PRIVACY

Your privacy, by design.

What we collect, what we never do, and how your data stays yours.

Last updated June 30, 2026

Who we are

Xaron is a privacy-focused gaming community platform. People use Xaron to join and create communities made up of text and voice/video channels, and to exchange direct messages — one-to-one and in groups, including voice and video calls.

This Privacy Policy is provided by Xaron LLC, a Delaware limited liability company ("Xaron," "we," "us," or "our"). It explains what information we collect, how we use it, who we share it with, and the choices and rights you have. It applies to the Xaron website at xaron.co and to the Xaron application and related services (together, the "Service").

By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

How encryption works

Privacy is built into how Xaron handles your conversations, so it is important to understand exactly what we can and cannot access.

  • Direct messages are end-to-end encrypted. Your one-to-one and group direct messages, and your DM voice and video calls, are end-to-end encrypted using the MLS protocol. The keys are derived on your own devices and are never sent to our servers — so Xaron cannot read your direct messages or hear your DM calls. If you enable Ghost Mode for a conversation, those messages are not stored at all.
  • Community channel messages are not end-to-end encrypted. This is by design, so that community owners can moderate the spaces they run. Community messages are encrypted at rest using per-channel keys, so a database breach would not expose their plaintext — but Xaron and the community's owners and moderators can access community channel content. Community voice and video calls may use server-known media keys.

In short: your direct messages are platform-blind — we cannot see them. Community content is moderatable by the people who run the community, and is encrypted at rest.

Information we collect

Account information. When you sign up, we collect the username you choose during onboarding, the email address provided by your sign-in provider, and any profile information you add, such as an avatar and bio. You may optionally link a Steam account. Linking is link-only: we receive a snapshot of your public Steam profile and library, and we never receive your Steam password.

Content you create. We process the content you share on the Service:

  • Community messages (encrypted at rest) and any attachments or media you upload.
  • Direct messages, which are end-to-end encrypted — Xaron cannot read them.

Security and technical information. To keep accounts safe and prevent abuse, we collect your IP address and device/user-agent details. We use these for sign-in, for new-device and new-location security alerts, and for abuse prevention. The IP address and user-agent stored on security logs are automatically erased after approximately 90 days. We also keep session and device records, and we derive an approximate location (city and country) from your IP address. IP geolocation is provided by DB-IP.

Payment information. Payments are handled by our payment processor, Stripe. Xaron does not store full card numbers. We store your subscription status, Stripe customer and subscription identifiers, and payment history such as amounts and dates.

How we use information

We use the information described above to:

  • Provide, operate, and maintain the Service, including your account, communities, channels, and messaging.
  • Authenticate you and keep your account secure, including new-device and new-location alerts.
  • Detect, prevent, and respond to abuse, fraud, and violations of our terms.
  • Process payments, subscriptions, and creator payouts.
  • Send transactional and security-related emails.
  • Provide approximate location for security context, such as showing where a session is signed in.
  • Comply with our legal obligations and enforce our agreements.

What we never do

We want to be explicit about the things Xaron does not do:

  • We do not show advertising.
  • We do not sell, rent, or share your personal data.
  • We do not build behavioral profiles of you.
  • We do not mine your conversations for advertising or to train AI or machine-learning models.

Sharing & subprocessors

We do not sell or rent your personal data. We share information only with the service providers ("subprocessors") that help us run the Service, and only as needed for them to perform their function:

  • Stripe — payment processing and creator payouts (Stripe Connect).
  • Google — "Sign in with Google" authentication.
  • Cloudflare (R2) — media and file storage.
  • Resend — transactional and security emails.
  • LiveKit — real-time voice and video transport for community calls. DM calls remain end-to-end encrypted.
  • DB-IP — a local IP-geolocation database. No personal data is sent to DB-IP.

We host the Service on EU-based dedicated infrastructure provided by Hetzner in Finland. We may also disclose information where required to comply with applicable law, legal process, or a lawful government request, or to protect the rights, safety, and security of Xaron, our users, or the public.

Legal bases

Where the GDPR (EEA and UK) applies, we rely on the following legal bases to process your personal data:

  • Performance of a contract — to provide the Service you have signed up for, including your account, messaging, and payments.
  • Legitimate interests — to keep the Service and your account secure, to prevent and respond to abuse and fraud, and to operate our business, balanced against your rights and freedoms.
  • Consent — where we ask for it, such as for optional features; you may withdraw consent at any time.
  • Legal obligation — where we must process data to comply with the law, such as keeping certain financial records.

Cookies

We use only a small number of first-party cookies:

  • An HttpOnly session/refresh cookie that keeps you signed in.
  • Cookies that remember your theme and language preferences.

We do not use third-party advertising cookies or cross-site tracking cookies.

Data retention

We keep personal data only as long as we need it:

  • Security logs. The IP address and user-agent stored on security logs are erased after approximately 90 days.
  • Deleted accounts. When you delete your account, it is first soft-deleted and then anonymized or purged after 30 days. The one exception is accounts banned for violations, which we retain so that the ban remains enforceable. Account content is removed on deletion, subject to backups cycling out over time.
  • Financial records. We keep certain payment and financial records for as long as the law requires.

Security

We protect your data with measures including end-to-end encryption for direct messages and DM calls, encryption at rest for community content, HttpOnly session cookies, and security alerts for new devices and locations. No system can be guaranteed perfectly secure, but we work to protect your information. For more detail, please see our Security page.

International transfers

Xaron is based in the United States (Delaware) and runs its infrastructure on EU-based servers. As a result, your information may be processed in both the United States and the European Union, which may have data-protection laws that differ from those in your country. Where required, we put appropriate safeguards in place for such transfers.

Children

The Service is intended for users who are at least 13 years old (in the United States). Where local law sets a higher minimum age for digital consent — for example, 16 in parts of the EU/EEA — you must meet that age or have the consent of a parent or guardian. Xaron is not directed to children under 13, and we do not knowingly collect personal data from them. If you believe a child under the applicable age has provided us personal data, please contact us so we can address it.

Your rights & choices

You can exercise the following directly in the app, in most cases from your settings:

  • Access and export your data.
  • Correct inaccurate profile information.
  • Delete your account and associated data.
  • Manage sessions and devices, including signing out devices.
  • Opt out of certain security emails.

If you need help exercising any of these, contact us at privacy@xaron.co.

California privacy rights

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the following rights:

  • Right to know what personal information we collect about you and how we use and disclose it.
  • Right to delete the personal information we hold about you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the "sale" or "sharing" of personal information. Xaron does not sell or share your personal information, so there is nothing to opt out of.
  • Right to non-discrimination — we will not treat you differently for exercising any of these rights.

To exercise these rights, contact us at privacy@xaron.co.

EEA & UK rights

If you are in the European Economic Area or the United Kingdom, the GDPR gives you the following rights regarding your personal data:

  • Access — to obtain a copy of the personal data we hold about you.
  • Rectification — to correct inaccurate or incomplete data.
  • Erasure — to have your data deleted (the "right to be forgotten").
  • Portability — to receive your data in a portable format.
  • Objection — to object to processing based on our legitimate interests.
  • Restriction — to limit how we process your data in certain circumstances.

You also have the right to lodge a complaint with your local supervisory authority. To exercise any of these rights, contact us at privacy@xaron.co.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the date shown on this page and, where appropriate, notify you. Your continued use of the Service after an update means you accept the revised policy.

Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at privacy@xaron.co, or by mail at Xaron LLC, 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States.