⚠️ DRAFT — NOT LEGAL ADVICE. This document was prepared as a starting template to save time. It has not been reviewed by a lawyer. Data-protection compliance (GDPR, UK GDPR, US state laws) depends on what you actually do with data, not only what this document says. Have a qualified lawyer review and adapt this before you publish it. Replace every
[BRACKETED]placeholder with your real details.
Privacy Policy
Effective date: [EFFECTIVE DATE]
Last updated: [DATE]
This Privacy Policy explains how [LEGAL ENTITY NAME] ("Xuroe," "we," "us," or "our"), a business established in [JURISDICTION OF INCORPORATION — e.g. Turks and Caicos Islands], collects, uses, and protects personal information when you visit our website at [WEBSITE URL] (the "Site") or submit a demo request.
This policy covers our marketing website and demo-request form only. If you become a customer and use the Xuroe platform, the personal data processed inside that product is governed by [SEPARATE PRODUCT PRIVACY POLICY / DATA PROCESSING AGREEMENT REFERENCE].
1. Who is responsible for your data (Controller)
The data controller responsible for your personal information is:
[LEGAL ENTITY NAME][REGISTERED BUSINESS ADDRESS]- Contact:
[PRIVACY CONTACT EMAIL — e.g. privacy@xuroe.com]
[IF YOU APPOINT ONE:] Our Data Protection Officer / privacy contact is [NAME / EMAIL].
Lawyer to confirm: Because anyone worldwide can submit our form, if we process the personal data of individuals located in the EU or UK, we may be required to appoint an EU representative (GDPR Art. 27) and/or a UK representative. Confirm whether this applies and add their details here.
2. What personal data we collect
(a) Information you give us — the demo request form: - Full name - Email address - Phone number (optional) - Business name - Business type (optional) - Team size (optional) - Any message you choose to include
(b) Information collected automatically when you visit the Site: Our infrastructure providers automatically process certain technical data for security, fraud prevention, and to deliver the Site, including: - IP address - Browser type and device/operating-system information - Referring pages and pages viewed - Date, time, and general location (derived from IP)
We also store the IP address associated with a demo-request submission to help prevent spam and abuse.
(c) What we do NOT currently collect:
- We do not use advertising or marketing cookies or third-party tracking pixels on this Site.
- We do not run third-party analytics [REMOVE THIS LINE IF YOU ADD ANALYTICS — SEE COOKIE NOTICE].
- We do not knowingly collect data from children (see Section 10).
3. How we use your data and our legal bases
| What we do | Why | Legal basis (GDPR / UK GDPR) |
|---|---|---|
| Respond to your demo request and contact you | To answer your enquiry and arrange a demo | Taking steps at your request prior to entering a contract (Art. 6(1)(b)); and/or our legitimate interest in responding to enquiries (Art. 6(1)(f)) |
| Keep a record of your enquiry | Business administration and follow-up | Legitimate interest (Art. 6(1)(f)) |
| Log technical data / IP; spam prevention | Security, fraud/abuse prevention, reliability | Legitimate interest (Art. 6(1)(f)) |
Send you service or marketing emails [ONLY IF APPLICABLE] |
To share relevant updates | Consent (Art. 6(1)(a)) where required, which you can withdraw at any time |
We do not sell your personal data. We do not use your form data for automated decision-making or profiling.
4. Cookies and similar technologies
The Site currently sets only strictly necessary cookies (for example, security cookies set by our hosting provider Cloudflare). We do not currently use analytics or advertising cookies. For details, see our separate Cookie Notice at [COOKIE NOTICE URL].
If you later add analytics or marketing tools, EU/UK law generally requires consent before non-essential cookies are set. Update this section and the Cookie Notice accordingly.
5. Who we share your data with (Processors / Sub-processors)
We share personal data only with service providers who process it on our behalf under contract, and only as needed to run the Site and respond to you:
- Cloudflare, Inc. — website hosting, content delivery, serverless functions, and security (processes technical data and form submissions in transit).
[REGION: US / global] - Resend (Plusdotcom, Inc. / Resend, Inc.) — sends the notification email containing your form submission.
[REGION: US] - Google LLC (Google Workspace) — hosts the inbox that receives and stores demo-request emails.
[REGION: US / global]
[ADD OR REMOVE PROVIDERS TO MATCH YOUR ACTUAL STACK.]
We may also disclose personal data where required by law, to protect our legal rights, or in connection with a business sale or reorganization.
6. International data transfers
We are based in [JURISDICTION], and our service providers process data in the United States and potentially other countries. If you are located in the UK, EU/EEA, or another region, your personal data may be transferred outside your country.
Where we transfer personal data internationally, we rely on appropriate safeguards such as [e.g. Standard Contractual Clauses / UK International Data Transfer Agreement / the providers' own transfer mechanisms].
Lawyer to confirm the correct transfer mechanism for EU→US and UK→US flows through Cloudflare, Resend, and Google, and reference it accurately here.
7. How long we keep your data
We keep demo-request information for [RETENTION PERIOD — e.g. 24 months] after your last contact with us, unless you ask us to delete it sooner or we are required to keep it longer for legal reasons. Technical/security logs are retained for [PERIOD — check Cloudflare's retention].
8. Your rights
Depending on where you live, you may have some or all of the following rights over your personal data:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — ask us to delete your data ("right to be forgotten")
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a portable format
- Objection — object to processing based on legitimate interests, and to direct marketing at any time
- Withdraw consent — where we rely on consent, withdraw it at any time
To exercise any right, contact us at [PRIVACY CONTACT EMAIL]. We will respond within the timeframe required by applicable law (generally one month under GDPR/UK GDPR).
Complaints: If you are in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU/EEA, you may complain to your local data protection authority.
US residents: [IF YOU HAVE CALIFORNIA/US USERS: add CCPA/CPRA and other state-law disclosures — right to know, delete, correct, opt out of "sale/sharing"; note that we do not sell personal information. Confirm scope with counsel.]
9. How we protect your data
We use reasonable technical and organizational measures to protect personal data, including encrypted transmission (HTTPS), access controls on the inbox that receives submissions, and reputable infrastructure providers. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Children's privacy
The Site and our services are intended for business owners and are not directed to children. We do not knowingly collect personal data from anyone under [16 / 18 — confirm the correct age threshold for your markets]. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it last changed. Material changes will be [posted on this page / notified by email where appropriate].
12. Contact us
Questions about this policy or your data:
[LEGAL ENTITY NAME] — [PRIVACY CONTACT EMAIL] — [REGISTERED ADDRESS]