Privacy Policy

1.1 Welcome to XPOSTO

This Privacy Policy ("Policy") governs the collection, use, storage, disclosure, and processing of personal information by Xposto ("XPOSTO," "we," "us," or "our") in connection with your access to and use of our website located at https://xposto.com (the "Website"), our web-based software-as-a-service platform (the "Platform"), and all related services, features, content, and applications (collectively, the "Services").

1.2 Acceptance of This Policy

By accessing, browsing, or using our Website or Services, or by registering an account with XPOSTO, you ("User," "you," or "your") acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to this Policy in its entirety, you must not access or use our Website or Services.

1.3 Relationship to Terms of Service

This Policy is incorporated into and made part of our Terms of Service ("Terms"). Your use of the Services is also governed by the Terms. In the event of any conflict between this Policy and the Terms, the provisions of this Policy shall prevail with respect to privacy and data protection matters.

1.4 Controller Information

For purposes of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Xposto is the data controller responsible for the processing of your personal information.

2.1 Defined Terms

• 2.1"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: name, email address, postal address, phone number, IP address, device identifiers, payment information, and any other information that can be used to identify, contact, or locate a person.
• 2.2"Processing" means any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, transmission, alignment, combination, restriction, erasure, or destruction.
• 2.3"Data Subject" means an identified or identifiable natural person whose personal data is processed.
• 2.4"Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
• 2.5"Third Party" means any natural or legal person, public authority, agency, or body other than the Data Subject, the controller, the processor, or persons authorized to process personal data under direct authority of the controller or processor.
• 2.6"Services" means all services provided by XPOSTO, including but not limited to social media scheduling, content creation tools, AI-powered content generation, analytics, and related functionalities.
• 2.7"Account" means a registered user account on the XPOSTO Platform required to access and use the Services.
• 2.8"Linked Services" means third-party social media platforms, including but not limited to X (formerly Twitter), that Users connect to their XPOSTO accounts for the purpose of scheduling and publishing content.

3.1 Information You Provide Directly

• (a)Account Registration Information: When you create an XPOSTO account, we collect your name, email address, and password. If you register through a Third-Party Service (such as Google or X/Twitter), we may collect information authorized by that service.
• (b)Profile Information: You may voluntarily provide additional information for your profile, including but not limited to your company name, profile picture, and communication preferences.
• (c)Payment Information: When you purchase a subscription or any paid Services, we collect billing information, including your billing address and payment card details. Payment processing is handled by our third-party payment processors, and we do not store complete payment card numbers on our servers.
• (d)Customer Support Information: When you contact our support team or submit a help request, we collect information you provide, including your name, email address, and the content of your inquiry.
• (e)Communications: We collect information when you communicate with us, including through support tickets, email, or other channels.
• (f)User Content: We collect content you create, upload, or submit to the Platform, including scheduled posts, images, videos, text, and other materials ("User Content").

3.2 Information Collected Automatically

• (a)Device Information: Including your device type, operating system, browser type, unique device identifiers, and mobile network information.
• (b)Usage Data: Including pages visited, time spent on pages, links clicked, features used, and other interaction data.
• (c)IP Address and Location Data: We collect your IP address, which may indicate your general geographic location. We may also collect precise location information if you enable location-based features.
• (d)Log Data: Including access times, referring/exit URLs, and crash reports.

3.3 Information from Third-Party Sources

• (a)Linked Services: When you connect your X/Twitter account to XPOSTO, we may collect information authorized by the Linked Service, including your profile information and published content.
• (b)Third-Party Analytics Providers: We receive usage data from analytics providers to help us understand how users engage with our Services.
• (c)Marketing Partners: We may receive information from marketing partners to help us target our advertising.
• (d)Fraud Prevention Services: We receive information from third-party fraud detection services to help prevent fraudulent activity.

4.1 Direct Collection

We collect information directly from you when you: (a) register for an account; (b) complete your profile; (c) subscribe to our Services; (d) submit content for scheduling; (e) contact customer support; (f) participate in surveys or promotions; (g) communicate with us.

4.2 Automated Collection

We use automated technologies to collect information: (a) Cookies and Similar Technologies: See Article 6 for detailed information. (b) Web Beacons: We use web beacons to track user behavior and collect usage data. (c) Server Logs: Our servers automatically log certain information when you access our Services.

4.3 Third-Party Collection

We receive information from Third Parties as described in Section 3.3.

5.1 Primary Purposes

• (a)To Provide and Improve Our Services: We use your information to deliver, maintain, and improve the functionality of our Services, including processing your transactions, providing customer support, and responding to your requests.
• (b)Account Management: We use your information to create, maintain, and manage your Account, including authentication, authorization, and access control.
• (c)To Process Payments: We use payment information to process subscriptions, purchases, and refunds.
• (d)To Communicate with You: We use your contact information to send you administrative information, respond to your inquiries, provide customer support, and send service-related notifications.
• (e)To Personalize Your Experience: We use your information to personalize content, recommendations, and features based on your preferences and usage patterns.
• (f)To Facilitate Content Publishing: We use your information to schedule, post, and manage content on Linked Services on your behalf.
• (g)To Provide AI Features: We use your information and User Content to power our AI-powered content generation tools, including training and improving our AI models (subject to any separate AI-specific terms).

5.2 Marketing and Advertising

• (a)To send promotional emails about new features, products, or services;
• (b)To conduct targeted advertising on third-party platforms;
• (c)To personalize advertisements based on your interests;
• (d)To measure the effectiveness of our marketing campaigns.

You may opt out of marketing communications at any time as described in Article 12.

5.3 Legal Basis for Processing (EEA/UK Users)

• (a)Consent: Where you have provided Consent for specific processing activities;
• (b)Contract Performance: Where processing is necessary for the performance of a contract to which you are a party;
• (c)Legal Obligation: Where processing is necessary for compliance with a legal obligation;
• (d)Legitimate Interests: Where processing is necessary for our legitimate interests, balanced against your rights and freedoms.

6.1 Types of Cookies We Use

• (a)Essential Cookies: These cookies are strictly necessary to provide our Services and cannot be switched off.
• (b)Performance/Analytics Cookies: These cookies help us understand how visitors interact with our Website and Services.
• (c)Functional Cookies: These cookies enable enhanced functionality and personalization.
• (d)Targeting/Advertising Cookies: These cookies may be set through our site by our advertising partners.

6.2 Cookie Management

You can control or delete cookies through your browser settings. Please note that blocking essential cookies may impact your ability to use our Services.

6.3 Third-Party Analytics

We use third-party analytics providers, including but not limited to Google Analytics, to help us understand how users engage with our Services. These providers may use cookies and similar technologies to collect information about your use of our Services.

6.4 Do Not Track

We do not currently respond to Do Not Track signals from web browsers, as there is no standardized industry framework for such signals.

7.1 Overview

Our Services include integrations and connections to Third-Party Services, including social media platforms (Linked Services), payment processors, analytics providers, and other tools.

7.2 Linked Services

• (a)You authorize us to access and interact with those accounts on your behalf;
• (b)We collect information authorized by the Linked Service, including profile data and published content;
• (c)Your use of Linked Services is governed by the Linked Service's own terms and privacy policies;
• (d)We are not responsible for the data practices of Linked Services.

7.3 Third-Party Service Providers

• (a)Hosting and Infrastructure: Cloud service providers host our Platform and store data;
• (b)Payment Processing: Payment processors handle transaction processing;
• (c)Customer Support: Help desk providers support our customer service operations;
• (d)Analytics: Analytics providers help us understand user behavior;
• (e)Email Communications: Email service providers deliver our communications.

7.4 Third-Party Links

Our Website and Services may contain links to third-party websites, services, or applications that are not operated by XPOSTO. We are not responsible for the privacy practices of these Third Parties, and we encourage you to review their privacy policies.

8.1 Sharing Overview

We may share your personal information in the following circumstances:

8.2 Service Providers

We share personal information with third-party service providers who perform services on our behalf. These service providers are contractually obligated to protect your personal information and to use it only for the purposes for which we disclose it to them.

8.3 Legal Requirements

We may disclose personal information when required to do so by law or in response to valid requests by public authorities, including: (a) To comply with legal obligations; (b) To respond to governmental requests or legal process; (c) To protect our rights, privacy, safety, or property; (d) To protect against illegal activity or fraud; (e) To enforce our Terms or this Policy.

8.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar transaction, personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

8.5 Aggregated and De‑Identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. Such data may be used for research, analytics, benchmarking, and marketing purposes.

8.6 With Your Consent

We may share personal information with Third Parties when you explicitly consent to such sharing.

8.7 Prohibited Disclosures

We do not sell your personal information to third parties for their marketing purposes without your explicit consent.

9.1 Retention Periods

We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

9.2 Specific Retention Periods

• (a)Account Data: Retained for the duration of your active Account and for up to 30 days after Account deletion.
• (b)User Content: Retained for the duration of your subscription and in accordance with your subscription tier. Upon Account deletion, User Content is permanently removed within 30 days, except as required by law.
• (c)Transaction Data: Retained for a minimum of 7 years for tax and accounting purposes.
• (d)Marketing Data: Retained until you withdraw consent or object to processing.
• (e)Log Data: Retained for a period of 12 months.

9.3 Deletion of Data

Upon Account deletion, we will delete or anonymize your personal information in accordance with applicable law, unless we are required to retain it for legal, tax, or regulatory purposes. After the retention period expires, personal information will be securely deleted or anonymized.

10.1 Security Measures

• (a)Encryption: Data transmitted between your browser and our servers is encrypted using TLS/SSL technology. Sensitive data at rest is encrypted using industry-standard encryption protocols.
• (b)Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis.
• (c)Authentication: We use multi-factor authentication and other authentication mechanisms to protect Accounts.
• (d)Regular Security Audits: We conduct regular security assessments and vulnerability scans.
• (e)Employee Training: Our employees receive training on data protection and security practices.
• (f)Incident Response: We maintain incident response procedures for handling security incidents.

10.2 Limitations

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your personal information. You are responsible for maintaining the confidentiality of your Account credentials and for any unauthorized access resulting from your failure to protect your credentials.

10.3 Security Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, in accordance with applicable law.

11.1 Transfers Worldwide

XPOSTO is a global entity, and your personal information may be transferred to, stored, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from your local laws.

11.2 Safeguards for International Transfers

• (a)Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses for transfers from the EEA/UK to third countries.
• (b)Adequacy Decisions: We rely on adequacy decisions where available.
• (c)Additional Measures: We implement technical and organizational measures to protect data during transfer.

11.3 Your Consent

By using our Services or providing personal information, you consent to the transfer of your information to countries outside your country of residence, including the United States, which may have different data protection laws.

12.1 Your Rights Overview

Depending on your location, you may have certain rights regarding your personal information. We are committed to respecting your rights and will respond to your requests in accordance with applicable law.

12.2 Access and Portability

• (a)Request access to your personal information;
• (b)Request a copy of your personal information in a structured, machine-readable format;
• (c)Request transfer of your personal information to another service provider.

12.3 Correction and Rectification

• (a)Request correction of inaccurate personal information;
• (b)Request completion of incomplete personal information.

12.4 Deletion

You have the right to request deletion of your personal information ("right to be forgotten") when: (a) The personal information is no longer necessary for the purposes for which it was collected; (b) You withdraw consent and there is no other legal basis for processing; (c) You object to the processing and there are no overriding legitimate grounds; (d) The personal information was unlawfully processed.

12.5 Restriction of Processing

You have the right to request restriction of processing in certain circumstances, including when: (a) You contest the accuracy of the personal information; (b) The processing is unlawful, but you oppose deletion; (c) We no longer need the data, but you require it for legal claims.

12.6 Objection to Processing

You have the right to object to processing of your personal information based on: (a) Our legitimate interests; (c) Direct marketing. For direct marketing, we will cease processing upon your objection.

12.7 Withdraw Consent

Where processing is based on your Consent, you have the right to withdraw Consent at any time. Withdrawal of Consent does not affect the lawfulness of processing based on Consent before its withdrawal.

12.8 Opt-Out of Marketing

You may opt out of receiving marketing communications from us by: (a) Clicking the "unsubscribe" link in any marketing email; (b) Updating your communication preferences in your Account settings; (c) Contacting us directly at support@xposto.com.

12.9 Exercising Your Rights

To exercise any of your rights, please contact us at support@xposto.com or submit a request through your Account settings. We will respond to your request within 30 days, unless more time is required by applicable law.

12.10 No Discrimination

We will not discriminate against you for exercising any of your privacy rights, including by denying services, charging different prices, or providing a different level of service quality.

13.1 Age Restrictions

Our Services are not intended for, and we do not knowingly collect personal information from, children under the age of 13 (or the minimum age required by applicable law in your jurisdiction).

13.2 Parental Controls

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at support@xposto.com. Upon verification, we will take appropriate steps to remove such information from our records.

14.1 California Consumer Privacy Act (CCPA)

• (a)Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• (b)Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• (c)Right to Opt-Out: You may opt out of the sale of your personal information. We do not sell personal information.
• (d)Right to Non-Discrimination: We will not discriminate against you for exercising your California privacy rights.

14.2 California Shine the Light

California residents may also request information about our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us at support@xposto.com.

14.3 Exercising California Rights

To exercise your California privacy rights, please contact us at support@xposto.com. We will verify your request and respond within 45 days, as required by law.

15.1 GDPR Applicability

This Article 15 applies to Data Subjects located in the European Economic Area (EEA) or United Kingdom.

15.2 Controller and DPO

Xposto is the data controller. Our Data Protection Officer can be contacted at support@xposto.com.

15.3 Legal Basis for Processing

We process personal information on the following legal bases (see Article 5.3 for details): (a) Consent; (b) Contract performance; (c) Legal obligation; (d) Legitimate interests.

15.4 Your Rights Under GDPR

In addition to the rights in Article 12, you have the right under GDPR to: (a) Lodge a complaint with a supervisory authority; (b) Receive your personal information in a portable format; (c) Object to automated decision-making and profiling.

15.5 International Transfers

For transfers outside the EEA/UK, we implement appropriate safeguards as described in Article 11.

15.6 Data Protection Representative

Our EU representative can be contacted at: support@xposto.com

16.1 Modifications

We may modify this Policy from time to time. We will provide notice of material changes by: (a) Posting the updated Policy on our Website with a new "Last Updated" date; (b) Sending you an email notification for significant changes (for registered users); (c) Displaying a notice within the Services.

16.2 Review Period

We will provide at least 30 days' notice before material changes take effect, except where: (a) Changes are required by law (which may take effect immediately); (b) Changes are necessary to address security, fraud, or abuse issues; (c) Changes do not materially affect your rights.

16.3 Acceptance of Changes

Your continued use of the Services after the effective date of any modified Policy constitutes acceptance of the modified Policy. If you do not agree to the modified Policy, you must stop using our Services and may delete your Account.

17.1 Governing Law

This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles.

17.2 Jurisdiction

Any disputes arising under or related to this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Delaware, United States, and you hereby consent to the personal jurisdiction of such courts.

18.1 Questions and Concerns

If you have any questions, concerns, or complaints about this Policy or our data practices, please contact us:

18.2 Data Subject Requests

For data subject access requests, deletion requests, or other privacy-related inquiries, please contact us at support@xposto.com.