Privacy Policy

Legal information regarding the collection, use, and protection of personal data.

Last updated: 10 April 2026

1. Introduction

XD's Cloud ("XD's Cloud", "we", "our", or "us") operates a cloud hosting platform (the "Services"). This Privacy Policy explains how we collect, use, store, and protect personal information in compliance with the Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), and applicable international privacy laws including GDPR, UK GDPR, CCPA/CPRA, and other regional data protection regulations where applicable.

By accessing, registering for, or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, you must not use the Services. This policy is binding and enforceable against you.

2. Definitions and Interpretations

"Personal Data" means information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, erasure, or destruction."Data Controller"means the entity determining purposes and means of Processing (XD's Cloud). "Data Processor" means third parties Processing Personal Data on our behalf.

3. Information We Collect

We collect the following categories of Personal Data:

  • Identifying information: Name, username, user ID, and account identifiers
  • Contact information: Email address, phone number (if provided), and other contact details
  • Technical data: IP address, device identifiers, browser type, operating system, and device information
  • Location data: Approximate geographic location derived from IP address and usage patterns
  • Service usage data: Service and system logs, API calls, access timestamps, error reports, and usage statistics
  • Payment information: Billing address, payment method details (processed by payment processors, not stored directly)
  • Content data: Files, configurations, and data uploaded to the Services (processed at your direction)
  • Communication data: Messages, support tickets, feedback, and communications with our team
  • Behavioral data: Navigation patterns, feature usage, and interaction data with the platform

4. Legal Basis for Processing

We process Personal Data based on the following legal bases, as applicable under GDPR, Australian Privacy Principles, and other applicable laws:

  • Contract Performance: Processing necessary to provide Services and fulfill contractual obligations
  • Legal Compliance: Processing required to comply with legal obligations, court orders, and regulatory requirements
  • Legitimate Interests: Processing necessary for security, fraud prevention, abuse detection, service improvement, analytics, and business operations, where not overridden by your rights
  • Consent: Processing based on explicit consent where required by law, with the right to withdraw consent at any time
  • Vital Interests: Processing necessary to protect health, safety, or vital interests of individuals
  • Public Task: Processing necessary to perform tasks in the public interest or official authority

5. Authentication and Account Management

We use Clerk as our third-party Data Processor for authentication and identity management. Clerk processes identifying and contact information, including name and email address, for authentication, account security, and session management purposes under a Data Processing Agreement. XD's Cloud does not store, access, or process user passwords; authentication is managed entirely by Clerk.

Email addresses are used by XD's Cloud for account-related communications only, including verification, password resets, account notifications, billing updates, security alerts, incident notices, and legal compliance matters. You may adjust communication preferences through your account settings. Transactional and security-related emails cannot be disabled.

6. Database and Data Storage

We use Neon as our managed PostgreSQL database provider and Data Processor to store account metadata, configuration data, and Personal Data on our behalf under a Data Processing Agreement. Neon may process and store names, email addresses, service metadata, and usage information with industry-standard security protections.

Data is protected using encryption in transit (TLS/SSL) and at rest using AES-256 encryption where supported. Regular security audits, automated backups, and disaster recovery procedures are maintained. Access to databases is restricted to authorized personnel with authentication and audit logging.

7. Networking and Connectivity Services

We use Playit.gg as a Data Processor to provide networking, tunneling, and connectivity services for hosted services under a Data Processing Agreement. Playit.gg processes IP addresses, connection metadata, traffic information, and routing data to enable service delivery and network optimization.

This data is processed solely for technical purposes including traffic routing, network security, DDoS mitigation, and service availability. No logging of user content occurs at the networking layer.

8. Email Delivery and Communications

We use Mailtrap as a Data Processor for email delivery services under a Data Processing Agreement. Mailtrap processes email addresses, email content (for transactional messages), and metadata to deliver account notifications, security alerts, and service-related communications.

You may opt out of non-transactional communications through unsubscribe links or account settings. Transactional and security-related emails required for account operation cannot be disabled.

9. Payment Processing

We use Stripe as a Data Processor for payment processing and billing services under a Data Processing Agreement. Stripe processes payment information, billing address, transaction data, and related payment metadata to facilitate subscription billing, payment collection, and financial reporting for the Services.

Stripe does not store full credit card details on our servers. Payment information is processed securely by Stripe in accordance with Payment Card Industry (PCI) Data Security Standards. Stripe's privacy practices are governed by Stripe's Privacy Policy, and you may review their data handling practices at stripe.com/privacy.

10. Use of Information

Collected Personal Data is used for the following purposes:

  • Provide, operate, maintain, and improve the Services
  • Authenticate users and manage accounts securely
  • Monitor performance, stability, availability, and service quality
  • Detect, investigate, prevent, and respond to fraud, abuse, unauthorized access, security incidents, and policy violations
  • Enforce our Terms of Service and other agreements and policies
  • Comply with legal and regulatory obligations, court orders, and governmental requests
  • Communicate with you about your account, Services, changes, and important notices
  • Conduct analytics, research, and generate anonymized or aggregated statistics
  • Personalize your experience and tailor Services to your needs
  • Protect rights, privacy, safety, and property of XD's Cloud, users, and the public
  • Facilitate business operations including accounting, auditing, and compliance

11. Service Monitoring and Logs

We maintain service logs and monitoring systems for operational, security, and diagnostic purposes. Logs may include IP addresses, timestamps, API endpoints, request methods, response codes, user agents, and error information.

Logging is never used for marketing, profiling, behavioral tracking, or any purpose beyond operational and security needs. Log data is aggregated and anonymized where possible. Access to logs is restricted to authorized personnel for legitimate operational purposes.

12. Children's Privacy

The Services are not intended for, and we do not knowingly collect Personal Data from, individuals under 13 years of age (or the applicable age of digital consent in your jurisdiction). If we discover that a child has provided Personal Data, we will delete such data promptly and terminate the child's account.

For minors who are of legal age (13+), we apply enhanced privacy protections. Parents or guardians may contact us to review, update, or delete a minor's Personal Data.

13. Data Sharing and Disclosure

Non-Sale of Data: We do not sell, rent, trade, or share Personal Data with third parties for monetary consideration.

Data Processors and Subprocessors: We share Personal Data with trusted Data Processors only when necessary to provide the Services, under written Data Processing Agreements with confidentiality and security obligations:

  • Clerk (authentication and identity management)
  • Neon (database storage and infrastructure)
  • Playit.gg (network connectivity and tunneling)
  • Mailtrap (email delivery services)
  • Stripe (payment processing and billing)

We maintain a current list of all subprocessors and notify you of material changes to subprocessor arrangements. You may object to the use of new subprocessors by contacting us within 14 days of notification.

Legal and Regulatory Disclosure: We may disclose Personal Data to comply with applicable law, legal process, governmental requests, court orders, subpoenas, and regulatory requirements. We will provide notice where legally permitted.

Business Transfers: If XD's Cloud is acquired, merged, or sells assets, Personal Data may be transferred as part of that transaction. You will be notified of any change in ownership or control of your Personal Data.

Aggregated and Anonymized Data: We may share aggregated, anonymized, or de-identified data that cannot identify individuals for analytics, research, and business purposes without restriction or notice.

With Your Consent: We may share Personal Data with third parties only with your explicit, informed consent for purposes you have authorized.

14. Data Retention

We retain Personal Data only as long as necessary for the purposes for which it was collected or as required by applicable law. Retention periods vary by data category:

  • Account data (name, email): Retained for the duration of your account, plus 7 years for legal, tax, and accounting compliance under Australian law
  • Service logs (general): Retained for 90 days for operational and security monitoring
  • Security incident logs: Retained for up to 7 years for forensic analysis and legal defense
  • IP addresses and technical data: Retained for 30 days for security, abuse prevention, and fraud detection
  • Payment and billing records: Retained for 7 years per Australian tax and accounting requirements
  • Support and communication records: Retained for 3 years unless longer retention is legally required
  • Deleted account data: Deleted within 30 days unless legal holds, litigation, regulatory investigations, or financial obligations require longer retention
  • Aggregated and anonymized data: May be retained indefinitely

Even after deletion, residual copies may exist in backups for a limited period. We will make reasonable efforts to purge data from active systems. You may request earlier deletion subject to legal obligations.

15. Data Subject Rights

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

  • Right of Access: Request a copy of the Personal Data we hold about you in a structured, commonly-used format
  • Right to Correction: Request correction of inaccurate or incomplete Personal Data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Data, subject to legal and operational constraints
  • Right to Restrict Processing: Request that we limit processing of your Personal Data to storage only
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Data Portability: Request your Personal Data in a portable, machine-readable format (CSV, JSON, or XML) suitable for transfer to another provider
  • Right to Withdraw Consent: Withdraw consent to Processing at any time (does not affect lawfulness of prior Processing)
  • Right to Lodge a Complaint: File a complaint with the relevant data protection authority in your jurisdiction
  • Right Not to Be Subject to Automated Decision-Making: Have decisions not made solely by automated means that produce legal or significant effects

To exercise these rights, contact us at contact@xdpxi.dev with sufficient identification. We will respond within 30 days (or as required by law). Some requests may incur reasonable fees for disproportionate or manifestly unfounded requests.

16. Cookies and Tracking Technologies

We use cookies and similar tracking technologies for the following purposes:

  • Essential/Strictly Necessary: Required for authentication, session management, security, and basic functionality
  • Performance/Analytics: Used to monitor platform performance, error rates, user behavior patterns, and reliability
  • Preference: Remember your settings and preferences for enhanced experience
  • No Marketing Cookies: We do not use cookies for advertising, behavioral profiling, or third-party tracking

Cookie Management: You may configure your browser to block or delete cookies. Blocking essential cookies may prevent login, impair functionality, or disable security features. We provide cookie preference settings in your account.

Do Not Track (DNT): We honor Do Not Track signals sent by your browser. Users with DNT enabled will not be subject to analytical or performance tracking. Essential cookies required for authentication and security may still be used.

We use only first-party cookies; we do not allow third-party tracking cookies, web beacons, or pixels for advertising purposes.

17. Marketing and Communications Preferences

We may send you marketing communications, product updates, newsletters, and promotional content only with your consent (where required by law) or based on our legitimate interest in communicating about Services.

Opt-Out: You may unsubscribe from marketing communications by:

  • Clicking the unsubscribe link in any email
  • Updating communication preferences in your account settings
  • Contacting us at contact@xdpxi.dev

Transactional emails (password resets, account notifications, security alerts, billing notices) cannot be disabled as they are essential for account operation.

18. Security Measures

We implement comprehensive security measures to protect Personal Data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 where supported)
  • Authentication controls, multi-factor authentication (MFA) support, and access logging
  • Regular security assessments, penetration testing, and code reviews
  • Automated backups with encrypted storage and disaster recovery procedures
  • Firewalls, intrusion detection, and DDoS protection
  • Restricted personnel access with role-based access control (RBAC)
  • Incident response procedures and security monitoring

While we maintain industry-standard security practices, no security system is impenetrable. We cannot guarantee absolute security against all threats. You are responsible for maintaining the confidentiality of your credentials and account access.

19. Data Breaches and Security Incidents

In the event of a confirmed data breach or security incident affecting Personal Data, we will:

  • Notify affected individuals within 14 days of discovery (or as required by applicable law, which may be shorter such as 24-72 hours)
  • Provide details of the incident, categories of Personal Data affected, and likely consequences
  • Recommend protective measures and steps affected individuals should take
  • Notify relevant data protection authorities and regulators as required by law
  • Conduct a thorough investigation and implement remedial measures

We will not withhold notification except where expressly authorized by law enforcement or if the data is encrypted or rendered unintelligible. Notifications will be clear, understandable, and contain all material information.

20. Data Portability and Account Deletion

Data Portability: You have the right to request your Personal Data in a portable, machine-readable format suitable for transfer to another provider. We will provide data in CSV, JSON, or XML format within 30 days upon request.

Account Deletion: You may request deletion of your account and associated Personal Data at any time. Upon deletion request:

  • All active account data will be deleted from production systems within 30 days
  • Residual copies in backups will be deleted within 90 days unless legal holds or obligations apply
  • Billing and transaction records will be retained for 7 years as required by tax law
  • Security incident logs may be retained for investigation purposes
  • Anonymized or aggregated data may be retained indefinitely

You may also request deletion of specific data categories subject to legal and operational constraints. Deletion requests must be submitted in writing with verification of identity.

21. Automated Decision-Making and Profiling

We do not use Personal Data for automated decision-making or profiling that produces legal or similarly significant effects on you, except as required for fraud detection and abuse prevention.

For automated fraud or abuse decisions, you have the right to obtain human review, express your perspective, and challenge the decision.

22. Third-Party Links and External Services

Our Services may contain links to third-party websites, applications, and services. We are not responsible for their privacy practices, content, security, or policies. We recommend reviewing the privacy policies of any third-party services before providing Personal Information.

Third-party service providers integrated with XD's Cloud (Clerk, Neon, Playit.gg, Mailtrap) operate under their own privacy policies and terms. You may review their privacy practices by visiting their respective websites. We are not responsible for their compliance with this Privacy Policy.

23. International Data Transfers

Personal Data may be transferred, stored, processed, and accessed in countries outside your country of residence, including countries that may not provide equivalent privacy protections to your home jurisdiction.

For EU/UK/EEA Residents: We ensure adequate safeguards for international transfers, including:

  • Standard Contractual Clauses (SCCs) or similar legally recognized mechanisms
  • Adequacy decisions where applicable
  • Binding Corporate Rules (BCRs) where applicable

For California/CCPA Residents: We comply with CCPA restrictions on cross-border transfers and provide appropriate notice and consent mechanisms.

By using our Services, you explicitly consent to the transfer of your Personal Data outside your country of origin for processing and storage.

24. Legal Disclosures and Compliance

We may disclose Personal Data when required by law, including:

  • Court orders, subpoenas, or legal process
  • Government or law enforcement requests
  • Regulatory investigations or compliance audits
  • Establishment, exercise, or defense of legal claims
  • Protection of vital interests or national security

We will provide notice where legally permitted and will challenge overly broad requests. We will not disclose Personal Data for surveillance purposes beyond legal requirements.

25. Regional Privacy Rights and Compliance

GDPR (EU/UK/EEA): If you are an EU, UK, or EEA resident, you have rights under GDPR including access, portability, erasure, restriction, objection, and the right to lodge complaints with your local data protection authority.

CCPA/CPRA (California): If you are a California resident, you have rights under CCPA/CPRA to know, delete, and opt-out of sale of personal information, and the right to non-discrimination for exercising your rights. Requests must be verified and authenticated.

LGPD (Brazil): If you are a Brazilian resident, you have rights under LGPD including access, correction, deletion, and portability. You may lodge complaints with the National Data Protection Authority (ANPD).

Australian Privacy Principles (APPs): We comply with APPs regarding collection, use, disclosure, data quality, data security, openness, access and correction, unique identifiers, anonymity, transborder data flows, sensitive information, health information, and complaints handling.

26. Privacy by Design and Default

We implement Privacy by Design and Default principles in our products and services:

  • Minimization of data collection to necessary purposes only
  • Encryption and pseudonymization of Personal Data
  • User-friendly privacy controls and settings
  • Regular privacy impact assessments and compliance audits
  • Privacy training for personnel handling Personal Data

27. California Consumer Privacy Act (CCPA/CPRA) Specific Disclosures

If you are a California resident, California law provides additional rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of Personal Information we collect, sources, purposes, and recipients
  • Right to Delete: You may request deletion of Personal Information collected from you, subject to exceptions
  • Right to Opt-Out: You may opt-out of the "sale" or "sharing" of your Personal Information
  • Right to Correct: You may request correction of inaccurate Personal Information
  • Right to Limit Use: You may request that we limit use and disclosure to purposes reasonably necessary for Services
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at contact@xdpxi.dev or use the request forms in your account. We will verify your identity and respond within 45 days. You may designate an authorized agent to make requests on your behalf.

California Shine the Light Law (CA Civil Code 1798.83): California residents may request information about disclosure of Personal Information to third parties for direct marketing purposes.

28. Policy Updates and Changes

We may update this Privacy Policy periodically to reflect changes in practices, technology, law, or other factors. Material changes will be communicated to you via email or prominent notice on our website. The date of the last update will be displayed at the top of this policy.

Your continued use of the Services following notification of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with changes, you must discontinue use of the Services.

29. Contact and Accountability

For questions, requests to exercise your rights, complaints, or to report privacy concerns, contact us at:

Email: contact@xdpxi.dev

We will respond to inquiries within 30 days or as required by law. If you are dissatisfied with our response, you may lodge a complaint with your relevant data protection authority:

  • EU/UK/EEA: Your national data protection authority
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • California: California Attorney General or California Privacy Protection Agency
  • Brazil: National Data Protection Authority (ANPD)

30. Document Information

Effective Date: This Privacy Policy is effective as of the date of last update below.

Last Updated: April 4, 2026

This Privacy Policy was drafted to provide comprehensive legal coverage under Australian Privacy Principles, GDPR, UK GDPR, CCPA/CPRA, LGPD, and other applicable international privacy laws.