Incident & Breach Disclosure Policy

This policy explains how Xenith detects, responds to, and communicates about security incidents and personal-data breaches. We take any incident seriously and aim to be transparent with affected users.

A security incident is any event that compromises, or has a reasonable likelihood of compromising, the confidentiality, integrity, or availability of your data or the Service. A personal-data breach is an incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your personal data.

• Detect & contain — investigate the report or alert, contain the issue, and stop further exposure.
• Assess — determine what data and which users were affected and the level of risk.
• Remediate — fix the root cause, rotate credentials where needed, and restore secure operation.
• Notify — inform affected users and any required authorities.
• Review — conduct a post-incident review and strengthen controls to prevent recurrence.

If a breach is likely to affect your personal data, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of it. Notifications are sent by email to the address on your account and, where appropriate, shown in the app. Our notice will describe, to the extent known:

• The nature of the incident and the data involved.
• The likely consequences and the steps we have taken.
• Recommended actions you can take to protect yourself.
• How to contact us for more information.

Where required by applicable law, we will report qualifying breaches to the relevant data protection authority within the legally mandated timeframe.

If you believe your account has been compromised or you have noticed a security problem, contact us immediately at security@xenith.life. For privacy-specific questions, you can also reach privacy@xenith.life.