Privacy

Xavier Coiffic, sole trader, registered in Mauritius, is the data controller for personal data collected through this website. There is no separate Data Protection Officer; data requests are handled directly by Xavier at hi@xavier.mu.

The contact form on this site collects four fields: your name, email address, subject, and message. These are the only personal data points the site asks you for.

If you start a voice call with the XAE AI assistant, the audio of the call and a transcript of the conversation are processed by ElevenLabs. This is described in detail in the ElevenLabs section below.

If you accept analytics, Google Analytics 4 collects standard pseudonymous interaction data: pages viewed, referring source, approximate location (country/city, derived from a truncated IP), device and browser type, and session duration. IP addresses are anonymised before storage. If you decline, no analytics cookies are set and no analytics events are sent.

Contact form data is processed on the basis of your request to be contacted (Article 6(1)(b) GDPR — pre-contractual steps) and Xavier's legitimate interest in replying to enquiries about his services (Article 6(1)(f) GDPR).

Voice conversations with the XAE AI assistant are processed on the basis of your explicit consent (Article 6(1)(a) GDPR), which is given when you start a call.

Analytics data is processed on the basis of your explicit consent (Article 6(1)(a) GDPR), given through the consent banner. You can withdraw it at any time on this page.

The site uses a small number of vetted processors. Each one only sees the data it needs to do its job:

Vercel (United States, with EU edge regions) hosts the website and stores standard server logs (IP address, request path, response code) for short-lived security and operations purposes.

Postmark (United States) delivers contact-form emails to Xavier's inbox. Postmark holds delivery metadata and the message body for the duration required by its retention policy.

Xavier's email inbox (hi@xavier.mu) receives and stores enquiry messages so that Xavier can reply and maintain the conversation.

ClickUp (United States) is used as the project management system. When an enquiry becomes an active engagement, your name, email, and the substance of the project may be added to a ClickUp workspace so the work can be tracked.

A CRM is used to keep track of contacts and conversations across active engagements. Your name, email, and the history of our exchanges may be stored there.

Cloudflare Turnstile (United States/global) is used on the contact form to filter out automated submissions. It receives a challenge token and basic browser signals; it does not see the contents of your message.

ElevenLabs (United States) powers the XAE AI voice assistant. When you start a call, the audio of your speech and a written transcript of the conversation are processed by ElevenLabs to operate the assistant. ElevenLabs may retain these recordings and transcripts in accordance with its own privacy policy. If you do not want this to happen, do not start a call.

Google Analytics 4 (Google Ireland Ltd / Google LLC) records pseudonymous usage data, only if you accept analytics in the consent banner.

Several of the processors above are based in the United States. Where personal data is transferred outside the European Economic Area, the transfer is covered by the EU–US Data Privacy Framework (where the processor is certified) or by Standard Contractual Clauses approved by the European Commission. Mauritius DPA 2017 transfer requirements are met by the same safeguards.

Contact-form messages and email exchanges are kept for as long as needed to reply and to maintain the conversation. If a project becomes an active engagement, related correspondence and CRM records are retained for the duration of the engagement and for 6 months after the engagement ends, after which they are deleted unless a longer retention is required by law (e.g. tax records).

Server logs are kept for the short retention period set by the hosting provider (Vercel — typically 30 days).

Google Analytics data is retained for 14 months, then automatically deleted.

ElevenLabs voice and transcript retention is governed by the ElevenLabs privacy policy. You can request deletion of your conversation by emailing hi@xavier.mu and the request will be forwarded to ElevenLabs.

The site sets one small functional item in your browser to remember your consent choice (xv-consent), so the banner does not reappear on every page. This is not a tracking cookie.

If you accept analytics, Google Analytics sets its standard _ga and _ga_* cookies for measurement.

If you reject analytics, no analytics cookies are set.

You can change your choice at any time using the Manage cookies button at the bottom of this page.

Under GDPR (and equivalent rights under the Mauritius DPA 2017), you have the right to: access the personal data held about you, ask for correction of inaccurate data, ask for deletion (the right to be forgotten), restrict or object to processing, withdraw consent at any time, and request a portable copy of your data. You also have the right to lodge a complaint with a supervisory authority — for EU residents, the data protection authority of your country; for Mauritius residents, the Data Protection Office.

To exercise any of these rights, email hi@xavier.mu. Identity verification may be requested before acting on the request. A response will be provided within 30 days.

The site is not directed at children under 16. No data is knowingly collected from anyone in this age group. If you believe a child has submitted personal data through the site, contact hi@xavier.mu and the data will be deleted.

This privacy notice may be updated to reflect changes in the tools used or the law that applies. The 'Last updated' date at the top of the page reflects the most recent change. Material changes will be communicated through the consent banner.

For any question about this notice, or to exercise your rights, write to hi@xavier.mu.