Security - How Xaiku handles your data.

Xaiku stores three categories of data:

• Experiment content— the variants, templates, and voice profiles you create.
• Analytics events— impressions, conversions, and custom events sent through the SDK.
• Visitor data— anonymized by default. We track which variant a visitor saw and whether they converted. We do not store personal information about your visitors.

Xaiku acts as a data processor on your behalf. You remain the data controller. We process experiment and analytics data only to provide the service you signed up for.

We do not sell your data. We do not use it to train models. Your experiment content and analytics stay yours.

If your team requires a signed Data Processing Agreement before using Xaiku, reach out to [email protected] and we will work through it with you.

Xaiku runs on established, audited infrastructure:

• Hosting— Vercel (edge network, automatic HTTPS)
• Database— MongoDB Atlas (encrypted at rest)
• Cache— Redis (encrypted connections)
• Transport— all data in transit is encrypted via TLS

Access to production systems is restricted to the founder. There are no shared credentials or open admin panels.

What Xaiku measures— for each experiment, we track impressions and conversions per variant. These are the signals that determine which variant performs better.

How we judge a result— a variant is declared a winner when there is enough data to be statistically confident the difference is real, not noise.

Why a winner may still be uncertain— small sample sizes or close results mean we cannot always call a clear winner. When that happens, Xaiku tells you so. We would rather be honest than premature.

How forecasts differ from live results— the forecast scores (readability, relevance, urgency, specificity, trust) are directional indicators, not guarantees. They estimate how a variant is likely to perform based on its structure and language. Live results are what actually happened. Forecasts help you start strong. Results tell you what won.

Xaiku is built with GDPR principles in mind. Users can request data export or deletion by contacting us. We process data within EU infrastructure where possible.

For full details, see our Privacy Policy and Terms of Service.