Privacy Policy

Last updated: March 1, 2026

1. Introduction

Xlne (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy of our users and their clients. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you use the Xlne platform and related services (the “Service”).

This policy applies to all users of the Service worldwide and addresses the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable data protection laws.

2. Data Controller & Processor Roles

Xlne as Data Controller: When we collect your account information (name, email, billing details), we act as the data controller and are responsible for determining how and why your personal data is processed.

Xlne as Data Processor: When you store your clients’ personal data in the Service (contacts, contracts, survey responses), Xlne acts as a data processor on your behalf. You, the user, are the data controller for your clients’ data and are responsible for ensuring lawful collection and processing, obtaining necessary consents, and providing required privacy notices to your clients.

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Full name and business name
  • Email address
  • Password (stored encrypted; we cannot access your plaintext password)
  • Business type and industry

3.2 Billing Information

Payment information (credit card numbers, bank account details) is collected and processed directly by our payment processor, Stripe, Inc. We do not store or have direct access to your full payment card details. We receive only a truncated card number, card type, and billing address from Stripe for reference purposes.

3.3 Client Data (Processor Role)

Data you store about your clients may include:

  • Names, email addresses, phone numbers, mailing addresses
  • Project details, event dates, and preferences
  • Contract content, electronic signatures, and signing metadata (IP address, timestamp, consent records)
  • Payment history and invoicing records
  • Survey responses and feedback
  • Communication history and notes
  • Tags, categories, and custom fields

3.4 Usage Data

We automatically collect:

  • Pages visited and features used within the Service
  • Device information (browser type, operating system, screen resolution)
  • IP address and approximate geographic location
  • Dates and times of access
  • Referring URLs

3.5 Email Engagement Data

For transactional and automated emails sent through the Service, we may track delivery status, open rates, and click-through rates to provide analytics and ensure deliverability.

4. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Operate and maintain your account, process transactions, deliver emails, and execute electronic signatures
  • Improve the Service: Analyze usage patterns to improve features, fix bugs, and develop new functionality
  • Communicate with you: Send account notifications, billing receipts, security alerts, and service updates
  • Provide support: Respond to your inquiries and resolve technical issues
  • Ensure security: Detect, prevent, and address fraud, abuse, and security threats
  • Comply with law: Fulfill our legal obligations and respond to lawful requests from authorities

We do not use your personal data or your clients’ data for advertising, sell your data to third parties, or use your data to build profiles for unrelated purposes.

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, manage your account, and process payments
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for service improvement, security, fraud prevention, and analytics, where our interests do not override your rights
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable law, such as tax obligations or legal requests
  • Consent (Art. 6(1)(a) GDPR): Processing based on your freely given, specific, informed consent, such as marketing communications. You may withdraw consent at any time

6. Data Sharing & Third Parties

We share your personal data only with the following categories of third parties, solely as necessary to provide the Service:

Provider | Purpose | Data Shared
Supabase | Database hosting & authentication | Account data, client data, application data
Stripe | Payment processing | Name, email, billing address, payment details
Vercel | Application hosting & CDN | IP address, usage data, page views
Resend | Transactional email delivery | Recipient email, name, email content

We may also disclose your information:

  • To comply with a legal obligation, court order, subpoena, or governmental request
  • To protect our rights, property, or safety, or that of our users or the public
  • In connection with a merger, acquisition, or sale of assets (you will be notified of any change in data controller)

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:

  • We will delete or anonymize your data within 30 days, except where retention is required by law
  • Billing and transaction records may be retained for up to 7 years for tax and legal compliance
  • Electronic signature audit trails may be retained as long as legally required to support the enforceability of signed documents
  • Aggregated, de-identified data may be retained indefinitely for analytics purposes

8. Cookies & Tracking Technologies

We use the following tracking technologies:

  • Essential Cookies: Required for authentication and session management. These cannot be disabled.
  • Analytics (Vercel Analytics): We use Vercel Analytics to collect anonymized, aggregate usage data. Vercel Analytics is privacy-friendly and does not use cookies or track individual users across sites.

We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share data
  • Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA. Therefore, there is no need to opt out
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@xlne.net. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Categories of personal information collected in the preceding 12 months: identifiers (name, email), commercial information (billing records), internet activity (usage data), and professional information (business name, industry). We have not sold any personal information.

10. European & UK Data Subject Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR/UK GDPR:

  • Right of Access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of it
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data (“right to be forgotten”), subject to legal retention requirements
  • Right to Restriction (Art. 18): Request that we restrict processing of your data under certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority (supervisory authority)

To exercise these rights, contact us at privacy@xlne.net. We will respond within 30 days as required by the GDPR.

10.1 International Data Transfers

Your data is primarily stored and processed in the United States. If you are located outside the United States, your data will be transferred to the US. We protect international transfers using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Technical and organizational security measures

10.2 Data Processing Agreement (DPA)

If you require a Data Processing Agreement for GDPR compliance, please contact us at privacy@xlne.net and we will provide one.

11. Additional Jurisdiction-Specific Rights

11.1 New York

New York residents may exercise their privacy rights under applicable New York law. The New York SHIELD Act requires us to implement reasonable safeguards to protect private information of New York residents. We comply with these requirements through encryption, access controls, regular security assessments, and incident response procedures.

11.2 Virginia (VCDPA)

Virginia residents have rights to access, correct, delete, and obtain a copy of their personal data, and the right to opt out of targeted advertising, sale of data, and profiling. We do not engage in any of these activities.

11.3 Colorado (CPA) & Connecticut (CTDPA)

Residents of Colorado and Connecticut have similar rights to those described above. Contact us at privacy@xlne.net to exercise your rights.

11.4 Canada (PIPEDA)

Canadian users’ personal information is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access, correct, and withdraw consent for the collection and use of your personal information.

11.5 Australia (Privacy Act 1988)

Australian users’ personal information is handled in accordance with the Australian Privacy Principles. You may access and correct your personal information by contacting us. Complaints may be directed to the Office of the Australian Information Commissioner.

12. Artificial Intelligence Features

The Service includes an AI-powered feature called “Ace” (Studio Manager AI) that uses third-party large language models to provide business advice, draft emails, and analyze your business data. When you use Ace:

  • Your messages and relevant business context (bookings, contracts, pipeline data) are sent to our AI provider (Anthropic) for processing
  • AI-generated responses may be inaccurate, incomplete, or outdated. You should independently verify any important information before acting on it
  • Your conversations with Ace are stored locally on your device and are not used to train AI models
  • You can clear your chat history at any time using the refresh button in the Ace chat interface

13. Children’s Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal data from a child under the applicable age, we will take steps to promptly delete such data. If you believe a child has provided us with personal information, please contact us at privacy@xlne.net.

14. Security Measures

We implement industry-standard technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Secure authentication with password hashing (bcrypt/argon2)
  • Row-level security policies for multi-tenant data isolation
  • Regular security reviews and vulnerability assessments
  • Strict access controls and principle of least privilege
  • Audit logging for sensitive operations

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

15. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours of becoming aware of the breach, as required by GDPR (where applicable)
  • Notify the relevant supervisory authorities as required by applicable law
  • Provide information about the nature of the breach, the data affected, and steps you can take to protect yourself
  • Comply with all applicable state breach notification laws, including California (Cal. Civ. Code § 1798.82), New York (N.Y. Gen. Bus. Law § 899-aa), and others

16. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. Since there is no industry-standard interpretation of DNT signals, we do not currently alter our data practices in response to DNT signals. However, as stated above, we do not engage in cross-site tracking or third-party advertising tracking.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.