Privacy Notice
ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V.
Version 3.0.2 — In effect from 30 April 2026
Coverage: Mexico · Colombia · Argentina · Chile · Ecuador · Spain · European Union
1. Data Controller and Contact Information
1.1 Data Controller
ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. (operating commercially under the brand "XELIA") (hereinafter "XELIA", the "Controller" or "we"), with registered office at Avenida División del Norte, Colonia Lomas de Memetla, Postal Code 05330, Cuajimalpa de Morelos, Mexico City, Mexico, is the Controller of personal data collected through our website, platform, and other channels associated with the domain https://xelia.ai.
Ministry of Economy Registration Code: A202603021045123709. The Federal Taxpayer Registry (RFC) is pending issuance by the Mexican Tax Administration Service (SAT) and will be published upon issuance.
1.2 Privacy Contact / Data Protection Officer (DPO)
For any question or request related to personal data protection:
- Data Protection Officer: Leonardo Abad Galán
- Official email: privacidad@xelia.ai
- Backup DPO (personal): cibscyc@proton.me
- Postal address: as indicated in 1.1
1.3 Dual role: Controller and Processor
XELIA operates in two distinct roles depending on the context:
- CONTROLLER: with respect to personal data of website users, demo users, registered users, direct clients, and prospects identified by XELIA for its own marketing purposes.
- PROCESSOR: with respect to personal data that our Clients (tenants) upload, generate, or manage through the XELIA platform regarding their own clients, prospects, and contacts.
When XELIA acts as Processor, the Client shall sign a Data Processing Agreement (DPA) upon contracting the service. The DPA establishes specific obligations under GDPR Article 28 and equivalent standards in Mexico (LFPDPPP), Colombia (Law 1581 of 2012), Argentina (Law 25.326), and other applicable jurisdictions.
1.4 EU representative (where applicable)
When ALTHAGIZ reaches the threshold requiring an EU representative pursuant to GDPR Article 27, the representative's designation and contact details shall be added herein and notified to users.
2. Personal Data We Process
Depending on how you interact with XELIA, we may process the following categories of personal data:
2.1 Website browsing (pre-registration)
- IP address and online identifiers (cookies, session IDs)
- Browser type, operating system, device, language
- Referral URL, pages visited, timestamps
- Technical events (error logs, performance)
Purposes:
- Maintaining security (abuse and fraud detection)
- Technical operation of the website
- Usage analytics and service improvement
2.2 During the free demo (no payment)
Voice data (considered sensitive biometric data):
- Audio captured by your microphone during the demo
- Speech-to-text transcriptions
- Metadata: duration, language, timestamps
Interaction data:
- Text messages sent to the assistant
- System-generated responses
- Basic demo configuration (language, type)
By default, audio and its transcriptions shall be deleted upon termination of the demo session. If you grant explicit consent through a SEPARATE AND SPECIFIC CHECKBOX (not included in the general acceptance of terms), XELIA may retain this data for up to 24 months to improve AI models. You may revoke this consent at any time.
2.3 During registration and contracting
Identification and contact:
- Full name
- Email address
- Company, role, country
- Phone number (optional)
Account and subscription:
- Username, credentials (password hashed with bcrypt + salt)
- Subscription plan (Impulso, Pro, Max, Enterprise)
- Registration date, renewal, subscription status
- Billing configuration (currency, tax ID where applicable)
Payment (via Stripe, Inc.):
Stripe processes card data as an independent controller/processor. XELIA does not store card numbers or CVCs. XELIA stores only:
- Stripe customer ID (customer_id)
- Payment and subscription IDs
- Amount, date, and status of payment
- Billing history and tax receipts
2.4 During service use (post-purchase)
Interactions:
- Text conversations
- Voice recordings (when the feature is active and with consent)
- Transcriptions and generated responses
- Files or data integrated through the platform
Assistant configuration:
- Assistant name, prompts, flows, business rules
- Language preferences
- Enabled integrations (CRM, helpdesk, etc.)
Metrics and logs:
- Frequency and volume of interactions
- Performance statistics
- Technical and error logs
2.5 Our own marketing data (optional)
- Communication preferences
- Email interactions (opens, clicks)
- Contact forms
2.6 B2B outbound prospecting data
Public data sources used:
- DENUE (National Statistical Directory of Economic Units) of the National Institute of Statistics and Geography (INEGI) — Mexico
- RUES (Unified Commercial and Social Registry) — Colombian Chamber of Commerce
- Google Places API — global
- Official public directories of each country of operation
- Publicly accessible professional platforms (public LinkedIn, corporate websites)
Types of data collected (business data only, NEVER from random individuals):
- Business trade name
- Public commercial address
- Public commercial phone
- Public commercial email (where available)
- Corporate website
- Commercial sector / industry
- Public information about commercial offerings
Legal basis:
Legitimate interest (GDPR Article 6(1)(f), LFPDPPP Article 10, and equivalents) for B2B commercial contact with businesses whose data is published as a commercial contact channel. XELIA maintains documented Legitimate Interest Assessments (LIAs) balancing such interest against data subjects' rights.
Important: XELIA does NOT conduct cold outbound to individual consumers (B2C). Outbound operates exclusively toward businesses with public commercial contact information.
2.7 Social Listening data (public)
XELIA monitors public platforms to detect openly expressed purchase intent:
- Reddit (public subreddits)
- Public reviews on Google Business Profile
- X/Twitter (public posts, when enabled)
- Public Facebook and LinkedIn groups (roadmap)
The data processed is limited to information freely published by authors in public contexts. XELIA does NOT respond directly to these users; it generates suggestions so that the Client-tenant may respond manually from their own account, if they so decide. The decision to contact is always human.
3. Legal Basis for Processing
We process personal data on the following legal bases, depending on the type of data and the nature of the relationship with you:
3.1 Performance of contract
- Creating and administering your account
- Providing the contracted services
- Managing payments and support
3.2 Compliance with legal obligations
- Retention of accounting and tax information
- Handling requests from authorities
- Compliance with obligations under consumer protection laws
3.3 Legitimate interest
- Platform security and fraud prevention
- Basic usage analytics for service improvement
- B2B outbound prospecting to businesses (see 2.6)
- Communication with administrative users of B2B accounts
3.4 Consent
- Non-essential cookies (analytics, marketing)
- Direct marketing where required by law
- Use of biometric voice data (explicit and separate consent)
- Training AI models with user data
- Outbound contact in jurisdictions requiring prior consent (Spain)
Consent may be withdrawn at any time without retroactive effect.
4. Voice Data and Artificial Intelligence Processing
4.1 Biometric voice data — granular consent
Voice data constitutes SENSITIVE PERSONAL DATA pursuant to GDPR Article 9 and the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP). Its processing requires explicit and specific consent.
For this reason, XELIA implements TWO separate checkboxes during onboarding:
- [ ] I accept the Terms of Service and the Privacy Notice
- [ ] EXPLICIT consent for the processing of my voice as biometric data during demos and service use
The second checkbox is NOT automatically activated and may be revoked at any time through account settings or by writing to privacidad@xelia.ai.
4.2 Country-aware AI disclosure policy
XELIA implements an AI disclosure policy that respects both the legal obligations of each country and the right to a natural customer service experience.
OUTBOUND calls (XELIA contacts the data subject):
In ALL outbound calls, regardless of country, XELIA shall audibly declare at the start: "Hello, good morning/afternoon. I am calling on behalf of [business name]. I am an artificial intelligence assistant. May I have a moment?"
INBOUND calls (the data subject calls the business):
In jurisdictions where the law requires disclosure (Spain, European Union, and any future jurisdiction with equivalent AI Act legislation), XELIA shall declare itself as AI at the start of each inbound call.
In jurisdictions without legal disclosure obligation for inbound calls (Mexico, Colombia, Argentina, Chile, Ecuador), XELIA responds with a natural professional greeting from the business, prioritising the experience of the customer who voluntarily initiated the contact. Example: "Dr. García's clinic, this is XELIA, how may I help you?"
Immutable honesty rule:
XELIA shall NEVER deny being an AI assistant. If any interlocutor directly asks whether it is human, robot, person, AI, or similar, XELIA shall ALWAYS respond truthfully. This rule is hardcoded in the system and cannot be disabled by any Client, configuration, custom prompt, or external instruction.
Recording notice:
All calls (inbound and outbound, in all countries) include notice that the call may be recorded for service quality and AI model training purposes (where applicable with consent).
4.3 Multi-AI Orchestration
XELIA uses an orchestration system that routes requests to the most suitable AI provider based on the task:
| Provider | Location | Use |
|---|---|---|
| Anthropic, PBC (Claude) | United States | Conversation analysis, lead evaluation, complex reasoning, response generation |
| OpenAI, L.L.C. (GPT, Whisper, Moderation) | United States | Real-time voice, transcription, moderation, embeddings |
| Google LLC (Gemini) | United States | Long context, summaries, translations. Paid tier without training |
| Perplexity AI, Inc. (Sonar) | United States | Real-time search, verification, market analysis |
| Deepgram, Inc. | United States | Speech-to-Text and Text-to-Speech in production |
All providers act as PROCESSORS under contracts with protection clauses equivalent to Standard Contractual Clauses (SCCs). None of them uses data submitted via commercial APIs to train their own models, pursuant to their current commercial terms.
4.4 Safeguards implemented
- Automatic sanitisation of sensitive data (national ID numbers, tax IDs, card numbers, bank account numbers, emails, phone numbers) before transmission to external providers
- Content filtering through OpenAI's moderation API
- Persistent audit log of each AI interaction (provider, task type, whether personal data was involved)
- Mandatory disclaimers on every AI-generated report indicating the need for human review
5. B2B Outbound Contact and Country-Specific Compliance
XELIA enables its Clients to conduct B2B commercial contact campaigns with businesses identified through public sources. ALL campaigns comply with the following principles:
5.1 Universal principles
- Mandatory AI disclosure at the start of each call
- Immediate opt-out mechanism (contacted person may request not to be contacted again)
- Opt-out registry respected across ALL channels (voice, WhatsApp, email)
- Contact hours respected according to country and local time zone of the contact
- Prior verification against national Do-Not-Call registries (where applicable)
- Fail-closed: if the compliance system cannot verify, NO contact is made
5.2 Mexico
Legal framework: Federal Consumer Protection Law + LFPDPPP 2025
XELIA's automated outbound contact is directed primarily to businesses with publicly available commercial phone numbers (B2B), identified through official sources such as DENUE (INEGI) and Google Places. For this type of contact, the Public Registry to Avoid Advertising (REPEP) of PROFECO has limited application pursuant to PROFECO's criterion, given that REPEP is primarily designed to protect individual consumers who register their phone numbers to avoid receiving telemarketing advertising.
When XELIA detects that a number corresponds to an individual consumer registered in REPEP (for example, when a Client-tenant provides us with its own contact lists), XELIA shall respect such registration and block the contact.
XELIA implements fail-closed technical architecture for REPEP verification. Formal ingestion of PROFECO's official lists is scheduled for completion once the Federal Taxpayer Registry (RFC) of ALTHAGIZ SERVICES NAT is obtained, currently pending with the SAT. In the meantime, Client-tenants uploading their own consumer lists assume responsibility for having verified REPEP in accordance with their own obligations.
- Mandatory AI Disclosure at the start of each outbound call (hardcoded).
- Immediate opt-out mechanism across each channel (voice, WhatsApp, email).
- Permitted hours: 9:00 to 20:00 local time. No contact on Sundays or official holidays.
- ARCO rights: the data subject may exercise Access, Rectification, Cancellation, and Objection through privacidad@xelia.ai.
- Supervisory authority: National Institute for Transparency, Access to Information and Personal Data Protection (INAI) — inai.org.mx
5.3 Colombia
Legal framework: Law 1581 of 2012 + Decree 1377 of 2013
- XELIA respects the National Database Registry (RNBD) of the Superintendence of Industry and Commerce (SIC).
- Habeas Data: the data subject may query, update, rectify, and delete their data. This right is FREE OF CHARGE.
- Permitted hours: 7:00 to 21:00 local time (Mon-Fri); 8:00 to 15:00 (Saturdays). No Sundays or holidays.
- Supervisory authority: Superintendence of Industry and Commerce (SIC) — sic.gov.co
5.4 Argentina
Legal framework: Law 25.326 on Protection of Personal Data + Law 26.951 "Do Not Call"
- XELIA shall consult the "No Llame" (Do Not Call) Registry of the Agency for Access to Public Information (AAIP) before each contact.
- Applicable consent-first mode: in cases of ambiguity, an informative WhatsApp message with opt-in is sent before any call.
- Permitted hours: 8:00 to 21:00 local time. No Sundays or holidays.
- Potential fine for non-consultation: up to 100,000 Contributive Units.
- Supervisory authority: Agency for Access to Public Information (AAIP) — argentina.gob.ar/aaip
5.5 Chile
Legal framework: Law 21.719 on Protection of Personal Data (in force since December 2024)
- Mandatory DPO designation (Leonardo Abad Galán — cibscyc@proton.me).
- Data subjects have ARSOPOL rights (Access, Rectification, Suppression, Objection, Portability, Objection to automated decisions, Limitation).
- Prior consent required for marketing. B2B outbound to businesses based on public data with documented legitimate interest.
- Permitted hours: 9:00 to 20:00 local time. No Sundays.
- Supervisory authority: Personal Data Protection Agency (fully operational in 2026)
5.6 Ecuador
Legal framework: Organic Law for Personal Data Protection (LOPDP) 2021
- Principles of lawfulness, purpose, proportionality, pertinence, confidentiality.
- Prior consent for direct marketing. B2B outbound under documented legitimate interest.
- Permitted hours: 8:00 to 20:00 local time. No Sundays or holidays.
- Supervisory authority: Superintendence of Personal Data Protection — spdp.gob.ec
5.7 Spain
Legal framework: GDPR + LOPDGDD + LSSI-CE + General Telecommunications Law
MANDATORY CONSENT-FIRST MODE: since 29 June 2023, all commercial calls without prior consent are unlawful pursuant to Article 66.1.b) of the General Telecommunications Law, REGARDLESS of being on the Robinson List.
- XELIA does NOT call prospects in Spain directly. It first sends an informative WhatsApp/SMS message requesting explicit consent: "Would you be interested in receiving a call about [service]? Reply YES so we may contact you."
- Only if the prospect responds affirmatively shall the call proceed. This consent is stored with timestamp and evidence as legal proof.
- XELIA consults the Robinson List (managed by ADIGITAL) before each contact.
- Permitted hours: 9:00 to 21:00 local time. No holidays or weekends.
- Potential fines: up to €20 million (GDPR) or €600,000 (LSSI).
- Supervisory authorities: Spanish Data Protection Agency (AEPD) — aepd.es; National Commission for Markets and Competition (CNMC)
5.8 United States — NOT OPERATIONAL
XELIA does NOT operate outbound in the United States due to restrictions under the Telephone Consumer Protection Act (TCPA) and the 2024 FCC ruling requiring prior written consent for automated calls using AI. The platform technically blocks campaigns attempting to contact U.S. numbers.
6. International Transfers and Storage
6.1 Main infrastructure
XELIA hosts its platform on infrastructure provided by Hetzner Online GmbH. The exact location of production servers is kept up to date in the Technical Documentation section and is available upon request by writing to privacidad@xelia.ai.
6.2 Providers and locations
| Provider | Country | Purpose | Data |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Primary hosting | All platform data |
| AWS | USA (us-east-1) | Email (SES), backups | Transactional emails, backup data |
| Anthropic | USA | AI analysis, lead scoring | Conversation text (sanitised) |
| OpenAI | USA | Voice, transcription, moderation | Audio, transcriptions |
| Google (Gemini) | USA | Long context, summaries | Long documents (sanitised) |
| Perplexity | USA | Real-time search | Queries (sanitised) |
| Deepgram | USA | STT and TTS in production | Audio, text |
| Stripe | USA | Payments | Payment and billing data |
| Twilio | USA | Voice (telephony) and WhatsApp | Numbers, call metadata, messages |
| Cloudflare | Global (CDN) | Security and CDN | Web traffic, IPs |
| Meta Platforms | USA | WhatsApp Business Platform | WhatsApp messages (end-to-end encrypted) |
6.3 Transfer mechanisms
- Transfers from Mexico: under Chapter V of the LFPDPPP with contracts containing clauses providing an adequate level of protection.
- Transfers from the EU/EEA: under Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.
- Sanitisation of sensitive data applied before transmission to external providers.
7. Data Subject Rights
Depending on your country of residence, you have the following rights regarding your personal data:
7.1 Mexico — ARCO Rights + LFPDPPP 2025
- Access, Rectification, Cancellation, Objection
- Limitation of use
- Withdrawal of consent
- Not to be subject to automated decisions without human intervention (new LFPDPPP 2025 articles)
7.2 European Union (GDPR)
- Access, Rectification, Erasure, Portability
- Limitation, Objection
- No automated decisions without human intervention (Article 22)
- Lodge a complaint with the AEPD (Spain) or other local supervisory authority
7.3 Colombia (Law 1581 — Habeas Data)
- Know, update, rectify
- Request proof of consent
- Be informed about the use of data
- Withdraw consent or request deletion
- Complaint before the SIC
7.4 Argentina (Law 25.326)
- Access, rectification, update
- Deletion or blocking
- Confidentiality
- Complaint before the AAIP
7.5 Chile (Law 21.719)
- ARSOPOL: Access, Rectification, Suppression, Objection, Portability, Objection to automated decisions, Limitation
- Right to "digital disconnection"
7.6 Ecuador (LOPDP 2021)
- Access, rectification, update
- Deletion, objection
- Portability
7.7 How to exercise your rights
Send an email to privacidad@xelia.ai with:
- Full name and means of contact
- Document evidencing your identity
- Right(s) you wish to exercise
- Clear description of the data involved
Response periods:
- Mexico: 20 business days + 15 additional business days for execution
- EU: 1 month (extendable in complex cases)
- Other countries: pursuant to their local regulations
8. Retention Periods
We apply the principle of storage limitation:
| Type of data | Retention period |
|---|---|
| Navigation and security logs | 12-24 months |
| Demo data (if consent revoked) | Immediately upon session end |
| Demo data (with consent for AI improvement) | Up to 24 months |
| Active account and subscription | Duration of the account |
| Post-cancellation conversations | 90 days (unless immediate deletion requested) |
| AI audit logs | 24 months |
| Automated decision records | 36 months |
| Backups | 30 days (encrypted) |
| Tax and accounting data | Up to 10 years (Mexican Federal Tax Code) |
| Outbound lead not contacted (rejected) | 30 days (only to avoid re-contact) |
| Contacted outbound lead with opt-out | Permanent in opt-out list |
| Consents granted (evidence) | Duration of the relationship + 3 years |
9. Automated Decisions and Profiling
9.1 Activities involving automated processing
- Lead scoring (automated prospect evaluation with AI)
- Analysis of voice and text conversations
- Generation of automated recommendations
- Automated content moderation
- Automatic classification of sentiment and objections
9.2 Nature of decisions
ALL evaluations and recommendations generated by XELIA's AI are DECISION-SUPPORT tools for human judgement. In no case do they produce legal effects on their own, nor do they replace human judgement in decisions that significantly affect individuals.
Generated reports automatically include a disclaimer stating: "This analysis was generated by artificial intelligence and must be reviewed by a human before making commercial, contractual, or employment decisions."
9.3 Your rights regarding automated decisions
- Be informed when an evaluation was generated by AI
- Request human intervention
- Express your point of view
- Contest the decision
- Obtain an explanation of the general logic
10. Security Measures
- TLS/SSL encryption in transit (HTTPS)
- At-rest encryption using AES-256 for sensitive data
- Password hashing with bcrypt + salt
- Two-factor authentication (2FA) available
- Firewall and WAF via Cloudflare
- Granular access control (multi-tenant RBAC)
- Auditable security event logs
- Encrypted backups with 30-day retention
- Documented incident management procedures
- Breach notification within applicable legal timeframes
11. Minors
XELIA is a B2B platform directed exclusively at professionals and businesses. It is not directed to minors under 18 years of age and we do not intentionally collect data from minors. If we detect minors' data, we shall delete it and block access.
12. Updates to This Notice
We shall publish updated versions at https://xelia.ai/en/privacy/ with the date of the latest update. Substantial changes shall be notified by email and/or banner within the platform. Where legislation so requires, we shall request renewed consent.
12.1 Cookies
Please consult our specific Cookie Policy at https://xelia.ai/en/cookies/ for detailed information on types, purposes, periods, and cookie management.
13. Contact and Data Protection Officer
ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V.
Avenida División del Norte, Colonia Lomas de Memetla, Postal Code 05330, Cuajimalpa de Morelos, Mexico City, Mexico
- DPO: Leonardo Abad Galán
- Privacy email: privacidad@xelia.ai
- Backup DPO (personal): cibscyc@proton.me
- General email: hola@xelia.ai
- Support: soporte@xelia.ai
- Website: https://xelia.ai
14. Jurisdiction and Governing Law
This Privacy Notice shall be governed by the laws of the United Mexican States. For matters concerning data subjects in the European Union, the General Data Protection Regulation (Regulation (EU) 2016/679) and the applicable national implementing legislation shall prevail.
For the interpretation and performance of this Notice, ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. and the data subject submit to the jurisdiction of the competent courts of Mexico City, Mexico, expressly waiving any other jurisdiction that may correspond to them by reason of their present or future domiciles, without prejudice to the rights of data subjects to lodge complaints before the supervisory authority of their country of residence.
© 2026 ALTHAGIZ SERVICES NAT, S.A.P.I. DE C.V. All rights reserved.