Privacy Policy
Effective date: April 5, 2026 | Last updated: April 5, 2026
XPlus Technologies LLC ("XPlus Technologies", "we", "us", or "our") is a software product company incorporated and operating in the State of Florida, United States. This Privacy Policy describes how we collect, use, store, and share information when you visit www.xplustechnologies.com (the "Site") or interact with our services on this website, including the AI-powered chatbot and contact form.
This policy applies to visitors and users worldwide, including the European Economic Area (EEA) and California. Where applicable, we comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws.
This policy does not apply to XPlus Finance, XPlus AppSec, XPlus JewelDesk, or any other XPlus Technologies product. Each product operates under its own privacy policy.
1. Data Controller
The data controller for personal information collected through this website is:
- XPlus Technologies LLC
- State of incorporation: Florida, United States
- Privacy contact: [email protected]
2. Information We Collect
2.1 Contact Form
When you submit the contact form on this website, we collect:
- Your name
- Your email address
- Subject line and message content
- Your IP address and browser user agent (collected automatically by our server at the time of submission)
- Your browser language setting
2.2 AI Chatbot
Our website includes an AI-powered chatbot. When you use it, we collect:
- A session identifier assigned to your conversation (not linked to your identity unless you provide identifying information)
- Your IP address at the time of the conversation
- The messages you send and the responses generated
- Your browser language setting
Chatbot conversation content is transmitted to OpenAI's API to generate responses. OpenAI does not use data submitted through the API to train its models, per its API terms of service. See Section 4 for details.
2.3 Server Logs
Our web server automatically records standard technical data for every request, including:
- IP address of the requesting device
- Browser type, version, and operating system
- Referring URL and pages visited
- Date, time, and duration of the request
- HTTP status code and bytes transferred
This data is used for security monitoring, fraud prevention, and infrastructure diagnostics. We do not use server logs for behavioral profiling or advertising.
2.4 Browser localStorage (Not Cookies)
This website uses your browser's localStorage — not cookies — to remember your preferences. The following values are stored locally on your device:
- Language preference (
xplus-lang): Your selected language (EN or ES) - Theme preference (
xplus-theme): Your selected color theme (light or dark) - Cookie consent (
xplus-cookie-consent): Your analytics consent choice (all or essential)
This data is stored entirely on your device. It is never transmitted to our servers, never shared with third parties, and does not identify you personally. You can clear it at any time by clearing your browser's local storage for this site.
2.5 Website Analytics
If you consent to analytics cookies, we use Umami, a privacy-respecting, self-hosted analytics platform to understand how visitors use this website. Umami collects:
- Page URLs visited
- Referring website
- Browser and operating system type
- Device type (desktop, mobile, tablet)
- Country of origin (derived from IP; IP addresses are not stored)
Umami does not collect personal identifiers, does not use persistent cookies for tracking, does not track users across different websites, and respects the Do Not Track (DNT) browser signal. All analytics data is hosted on our own infrastructure — no data is sent to third-party analytics providers. Analytics are loaded only after you provide explicit consent via our cookie banner.
3. Legal Bases for Processing (GDPR)
For visitors in the EEA, we process personal data on the following legal bases under GDPR Article 6:
- Consent (Article 6(1)(a)): When you submit the contact form, your voluntary submission constitutes consent to use that information to respond to your inquiry.
- Contract performance (Article 6(1)(b)): Processing contact submissions where you are seeking to engage our services, to the extent necessary to respond and fulfill our obligations.
- Legitimate interests (Article 6(1)(f)): Processing server logs and Cloudflare security data to protect our infrastructure and users from attacks, unauthorized access, and abuse. We have assessed that this interest is not overridden by your rights and freedoms. Processing chatbot conversations to provide the chatbot service you have actively chosen to use.
- Legal obligation (Article 6(1)(c)): Retaining records where required by applicable law.
4. Third-Party Processors
We use the following third-party service providers that process personal data on our behalf or in connection with your use of this website. Each processor is bound by appropriate data processing agreements and transfer mechanisms.
4.1 Hetzner Online GmbH (Hosting)
- Purpose: Web hosting and server infrastructure
- Data processed: All data stored on our servers (contact submissions, server logs, chatbot session data)
- Location: Germany (Frankfurt) and Finland (Helsinki) — data remains within the European Union
- Transfer mechanism: No transfer outside the EU/EEA. Hetzner is subject to GDPR as an EU-established entity.
- Privacy policy: hetzner.com/legal/privacy-policy
4.2 Cloudflare, Inc. (CDN and Security)
- Purpose: Content delivery network, DDoS protection, bot management, DNS
- Data processed: IP addresses and request metadata for all traffic to this website. Cloudflare does not receive the content of contact form submissions or chatbot messages beyond standard HTTP request data.
- Location: United States (and global network edge nodes)
- Transfer mechanism: EU Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF). Cloudflare is a certified DPF participant.
- Privacy policy: cloudflare.com/privacypolicy
4.3 Resend, Inc. (Transactional Email)
- Purpose: Delivery of confirmation emails following contact form submissions
- Data processed: Recipient email address and email content
- Location: United States
- Transfer mechanism: EU Standard Contractual Clauses (SCCs)
- Privacy policy: resend.com/legal/privacy-policy
4.4 OpenAI, L.L.C. (Chatbot AI)
- Purpose: Generating responses to chatbot conversations via the OpenAI API
- Data processed: Message content you send to the chatbot and the session context
- Location: United States
- Transfer mechanism: EU Standard Contractual Clauses (SCCs)
- Model training: OpenAI does not use data submitted via the API to train or improve its models, per its API data usage policies.
- Privacy policy: openai.com/policies/privacy-policy
4.5 Umami Analytics (Self-Hosted)
- Purpose: Privacy-respecting website analytics to understand visitor patterns and improve the site
- Data processed: Page views, referrer URLs, browser type, device type, and country (derived from IP; IP addresses are not stored)
- Location: Self-hosted on our own infrastructure at analytics.xplustechnologies.com — no data is sent to third-party analytics services
- Consent: Analytics are loaded only after you explicitly consent via the cookie banner. If you choose "Essential Only," no analytics data is collected.
- Privacy design: Umami does not use personal identifiers, does not track users across websites, respects the Do Not Track (DNT) signal, and does not sell or share data with any third party.
- More information: umami.is/privacy
We do not sell, rent, or share your personal information with any third party for their own marketing or advertising purposes. We do not disclose personal information to law enforcement or government bodies except where required by a valid legal obligation.
5. International Data Transfers
XPlus Technologies LLC is based in the United States. If you access this website from the EEA or United Kingdom, certain personal data will be transferred to the United States for processing by Cloudflare, Resend, and OpenAI.
We ensure these transfers are protected by appropriate safeguards:
- EU Standard Contractual Clauses (SCCs): We have executed SCCs with our US-based processors as required under GDPR Chapter V. SCCs are the European Commission-approved mechanism for lawful transfer of personal data to third countries.
- EU-US Data Privacy Framework (DPF): Cloudflare participates in the DPF, which provides an additional adequacy basis for transfers to certified US organizations.
- EU-based hosting: Our primary data storage is on Hetzner infrastructure located in Frankfurt, Germany and Helsinki, Finland. Contact form submissions, chatbot session data, and server logs are stored within the EU.
You may request a copy of the applicable transfer mechanisms by contacting [email protected].
6. Cookies and Tracking
This website does not use cookies for advertising or behavioral tracking. We do not use Google Analytics, Meta Pixel, or any third-party tracking scripts.
6.1 Cookie Consent
When you first visit this website, a cookie consent banner gives you two choices:
- Accept All: Enables privacy-respecting analytics via Umami (see Section 2.5 and 4.5)
- Essential Only: No analytics are loaded; only browser localStorage is used for your theme, language, and consent preferences
You can change your choice at any time by clicking the "Cookie Settings" link in the footer of any page.
6.2 Analytics (Umami)
If you consent to analytics, we load Umami, a privacy-respecting, self-hosted analytics platform. Umami may use a session-scoped cookie to distinguish unique visits within a browsing session. This cookie does not contain personal identifiers, does not persist after you close your browser, and is not used for cross-site tracking. All analytics data is processed and stored on our own infrastructure at analytics.xplustechnologies.com — no data is sent to external analytics providers.
6.3 Browser localStorage
This website uses browser localStorage (not cookies) to store your language preference, theme preference, and cookie consent choice, as described in Section 2.4. localStorage data is stored entirely on your device and is never transmitted to our servers.
6.4 Cloudflare Security Cookie
Cloudflare may set a __cf_bm cookie as part of its bot management service. This is a strictly necessary security cookie. It does not track your behavior across websites, contains no persistent identifiers linked to you, and expires within 30 minutes of the last request. It cannot be disabled without disabling Cloudflare's bot protection for this site.
6.5 Do Not Track
We do not track users across third-party websites. Our Umami analytics installation respects the Do Not Track (DNT) browser signal — if your browser sends a DNT signal, Umami will not collect analytics data from your visit, even if you have consented to analytics cookies.
7. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Contact form submissions | 24 months | Business relationship; legal obligation if applicable |
| Chatbot session data | 12 months | Security review and quality assurance |
| Server access logs | 90 days | Security monitoring and incident response |
| Analytics data (Umami) | 24 months | Aggregate site improvement; no personal identifiers stored |
| Browser localStorage | Until cleared by user | Stored on your device only; we have no access |
When data is no longer needed for the stated purpose and no legal obligation requires retention, we delete or irreversibly anonymize it.
8. Your Rights
8.1 Rights Under GDPR (EEA Residents)
If you are located in the EEA, you have the following rights under the GDPR:
- Right of access (Article 15): Request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data where we have no legitimate or legal basis to retain it.
- Right to restriction of processing (Article 18): Request that we restrict processing of your data in specified circumstances, such as while accuracy is contested.
- Right to data portability (Article 20): Receive personal data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract.
- Right to object (Article 21): Object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: You may lodge a complaint with the data protection authority (DPA) in your EU member state. A directory of EU DPAs is available at edpb.europa.eu. Given our Florida incorporation, you may also contact the relevant US privacy authority.
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources of collection, the business or commercial purposes, and the categories of third parties with whom we share it.
- Right to delete: Request deletion of your personal information, subject to exceptions required by law or necessary to complete a transaction or provide a service you requested.
- Right to correct: Request correction of inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information: We do not use or disclose sensitive personal information for purposes beyond those reasonably necessary to provide the requested service.
- Right to non-discrimination: We will not discriminate against you — in pricing, service level, or any other manner — for exercising any CCPA/CPRA rights.
California residents may submit requests by emailing [email protected] with the subject line "California Privacy Rights Request." We will respond within 45 days as required by law, with a 45-day extension available where permitted.
8.3 How to Exercise Your Rights
To exercise any of the rights above, email [email protected] with a clear description of your request. We may ask you to verify your identity before processing the request. We respond to GDPR requests within 30 days and CCPA requests within 45 days.
9. Children's Privacy
This website is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has submitted personal information through this site, contact us at [email protected] and we will delete it without undue delay.
10. Data Security
We implement technical and organizational measures appropriate to the risk, including TLS 1.2+ encryption for all data in transit, access controls on systems handling personal data, server-level intrusion detection, and encrypted backups. For a full description of our security practices, see our Security page.
No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we will notify you without undue delay if we become aware of a breach that is likely to result in high risk to your rights and freedoms, as required by GDPR Article 34.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will update the effective date at the top of this page and, where we have contact details for affected individuals, notify them by email. We encourage you to review this page periodically.
12. Contact
For privacy-related inquiries, data subject rights requests, or any questions about this policy:
XPlus Technologies LLC
Email: [email protected]
Legal inquiries: [email protected]
Website: www.xplustechnologies.com