Legal

Privacy Policy

Effective Date: 28 June 2026

Xacy Inc.

British Virgin Islands

This Privacy Policy explains how Xacy Inc. (“Xacy,” “we,” “our,” or “us”) collects, uses, stores, protects, and discloses information when customers access our website, APIs, managed VPN infrastructure, documentation, dashboard, support channels, and related services. Xacy provides managed B2B VPN infrastructure for companies that offer VPN, privacy, security, or related internet services to their own users. Xacy is not a consumer VPN application. By using Xacy, accessing our website, creating an account, integrating with our APIs, or otherwise using our services, you agree to the practices described in this Privacy Policy.

1. Scope of This Policy

This Privacy Policy applies to information we process in connection with:

  1. The Xacy website.

  2. Customer accounts and business relationships.

  3. API access and authentication.

  4. Billing and payment administration.

  5. Customer support and communications.

  6. Service monitoring, security, abuse prevention, and infrastructure operations.

  7. Managed VPN infrastructure provided to business customers.

This Privacy Policy does not replace the privacy policy of our customers. If you are an end user of a VPN app, privacy app, security app, or other service powered by Xacy infrastructure, your relationship is primarily with that company. You should review that company’s privacy policy to understand how it collects and uses your data.

2. Our No-Log VPN Activity Policy

Xacy follows a strict no-log policy for VPN activity.

We do not save, track, monitor, sell, or share VPN activity. This means we do not log:

  1. Websites visited through VPN sessions.

  2. Content viewed or accessed through VPN sessions.

  3. DNS queries made during VPN sessions.

  4. Applications or services used through VPN sessions.

  5. Browsing history.

  6. Traffic content.

  7. VPN activity profiles of end users.

  8. Records linking end-user browsing activity to a specific person.

Xacy is designed as privacy-first infrastructure for business customers. Our goal is to help VPN companies provide secure, high-speed VPN services without requiring Xacy to store VPN activity logs.

However, to operate a reliable B2B infrastructure platform, we may process limited business, account, API, billing, usage-volume, security, and operational information as described below.

3. Information We Collect

We collect only the information needed to provide, secure, bill, support, and improve our services.

3.1 Business Account Information

When a company signs up for Xacy or communicates with us, we may collect:

  1. Company name.

  2. Business contact name.

  3. Business email address.

  4. Business phone number, if provided.

  5. Company website.

  6. Billing address.

  7. Tax or company registration information, if required.

  8. Account login details.

  9. Customer plan, pricing, and service preferences.

  10. Communications with our sales, support, legal, or billing teams.

3.2 API and Authentication Information

To provide secure API access, we may process:

  1. API keys.

  2. Authentication tokens.

  3. Account identifiers.

  4. API request metadata.

  5. Endpoint accessed, such as add-peer or del-peer.

  6. Time of API request.

  7. Response status or error status.

  8. IP address of the customer server or system making the API request.

  9. Rate-limit, abuse-prevention, and security event data.

API metadata is used to operate and secure the service. It is not used to create VPN activity profiles of end users.

3.3 WireGuard Peer Information

To provide VPN infrastructure, customers may submit technical peer information through Xacy’s API, including:

  1. Client WireGuard public key.

  2. Requested country.

  3. Requested server.

  4. Requested nearby location.

  5. Requested exit IP, if applicable.

  6. Peer creation or deletion request.

  7. Technical configuration data required to generate a WireGuard configuration.

Xacy does not require the customer to submit an end user’s real name, email address, phone number, or identity to create a WireGuard peer. Customers should avoid submitting unnecessary personal information through the API.

3.4 Usage and Billing Information

Xacy may process limited usage data required for billing and infrastructure management, including:

  1. Egress traffic volume.

  2. Ingress traffic volume, where needed for infrastructure measurement.

  3. Account-level usage totals.

  4. Server or region-level usage totals.

  5. Billing period.

  6. Invoice amount.

  7. Payment status.

  8. Payment method details processed by our payment provider.

  9. Credits, discounts, refunds, or adjustments.

Xacy charges based on egress traffic, while ingress traffic may be free depending on the applicable plan or customer agreement. Usage-volume data is used for billing, capacity planning, security, and service operation. It is not used to track VPN browsing activity.

3.5 Website and Analytics Information

When you visit our website, we may collect limited technical information, such as:

  1. IP address.

  2. Browser type.

  3. Device type.

  4. Operating system.

  5. Pages viewed.

  6. Referring website.

  7. Approximate location based on IP address.

  8. Date and time of visit.

  9. Cookie or similar tracking information, where used.

We may use privacy-conscious analytics tools to understand website performance, improve landing pages, measure marketing effectiveness, and protect the website from abuse.

3.6 Support and Communications

If you contact us, we may collect:

  1. Name.

  2. Email address.

  3. Company name.

  4. Support messages.

  5. Technical details provided in the support request.

  6. Attachments or screenshots you choose to provide.

  7. Communication history.

Please do not send sensitive personal data, private keys, passwords, or confidential end-user information through support channels unless specifically requested through a secure process.

4. Information We Do Not Collect

Xacy does not intentionally collect or store:

  1. VPN browsing history.

  2. Websites visited by VPN users.

  3. DNS activity from VPN sessions.

  4. Content transmitted through VPN sessions.

  5. Application activity inside VPN sessions.

  6. End-user activity profiles.

  7. Private WireGuard keys from end users.

  8. Unnecessary personal identity information about our customers’ end users.

Customers are responsible for ensuring that they do not send unnecessary personal data to Xacy through API requests, support tickets, or other communication channels.

5. How We Use Information

We use information for the following purposes:

  1. To create and manage customer accounts.

  2. To provide access to Xacy’s managed VPN infrastructure.

  3. To authenticate API requests.

  4. To create, manage, and delete WireGuard peers.

  5. To generate WireGuard configurations.

  6. To route traffic through selected countries, servers, or exit IPs.

  7. To calculate usage and billing.

  8. To issue invoices and process payments.

  9. To provide customer support.

  10. To troubleshoot technical issues.

  11. To protect against fraud, abuse, attacks, and unauthorized access.

  12. To monitor infrastructure health, uptime, and performance.

  13. To improve our website, APIs, documentation, and services.

  14. To communicate service updates, security notices, billing notices, and policy changes.

  15. To comply with legal obligations.

  16. To enforce our Terms of Service and Acceptable Use requirements.

  17. To protect Xacy, our customers, our infrastructure, our providers, and the public.

We do not use VPN activity logs for advertising, profiling, resale, or behavioral tracking because we do not keep VPN activity logs.

6. Legal Bases for Processing

Depending on your location and applicable law, we may process personal information under one or more of the following legal bases:

  1. Contract performance: To provide the services requested by our customers.

  2. Legitimate interests: To secure our infrastructure, prevent abuse, improve services, communicate with customers, and operate our business.

  3. Consent: Where consent is required, such as for certain cookies or marketing communications.

  4. Legal obligation: To comply with applicable laws, court orders, tax rules, sanctions requirements, regulatory obligations, or valid legal requests.

  5. Protection of rights: To protect the rights, safety, property, and security of Xacy, customers, users, providers, and the public.

7. How We Share Information

Xacy does not sell VPN activity data. Xacy does not share VPN activity logs because we do not keep VPN activity logs.

We may share limited business, account, operational, billing, or technical information in the following circumstances:

7.1 Service Providers

We may use trusted service providers for:

  1. Cloud hosting.

  2. Data centers.

  3. Network infrastructure.

  4. Payment processing.

  5. Customer support.

  6. Email delivery.

  7. Security monitoring.

  8. Analytics.

  9. Accounting.

  10. Legal and compliance support.

These providers may process information only as necessary to provide services to Xacy and are expected to protect the information they process.

7.2 Legal and Compliance

We may disclose information if required by law or if we believe disclosure is necessary to:

  1. Comply with a valid legal request.

  2. Respond to a court order, subpoena, regulator, or law enforcement request.

  3. Enforce our Terms of Service.

  4. Investigate fraud, abuse, or security incidents.

  5. Protect the rights, safety, or property of Xacy, customers, providers, or others.

  6. Comply with sanctions, export control, tax, or regulatory obligations.

Because Xacy follows a strict no-log policy for VPN activity, we may not possess VPN activity logs to provide in response to such requests.

7.3 Business Transfers

If Xacy is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar business transaction, information may be transferred as part of that transaction, subject to appropriate confidentiality and privacy protections.

7.4 With Customer Direction

We may share information when a customer instructs us to do so, or when sharing is necessary to provide services requested by that customer.

8. Customer Responsibilities

Xacy’s customers are responsible for their own products, users, privacy disclosures, and legal obligations.

Customers must:

  1. Maintain their own privacy policy.

  2. Explain to their users how their product collects, uses, and shares data.

  3. Avoid sending unnecessary personal data to Xacy.

  4. Protect API keys and credentials.

  5. Use secure backend integration methods.

  6. Ensure their use of Xacy complies with applicable law.

  7. Respond to end-user privacy requests related to their own product.

  8. Maintain appropriate end-user terms and acceptable use policies.

  9. Ensure that their users do not misuse Xacy-powered infrastructure.

Xacy is not responsible for the privacy practices of customer applications, websites, support systems, analytics tools, payment processors, or end-user data collection practices outside Xacy’s control.

9. Cookies and Similar Technologies

Xacy may use cookies, pixels, local storage, or similar technologies on its website.

These technologies may be used to:

  1. Keep the website functional.

  2. Remember preferences.

  3. Improve website performance.

  4. Understand website usage.

  5. Protect against abuse or fraud.

  6. Measure marketing effectiveness.

You can control cookies through your browser settings. Blocking some cookies may affect website functionality. Where required by law, we will request consent before using non-essential cookies.

10. Data Retention

Xacy retains information only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods may vary depending on the type of information:

  1. Account information may be retained while the customer account remains active.

  2. Billing records may be retained as required for accounting, tax, audit, and legal purposes.

  3. Support communications may be retained for customer service, security, training, and legal purposes.

  4. API security metadata may be retained for a limited period to detect abuse, investigate incidents, and protect infrastructure.

  5. WireGuard peer information may be retained only as needed to provide the service and manage peer creation or deletion.

  6. Legal and compliance records may be retained as required by applicable law.

When information is no longer needed, we may delete, anonymize, aggregate, or securely archive it.

11. Security

Xacy uses reasonable technical, administrative, and organizational measures to protect information against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

Security measures may include:

  1. API authentication.

  2. Access controls.

  3. Credential protection.

  4. Infrastructure monitoring.

  5. Network security controls.

  6. Encryption where appropriate.

  7. Logging of security-relevant events.

  8. Internal access restrictions.

  9. Provider security reviews.

  10. Incident response procedures.

No system is completely secure. Customers are responsible for securing their own applications, backend systems, API keys, user databases, and integration logic.

12. API Key Security

Customers must keep API keys secure.

Customers must not:

  1. Publish API keys.

  2. Commit API keys to public repositories.

  3. Place secret API keys in client-side applications.

  4. Share API keys with unauthorized parties.

  5. Use weak internal access controls.

  6. Ignore suspected credential compromise.

If an API key is compromised, customers must rotate it immediately and notify Xacy if there is risk of abuse or unauthorized use.

Xacy may revoke, rotate, limit, or suspend API keys if we believe there is a security risk, abuse, billing issue, or violation of our Terms of Service.

13. International Data Transfers

Xacy is incorporated in the British Virgin Islands and may use infrastructure, service providers, personnel, and systems located in different countries.

By using Xacy, you understand that information may be processed in countries other than your own. These countries may have different data protection laws.

Where required, Xacy uses appropriate safeguards for international transfers of personal information.

14. Your Privacy Rights

Depending on your location and applicable law, you may have rights related to your personal information, including the right to:

  1. Request access to personal information.

  2. Request correction of inaccurate information.

  3. Request deletion of certain information.

  4. Request restriction of processing.

  5. Object to certain processing.

  6. Request a copy of certain information.

  7. Withdraw consent where processing is based on consent.

  8. Lodge a complaint with a data protection authority where applicable.

To exercise privacy rights, contact us using the details in the “Contact Us” section.

If you are an end user of a customer’s VPN app or service, you should first contact that company because Xacy may not have enough information to identify or verify you.

15. Marketing Communications

We may send business customers and prospective customers service updates, product information, security notices, pricing information, or marketing communications.

You may opt out of marketing emails by using the unsubscribe link or contacting us. Even if you opt out of marketing emails, we may still send important service, billing, legal, or security communications.

16. Children’s Privacy

Xacy is a B2B infrastructure provider and does not knowingly provide services directly to children.

Our services are intended for business customers. Customers are responsible for ensuring that their own products comply with laws related to children and minors.

If we learn that we have collected personal information from a child where prohibited by law, we will take reasonable steps to delete it.

17. Abuse, Security, and Network Protection

To protect Xacy, our customers, providers, and the public, we may process limited technical and security information to detect, prevent, and respond to:

  1. DDoS attacks.

  2. Malware activity.

  3. Spam.

  4. Credential abuse.

  5. Unauthorized access.

  6. API abuse.

  7. Network attacks.

  8. Fraud.

  9. Infrastructure misuse.

  10. Violations of our Terms of Service.

This security processing is designed to protect the service and does not involve logging VPN browsing activity.

18. Third-Party Links

Our website, documentation, dashboard, or communications may contain links to third-party websites or services.

We are not responsible for the privacy practices, security, or content of third-party websites or services. You should review their privacy policies before providing information to them.

19. Changes to This Privacy Policy

Xacy may update this Privacy Policy from time to time.

If changes are material, we may notify customers by email, dashboard notice, website notice, or another reasonable method.

The updated Privacy Policy will become effective when posted or on the date stated in the updated policy. Continued use of Xacy after the effective date means you accept the updated Privacy Policy.

Xacy

Company Registration Number: 2161939

Intershore Chambers, Road Town, Tortola, British Virgin Islands - VG1110.

© 2026 Xacy Inc. All Rights Reserved.

Terms of Service

Privacy Policy