, search, and services > Cookies

Please note that blocking all cookies may affect the functionality of the site.

13.4 Third-party cookies

XELIA may use third-party services that set their own cookies on your device:

Current:

Stripe (for payment processing and fraud prevention)
Cloudflare (for CDN and security)

Future:

Google (Analytics, Ads)
Facebook (advertising pixel)

We recommend reviewing the privacy policies of these third parties for more information about how they use cookies.

13.5 Updates to the Cookie Policy

This Cookie Policy is an integral part of the Privacy Notice and will be updated in accordance with section 12 hereof.

14. THIRD-PARTY TRANSFERS

XELIA shares personal data only in the following circumstances:

With service providers (data processors / sub-processors):

a) Stripe, Inc.: Payment processing and subscription management. Country: United States.
b) Amazon Web Services (AWS): Server and database hosting. Country: United States.
c) Cloudflare, Inc.: DNS management, CDN, and web security. Country: United States.
d) Anthropic, PBC: Conversation analysis, lead scoring, AI reasoning. Country: United States.
e) OpenAI, L.L.C.: Real-time voice processing, audio transcription, content moderation. Country: United States.
f) Google LLC: Extensive document analysis, summaries, translations. Country: United States.
g) Perplexity AI, Inc.: Real-time information search, fact-checking. Country: United States.
h) Deepgram, Inc.: Real-time speech recognition and synthesis. Country: United States.
i) Twilio, Inc.: Programmable telephony, number provisioning, SMS, and WhatsApp. Country: United States.

These providers act as data processors and only process data according to our instructions and contracts that guarantee an adequate level of protection. No AI provider uses data sent through their commercial APIs to train artificial intelligence models.

XELIA will notify you of significant changes to the sub-processor list in accordance with section 12 of this Notice.

By legal obligation:

We may disclose personal data when required by law, court order, or request from competent governmental authorities.

With your consent:

In any other case, we will request your express consent before sharing your personal data with third parties.

XELIA does NOT sell, rent, or commercially trade personal data to third parties for marketing purposes.

15. AUTOMATED DECISIONS AND PROFILING

15.1 Use of artificial intelligence in decisions and evaluations

XELIA uses artificial intelligence systems to perform the following activities that may involve automated processing of personal data:

a) Lead scoring (automated prospect evaluation): The AI system analyzes conversations, data provided by the prospect, and interaction context to generate a numerical score indicating the prospect's likelihood of conversion or level of interest. This score is generated as a decision-support tool for the XELIA client's sales team.

b) Conversation analysis: The AI system analyzes voice and text conversations to extract relevant information such as buying signals, objections, overall sentiment, mentioned contact details, and next-step recommendations.

c) Automated recommendation generation: Based on the analysis, the system may suggest actions such as scheduling a follow-up, sending an email, or adjusting the communication strategy.

d) Automated content moderation: The system automatically filters content that violates XELIA's and its AI providers' acceptable use policies.

15.2 Nature of automated decisions

The evaluations and recommendations generated by XELIA's AI systems are tools to support human decision-making. In no case do these evaluations produce legal effects on their own or replace human judgment in decisions that significantly affect the individuals evaluated.

Lead scoring and conversation analysis results must be reviewed by a human before making any commercial, contractual, or employment decision based on them. XELIA automatically includes notices to this effect in all AI-generated reports.

15.3 Your rights regarding automated decisions

Pursuant to Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP 2025), the European Union's General Data Protection Regulation (GDPR), and international best practices, you have the right to:

Be informed when an evaluation or recommendation about you has been generated by an artificial intelligence system.
Request human intervention in any decision that affects you and that has been assisted by artificial intelligence.
Express your point of view regarding any automated evaluation.
Challenge a decision and request that it be reviewed by a person.
Obtain an explanation of the general logic used by the AI system to generate the evaluation.

To exercise any of these rights, contact privacidad@xelia.ai.

15.4 Automated decision records

XELIA maintains an audit log of all AI-assisted evaluations and decisions, which includes: the AI provider used, the type of decision, the date, and whether human review is required. This log is available to regulatory authorities if required under applicable law.

15.5 Safeguards implemented

To protect your rights in relation to automated processing, XELIA implements the following safeguards:

Automatic sanitization of sensitive personal data before sending information to AI providers.
Mandatory inclusion of disclaimers in all AI-generated reports indicating that human validation is required.
Persistent audit log of all AI activity involving personal data.
Content filtering through moderation systems to prevent processing of prohibited content.
Periodic review of AI models and providers to verify compliance with quality and non-discrimination standards.

16. COMPARATIVE DATA PROCESSING TABLE BY PLAN

Data Category / Processing	Demo	Impulso	Pro	MAX
Registration data (name, email, company)	No	Yes	Yes	Yes
Payment / subscription data (via Stripe)	No	Yes	Yes	Yes
Text conversations	Yes (temporary)	Yes (persistent per configuration)	Yes (persistent + advanced analytics)	Yes (persistent + advanced analytics, custom dashboards)
Audio and transcriptions (voice)	Yes (not retained by default unless explicit consent)	Optional per configuration	Optional per configuration	Optional and adjustable by contract
Advanced assistant configuration	Limited	Basic	Advanced	Custom / tailored
Use for AI model improvement	Only with explicit consent	Only with explicit client consent	Same	Same, with possibility of specific agreements
Third-party integrations (CRM, helpdesk, etc.)	No	Limited	Multiple integrations	Custom integrations
Default conversation retention	Session	While account is active (deleted 90 days after cancellation)	Same	Same, with custom policy options
Custom privacy options (DPA, specific SCCs)	No	Yes (standard DPA)	Yes (standard EU/US DPA)	Yes (DPA + custom clauses)

17. CONTACT AND INQUIRIES

For any questions, comments, or requests related to this Privacy Notice or the processing of your personal data, you may contact us at:

Aerosync Corporate Services SAPI de CV

Address: Avenida Division del Norte, Colonia Lomas de Memetla, Postal Code 05330, Alcaldia Cuajimalpa de Morelos, Mexico City, Mexico

Privacy Officer: Leonardo Abad Galan

Privacy email: privacidad@xelia.ai

General email: info@xelia.ai

Phone: +52 56 2915 2081

Website: https://xelia.ai

We are committed to protecting your personal data and providing you with full transparency about how we process it.

Last updated: April 2026

Version: 2.2