Privacy Policy

NorthStar Technology — askxavier.ai

Effective Date: February 15, 2026

1. Our Core Data Principles

• We will never sell your personal data. Not to advertisers, not to data brokers, not to anyone. Ever.
• We will never share your data for third-party marketing. Your email, your portfolio information, and your usage patterns will never be handed to another company to sell you things.
• We use your data only to operate and improve Xavier for you. Every piece of data we collect has a specific purpose tied to making the platform work or making it better.
• We operate non-custodially. Xavier never holds, stores, or has access to your private keys or seed phrases. We cannot move your funds. This is by design, enforced by architecture, and non-negotiable.
• Your data interactions stay between you and Xavier. When Xavier provides financial guidance, it is a private conversation. We do not monetize the content of your interactions.

2. Information We Collect

2.1 Information You Provide

• Account registration information: name, email address, and password (hashed and salted; we never store plaintext passwords).
• Waitlist signups: email address and the page section where you signed up.
• Preferences you set within Xavier, such as risk tolerance, preferred chains, and communication settings.
• Messages you send to Xavier through the AI chat interface.

2.2 Information Generated by Your Use of Xavier

• Public wallet addresses associated with your account (public keys only — never private keys).
• Transaction history for wallets you connect or create through Xavier. This is on-chain data that is already publicly visible on the respective blockchains.
• Portfolio composition and balances derived from your connected wallets.
• Interaction data: which features you use, which AI recommendations you approve or decline, and how you navigate the platform. This helps Xavier learn your preferences and improve its advice.

2.3 Information Collected Automatically

• IP address (used for rate limiting and abuse prevention; not used for tracking or advertising).
• Browser type and device information (used for compatibility and debugging only).
• Timestamps of account activity.

2.4 Information We Never Collect

• Private keys or seed phrases. These are generated on your device and never transmitted to our servers.
• Government-issued identification. Xavier does not perform KYC. If a third-party partner requires identity verification, that occurs entirely within their system under their own privacy policy.
• Biometric data. We do not collect fingerprints, facial recognition data, or any biometric identifiers.
• Location data. We do not request or track your geographic location.

3. How We Use Your Information

We use collected information for the following purposes and no others:

• Providing the Xavier service: Authenticating your account, displaying your portfolio, generating AI-powered financial guidance, executing transactions you initiate, and maintaining your preferences.
• Improving Xavier: Analyzing aggregate usage patterns (never individual behavior sold to third parties) to improve the AI advisory system, refine the user experience, and fix bugs.
• Personalizing your experience: Xavier’s AI learns from your approved and declined recommendations to adapt its advice to your risk profile and investment style. This learning is private to your account.
• Security and abuse prevention: Detecting unauthorized access attempts, rate-limiting API abuse, and protecting the platform and its users.
• Communications you request: Sending waitlist updates, launch notifications, and account-related emails. We do not send unsolicited marketing.

4. How We Protect Your Information

• All data in transit is encrypted via TLS 1.2 or higher.
• Passwords are hashed using industry-standard algorithms before storage. We never store or log plaintext passwords.
• Database access is restricted to authenticated backend services only, with role-based access controls.
• Private keys are generated and stored exclusively on your device. Our servers never receive, process, or store private key material.
• Transactions are prepared by our server but signed on your device. We broadcast signed transactions to the blockchain but cannot alter them.
• Our infrastructure runs on isolated containers with health monitoring, non-root execution, and automated security updates.

No system is perfectly secure. We implement reasonable and appropriate measures to protect your data, and we are transparent about what those measures are.

5. Third-Party Services

Xavier integrates with a limited number of third-party services to function. Each integration is chosen deliberately, and we minimize the data shared with each.

5.1 Authentication

If you sign in with Google, we receive your name, email address, and profile picture from Google’s OAuth service. We do not receive your Google password. Google’s use of your data is governed by Google’s Privacy Policy.

5.2 Blockchain Networks

Xavier interacts with public blockchain networks through RPC providers. These providers process your public wallet address and transaction data. This data is inherently public on the blockchain.

5.3 AI Advisory Models

Xavier’s 4-AI Consensus system sends portfolio context and your questions to multiple AI model providers to generate financial guidance. We send only the information necessary to produce a response. We do not send your name, email, or private keys to AI providers.

5.4 Fiat On/Off-Ramp Partners

If and when Xavier integrates fiat currency services, those services are provided by third-party partners who operate under their own privacy policies and regulatory requirements. Xavier does not receive or store any identity documents you provide to those partners.

5.5 No Advertising Networks

Xavier does not integrate with any advertising networks, tracking pixels, or data brokers. We do not serve ads. We do not participate in behavioral advertising. We do not allow third parties to track you through our platform.

6. Data Retention

• Account data is retained for as long as your account is active.
• If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or necessary to prevent fraud.
• Transaction records stored in our database (distinct from on-chain records, which are permanent and immutable) will be deleted upon account deletion.
• Waitlist email addresses for unverified signups are automatically purged after 90 days.
• Aggregated, anonymized usage statistics that cannot be linked back to any individual may be retained indefinitely to improve the service.

7. Your Rights and Choices

You have the following rights regarding your data:

• Access: You may request a copy of the personal data we hold about you.
• Correction: You may request that we correct inaccurate personal data.
• Deletion: You may request that we delete your account and associated personal data.
• Export: You may request an export of your data in a machine-readable format.
• Withdrawal of consent: Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, contact us at the address listed in Section 12. We will respond within 30 days.

8. Cookies and Tracking Technologies

Xavier uses only essential cookies required for the platform to function:

• Authentication token: A session token stored in your browser’s local storage to keep you signed in. This is not a tracking cookie.

We do not use analytics cookies, advertising cookies, social media tracking pixels, or any third-party tracking technologies. If this changes in the future, we will update this policy and notify you before any non-essential tracking is introduced.

9. Children’s Privacy

Xavier is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will delete that information promptly.

10. International Data Transfers

Xavier’s servers are located in the United States. If you access Xavier from outside the United States, your data will be transferred to and processed in the United States. By using Xavier, you consent to this transfer. We apply the same protections described in this policy regardless of where your data originates.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated policy on askxavier.ai with a new effective date.
• Notify registered users by email at least 14 days before material changes take effect.
• Clearly identify what has changed.

Your continued use of Xavier after the effective date of a revised policy constitutes acceptance of the changes.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled: