Privacy Policy

Article 1. What Information Do We Collect

Personal information you disclose to us

In short: We collect personal information that you provide to us directly — and we may also collect data about how you and your users interact with our Services.

We collect personal information that you voluntarily provide to us when you:

• Register for or log in to our Services,
• Express an interest in obtaining information about us or our products and services,
• Interact with our customer service or support,
• Use or interact with our applications and tools,
• Connect your social media accounts,
• Participate in user testing, surveys, or promotions,
• Or otherwise contact us.

Personal Information Provided by You

The type of personal information we collect depends on how you interact with us and what features of our Services you use. This may include, but is not limited to:

• First and last names
• Phone numbers
• Email addresses
• Physical and billing addresses
• Usernames and passwords
• Contact preferences
• Contact or authentication data
• Country, language, and IP address
• Sex or gender identity
• Job titles and company name
• Tax/VAT numbers (where applicable)
• Profile photos or avatars
• User agents and device fingerprinting data
• Any other information you voluntarily submit to us

Important: We may also collect data that you provide about your clients or end users, if applicable. If you are a business customer using our Services to manage or process personal data of others, you are responsible for ensuring that such data collection and transfer complies with applicable data protection laws (e.g., GDPR).

Sensitive Information

We do not intentionally collect or process sensitive personal data (such as health data, biometric information, religious or political beliefs) unless required by law or explicitly provided with your consent.

Payment Data

If you make purchases through our Services, we may collect data necessary to process your payment (e.g., credit/debit card number, billing address, and security codes).

All payment data is securely handled and stored by our third-party payment processor, Mollie. We do not store full payment details on our servers.

Social Media Login Data

If you choose to register or log in to our Services using a social media account (e.g., Facebook, X, Google), we may collect relevant profile information such as:

• Your name, email address, profile picture, user ID, location, and connections
• Any other data made available by the social media platform according to its privacy policy

Please refer to the section “HOW DO WE HANDLE YOUR SOCIAL LOGINS?” for more information.

Note: All personal information you provide must be accurate, complete, and kept up to date. You are responsible for notifying us of any changes.

Information automatically collected

In short: Some data is collected automatically when you use our Services, including data about your device, usage patterns, location, and interactions. We may also collect similar information about your users (if applicable).

When you use, access, or navigate the Services, we automatically collect technical and behavioral data. This information does not always reveal your specific identity, but it may include:

• Device information
• Browser type and settings
• IP address or proxy
• Operating system
• System configuration and hardware model
• Language preferences
• Device name and type
• Mobile carrier or ISP
• Dates and times of access
• Referring and exit URLs
• Clickstream behavior
• Session duration and mouse activity
• Device event logs (e.g., crash reports)

We use this information to:

• Maintain the performance, security, and integrity of our Services
• Prevent fraud and abuse
• Improve user experience
• Personalize content and marketing
• Generate usage analytics

Types of Automatically Collected Data

Log and Usage Data: Includes diagnostic, technical, and usage information logged by our servers when you use our Services. This may contain your IP address, device info, browser type, access times, pages visited, and the actions you take within the platform.

Device Data: We collect data about the device(s) you use, including browser fingerprinting, device ID, operating system, system settings, and connection type.

Location Data: Depending on your device and app settings, we may collect location data (precise or imprecise). We use IP-based geolocation or device GPS (if enabled). You may disable location tracking in your device settings, but this may affect service functionality.

Tracking Data: We use cookies, beacons, pixels, tags, scripts, and other similar technologies to monitor user activity, remember preferences, and analyze engagement. Please refer to our Cookies Policy for more information.

Google API

Our use of any data received from Google APIs complies with the Google API Services User Data Policy, including the "Limited Use" requirements.

If you connect your Google account or authorize integrations using Google services (e.g., Google Calendar, Gmail, Drive), we may access your Google user data solely to provide the requested features. This data is never sold or used for advertising purposes.

Future Data Collection

We reserve the right to collect additional types of personal, behavioral, and technical data in the future as we expand our Services or add new features.

This may include:

• Biometric authentication data (if applicable)
• Session recordings for UX improvement
• Voice or image recognition data
• New social login providers
• Data collected via AI-powered features or chatbots

We will update this Privacy Policy accordingly whenever such changes are implemented.

Article 2. How Do We Process Your Information

In Short:
We process your personal information to provide, improve, and manage our Services, communicate with you, ensure security and prevent fraud, comply with legal obligations, and with your consent, for other purposes.

We process your information for various purposes depending on how you use our Services, including but not limited to:

Account creation and management

We process your information to allow you to create and authenticate your account, keep your account active and secure, and manage your profile and settings.

Service delivery and facilitation

We use your data to provide the services you request, such as generating invoices, processing orders, or enabling features within the application.

Customer support

We process your information to respond to your questions, troubleshoot issues, and provide you with customer service.

Administrative communications

We may send you important updates regarding our products, Services, terms, policies, and other relevant notifications.

Order fulfillment

We process payment details, manage returns, exchanges, and billing, to efficiently handle transactions conducted through our Services.

User-to-user communications

If you use features that allow communication with other users (e.g., messaging), we process your data to enable these interactions.

Feedback and surveys

We may contact you to request feedback or to learn about your experience using our Services, which helps us improve.

Marketing and promotions

With your consent or as permitted by law, we use your information to send marketing communications and offers. You may opt out at any time. See “WHAT ARE YOUR PRIVACY RIGHTS?” for details.

Targeted advertising

We process data to personalize content and ads based on your interests, location, and usage behavior.

Security and fraud prevention

To protect our Services and users, we monitor for unauthorized access, suspicious activity, and misuse.

Usage analytics and improvement

We analyze how you use the Services to identify trends, improve functionality, fix bugs, and enhance overall user experience.

Marketing effectiveness

We evaluate the success of our campaigns to provide you with more relevant offers and content.

Vital interests protection

In urgent situations, we may process your data to protect your or others’ vital interests (e.g., to prevent harm).

Specific purposes related to our application:

Core application functionality

User data is used to ensure that the application performs essential tasks such as generating invoices, managing accounts, and delivering core features reliably.

Security and misuse prevention

We process user data to safeguard the platform from unauthorized access, fraud, and other misuse.

Service performance and improvements

Data is analyzed continuously to monitor and improve application stability, speed, and user experience.

Legal and regulatory compliance

We use your information to meet legal obligations, including invoicing, tax compliance, and business regulations.

Additional Notes:

Feedback loop

The data we collect also acts as indirect feedback, helping us understand user behavior and preferences to enhance the Services.

Data sharing with clients

Where applicable, we share relevant technical data with our clients (such as through OAuth integrations) to help them build better and easier-to-use systems. This data sharing is done securely and in accordance with applicable privacy laws.

Article 3. What Legal Bases Do We Rely On To Process Your Information

In Short:
We only process your personal information when we have a valid legal reason (legal basis) under applicable law. This includes your consent, the need to fulfill a contract, compliance with legal obligations, protecting your rights, or pursuing our legitimate business interests in a way that does not override your fundamental rights.

For residents of the EU and UK:

Under the General Data Protection Regulation (GDPR) and UK GDPR, we are required to clearly explain the legal bases we rely on to process your personal data. These include:

Consent

We may process your personal information if you have given clear permission (consent) for a specific purpose. You can withdraw your consent at any time. [Learn more about withdrawing consent.]

Performance of a Contract

We process your data when necessary to enter into or fulfill our contractual obligations with you, such as providing our Services or handling your orders.

Legitimate Interests

We may process your information to pursue our legitimate business interests, as long as these do not override your rights or freedoms. Examples include:

• Sending you information about special offers and discounts
• Personalizing and delivering relevant advertising content
• Analyzing Service usage to improve and enhance user experience
• Supporting marketing activities
• Diagnosing technical problems and preventing fraud
• Ensuring the application works as intended and delivers core features
• Maintaining platform security and protecting user data
• Improving performance and functionality
• Complying with legal and regulatory obligations and maintaining business records

Legal Obligations

We process your data to comply with laws, cooperate with authorities, exercise or defend legal rights, or respond to legal proceedings.

Vital Interests

When necessary, we process personal information to protect your or others’ vital interests — for example, in emergencies involving risk to life or health.

For residents of Canada:

We may process your information based on:

Express or implied consent

You provide explicit permission for specific uses or implied consent inferred from your actions. You can withdraw consent at any time.

Exceptional legal permissions without consent

In certain cases, applicable law permits processing without your consent, for example:

• When it is clearly in an individual’s interest and consent cannot be obtained timely
• For investigations, fraud detection, and prevention
• During business transactions under specific conditions
• When information is part of an insurance claim process
• To identify injured, ill, or deceased persons and notify next of kin
• When there are reasonable grounds to believe a person is a victim of financial abuse
• When consent would compromise the availability or accuracy of information in legal investigations
• To comply with legal orders like subpoenas or court orders
• When information is produced during employment, business, or professional activities consistent with its use
• For journalistic, artistic, or literary purposes
• When information is publicly available and regulated as such

Article 4. When And With Whom Do We Share Your Personal Information

In Short:
We may share your personal information in specific situations described below and/or with certain categories of third parties.

Third-Party Vendors, Consultants, and Service Providers

We may share your personal data with trusted third-party vendors, service providers, contractors, or agents ("third parties") who perform services on our behalf and require access to your information to carry out their work. We have strict contracts with these parties to ensure they only use your data as instructed by us and that they protect your information in accordance with applicable laws. They are prohibited from sharing your data with others and must retain it only for the duration we specify.

These third parties include, but are not limited to:

• Ad Networks
• Affiliate Marketing Programs
• AI Platforms
• Cloud Computing Services
• Communication & Collaboration Tools
• Data Analytics Services
• Data Storage Service Providers
• Finance & Accounting Tools
• Government Entities
• Order Fulfillment Service Providers
• Payment Processors
• Performance Monitoring Tools
• Product Engineering & Design Tools
• Retargeting Platforms
• Sales & Marketing Tools
• Social Networks
• User Account Registration & Authentication Services
• Website Hosting Service Providers

Sharing in Specific Situations

Business Transfers:
Your personal information may be shared or transferred as part of a merger, acquisition, financing, sale of assets, or other business transaction involving all or part of our company.

Use of Google Maps Platform APIs:
We share location-related information (such as country, region, street, and place) with Google Maps Platform APIs to provide location-based services. Google uses GPS, Wi-Fi, and cell towers to estimate your location. For users in the European Economic Area (EEA) or the UK, please review our Cookie Notice regarding this data use.

Affiliates:
We may share your personal information with our affiliates, such as parent companies, subsidiaries, joint ventures, or other entities under common control. These affiliates are required to adhere to this Privacy Notice.

Business Partners:
We may share your data with business partners to offer you products, services, or promotions.

Other Users:
When you share personal information publicly on the Services (e.g., comments or posts) or interact with public areas, this information may be visible to all users and may remain publicly accessible outside the Services indefinitely. If you register or interact via social networks (e.g., Facebook), your social contacts may see your profile details and activities.

Sharing with Our Clients (XWMS Clients)

We share most of your personal information with our clients to provide and improve their services. Depending on their verification status and permissions ("scopes"):

• Basic Data Access: Verified clients can access your email, name, avatar, and similar profile information.
• Extended Data Access: Verified clients who have been granted higher permissions can access additional information, such as your address and other details.

Important:
A client cannot access your data unless you have logged in to their system at least once, even if they are verified and have permissions. This is a security measure to protect your privacy.

Sharing for Service Improvement and Efficiency

We may also share your data with other service providers or platforms that help us make our software more scalable, efficient, and user-friendly.

We are committed to protecting your privacy and ensure all third parties with whom we share your information follow strict confidentiality and security requirements.

Article 5. What Is Our Stance On Third-party Websites

In Short:
We are not responsible for the privacy, security, or safety of any information you share with third-party websites or services linked to or advertised on our Services, which are not affiliated with us.

Our Services may include links to third-party websites, online services, or mobile applications, and/or display advertisements from third parties that are not under our control. We do not endorse these third parties and are not responsible for their content, practices, or privacy policies. The inclusion of any link to third-party sites does not imply our endorsement or guarantee the safety and privacy of your data shared with them.

Any personal information you provide to third-party websites or services is subject to their own privacy policies, and we recommend you review those policies carefully. We have no control over and assume no responsibility for the privacy practices or content of third-party websites or services.

If you interact with third-party websites or services, you do so at your own risk. Please contact those third parties directly with any questions regarding their data collection, use, and privacy practices.

Article 6. Do We Use Cookies And Other Tracking Technologies

In Short:
Yes. We use cookies and advanced tracking technologies to collect detailed information about your interactions with our Services, including tracking your behavior on our website, to improve and optimize our systems.

We use cookies and similar tracking technologies (such as web beacons, pixels, and device fingerprinting) to collect and store information about your usage of the Services. This includes basic functionality (e.g., saving preferences, maintaining session security), as well as advanced behavioral tracking to better understand how users interact with our Services.

Our advanced tracking system logs extensive data about your behavior on the website—such as pages visited, clicks, time spent on different sections, device information, user agent details, IP address, and other relevant metadata. This helps us analyze and improve the performance, security, and user experience of the XWMS platform.

Additionally, we may allow third-party service providers and partners to use tracking technologies on our Services for analytics, marketing, and advertising purposes. These third parties may use their own cookies or tracking tools to deliver personalized ads, measure the effectiveness of campaigns, and tailor content to your interests.

If you are located in jurisdictions with specific privacy laws (such as certain US states or the EU), you may have the right to opt out of certain types of tracking and data collection. For details on how to manage or refuse cookies and tracking technologies, please see our Cookie Notice or contact us directly.

Google Analytics

We may share information with Google Analytics to track and analyze usage patterns of our Services. Google Analytics may use cookies and similar technologies to collect data on user interactions. For more information and to opt out of Google Analytics tracking, please visit Google Analytics Opt-Out.

Article 7. Do We Offer Artificial Intelligence-based Products

In Short:
We plan to offer AI-powered products, features, or tools that enhance your experience using machine learning and similar technologies.

Currently, we do not yet actively offer AI-based products or services, but this is planned for the near future. When introduced, these AI-powered tools ("AI Products") will be designed to provide innovative solutions such as AI bots, image generation, machine learning models, automation, translation, search, and IoT applications.

We expect to provide these AI Products through trusted third-party AI service providers, such as OpenAI, NVIDIA AI, Microsoft Azure AI, Amazon Web Services (AWS) AI, and Google Cloud AI. Your input, outputs, and personal data processed by these AI services will be handled strictly in accordance with our Privacy Notice and applicable legal bases outlined in Article 4.

You will always retain control over how your data is used with these AI Products and may opt out by adjusting your account settings or contacting us directly.

Article 8. How Do We Handle Your Social Logins

In Short:
If you use social media accounts like Google or Microsoft to log in, we may receive certain profile information from those providers.

Our Services currently support login and registration through third-party social accounts, such as Google and Microsoft. When you choose to log in this way, we receive some profile data from the social provider, typically including your name, email address, profile photo, and any other public information you have shared on those platforms.

We use this data only to provide and improve our Services as described in this Privacy Notice. Please note that the privacy policies and practices of the social media providers are beyond our control, and we encourage you to review their privacy statements to understand how they use your information.

We may expand supported social login providers in the future, as noted in Article 7.

Article 9. Is Your Information Transferred Internationally

In Short:
Yes, your information may be transferred to and processed in countries outside your own, including the United States.

Our servers and those of our third-party service providers are primarily located in the United States. If you access our Services from outside the U.S., please be aware that your personal data will be transferred to, stored, and processed in the U.S. and possibly other countries.

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, please note that these countries might not have the same level of data protection as your own. To ensure your data is protected, we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs). These contractual measures require all recipients of your personal data to protect it in compliance with EU and UK data protection laws.

If you wish to review the Standard Contractual Clauses or receive more information on our data transfer safeguards, please contact us.

Article 10. How Long Do We Keep Your Information

In Short:
We keep your information only as long as necessary to fulfill the purposes outlined in this Privacy Notice, unless the law requires otherwise.

We retain your personal information only for as long as needed to fulfill the purposes described in this Privacy Notice, unless a longer retention period is required or permitted by law (such as for tax, accounting, or other legal obligations). We will not keep your personal information longer than the time you maintain an active account with us.

When we no longer have a legitimate business reason to process your personal information, we will delete or anonymize it. If deletion is not possible (e.g., because your data is stored in backup archives), we will securely store your information and isolate it from any further processing until deletion is possible.

Article 11. How Do We Keep Your Information Safe

In Short:
We protect your personal information using advanced organizational and technical security measures.

We employ appropriate and reasonable technical and organizational safeguards to protect the security of your personal information. This includes using the XWMS custom database hashing system—one of the most advanced hashing technologies in the world—ensuring that your data, including sensitive details like your name and email, is securely encrypted.

Despite our best efforts, no method of electronic transmission or data storage can be 100% secure. Therefore, while we strive to protect your information, we cannot guarantee absolute security against unauthorized access, hacking, or cyberattacks. You should access our Services only in secure environments.

Article 12. What Are Your Privacy Rights

In Short:
Depending on your location, you may have rights that allow you to access, control, or delete your personal information.

Depending on your state or country (e.g., the US, European Economic Area, UK, Switzerland, Canada), you have certain rights under applicable data protection laws, including:

• Request access to and a copy of your personal information
• Request correction or deletion of your data
• Restrict or object to the processing of your information
• Request data portability
• Rights related to automated decision-making

You may exercise these rights by logging into your account settings, contacting us directly, or reaching out to our support team.

If you withdraw consent previously given for processing your data, please note that this will not affect any lawful processing conducted before the withdrawal. Also, it will not affect other lawful grounds for processing your data where consent is not required.

You can opt out of marketing and promotional communications at any time by clicking the unsubscribe link in our emails, replying “STOP” or “UNSUBSCRIBE” to SMS messages, disabling notifications in your settings, or contacting us directly. We may still send you necessary service-related communications.

If you want to review, update, or delete your account information, you can do so via your account settings or by contacting support. Upon account termination, we will deactivate or delete your information from active databases but may retain some data to prevent fraud, comply with legal obligations, or resolve disputes.

Most web browsers accept cookies by default. You can adjust your browser settings to reject or delete cookies, though this may impact some functionality of our Services. You may also opt out of interest-based advertising.

For any questions about your privacy rights or data security, please email us at info@xwms.nl or use the contact option in your account.

Article 13. Controls For Do-not-track Features

Most web browsers and some mobile operating systems and apps include a Do-Not-Track ("DNT") feature or setting you can enable to signal your preference not to have your online browsing activities tracked. Currently, there is no uniform industry standard for recognizing or implementing DNT signals. As a result, we do not respond to DNT browser signals or any other automatic mechanism that communicates your choice not to be tracked online.

If a standard for online tracking is adopted in the future that we must comply with, we will update this Privacy Notice to inform you.

California law requires us to disclose how we respond to DNT signals. Because no industry or legal standard exists yet for honoring DNT signals, we do not respond to them at this time.

Article 14. Do United States Residents Have Specific Privacy Rights

In Short:
If you live in certain U.S. states (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia), you may have rights to access, correct, delete, or receive details about the personal information we hold about you. You may also have the right to withdraw consent to data processing. These rights may be limited by law.

Categories of Personal Information Collected in the Past 12 Months:

| Category | Examples | Collected? | |-------------------------------|-----------------------------------------------------|------------| | A. Identifiers | Name, alias, postal address, phone number, email, IP address, account name | YES | | B. Personal info (per California Customer Records) | Contact info, education, employment, financial info | YES | | C. Protected classification characteristics | Gender, age, race, ethnicity, marital status | YES | | D. Commercial info | Purchase history, transaction details, payment info | YES | | E. Biometric info | Fingerprints, voiceprints | YES | | F. Internet/network activity | Browsing history, search history, online behavior | YES | | G. Geolocation data | Device location | YES | | H. Audio, electronic, sensory info | Images, audio/video recordings related to business activities | YES | | I. Professional/employment info | Business contact details, job title, work history | YES | | J. Education info | Student records, directory info | YES | | K. Inferences from collected data | Profiles or summaries of preferences/characteristics | NO | | L. Sensitive personal information | — | NO |

We may also collect other personal information when you interact with us (e.g., customer support, surveys, contests).

Use and Retention of Personal Information:

We retain your personal information as long as you maintain an account with us (categories A-J). More details about data use and sharing are provided in previous sections of this notice.

How We Use and Share Your Personal Information:

We use cookies, social media cookies, and tracking technologies to collect and share your information with service providers, ad networks, and affiliate marketing programs.

We do not consider internal research and technological development as “selling” your data.

Your Rights Under U.S. State Laws Include:

• Know if we process your data
• Access and correct your data
• Request deletion
• Obtain a copy of data shared with us
• Opt out of targeted advertising, selling, or profiling
• Right to non-discrimination for exercising rights
• Additional rights depending on your state (e.g., limits on sensitive data use)

To exercise your rights, contact us via:

• Website: xwms.nl/contact
• Email: info@xwms.nl

You can also opt out of selling or targeted advertising by adjusting your cookie preferences or using the Global Privacy Control (GPC) opt-out signal on your browser.

Verification and Authorized Agents:

We will verify your identity before fulfilling your requests. Authorized agents must provide proof of permission to act on your behalf.

Appeals:

If we deny your request, you may appeal by emailing info@xwms.nl. If denied again, you can file a complaint with your state attorney general.

Financial Incentives:

We may offer financial incentives (e.g., discounts or loyalty programs) related to your personal information. We will explain these offers and your right to withdraw at any time.

California "Shine The Light" Law:

California residents may request, once per year for free, a list of personal information categories disclosed for direct marketing and the names/addresses of third parties we shared this info with.

Article 15. Do Other Regions Have Specific Privacy Rights

In Short:
Depending on the country you live in, you may have additional privacy rights.

Australia and New Zealand

We collect and process your personal information according to the Privacy Act 1988 (Australia) and Privacy Act 2020 (New Zealand). This Privacy Notice meets the requirements of these laws, including details on:

• What personal information we collect
• Where we collect it from
• Why we collect it
• Who else receives your information

If you do not provide the necessary personal information, it may affect our ability to:

• Offer you the products or services you want
• Respond to your requests
• Manage your account
• Confirm your identity and protect your account

You have the right to request access to or correction of your personal information at any time. Please contact us using the details in the section “HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?”

If you believe we are unlawfully processing your personal information, you may file a complaint with:

• Australia: Office of the Australian Information Commissioner
• New Zealand: Office of the New Zealand Privacy Commissioner

Republic of South Africa

You have the right to request access to or correction of your personal information at any time. Please contact us using the details in the section “HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?”

If you are dissatisfied with how we handle your complaint, you may contact the South African Information Regulator:

• General enquiries: enquiries@inforegulator.org.za
• Complaints (POPIA/PAIA form 5): PAIAComplaints@inforegulator.org.za & POPIAComplaints@inforegulator.org.za

Article 16. Do We Make Updates To This Notice

In Short:
Yes, we update this notice as needed to comply with laws.

We may update this Privacy Notice from time to time. Each updated version will have a new “Revised” date at the top. If there are major changes, we may notify you by posting a prominent notice or by contacting you directly. We encourage you to review this Privacy Notice regularly to stay informed about how we protect your information.

Article 17. How Can You Review, Update, Or Delete The Data We Collect From You

Depending on the laws where you live (including US states), you may have the right to:

• Request access to your personal information
• Get details on how we process it
• Correct inaccuracies
• Delete your personal information
• Withdraw your consent to data processing

These rights may be limited by law in some cases.

To make such requests, please visit: xwms.nl/contact

Important:
It is not possible to completely delete your data. However, you can delete your account. When you delete your account, it will no longer be visible or accessible, effectively making it appear as though you were never registered. While the data may still exist technically, it is treated as if it were deleted for all practical purposes.

Article 18. Data We Do Not Collect

We do not collect the following categories of personal information:

• Biometric information
• Audio, electronic, sensory, or similar information
• Professional or employment-related information (unless job application related)
• Education information (beyond student records)
• Inferences drawn from collected personal information