Privacy Policy
Last updated:
This Privacy Policy describes how Xaldro ("we", "us", "our") collects, uses, and protects your personal data when you use our Webflow Marketplace App ("Service").
1. Controller
2. What we collect
| Category | Examples | Lawful basis (GDPR) |
|---|---|---|
| Account data | Email, Webflow user ID | Contract performance |
| Site data | Webflow site IDs, ecommerce settings | Contract performance |
| Order data | Order totals, line items, customer name + email, currency, tax | Contract performance |
| Accounting connection data | Encrypted Xero / QuickBooks OAuth tokens, organisation / realm IDs | Contract performance |
| Usage data | Feature usage, API call counts | Legitimate interest (analytics, abuse prevention) |
| Billing data | Stripe customer ID, payment method (handled by Stripe) | Contract performance |
| Support data | Email content, attachments you send us | Contract performance |
| Technical data | IP address, browser user-agent, session timestamps | Legitimate interest (security) |
3. How we use it
- To provide the Service (sync orders to Xero / QuickBooks, render dashboards)
- To bill you and handle payments (via Stripe)
- To send transactional emails (welcome, billing notices, security alerts)
- To respond to support requests
- To improve the Service (aggregate, anonymized analytics)
- To comply with legal obligations
We do NOT sell your data. We do NOT use your data for advertising. We do NOT use your data to train AI models.
4. Sub-processors
We use the following third parties to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | EU (Germany or Finland) |
| Cloudflare, Inc. | DNS, email routing, edge cache | Global (data at rest in EU) |
| Resend, Inc. | Transactional email | EU region selected |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Webflow, Inc. | Source of order data we process on your behalf | US (with EU adequacy mechanism) |
| Xero Limited | Accounting system you sync to (recipient of your order data) | EU / global |
| Intuit Inc. (QuickBooks) | Accounting system you sync to (recipient of your order data) | US (with EU adequacy mechanism) |
A current list with DPAs is available at https://xaldro.com/legal/dpa.
5. Data retention
- Account + site data: retained while your subscription is active. Deleted within 30 days of account deletion.
- Billing data: retained per Dutch tax law (7 years for invoices).
- Support data: retained 2 years for quality and audit purposes.
- Webhook event logs: retained 90 days for debugging and abuse prevention.
6. Your rights (GDPR)
- Access: request a copy of all data we hold about you (one-click export from the panel)
- Rectification: correct inaccurate data
- Erasure: delete your account and all associated data (one-click from Account dialog; processed within 30 days)
- Portability: receive your data in machine-readable JSON
- Objection: object to processing based on legitimate interest
- Restriction: limit how we process your data
- Complaint: file a complaint with your local data protection authority (e.g., Autoriteit Persoonsgegevens in the Netherlands)
To exercise any right, email dpa@xaldro.com. We respond within 30 days.
7. International transfers
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions. See the DPA for specifics.
8. Security
We use AES-256-GCM encryption for stored OAuth tokens. All connections are HTTPS-only. Access to production systems is restricted to authorized personnel via SSH keys and multi-factor authentication.
Vulnerability reports: security@xaldro.com (RFC 9116 security.txt at https://xaldro.com/.well-known/security.txt)
9. Cookies and tracking
The marketing site (https://xaldro.com) uses Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not track individuals. The app panel uses one essential cookie for session authentication.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from children.
11. Changes
Material changes to this policy will be communicated via email at least 30 days in advance.
12. Contact
- General privacy questions: hello@xaldro.com
- GDPR data requests + DPA: dpa@xaldro.com