Legal
Privacy Policy
Effective: February 25, 2026
Updated: February 25, 2026
This Privacy Policy describes how xTerminal (“we,” “us,” “our”), a product of Windborne Creative, collects, uses, stores, shares, and protects personal information when you access or use our website, platform, dashboard, APIs, and related services (collectively, the “Services”).
By accessing or using xTerminal, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree, you should not use the Services.
1. Information We Collect
1.1 Account Information
When you create an account or workspace, we collect:
- Email address
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Workspace name and configuration preferences
- User role and membership associations
1.2 Content and Workspace Data
When you use the dashboard to manage websites, we store:
- Page content, block configurations, and section data
- Blog posts, media references, and publishing metadata
- Site settings, domain configurations, and workspace preferences
- Contact form submissions received through client-facing websites
- Change log entries and content revision history
1.3 Technical and Usage Data
We automatically collect certain technical information when you interact with the Services:
- IP address and approximate geolocation (country/region level)
- Browser type, version, and operating system
- Device type and screen resolution
- Pages visited, features used, and session duration
- Referring URL and exit pages
- Timestamps of account activity and API requests
1.4 API and Runtime Data
When client websites or integrations access our public runtime API, we collect:
- API key identifiers (key prefix only; full keys are never stored)
- Request origin, IP address, and user-agent
- Endpoint accessed, response status, and timestamp
- Rate limit and authorization event data
1.5 Communications
When you contact us for support or inquiries, we collect:
- Name and email address
- Message content and attachments
- Support ticket metadata
1.6 Cookies and Local Storage
We use cookies and browser local storage for:
- Session authentication and token management
- Workspace and tenant context persistence
- UI preferences (e.g., sidebar state, theme preference)
- Security tokens and CSRF protection
We do not use third-party advertising cookies. See Section 7 for detailed cookie information.
2. How We Use Your Information
We use collected information for the following purposes:
- Service delivery: Authenticate users, provision workspaces, render dashboard interfaces, and serve content through runtime APIs
- Security: Detect unauthorized access, enforce rate limits, validate API keys, and maintain audit trails
- Operational integrity: Monitor platform health, debug errors, and ensure tenant data isolation
- Communication: Send transactional emails (account verification, password resets, security alerts), respond to support requests, and deliver platform updates
- Improvement: Analyze usage patterns to improve features, performance, and user experience
- Legal compliance: Fulfill legal obligations, respond to lawful requests, and enforce our Terms and Conditions
We do not use your information for automated decision-making or profiling that produces legal or similarly significant effects.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|
| Account creation and service delivery | Performance of a contract |
| Security monitoring and fraud prevention | Legitimate interest |
| Platform improvement and analytics | Legitimate interest |
| Legal compliance | Legal obligation |
| Marketing communications (if applicable) | Consent |
You may withdraw consent at any time where consent is the basis for processing, without affecting the lawfulness of processing performed prior to withdrawal.
4. Data Sharing and Disclosure
4.1 No Sale of Personal Data
We do not sell personal data. We have never sold personal data and have no plans to do so.
4.2 Service Providers
We may share data with trusted third-party providers who assist in delivering the Services, including:
- Infrastructure providers (hosting, database, CDN)
- Authentication providers (identity and session management)
- Email delivery services (transactional notifications)
All service providers are contractually bound to process data only on our instructions and maintain appropriate security measures.
4.3 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of xTerminal, our users, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users of any change in ownership or control.
4.5 With Your Consent
We may share information for purposes not described here only with your explicit consent.
5. Data Security
We implement technical and organizational measures designed to protect personal data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest
- Access controls: Role-based access, tenant-scoped queries, and Row Level Security (RLS) policies enforced at the database level
- Authentication: Secure session management with HTTP-only cookies and cryptographic token validation
- API security: Hashed API keys, per-key rate limiting, origin restrictions, and request logging
- Audit trails: Change logs and key event history for accountability and incident response
- Tenant isolation: Workspace data is logically isolated through tenant-scoped queries and database policies to prevent cross-workspace data exposure
No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
6. Data Retention
We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
| Data Type | Retention Period |
|---|
| Account information | Duration of active account + 30 days after deletion request |
| Workspace and content data | Duration of active workspace + 30 days after deletion |
| API request logs | 90 days |
| Change log / audit entries | 1 year |
| Support communications | 2 years |
| Security event logs | 1 year |
After the applicable retention period, data is permanently deleted or irreversibly anonymized.
7. Cookies and Tracking Technologies
| Name | Storage | Purpose | Type | Duration |
|---|
| Session token | Cookie | Authentication | Essential | Session |
| xt_tenant_id | Cookie | Workspace context | Essential | Session |
| adminSidebarCollapsed | localStorage | UI preference | Functional | Persistent |
| adminTheme | localStorage | Theme preference | Functional | Persistent |
Essential cookies are required for the platform to function and cannot be disabled.
Functional items stored in localStorage save user preferences and can be cleared through your browser settings.
We do not use analytics cookies, advertising cookies, or third-party tracking pixels.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request your data in a structured, machine-readable format
- Restriction: Request restriction of processing under certain circumstances
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@xterminal.io. We will respond within 30 days (or as required by applicable law).
If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection authority.
9. International Data Transfers
Your data may be processed in countries other than your country of residence. Where we transfer data outside of the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Contractual obligations with service providers requiring equivalent data protection standards
10. Children's Privacy
xTerminal is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, contact us at privacy@xterminal.io.
11. Third-Party Links
The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any external service you interact with.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform dashboard or via email to registered users. The “Last Updated” date at the top of this policy reflects the most recent revision.
Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
13. Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data:
- Privacy: privacy@xterminal.io
- General: hello@xterminal.io
- Data controller: Windborne Creative