Effective date: 1 March 2026
1. Who We Are (Data Controller)
Xounter is the data controller responsible for your personal data. Contact us at: contact@xounter.com
2. What Data We Collect and Why
a) Account & Authentication Data
We collect your name, email address, and (if applicable) social login tokens from Google, Facebook, or Microsoft when you register or sign in.
Lawful basis: Art. 6(1)(b) GDPR — performance of a contract.
Retention: Held for the lifetime of your account; deleted within 30 days of account closure.
b) Contact Form Submissions
When you use our contact form, we collect your name, email address, and phone number.
Lawful basis: Art. 6(1)(f) GDPR — legitimate interest in responding to enquiries.
Retention: Up to 2 years from the date of the enquiry, or until it is resolved.
c) Analytics Data (with your consent)
We use Google Analytics to collect aggregated data on how visitors use this website (pages visited, session duration, etc.). This is only collected if you click “Accept All” on our cookie banner.
Lawful basis: Art. 6(1)(a) GDPR — your consent.
Retention: Google Analytics data is retained for 14 months. You may withdraw consent at any time via our cookie banner.
d) Payment Data
Payments are processed by PayPal. We receive only a transaction confirmation and your PayPal email address. Full card or bank details are never held by Xounter.
Lawful basis: Art. 6(1)(b) GDPR — performance of a contract.
e) Technical Log Data
Our web server automatically collects IP addresses, browser types, and access timestamps.
Lawful basis: Art. 6(1)(f) GDPR — legitimate interest in security and service maintenance.
Retention: Server logs are retained for up to 90 days.
3. Who We Share Your Data With
We do not sell your personal data. We share data only with the following service providers (data processors) acting on our instructions:
| Recipient | Purpose | Location |
|---|---|---|
| Google LLC (Analytics / GTM) | Aggregated site analytics (consent only) | USA — EU Standard Contractual Clauses (SCCs) |
| Google LLC (OAuth) | Google Sign-In authentication | USA — EU SCCs |
| Meta Platforms, Inc. (Facebook) | Facebook Login authentication | USA — EU SCCs |
| Microsoft Corporation | Microsoft Sign-In authentication | USA — EU SCCs |
| PayPal (Europe) S.à r.l. | Payment processing | Luxembourg (EEA) |
4. International Data Transfers
Some of our service providers (Google, Meta/Facebook, Microsoft) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the appropriate safeguard under Art. 46(2)(c) GDPR.
5. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): obtain a copy of your data.
- Right to rectification (Art. 16): have inaccurate data corrected.
- Right to erasure (Art. 17): request deletion of your data (“right to be forgotten”).
- Right to restriction (Art. 18): limit how we process your data.
- Right to data portability (Art. 20): receive your data in a machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting prior processing.
To exercise any right, email us at contact@xounter.com. We will respond within 30 days.
6. Right to Lodge a Complaint
If you believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state where you live, work, or where the alleged infringement occurred. A list of EU supervisory authorities is available at edpb.europa.eu.
7. Cookies
We use two categories of cookies:
- Essential cookies: required for login sessions and security. These cannot be rejected as they are strictly necessary for the service to function.
- Analytics cookies: set by Google Analytics to measure aggregate site usage. These are placed only with your explicit consent via our cookie banner.
You can update your cookie preferences at any time by clicking the cookie banner that appears on your first visit.
8. Data Security and Breach Notification
We use appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and, where required, inform affected individuals directly (Art. 34 GDPR).
9. Children
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has submitted data to us, please contact us at contact@xounter.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the effective date at the top of this page. Your continued use of the service after notification constitutes acceptance of the revised policy.