Privacy Policy

Last Updated: November 2025

1. Introduction

xtuis.com ('we', 'our', 'us', or 'Company') is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, store, and safeguard your information when you use our email notification service (the 'Service'). This policy applies to all users of the Service, including visitors to our website. By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the data practices described, please do not use the Service.

2. Information We Collect

We collect the following categories of information: (a) Account Information: Email address (required for registration), API keys, account creation date, subscription plan type (free or paid), and account status; (b) Usage Data: Request timestamps, IP addresses, HTTP request headers, rate limit tracking data, API endpoint accessed, and response status codes for service operation, abuse prevention, and analytics; (c) Payment Information: Payment transaction data processed securely through Stripe, including payment amounts, currency, transaction IDs, and payment status. We do NOT store credit card numbers, CVV codes, or full payment card details on our servers; (d) Email Content: The subject line and body text of emails you send through our Service. This content is transmitted through AWS SNS to deliver your emails but is NOT stored on our servers after delivery; (e) Technical Data: Browser type, device information, operating system, referring URLs, and other technical information collected automatically when you visit our website; (f) Communication Data: Records of correspondence when you contact us for support or inquiries.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal information based on the following legal grounds: (a) Contractual Necessity: Processing necessary to perform our contract with you (providing the Service); (b) Legitimate Interests: Processing necessary for our legitimate business interests, such as preventing fraud, ensuring security, and improving our Service; (c) Legal Obligation: Processing necessary to comply with legal obligations; (d) Consent: Where you have provided explicit consent for specific processing activities. You may withdraw consent at any time by contacting us.

4. How We Use Your Information

We use the information we collect for the following purposes: (a) Service Delivery: To provide, operate, maintain, and improve the Service, including processing API requests and delivering emails; (b) Account Management: To create and manage your account, authenticate your identity, and provide customer support; (c) Payment Processing: To process payments, manage subscriptions, send payment receipts, and handle billing inquiries; (d) Communication: To send you service-related communications, including confirmation emails, API keys, payment receipts, security alerts, and important service updates; (e) Security and Abuse Prevention: To monitor for and prevent fraud, abuse, security threats, unauthorized access, and violations of our Terms of Service; (f) Analytics and Improvement: To analyze usage patterns, understand how the Service is used, and improve our Service, features, and user experience; (g) Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests; (h) Enforcement: To enforce our Terms of Service and protect our rights, property, and safety, as well as that of our users.

5. Data Storage and Security

Your email address, API key, account information, and usage metadata are stored securely in AWS DynamoDB databases located in AWS data centers. Email content (subject and body) is transmitted through AWS Simple Notification Service (SNS) but is NOT stored on our servers after delivery. Payment transaction records are stored in a separate DynamoDB table. We implement industry-standard security measures including: (a) Encryption in transit using TLS/SSL protocols; (b) Encryption at rest for sensitive data stored in databases; (c) Access controls and authentication mechanisms to limit access to personal data; (d) Regular security audits and vulnerability assessments; (e) Secure API key generation using cryptographically secure random number generators; (f) Rate limiting and abuse detection systems. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information only in the following limited circumstances: (a) Service Providers: We share information with trusted third-party service providers who assist in operating our Service, including AWS (for infrastructure and email delivery) and Stripe (for payment processing). These providers are contractually obligated to protect your information and use it only for the purposes we specify; (b) Legal Requirements: When required by law, regulation, legal process, or government request, including responding to subpoenas, court orders, or regulatory investigations; (c) Protection of Rights: To protect and defend our rights, property, or safety, or that of our users, employees, or others, including investigating potential violations of our Terms of Service; (d) Business Transfers: In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction; (e) With Your Consent: We may share your information with your explicit consent or at your direction.

7. Third-Party Services and Data Processors

Our Service relies on the following third-party services: (a) Amazon Web Services (AWS): We use AWS for cloud infrastructure, DynamoDB for data storage, SNS for email delivery, SES for sending transactional emails, and CloudWatch for logging. AWS processes your data in accordance with their data processing agreements and privacy policies. Data may be stored in AWS data centers located in various regions; (b) Stripe: We use Stripe for payment processing. Stripe handles payment card information in accordance with PCI DSS standards. Stripe's privacy policy governs their handling of payment data; (c) Exchange Rate APIs: We may use third-party APIs to fetch currency exchange rates for pricing display. These services may receive your IP address but do not receive personal identifying information. We encourage you to review the privacy policies of these third-party services to understand their data practices.

8. Your Privacy Rights (GDPR, CCPA, and Other Jurisdictions)

Depending on your location, you may have the following rights regarding your personal information: (a) Right to Access: Request a copy of the personal information we hold about you; (b) Right to Rectification: Request correction of inaccurate or incomplete information; (c) Right to Erasure ('Right to be Forgotten'): Request deletion of your personal information, subject to certain legal exceptions; (d) Right to Restrict Processing: Request limitation of how we process your information; (e) Right to Data Portability: Request transfer of your data in a structured, machine-readable format; (f) Right to Object: Object to processing of your personal information for certain purposes; (g) Right to Withdraw Consent: Withdraw previously given consent for data processing; (h) Right to Opt-Out (CCPA): If you are a California resident, you have the right to opt out of the sale of personal information (we do not sell personal information); (i) Right to Non-Discrimination: Exercise your privacy rights without discrimination. To exercise any of these rights, please contact us at contact@xtuis.com. We will respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing certain requests.

9. Data Retention and Deletion

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically: (a) Account Information: Retained while your account is active and for up to 30 days after account deletion, unless we are required to retain it longer for legal, tax, or regulatory purposes; (b) Usage Data: Retained for up to 90 days for security and abuse prevention purposes, then anonymized or deleted; (c) Payment Records: Retained for at least 7 years as required by tax and accounting regulations; (d) Email Content: Not stored after transmission; (e) Logs: Retained for up to 180 days for security monitoring and troubleshooting. When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law. You may request immediate deletion by contacting us, and we will process your request subject to legal requirements.

10. Cookies and Tracking Technologies

Our website may use cookies, web beacons, and similar tracking technologies to enhance user experience, analyze usage patterns, and provide personalized content. Types of cookies we may use: (a) Essential Cookies: Required for the website to function properly; (b) Analytics Cookies: Help us understand how visitors interact with our website; (c) Preference Cookies: Remember your settings and preferences. You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling cookies may limit some functionality of our website. We do not use cookies for advertising or cross-site tracking. Our website does not respond to 'Do Not Track' signals, but you can opt out of certain tracking through your browser settings.

11. Children's Privacy

Our Service is not intended for children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children under 13 (or 16 in the EEA). If you are a parent or guardian and believe your child under 13 (or 16 in the EEA) has provided us with personal information, please contact us immediately at contact@xtuis.com. If we become aware that we have collected personal information from a child under 13 (or 16 in the EEA) without parental consent, we will take steps to delete such information promptly.

12. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. These countries may have different data protection laws than your country. When we transfer your information internationally, we take appropriate safeguards to ensure your information receives an adequate level of protection, including: (a) Using Standard Contractual Clauses approved by the European Commission; (b) Relying on adequacy decisions where applicable; (c) Implementing appropriate technical and organizational measures. By using our Service, you consent to the transfer of your information to these countries. If you are located in the EEA or UK, you have the right to object to such transfers, but this may affect your ability to use the Service.

13. Data Breach Notification

In the event of a data breach that may affect your personal information, we will: (a) Investigate the breach promptly and take steps to contain and remediate it; (b) Notify affected users and relevant data protection authorities as required by applicable law (typically within 72 hours for GDPR); (c) Provide information about the nature of the breach, the data affected, and steps we are taking to address it; (d) Recommend steps you can take to protect yourself. We maintain incident response procedures and regularly test our security measures to prevent breaches.

14. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. Rate limiting and abuse detection systems operate automatically but do not make decisions about your account status without human review. If we implement any automated decision-making in the future, we will update this Privacy Policy and provide you with information about the logic involved and your rights regarding such processing.

15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): (a) Right to Know: Request information about the categories and specific pieces of personal information we collect, use, disclose, and sell; (b) Right to Delete: Request deletion of your personal information; (c) Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information); (d) Right to Non-Discrimination: Exercise your CCPA rights without discrimination. We do not sell personal information to third parties. To exercise your California privacy rights, contact us at contact@xtuis.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of any material changes by: (a) Posting the updated Privacy Policy on this page with a new 'Last Updated' date; (b) Sending an email notification to registered users for significant changes; (c) Displaying a prominent notice on our website for material changes. Material changes will become effective 30 days after notification, unless otherwise required by law. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

17. Data Protection Officer and Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, including exercising your privacy rights, please contact us at: Email: contact@xtuis.com. We will respond to your inquiry within a reasonable timeframe, typically within 30 days. If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
