Legal · 25 Alpha LLC
Privacy Policy
Effective: May 26, 2026
Entity: 25 Alpha LLC, a Delaware S-Corp
Contact: info@25xray.ai
1. Overview
This Privacy Policy describes how 25 Alpha LLC ("25 Alpha," "we," "us," or "our") collects, uses, discloses, and protects information when you use X.R.A.Y. (the "Platform") at app.25xray.ai and related domains.
This Policy is effective as of May 26, 2026. We will notify you of material changes via email at least 30 days before the effective date.
By using X.R.A.Y., you acknowledge that you have read and understood this Privacy Policy and our Terms of Service at 25xray.ai/terms.
2. Information We Collect
Account Information When you create an X.R.A.Y. account, we collect: name, email address, business name, business address, phone number (optional), and payment information (processed by Stripe — we do not store card numbers).
Business Configuration Data To deploy and configure your agent fleet, we collect: NAICS code(s), industry classification, operating zones, revenue range, employee count, registered states of operation, and business entity type.
Veteran Verification Data For VOSB20 discount verification, we collect: DD-214 (Certificate of Release or Discharge from Active Duty) or equivalent SBA/CVE certification documentation. This data is handled with elevated security and access restrictions.
Platform Usage Data We automatically collect: agent action logs, platform event logs, browser type, operating system, IP address, session duration, feature usage patterns, and error reports.
Communications If you contact us, we collect: the content of your message, your email address, and any attachments you provide.
AI Interaction Data Voice inputs to the Concierge feature (processed via Deepgram), text interactions with AI agents, and content you ask agents to process on your behalf.
3. How We Use Your Information
Platform Operation • Authenticate your identity and maintain your session • Configure and deploy your AI agent fleet based on your NAICS profile • Execute agent actions on your behalf across your authorized operating zones • Process payments and manage your subscription • Provide customer support
Platform Improvement • Analyze aggregate usage patterns to improve the Platform • Debug errors and improve reliability • Develop new features and agent capabilities
Compliance and Legal • Detect and prevent fraud, abuse, and security incidents • Comply with applicable laws and regulations • Respond to lawful government requests • Enforce our Terms of Service
Communications • Send billing notifications, security alerts, and critical Platform updates • Send product updates and feature announcements (opt-out available) • Respond to your inquiries
We do not sell your personal information to third parties. We do not use your business data to train AI models without your explicit written consent.
4. Third-Party Processors
We share data with the following third-party processors solely to operate the Platform:
Amazon Web Services (AWS) — Cloud infrastructure (ECS Fargate, RDS PostgreSQL, S3). All Platform data is hosted in AWS us-east-2 (Ohio). AWS is SOC 2 Type II and ISO 27001 certified.
Anthropic — AI model inference. Your prompts and agent instructions are processed by Anthropic's Claude models. Anthropic does not use API-submitted data for model training under their standard API terms. For more information: anthropic.com/privacy.
WorkOS — Authentication and identity management. WorkOS processes your email address and authentication credentials. WorkOS is SOC 2 Type II certified.
Stripe — Payment processing. Stripe handles all payment card data. Stripe is PCI DSS Level 1 certified.
Deepgram — Speech-to-text for Concierge voice input. Audio data is processed in real-time and not stored after transcription.
Neon (PostgreSQL) — Managed database infrastructure. Your business data is stored encrypted at rest in Neon's US-East-1 infrastructure.
Upstash (Redis) — In-memory caching for real-time Platform performance. Cache data is ephemeral and expires automatically.
CloudAMQP (RabbitMQ) — Event queue for agent task routing. Messages are transient and not persisted beyond processing.
Each processor is bound by data processing agreements and may not use your data for any purpose other than providing services to 25 Alpha LLC.
5. Data Isolation and Security
Tenant Isolation Every customer's data is isolated using PostgreSQL Row-Level Security (RLS). Your data is logically and technically separated from all other customers at the database query level. No cross-tenant data access is architecturally possible.
Encryption Data at rest: AES-256 encryption (AWS RDS and S3 default encryption). Data in transit: TLS 1.2+ on all connections. Database credentials: AWS Secrets Manager with automatic rotation.
Access Controls Platform access requires authentication via WorkOS. All API endpoints require valid session tokens. Administrative access to production systems requires multi-factor authentication and is logged.
Security Monitoring SENTINEL continuously monitors agent activity and Platform behavior for anomalies. Security events are logged and reviewed. We operate a responsible disclosure program — contact info@25xray.ai to report vulnerabilities.
Incident Response In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery, consistent with GDPR requirements and applicable state breach notification laws.
6. Veteran Data Protection
We recognize that veterans entrust us with sensitive personal and service records. Veteran-specific data protections:
DD-214 and Military Records DD-214 documents and other military service records submitted for VOSB20 verification are: • Stored with access restricted to authorized verification personnel only • Not shared with any third party except as required by law • Retained for the duration of the VOSB20 discount period plus 3 years • Eligible for deletion upon written request after verification period
SkillBridge Data Transitioning service member data processed via the SkillBridge pipeline is handled with the same elevated protections as military records.
We do not share veteran status, military branch, rank, or service history with any employer, agency, or platform without your explicit written consent.
7. Data Retention
Active account data is retained for the duration of your subscription.
Post-cancellation retention: • Business data and agent configuration: 90 days (for reactivation or export) • Platform event logs: 24 months minimum (regulatory requirement per LD-167c) • Financial transaction records: 7 years (IRS requirement) • VOSB verification documents: Duration of discount period + 3 years • Security incident logs: 7 years
After retention periods expire, data is permanently deleted from all production systems and backups within 90 days.
You may request early deletion of your data (subject to legal retention requirements) by emailing info@25xray.ai with subject line "Data Deletion Request."
8. Your Rights
Regardless of your location, you have the following rights:
Access: Request a copy of the personal information we hold about you. Correction: Request correction of inaccurate personal information. Deletion: Request deletion of your personal information (subject to legal retention obligations). Portability: Request your data in a machine-readable format. Objection: Object to processing of your personal information for certain purposes. Withdrawal: Withdraw consent where processing is based on consent.
To exercise any of these rights, contact info@25xray.ai. We will respond within 30 days.
GDPR (European Union and UK) If you are located in the EU or UK, you have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is: contract performance (delivering the Platform), legitimate interests (security and fraud prevention), and consent (marketing communications).
CCPA (California) California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.
We do not sell personal information as defined under the CCPA.
10. Children's Privacy
X.R.A.Y. is a business platform designed for adults operating registered business entities. We do not knowingly collect personal information from individuals under 18 years of age. If we learn that we have collected personal information from a child under 18, we will delete it immediately.
11. International Data Transfers
X.R.A.Y. is operated from the United States. All production data is stored and processed within the United States (AWS us-east-2). We do not transfer personal data to countries outside the United States except as required to provide the Platform (e.g., via Anthropic's API infrastructure).
For EU/UK customers, our data transfers are governed by Standard Contractual Clauses (SCCs) with our third-party processors. For more information, contact info@25xray.ai.
12. Contact and Complaints
Privacy Officer: 25 Alpha LLC, info@25xray.ai
For privacy requests: • Data access, correction, or deletion: info@25xray.ai — subject line "Privacy Request" • Security vulnerabilities: info@25xray.ai — subject line "Security Disclosure" • GDPR inquiries: info@25xray.ai — subject line "GDPR" • CCPA inquiries: info@25xray.ai — subject line "CCPA"
Response time: 30 days for standard requests. Emergency security disclosures receive a response within 72 hours.
25 Alpha LLC info@25xray.ai 567-25-ALPHA (567-252-5742) Delaware, United States
Privacy questions? Contact us at info@25xray.ai. This Policy was last updated May 26, 2026. © 2026 25 Alpha LLC. All Rights Reserved.