Privacy Policy

Last updated: March 27, 2026

Xale is a proprietary platform operated by Marketlube. Xale ("we," "our," or "us") operates the Xale CRM platform accessible at xale.in. This policy explains how we collect, use, and protect your information.

1. Information We Collect

Account Information

• Full name, email address, and phone number
• Password (stored securely in hashed form)
• Profile picture and organization details

Lead & Customer Data

• Contact information (name, email, phone, WhatsApp number, address)
• Sales pipeline stage, status history, and activity logs
• Notes, follow-up dates, payment records, and documents

Communication Data

• WhatsApp messages: Content, media files, delivery/read receipts, timestamps, and sender/recipient phone numbers
• Call logs: Recordings, duration, direction, status, and associated phone numbers
• Internal chat: Messages exchanged between team members within the platform

Data from Third-Party Integrations

• Meta (Facebook/Instagram) Lead Ads: Lead contact info submitted through your Meta Lead Generation Forms — names, emails, phone numbers, custom form responses, Page IDs, and access tokens
• WhatsApp Business API: Business Account ID, phone number, message templates, and all messages/media exchanged
• Google OAuth (Sign-In): Email address and display name from your Google profile
• Gmail API (gmail.send scope): Your Gmail email address, display name, OAuth refresh and access tokens (encrypted at rest), and metadata of messages you send through Xale (subject, recipients, send time, message ID returned by Google). Xale never requests, reads, indexes, or stores the contents of your inbox or received messages.
• TeleCMI: Call metadata, recordings, and agent assignment data

Automatically Collected

• IP address, browser type, device info, and usage patterns
• Login timestamps, session data, and cookies

2. How We Use Your Information

• Provide, operate, and maintain the CRM Service
• Sync leads from Meta Lead Ads, WhatsApp, and telephony providers
• Facilitate WhatsApp messaging — one-on-one and broadcast campaigns
• Enable call tracking, recording, and logging
• Provide analytics, reporting, and sales pipeline management
• Process payments and manage subscriptions
• Send transactional emails (OTP, notifications)
• Automate workflows and lead distribution
• Maintain audit trails and activity logs
• Improve and optimize the Service
• Comply with legal obligations

3. Meta Platform Data

• We access lead data from your Meta Lead Generation Forms solely to import and manage leads within your Xale workspace
• Meta data is used exclusively for lead management, follow-ups, and sales pipeline tracking — never for advertising, data brokering, or profiling
• Access tokens are stored securely and used only to maintain active sync between Meta and your workspace
• You may disconnect your Meta integration at any time from Lead Sources in your dashboard
• Upon disconnection or account deletion, all Meta-sourced data is deleted within 30 days, unless retention is required by law

4. WhatsApp Business Data

• Messages are processed solely to provide messaging capabilities within the CRM
• Message content, media, and receipts are stored to maintain conversation history for your business records
• We do not read, analyze, or use message content for any purpose other than delivering the service
• WhatsApp credentials and tokens are stored securely and used only for the integration
• You may disconnect your WhatsApp Business Account at any time

5. Gmail Integration & Google Limited Use

When you connect a Gmail account to Xale, we request only thehttps://www.googleapis.com/auth/gmail.sendOAuth scope. This scope grants Xale permission to send mail on your behalf. It does not grant access to read, list, modify, or delete messages in your Gmail inbox, drafts, sent folder, labels, or any other Gmail data.

How we use Gmail data:

• To deliver outbound emails composed by you (or by an automation you configured) to recipients you specify within your Xale workspace.
• To display a record of emails Xale itself has sent, alongside the associated lead or deal in your CRM. Only metadata and the body Xale composed are stored — never inbox content.
• To maintain the OAuth connection (refresh access tokens, surface a reconnect prompt if Google revokes access).

What we do NOT do with Gmail data:

• We do not transfer Gmail data to third parties except as necessary to provide or improve the user-facing features of Xale, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with appropriate notice.
• We do not use Gmail data for serving advertising, building advertising profiles, or any advertising purpose.
• We do not allow humans to read Gmail data, except (a) with your explicit consent for specific messages, (b) where necessary for security purposes such as investigating abuse, (c) where required by law, or (d) where the data has been aggregated and anonymized for internal operations such as service quality.
• We do not use Gmail data to train or improve generalized or third-party AI/ML models.

Token security:

• OAuth refresh and access tokens are encrypted at rest using AES-256-GCM before they are written to our database.
• Tokens are never logged, never displayed in the UI, and never returned in API responses.
• You can revoke Xale's access to your Gmail at any time from myaccount.google.com/permissions or by clicking "Disconnect" in Settings → Apps inside Xale. Upon disconnection, Xale revokes the refresh token with Google and deletes the encrypted tokens from our database. The historical record of emails Xale already sent is retained on the relevant lead/deal timeline (in line with Section 8 below); you can request its deletion at any time.

6. Data Sharing & Disclosure

We do not sell your personal data. We share information only:

• Service Providers: Cloud hosting (DigitalOcean), file storage (S3-compatible), payments (Razorpay), email (SMTP), telephony (TeleCMI) — bound by contractual data protections
• Platform Integrations: Data exchanged with Meta, WhatsApp, Google as needed for the features you enable
• Within Your Organization: Data accessible to team members based on role-based access control (Owner, Admin, Manager, Staff, Viewer)
• Legal Requirements: When required by law, regulation, or governmental request
• Business Transfers: In case of merger or acquisition, with prior notice

7. Data Storage & Security

• Passwords hashed using bcrypt — never stored in plaintext
• JWT-based authentication with expiration policies
• Files and media stored in encrypted cloud storage (S3)
• Multi-tenant architecture ensures strict data isolation
• Role-based access control restricts data to authorized users
• CORS policies, input validation, and security hardening

8. Data Retention

• Account data retained while your account is active
• Upon deletion, all data (leads, messages, recordings, documents) permanently deleted within 30 days
• Meta-sourced data deleted within 30 days of disconnection

9. Your Rights

Depending on your jurisdiction, you may:

• Access, correct, or delete your personal data
• Request data portability in a machine-readable format
• Withdraw consent or object to processing

Contact us at privacy@xale.in to exercise these rights.

10. Cookies

We use essential cookies for authentication and session management. You can manage preferences through your browser settings.

11. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy and will notify you by posting the revised version with an updated date. Continued use constitutes acceptance.

13. Contact Us