Data practices, stated without euphemism.
WebWall is a B2B security platform. We do not monetise personal data, we do not sell it, and we collect as little of it as the product and the law allow. This policy explains exactly what we collect on the marketing site and through the platform, why, on what legal basis, and what you can do about it.
Who we are
The data controller for this website and for the WebWall platform is X and Me Technology AG, a Swiss joint-stock company registered in the Canton of Zurich. You can reach us at legal@webwall.ai for anything in this document, including exercising your rights. Our Data Protection representative in the EU can be reached through the same address; we will connect you with them directly on request.
This policy covers the marketing site at webwall.ai and associated subdomains, the operator surface that authenticated customer staff use to manage their WebWall deployment, and the telemetry that WebWall instances send back to us. It does not cover the personal data that you process as a controller through your WebWall deployment — for that, we act as a processor and the Data Processing Addendum applies.
What we collect on webwall.ai
The marketing site is deliberately lightweight. We currently process:
- Contact enquiries. When you send us the enterprise-access form, we store the name, work email, and one-line context you provide. Legal basis: pre-contractual steps at your request (GDPR Art. 6(1)(b)).
- Correspondence. Email you send us is retained in the inbox where it lands, for the period described in the Retention section below. Legal basis: legitimate interest in running the business (Art. 6(1)(f)).
- Technical logs. Our edge receives the standard set of request headers, including IP address and User-Agent. These are retained in full for 14 days and in an IP-truncated aggregate for 13 months, solely for security and abuse-monitoring. Legal basis: legitimate interest (Art. 6(1)(f)) and, where applicable, Art. 32 obligations.
- First-party analytics. We do not use Google Analytics, Meta pixel, LinkedIn Insight, or any similar cross-site tracker. We may run a privacy-preserving first-party pageview counter that stores no cookies, no device fingerprint, and no IP address in clear text.
What we collect through the platform
For authenticated users on the operator surface, we process:
- Account identifiers — work email, display name, tenant id, role, and SSO-provided subject identifiers
- Usage telemetry — which MCP endpoints you invoked, when, and the rule-ids or model-ids you operated on; the telemetry plane does not record the verdict payloads themselves
- Support data — tickets, attachments, and call notes where you have engaged support
- Operator audit-log — PROV-O signed events for every change against a production kyl ruleset, retained for the duration of your subscription plus the agreed-upon archive horizon
Legal bases: performance of contract (Art. 6(1)(b)) for your account and the platform; legitimate interest (Art. 6(1)(f)) in product improvement and fraud prevention; and legal obligation (Art. 6(1)(c)) for the portions of the audit-log that are regulator-facing.
Cookies and similar technologies
The marketing site sets one technical cookie that remembers your theme preference (theme=light|dark|system, 12 months, first-party, SameSite=Lax). That is all we set by default. No consent banner is shown because no consent is required for a preference cookie that you have actively toggled.
The operator surface sets the cookies necessary for authentication and session binding. Those are strictly necessary in the meaning of Art. 5(3) ePrivacy.
Who we share data with
We share personal data only with the following categories:
- Infrastructure providers under written processor agreements, for hosting (Switzerland and EU), email delivery, and error monitoring. A current list is published at webwall.ai/security/subprocessors
- Professional advisers — lawyers, accountants, auditors — bound by professional confidentiality obligations
- Authorities where a valid legal order compels us. We publish an annual transparency summary of such disclosures
- Acquirers in the event of a merger or acquisition, subject to equivalent protection and advance notice to affected individuals
We do not disclose personal data to advertisers, data brokers, or AI training markets.
Retention
We apply the following retention defaults:
- Contact-form submissions — retained for 24 months from last activity, then deleted or aggregated
- Marketing-site edge logs — 14 days full, 13 months IP-truncated, then deleted
- Account data — duration of the subscription, plus 90 days to allow for reactivation, then a cryptographic shred of the tenant key which renders the archives unreadable
- Audit-log — duration of the subscription plus the archive horizon agreed in the order form (default 6 years for regulated-data customers)
- Billing records — 10 years, as required by Swiss and EU bookkeeping rules
International transfers
Our primary hosting is in Switzerland, with EU failover. Where a sub-processor operates outside the EEA or Switzerland, we rely on:
- The European Commission's 2021 Standard Contractual Clauses, supplemented where required by a transfer-impact assessment
- The UK Addendum or Swiss FDPIC-approved clauses for the corresponding transfers
- Supplementary technical measures — at-rest encryption with customer-held or per-tenant keys, and transit encryption with modern ciphers — so that disclosure to foreign authorities requires the cooperation of a party inside our legal reach
Your rights
If GDPR or the Swiss FADP applies to our processing of your data, you have the rights to access, rectification, erasure, restriction, portability, and objection. For processing based on legitimate interest or the performance of a task in the public interest, you may object at any time on grounds relating to your particular situation. Where processing is based on consent, you may withdraw that consent at any time; withdrawal does not affect the lawfulness of processing done before the withdrawal.
To exercise any of these rights, email legal@webwall.ai. We will respond within one month, extendable by two months for complex requests. If you believe our processing does not comply, you may lodge a complaint with the Swiss FDPIC or with your local EU supervisory authority.
Security
We run WebWall on our own platform. Controls include tenant isolation with per-tenant keys, post-quantum signatures on verdicts and operator actions, MFA and hardware tokens for all staff access to production, annual penetration testing, and a published sub-processor register. ISO/IEC 27001 certification is being pursued; its scope is available on request.
Automated decisions
Decisions about your access to WebWall.ai's enterprise-access programme are made by humans. The platform itself makes automated decisions about network traffic on behalf of our customers — in that context, the customer is the controller and the DPA governs.
Changes to this policy
Material changes are announced by email to active contacts at least 30 days in advance and reflected in the version banner at the top of this page. A changelog of substantive revisions is maintained at webwall.ai/security/privacy-changelog.