Xizor

Privacy

This notice describes what data Xizor collects, why, and how to exercise your rights under the GDPR.

1. Controller

The controller for the processing of personal data on this site is Valentin Lionel Weinert (Dr.-Rohmer-Weg 11, 65719 Hofheim am Taunus, Deutschland). Contact: hello@xizor.dev.

2. Waitlist & product updates (newsletter)

Purpose: When you submit your email on xizor.dev, we add you to a waitlist so we can notify you when Xizor opens beta access and ships product updates.

Legal basis: Your consent — Art. 6 (1)(a) GDPR. We confirm the consent through a double-opt-in: a confirmation link is sent to the address you entered, and your subscription is only stored as confirmed once you click that link. This is in line with BGH case law on § 7 (2) Nr. 3 UWG.

Data we store: Email address, signup timestamp, confirmation timestamp, the consent text and version you agreed to, the IP address and User-Agent at signup and at confirmation (required as proof of consent under Art. 7 GDPR), and — if present — the UTM parameters of the page that referred you.

Recipients / processors: Email delivery is performed by Resend (Resend, Inc., USA) on the basis of a data processing agreement (Art. 28 GDPR). Storage runs on Supabase (Supabase Inc., USA) with EU-region hosting (eu-central-1) and an Art. 28 DPA. Bot protection on the signup form is provided by Cloudflare Turnstile (Cloudflare, Inc., USA); on submit, Turnstile transmits your IP address and a set of non-identifying browser characteristics (user-agent, hardware indicators, rendering signals) to Cloudflare to distinguish a real browser from a bot. Legal basis is our legitimate interest in spam and abuse prevention (Art. 6 (1)(f) GDPR). See the Turnstile Privacy Addendum for details.

Retention: Email and consent metadata are kept for as long as you stay subscribed. After you unsubscribe we retain the email address on a suppression list (so we never accidentally write to you again) and the consent record for up to three years thereafter to be able to disprove abusive complaints; the data is then deleted.

Your rights: You can withdraw your consent at any time with effect for the future, either via the unsubscribe link in every email (one-click) or by writing to hello@xizor.dev. You also have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), and data portability (Art. 20), and to lodge a complaint with a supervisory authority (Art. 77). The competent authority for Xizor is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden.

What goes in the confirmation mail: Only the confirmation request and the imprint. No product copy, no promotional content — under settled German case law (e.g. LG Stendal, judgment of 12 May 2021, 22 S 87/20) any advertising element in the double-opt-in mail itself counts as unsolicited advertising under § 7 (2) Nr. 3 UWG.

3. Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1)(f) GDPR.

For us this concerns the use of Cloudflare Turnstile during form submission and our standard server logs. If you object, we will no longer process the affected data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing (e.g. our newsletter), you have the right to object at any time without justification — Art. 21 (2) GDPR. Use the one-click unsubscribe link in any of our emails or write to hello@xizor.dev.

4. Automated decision-making (Art. 22 GDPR)

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 (1) GDPR). Cloudflare Turnstile performs an automated bot/human classification, but a negative result only blocks the form submission — it does not produce legal or comparable effects. You can re-submit, contact us by email, or disable JavaScript-based protections by writing to hello@xizor.dev.

5. Site analytics, cookies, tracking

Xizor runs without third-party analytics, advertising cookies, fingerprinting scripts, or marketing pixels. The only network calls the marketing site makes are to Vercel (hosting) on page load and to Cloudflare Turnstile while you submit the waitlist form.

We do not store cookies or use any other technique covered by § 25 (1) TDDDG on page load. Cloudflare Turnstile sets storage entries on the user device only when you submit the form; this is strictly necessary to provide the service you explicitly requested (§ 25 (2) Nr. 2 TDDDG).

6. Hosting & infrastructure

The site is hosted on Vercel Inc. (USA), with EU edge regions for requests originating in Europe. Standard server logs (IP address, User-Agent, referrer, timestamp, response status) are retained for up to 30 days for security and abuse prevention on the basis of our legitimate interest (Art. 6 (1)(f) GDPR). An Art. 28 GDPR data processing agreement is in place.

7. International transfers

Personal data may be processed outside the EU/EEA, in particular in the United States, by the following providers:

  • Vercel, Inc. — hosting; certified under the EU-U.S. Data Privacy Framework (DPF).
  • Resend, Inc. — transactional email; certified under the EU-U.S. Data Privacy Framework (DPF).
  • Cloudflare, Inc. — bot protection (Turnstile); certified under the EU-U.S. Data Privacy Framework (DPF).
  • Supabase Inc. — database (EU-region storage). Where Supabase processes data outside the EU/EEA, transfers rely on the EU Commission's Standard Contractual Clauses.

The primary transfer mechanism is the European Commission's adequacy decision under the EU-U.S. Data Privacy Framework (Art. 45 (3) GDPR, Implementing Decision (EU) 2023/1795 of 10 July 2023). Where a provider is not DPF-certified, transfers rely on the EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) plus, where applicable, supplementary technical measures (encryption in transit and at rest).

Note on the U.S. CLOUD Act: where personal data is held by a U.S.-incorporated processor (such as Supabase Inc.), U.S. authorities may, in principle, compel disclosure regardless of EU storage location. We commit to challenge over-broad requests and to inform affected data subjects to the extent legally permitted.

8. Changes

We update this notice when our processing changes. The version currently in force is dated 2026-04-29.