Privacy
Privacy Policy
This Privacy Policy explains how XRAYED handles information users provide, content users create, public content users publish, private content users keep private, and data needed to operate and protect the service.
Last updated June 21, 2026
Scope
This policy applies to XRAYED websites, apps, public pages, account features, publishing flows, feedback forms, and related services. It does not apply to third-party websites, social platforms, identity providers, or services that XRAYED does not control.
Controller
VONDOU SRL is the data controller for personal data processed through XRAYED unless a specific feature or provider notice says otherwise.
XRAYED is operated by VONDOU SRL.
- Registered office
- Rue Baron de Castro 37, 1040 Brussels, Belgium
- Enterprise / VAT number
- BE 0758.768.048
Data XRAYED Collects
- Account and profile data, such as identifiers, contact details, usernames, display names, authentication state, and account settings.
- Content and media data, such as images, image links, captions, public publications, generated text, generated images, public profile content, and related metadata.
- Private product data, such as private uploads, private generated assets, saved preferences, private analysis, and account-scoped product history.
- AI and content-processing data, such as AI inputs and outputs, moderation signals, quality signals, usage information, diagnostic information, and security data needed to provide AI-assisted features.
- Usage, device, diagnostic, and security data, such as browser or device signals, request information, logs, error data, abuse-prevention data, and cookies or similar browser data.
- Feedback and support data, such as messages, contact details, request context, and information needed to respond to a request.
Public And Private Boundaries
Public Content can be viewed by other people, including logged-out visitors. It may be indexed, shared, copied, exported, reposted, screenshotted, or used in marketing as described in the Terms.
XRAYED's current in-app marketing featuring opt-in is narrower than that background license: it covers opted-in public publications, public Mirrors, and @handle on XRAYED-owned organic Instagram and TikTok only. Private saves, private Mirrors, and other non-public account information are excluded; the current program is never paid ads and never sold.
Private Content is not intended to be public unless XRAYED provides an explicit publish action and the user uses that action. XRAYED still processes Private Content as needed to provide, secure, support, and improve the service.
How XRAYED Uses Data
- To provide, operate, secure, troubleshoot, and improve XRAYED.
- To manage accounts, authentication, access, settings, and user-requested actions.
- To accept content, process images, generate outputs, create publications, display public pages, and support private product features.
- To operate AI-assisted, image-processing, moderation, personalization, and quality-control features.
- To meter usage, enforce limits, prevent abuse, detect suspicious activity, and maintain service reliability.
- To respond to feedback, support requests, rights-holder requests, takedowns, legal requests, and security reports.
- To promote XRAYED using Public Content where the Terms and applicable law allow it.
- To comply with legal obligations, enforce agreements, resolve disputes, and protect XRAYED, users, providers, and the public.
AI Processing
XRAYED may process images, text, generated outputs, and related context through AI-assisted systems and service providers to provide product features, moderation, personalization, quality control, safety, troubleshooting, and service improvement.
AI outputs may be inaccurate, incomplete, unexpected, biased, delayed, or unavailable. Provider behavior, retention, output, and security may vary by provider, configuration, and applicable terms.
Analytics And Diagnostics
XRAYED may use analytics and diagnostic services to understand product use, measure errors, diagnose performance, improve reliability, and understand whether features work as intended.
XRAYED may collect or share limited events, logs, error reports, diagnostic information, and performance data where needed to operate and troubleshoot the service.
How Data Is Shared
- Publicly, when you publish Public Content.
- With service providers and other third-party providers that help provide, protect, maintain, analyze, support, improve, or distribute XRAYED.
- With providers that process content, AI inputs and outputs, technical data, communications, analytics, security events, or support requests on XRAYED's behalf.
- With social platforms, marketing channels, press, app stores, or distribution partners when XRAYED uses Public Content for lawful promotion.
- With law enforcement, regulators, courts, rights holders, affected users, or security partners when required by law or reasonably needed to protect rights, safety, or the service.
- In connection with a merger, acquisition, financing, reorganization, asset sale, bankruptcy, or similar business transaction.
No Sale Of Personal Information
XRAYED does not currently sell personal information in the ordinary meaning of that phrase. XRAYED also does not currently use analytics data for cross-context behavioral advertising. If XRAYED later uses personal information in a way that applicable privacy law defines as a sale, share, or targeted advertising use, XRAYED will provide any required notices and controls.
Retention
XRAYED keeps data for as long as needed to provide the service, maintain public publications, support private user features, comply with legal obligations, resolve disputes, enforce agreements, secure the service, and maintain backups.
- Public publications remain public until deleted, hidden, archived, removed, or otherwise changed by an available product or operator path.
- Private Content is retained while the account or relevant product state exists, unless deleted through available product paths or support workflows.
- Account, authentication, legal-acceptance, support, and request records are normally retained while the account exists and then for as long as reasonably needed for security, abuse prevention, dispute resolution, accounting, legal compliance, and audit needs.
- Usage, operational, diagnostic, limit, and security records are normally retained for up to 24 months unless XRAYED reasonably needs them longer for abuse prevention, security review, legal compliance, accounting, audit, or service-integrity reasons.
- Deleted data may remain in backups, logs, caches, distributed copies, provider systems, or legal/security archives until those systems expire or are overwritten under their normal retention cycles.
- XRAYED may shorten or lengthen these defaults when required by law, user request, product deletion behavior, security needs, provider constraints, or a documented business need.
Deletion
Signed-in users may delete owned publications where the product provides a delete action. Signed-in users may also delete certain private product data where the product provides those actions.
Account deletion is handled through XRAYED's account lifecycle path and may remove or de-identify account data, authored content, private product data, feedback linked to the account, and user-scoped usage records where required or reasonably feasible. Some records may survive where retention is needed for legal, security, integrity, accounting, backup, abuse-prevention, or third-party dependency reasons.
To request account deletion, use the Account Deletion page. For privacy assistance, contact support@xrayed.co from the email associated with your account.
Security
XRAYED uses reasonable safeguards designed to protect data, including access controls, private handling for non-public content, limited public data exposure, abuse-prevention controls, operational monitoring, provider security expectations, and deletion or retention workflows. No safeguard can guarantee absolute security.
If XRAYED identifies a breach or provider incident that requires notice, XRAYED will investigate and notify affected people, regulators, providers, or other parties as required by applicable law.
International Processing
XRAYED and its providers may process data in the United States, the European Economic Area, and other countries. Data protection laws may differ from the laws where you live. Where required, XRAYED relies on appropriate transfer mechanisms, provider terms, data-processing terms, or other lawful bases.
Legal Bases
Where privacy law requires a legal basis, XRAYED may process data because it is needed to provide the service, because XRAYED has a legitimate interest in operating, securing, improving, and promoting the service, because you consented, because processing is needed for legal obligations, or because processing is needed to protect rights, safety, and the public.
Your Rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. You may also have rights to withdraw consent, appeal a privacy decision, or complain to a regulator, including the Belgian Data Protection Authority where applicable.
XRAYED will not discriminate against users for exercising privacy rights where applicable law prohibits discrimination. To make a request, contact support@xrayed.co. XRAYED may need to verify your identity before responding.
Children
XRAYED is not intended for children under 13. XRAYED does not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to XRAYED, contact support@xrayed.co.
Changes
XRAYED may update this Privacy Policy from time to time. The updated date shows when it was last revised. Continued use of XRAYED after an update means the updated policy applies to your use of the service.
Contact XRAYED at support@xrayed.co. XRAYED is operated by VONDOU SRL, Rue Baron de Castro 37, 1040 Brussels, Belgium. Enterprise / VAT number: BE 0758.768.048.