Operator: Xelora Pty Ltd (ACN 692 975 107, ABN 96 692 975 107), incorporated in Australia on 18 November 2025, trading as Xelora Privacy contact: privacy@xelora.host (attention: the Privacy Officer) Last updated: 2026-05-09
1. Purpose of this Policy
This Privacy Policy explains how Xelora Pty Ltd (“Xelora”, “we”, “us”, “our”) collects, holds, uses, discloses, and protects personal information when you visit https://xelora.host, sign up for an account, or use our hosting, domain, and AI website builder services (the “Services”). It is written to comply with the Privacy Act 1988 (Cth) (as amended, including by the Privacy and Other Legislation Amendment Act 2024 (Cth)) and the Australian Privacy Principles (APPs). Where you are located in the EU/EEA or UK, references to “personal data”, “controller”, “processor”, and your rights under the GDPR / UK GDPR also apply.
This Policy should be read together with our Terms of Service and Cookies Policy.
2. Defined terms
- “Personal information” has the meaning given in the Privacy Act and includes “personal data” under GDPR/UK GDPR.
- “Sensitive information” includes information about health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and biometric data.
- “Customer Content” means data you upload, generate, or publish through the Services.
- “AI Output” means text, code, or media generated by the AI Builder.
3. APP 1 – Open and transparent management
We are committed to managing personal information openly. This Policy is freely available at https://xelora.host/privacy. Internal staff handling personal information are bound by confidentiality obligations and trained on the APPs.
4. APP 3 & APP 5 – What we collect and why; collection notice
4.1 Information you provide
- Account information: name, email, password (hashed), phone number (optional), business name, billing address.
- Billing information: processed by Stripe; we receive limited card metadata (last 4, brand, expiry) but not full card numbers, which are tokenised by Stripe.
- Identity / domain registration data: information required by domain registries (e.g. auDA-eligible name, ABN/ACN for
.audomains). - Support communications: the content of tickets, chats, and emails you send us, including conversations with the live chat.
- Customer Content and prompts: websites you build, files you upload, and prompts you submit to the AI Builder.
- Rebuild-from-URL source material: when you direct the AI Builder to rebuild from a public URL you specify, Xelora retrieves and processes the public-facing content of that URL — including HTML, text, images, fonts, video URLs, and other assets — and stores them as part of your project. We do not retrieve gated content (login, paywall,
robots.txt-disallowed). Personal information embedded in the retrieved material (e.g. photographs of individuals, employee bios, testimonials) is processed solely to generate your project. By submitting a URL you confirm you have the rights to that material — see Terms of Service clause 4.4.
4.2 Information collected automatically
- Service logs: IP address, user-agent, request URLs, timestamps, error traces.
- Usage analytics: features used, build counts, AI-token usage.
- Cookies and similar technologies: see the Cookies Policy.
4.3 Information from third parties
- Identity verification, fraud-screening, and abuse-detection signals from Stripe, registry partners, and security providers.
4.4 Sensitive information
We do not deliberately collect sensitive information. If you choose to publish sensitive information through Customer Content, you do so at your own discretion and remain the controller of that data.
4.5 Why we collect
Primary purposes: to provide the Services, bill you, provide support, secure the platform, prevent abuse, comply with law, and improve the product. Secondary purposes include sending product and security updates and (with consent or as otherwise permitted) marketing.
5. APP 4 – Unsolicited information
If we receive personal information we did not solicit and could not lawfully have collected, we will, where practicable, destroy or de-identify it.
6. APP 6 – Use and disclosure
We use personal information for the primary purpose for which it was collected and for related secondary purposes you would reasonably expect. We do not sell personal information.
We may disclose personal information to: - Service sub-processors (see section 8) — to host, secure, and operate the Services. - Payment processor — Stripe, to take payments and screen fraud. - Domain registries and registrars — where required to register, transfer, or maintain a domain (including WHOIS publication where applicable). - AI sub-processors — where you use AI features, the prompt text you submit (and selected context) is sent to the relevant AI model provider for processing. See section 7 and section 8. - Professional advisers — lawyers, auditors, accountants, under confidentiality. - Acquirers — in connection with a corporate transaction, subject to confidentiality. - Authorities — where required by Australian law, court order, or to protect rights, safety, or property.
7. AI features (Xelora AI) — specific notes
7.1 The AI-powered features within our platform — including the live chat, AI Website Builder, and rebuild-from-URL — are marketed under the brand name Xelora AI. The underlying large language models are supplied by third-party providers (see section 8).
7.2 What is sent to the AI providers: only the prompt text you submit to the AI feature, together with limited context that you have asked us to include (for example, the current page contents when you ask the AI to edit them). We do not send your account profile, billing records, support history, payment details, or other database records to the AI providers.
7.3 Training and storage: we do not use Customer prompts or AI Output to train Xelora’s own models. Anthropic is contractually prohibited under its commercial terms from training its models on customer content submitted through its commercial API. Ollama Cloud does not train models on, and does not retain or store, customer inference traffic submitted through its API, per Ollama Cloud’s published documentation and terms. If we add or change AI providers in the future, or if either provider’s policy changes, we will update this Policy and the sub-processor list before the change takes effect.
7.4 Safety scanning: we may scan prompts and AI Output for safety, abuse, and policy enforcement (for example, to detect attempts to generate illegal or infringing content). This scanning may be automated.
8. APP 8 – Cross-border disclosure
Some of our sub-processors are located outside Australia. By using the Services you acknowledge these overseas disclosures. The current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Australia Pty Ltd / Stripe Inc. | Billing and fraud screening | Australia / United States |
| Anthropic, PBC | AI features — Claude family models | United States |
| Ollama Cloud | AI features — hosted inference for non-Anthropic models (e.g. Kimi-family) | United States |
| Domain registrars and registries (varies by TLD) | Domain registration, transfer, renewal | Various |
Customer hosting data (websites, databases, uploaded files) is stored on infrastructure operated by Xelora in New South Wales, Australia. Outbound transactional email is sent from servers Xelora operates in Australia using its own SMTP infrastructure.
Before disclosing personal information overseas we take reasonable steps to ensure the recipient does not breach the APPs, including using contractual protections (e.g. Standard Contractual Clauses for EU/UK transfers).
9. APP 11 – Security and retention
9.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access using measures including: - TLS in transit, encryption at rest for production databases and backups; - least-privilege access controls and audit logging; - regular patching, vulnerability scanning, and incident response procedures; - segregation of customer data by tenant.
9.2 We retain personal information only as long as needed: - Account records: for the life of the account plus 7 years after closure for tax and corporate-records purposes. - Billing records: 7 years as required by Australian taxation law. - Customer Content / AI prompts: until you delete it or until 90 days after the account is suspended or closed, whichever is earlier, except where retention is required by law. - Server and security logs: generally 90 days.
9.3 If we suffer an eligible data breach, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act and notify you and the OAIC where required.
10. APP 12 & 13 – Access and correction
You may ask us at any time to: - access the personal information we hold about you; - correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
Send requests to privacy@xelora.host. We will respond within 30 days. We will not charge for access. If we decline, we will give written reasons and explain how to complain.
11. Your rights by region
Xelora markets the Services in English. Section 10 sets out the access and correction rights that apply to all users. Depending on where you live, additional rights may apply. The list below identifies the regimes most relevant to English-language markets as of the “Last updated” date at the top of this Policy. Privacy law is fast-moving; if your local law has been amended since that date — or if you are a resident of a jurisdiction not specifically named below (see the catch-all in section 11.12) — and that law grants additional rights, those rights still apply. To exercise any right, write to privacy@xelora.host with a description of the right you are exercising and the law you are exercising it under.
11.1 Australia (primary jurisdiction)
Rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs 1-13) apply as set out elsewhere in this Policy. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) — see section 15.
11.2 European Economic Area (EU/EEA)
If you are located in the EU/EEA, the General Data Protection Regulation (GDPR) applies. In addition to access and correction, you have rights to: - erasure (“right to be forgotten”); - restriction of processing; - data portability (machine-readable export); - objection to processing (including to direct marketing); - not to be subject to solely automated decision-making with legal effect; and - to withdraw consent at any time, where processing is based on consent.
Our lawful bases for processing include performance of a contract with you, our legitimate interests (security, product improvement, fraud prevention), compliance with legal obligations, and your consent (where applicable, e.g. for marketing). You may lodge a complaint with the supervisory authority in your country of residence (a directory is at https://edpb.europa.eu/about-edpb/about-edpb/members_en).
11.3 United Kingdom
The UK GDPR and the Data Protection Act 2018 grant you the same rights as in section 11.2. You may complain to the Information Commissioner’s Office (ICO) — https://ico.org.uk — 0303 123 1113.
11.4 California, USA
The California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”) applies to “businesses” that meet specific thresholds (broadly, US$25 million annual revenue, 100,000 or more California consumers, or 50% or more revenue from selling personal information). Xelora is below all three thresholds and is not formally subject to the CCPA at this time. We have nevertheless chosen to extend the CCPA’s substantive consumer rights to California residents as a matter of policy. If our circumstances change such that we become formally subject to the CCPA, this section will be updated accordingly. Enforcement is shared between the California Privacy Protection Agency (CPPA) (https://cppa.ca.gov — file a complaint) and the California Attorney General. Under those laws you have the rights to: - Know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties to whom we disclose it; - Delete — request deletion of personal information we have collected from you, subject to legal exceptions; - Correct — request correction of inaccurate personal information; - Opt-out of “sale” or “sharing” — Xelora does not sell or share personal information for cross-context behavioural advertising. See section 12 (“Do Not Sell or Share My Personal Information”); - Limit use of sensitive personal information — you may direct us to use sensitive personal information only as necessary to provide the Services. We do not use sensitive personal information for purposes beyond providing the Services; - Non-discrimination — we will not discriminate against you for exercising any of these rights; - Designate an authorised agent — you may use an authorised agent to make a request on your behalf, subject to verification.
To exercise these rights, email privacy@xelora.host with a description of your request. We will verify your identity (typically by matching information against our records) and respond within 45 days (extendable once by an additional 45 days where reasonably necessary). We do not charge for these requests unless they are manifestly unfounded or excessive.
If we deny your request, you may appeal by replying to our written response. If you are not satisfied with the appeal outcome, you may complain to the California Privacy Protection Agency (https://cppa.ca.gov) or the California Attorney General.
Shine the Light (Cal. Civil Code § 1798.83): California residents may, once per calendar year, request a list of any personal information we shared with third parties for the third parties’ direct-marketing purposes during the prior calendar year. We have not engaged in such sharing and have no such list to provide.
11.5 Other US states
The following US states have comprehensive consumer privacy laws in force or with effective dates passed: Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Florida (FDBR — large-data-broker scope), Indiana (INCDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MTCDPA), Nebraska (NDPA), New Hampshire (NHCPA), New Jersey (NJDPA), Oregon (OCPA), Rhode Island (RIDTPPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), Virginia (VCDPA). Residents of these states (and any other state whose law comes into force after this Policy was last updated) have rights substantially similar to the California rights in section 11.4: access, deletion, correction, portability, and to opt out of targeted advertising, sale, and (in most cases) profiling. Specifics — applicability thresholds, sensitive-data treatment, response timelines (typically 45 days, extendable) — vary by statute. To exercise these rights, email privacy@xelora.host and identify the state law you are invoking; we will apply that statute’s requirements. Complaints may be lodged with your state’s Attorney General.
11.6 Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs commercial activities in Canada. You have rights to access, correct, withdraw consent, and request deletion. Complaints may be lodged with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca). If you live in Quebec, the Act respecting the protection of personal information in the private sector (“Quebec Law 25”) additionally applies, and complaints may be lodged with the Commission d’accès à l’information (https://www.cai.gouv.qc.ca).
11.7 New Zealand
The Privacy Act 2020 grants New Zealand residents the rights set out in the 13 Information Privacy Principles (IPPs), including access, correction, and complaint rights. Complaints may be lodged with the Office of the Privacy Commissioner (https://www.privacy.org.nz).
11.8 South Africa
The Protection of Personal Information Act (POPIA) grants South African data subjects rights of access, correction, and deletion. Complaints may be lodged with the Information Regulator (South Africa): - Web: https://inforegulator.org.za - Email: enquiries@inforegulator.org.za - Phone: +27 10 023 5200
11.9 India
The Digital Personal Data Protection Act 2023 (DPDP Act) grants Indian data principals rights of access, correction, completion, deletion, and grievance redressal, and to nominate another individual to exercise those rights in case of death or incapacity. The Act’s implementing rules and the constitution of the Data Protection Board of India have been progressing in stages; until the Board is fully operational, the practical mechanism for complaints is Xelora’s own grievance contact (privacy@xelora.host) and, where relevant, the Ministry of Electronics and Information Technology. We will update this section once the Board’s complaint mechanism is operational.
11.10 Singapore
The Personal Data Protection Act 2012 (PDPA) grants Singapore residents rights of access, correction, withdrawal of consent, and complaint. Complaints may be lodged with the Personal Data Protection Commission (PDPC) (https://www.pdpc.gov.sg).
11.11 Hong Kong
The Personal Data (Privacy) Ordinance (PDPO) grants Hong Kong residents rights of access, correction, and complaint. Complaints may be lodged with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) (https://www.pcpd.org.hk).
11.12 Other jurisdictions (catch-all)
Xelora targets English-language markets, but customers from any country may sign up. If you live in a jurisdiction whose data-protection law grants you rights not specifically listed above — including (without limitation) the EU Member States other than Ireland, Switzerland (revFADP), South Korea (PIPA), Japan (APPI), Brazil (LGPD), Argentina, Mexico, Thailand, UAE, Saudi Arabia, Kenya, Nigeria, Turkey (KVKK), Israel, Caribbean and African nations, or any present or future legislation — those rights apply even if not listed by name. Email privacy@xelora.host and identify the law you are exercising rights under; we will apply that law’s requirements in good faith.
12. Do Not Sell or Share My Personal Information
Xelora does not sell your personal information, and does not share your personal information for cross-context behavioural advertising.
We do not engage in any “sale” of personal information as that term is defined in the CCPA/CPRA and equivalent US state laws, and we do not engage in “sharing” for the purpose of cross-context behavioural advertising. Because we do not sell or share, the “Do Not Sell or Share My Personal Information” link required of selling/sharing businesses by California law is not applicable to Xelora; this section is the equivalent disclosure.
If we ever change this practice, we will update this Policy and implement a clear opt-out mechanism (including the legally required link) before any sale or sharing begins.
If you have questions, email privacy@xelora.host.
13. Marketing
We will only send commercial electronic messages where permitted under the Spam Act 2003 (Cth). Every commercial message includes an unsubscribe link and the postal address shown at the top of this Policy. You can opt out of marketing at any time without affecting service messages.
14. Cookies
See the Cookies Policy.
15. Children
15.1 The Services are not directed to children, and we do not knowingly collect personal information from minors below the age set by the law that applies to them. The minimum ages we apply are:
- Under 13 for users in the United States, in line with the Children’s Online Privacy Protection Act (COPPA);
- Under 16 for users in the EU/EEA and the UK, in line with GDPR / UK GDPR Article 8 (subject to the lower national age set by some Member States);
- Under 16 in Australia and elsewhere, as a baseline.
15.2 If we learn that we have collected personal information from a child below the applicable minimum age without verifiable parental consent, we will delete that information promptly. If you are a parent or guardian and believe your child has provided personal information to Xelora, please contact privacy@xelora.host and we will delete it.
16. Complaints
If you believe we have breached the APPs, write to privacy@xelora.host (attention: the Privacy Officer). We will acknowledge within 7 days and respond within 30 days.
If you are dissatisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC): - Web: https://www.oaic.gov.au - Phone: 1300 363 992 - Post: GPO Box 5288, Sydney NSW 2001
EU/UK residents may also complain to their local supervisory authority.
17. Changes to this Policy
We may update this Policy. The “last updated” date at the top reflects the current version. Material changes will be notified by email or in-product notice. Older versions are available on request.
18. Contact
privacy@xelora.host · Xelora Pty Ltd (ACN 692 975 107, ABN 96 692 975 107) Postal address for privacy enquiries: 11 Sylvania Street, Mount Victoria NSW 2786, Australia Privacy Officer: Simon Marneros