Privacy Policy

Effective date: May 6, 2026

XOCOA ("we", "us", "our") operates the XOCOA website, AI Chocolate Sommelier, account features, saved chocolates, and related services at xocoa.co. This policy explains what personal data we process, why we process it, how long we keep it, and your rights under the GDPR and applicable privacy law.


1. Information We Collect

When you use XOCOA without signing in, we may process:

  • Chat messages — the text you send to the sommelier to generate recommendations.
  • Session identifier — a randomly generated ID used to maintain conversation context.
  • Preference data — flavour preferences, dietary needs, and budget signals you share during the conversation.
  • Technical metadata — browser type, language, and approximate timezone, collected automatically to ensure the service functions correctly.

If you sign in with Google, we additionally process:

  • Account identity — your Google-provided email address, name, avatar, and provider metadata needed for authentication.
  • Profile data — display name, avatar URL, locale, account creation date, and update date.
  • Signup security data — your IP address captured once at signup and approximate country derived from that IP for fraud prevention and account-security auditing.
  • Saved chocolates — product identifiers from the XOCOA catalogue that you choose to save, plus optional notes if enabled.
  • Authenticated chat association — chat sessions may be associated with your account so you can keep context and use account features.

We do not collect payment card data, postal addresses, phone numbers, precise GPS location, browsing history outside XOCOA, device fingerprints, advertising identifiers, or demographic inferences.

2. How We Use Your Information

We use the data above to:

  • Generate personalised chocolate recommendations grounded in our product catalogue.
  • Maintain conversation context and authenticated sessions.
  • Provide account features such as Google sign-in, profile display, saved chocolates, data export, and account deletion.
  • Protect accounts and prevent abuse or fraud.
  • Improve the quality and accuracy of the sommelier over time (aggregated, non-identifiable analysis only).

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not build persistent user profiles or use your data for behavioural advertising.

3. Data Retention

Account profile data and saved chocolates are retained for as long as your account exists. You can delete your account from the XOCOA account page, which removes account-linked profile and saved-chocolates data. Chat sessions linked to your account are not deleted on account deletion; they are anonymised by removing the account association, so the remaining session records can no longer be attributed to you. Deleted personal data may remain in encrypted backups for up to 30 days before being purged from backup storage.

4. Cookies

XOCOA uses strictly necessary cookies and browser storage to maintain authentication sessions, security, and service functionality. We do not use Google Analytics, advertising cookies, retargeting pixels, cross-site tracking, heatmaps, or session-replay tools. Because these cookies and storage mechanisms are necessary to provide the service you request, no cookie consent banner is required for them.

5. Third-Party Services

We use service providers only where necessary to operate XOCOA. Google provides OAuth sign-in. Supabase provides authentication and database hosting. Our AI inference providers, which may include Azure OpenAI, Groq, and Google Gemini, process chat messages solely to generate sommelier responses. Hosting providers process request data to deliver the website and application. A GeoIP provider may receive the signup IP once to derive approximate country.

  • Google OAuth — policies.google.com/privacy
  • Supabase — supabase.com/privacy
  • Microsoft Azure — azure.microsoft.com/en-us/support/legal/
  • Groq — groq.com/privacy
  • Google Gemini — policies.google.com/privacy

6. Your Rights (GDPR)

If you are located in the European Economic Area you have the right to:

  • Access — request a copy of personal data we hold about you. Logged-in users can self-serve at /sommelier/account via “Export my data”.
  • Rectification — request correction of inaccurate or incomplete personal data.
  • Erasure — request deletion of your personal data. Logged-in users can self-serve at /sommelier/account via “Delete account”.
  • Portability — your export is provided in JSON format for portability.
  • Restriction — request restriction of processing in specific cases.
  • Objection — object to processing based on legitimate interests.
  • Complaint — lodge a complaint with your local data protection authority.

For any request, contact us at hello@xocoa.co.

7. Changes to This Policy

We may update this policy as our service evolves. Material changes will be reflected in an updated effective date above. Continued use of XOCOA after a change constitutes acceptance of the revised policy.

8. Contact

Questions about this policy? Reach us at hello@xocoa.co.