
Privacy Policy

Effective Date: April 9, 2026

1. Information We Collect

We collect information you provide directly when you create an account, book a demo, or contact support: name, email address, business name, EIN or tax ID, and billing details. We also collect transaction metadata — merchant name, transaction amount, timestamp, and the last four digits of the card — via the Astrada API integration. Full card numbers are never stored on our servers; they are tokenised by our payment processor and transmitted over encrypted TLS 1.3 connections.

When you use Xpnsr Tracker, we collect click event data including IP address, user agent, referrer URL, timestamp, and conversion postback data. This data is used exclusively for campaign performance analytics and bot detection. We do not sell, share, or monetise click-level data with any third party.

For CBN users, we collect keyword lists, SERP rank data, and content generation metadata. This data is used to power the AI article generation pipeline and rank tracking dashboards. Your keyword research and content strategies remain confidential and are never shared with other users or competitors.

2. How We Use Your Information

We use your information to operate the Service, process transactions, provide customer support, send service updates, and improve our platform. Specifically, we use account data to authenticate users, manage subscriptions, and generate invoices. Transaction data is used to populate real-time expense dashboards, generate spending reports, and reconcile corporate card activity. Click event data is processed through our bot detection engine to filter invalid traffic and provide accurate campaign analytics.

We do not sell your personal information to third parties. We do not use your data for advertising retargeting, profile building, or any purpose beyond delivering and improving the Xpnsr platform. Email addresses are used exclusively for account-related communications — service updates, billing notifications, and direct support responses. We do not send marketing newsletters without explicit opt-in consent.

3. Data Sharing

We share data only with trusted service providers who help us operate the platform. These include Astrada API (card transaction processing and virtual card issuance), DataForSEO (SERP rank tracking and keyword research data), DeepSeek (AI article generation for CBN), and Stripe (payment processing and subscription management). Each provider is contractually bound by data processing agreements that require them to protect your data with encryption, access controls, and strict usage limitations.

We may disclose your information if required by law, such as in response to a valid court order, subpoena, or government request. In such cases, we will notify you within the bounds of the law and limit the disclosure to the minimum required by the request.

4. Data Retention

We retain your account data — including profile information, transaction history, keyword lists, and campaign data — for as long as your account is active and for 90 days after cancellation. After this period, all personal data is permanently deleted from our production databases and backups. Click-level event data in Tracker is retained for 13 months for campaign analysis purposes, after which it is anonymised and aggregated.

Financial records (invoices, payment history) are retained for 7 years as required by tax and accounting regulations in the jurisdictions where we operate. These records are stored in encrypted, access-controlled archives separate from active production systems.

5. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation: the right to access your personal data, the right to correct inaccurate data, the right to delete your data (right to erasure), the right to restrict processing, the right to data portability, and the right to object to processing. You also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@xpnsr.tech. We will respond within 30 days. All requests are verified to confirm your identity before processing. There is no charge for exercising your GDPR rights.

6. Security

We implement industry-standard security measures to protect your data. All data in transit is encrypted using TLS 1.3 with strong cipher suites. All data at rest is encrypted using AES-256 encryption. Access to production systems is restricted through role-based access controls (RBAC) with multi-factor authentication required for all administrative accounts.

We undergo regular third-party security audits and penetration testing. Our infrastructure runs on isolated, hardened servers with automated vulnerability scanning, intrusion detection, and 24/7 security monitoring. We maintain a responsible disclosure program for security researchers and aim to patch critical vulnerabilities within 24 hours of confirmation.

7. Cookies

We use essential cookies for authentication, session management, and security. These cookies are necessary for the Service to function — they store your login session, maintain dashboard preferences, and prevent cross-site request forgery (CSRF) attacks. These cookies do not track your activity across other websites.

We use Google Analytics with anonymised IP addresses to understand aggregate usage patterns — which features are used most, where users navigate, and how the platform performs. Google Analytics data is retained for 14 months. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. We do not use advertising cookies, tracking pixels, or third-party marketing cookies on the Xpnsr platform.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Material changes — such as new data collection practices, changes in data sharing, or expanded use of personal information — will be communicated by email to the primary account holder and through an in-app notification at least 14 days before the changes take effect.

Non-material changes (clarifications, formatting, minor corrections) may be made without prior notice. We encourage you to review this policy periodically. The "Effective Date" at the top of this page indicates when the policy was last updated.

9. Contact

If you have any questions about this Privacy Policy, your data, or our security practices, please contact our Data Protection Officer:

Email: privacy@xpnsr.tech

We aim to respond to all privacy inquiries within 48 hours. For urgent data deletion requests, please include "Urgent" in the subject line and we will prioritise your request.


© 2026 Xpnsr. All rights reserved.