Xtra-Dev

Legal

Privacy Policy

Effective date: April 23, 2026. We keep this short, specific, and free of dark patterns.

1. Who we are

Xtra-Dev is a service of Wyxloop Corp ("Xtra-Dev", "we", "us"). We provide custom web development, client systems, automation, and IT services. You can reach us at contact@xtra-dev.com.

2. Scope of this policy

This policy covers personal data we process through our public website (xtra-dev.com), our client portals, and direct communication channels. It applies to prospects, invited workspace members, and visitors.

3. Data we collect

  • Contact requests: name, work email, company, phone (optional), service interest, budget range, and project details you submit through the contact form.
  • Account data (invited users only): email, full name, role, password hash, MFA settings, session metadata, and audit/security event logs.
  • Operational data: IP address, user agent, request timestamps, and basic page-level analytics needed to operate the service securely.
  • Cookies: a small set of strictly necessary cookies (session token, CSRF token, theme preference) plus a consent record cookie.

We do not buy data, we do not run third-party advertising, and we do not sell data to anyone.

4. How we use your data

  • To respond to your inquiry and produce a scope or proposal.
  • To operate the workspace you were invited to (authentication, billing, support).
  • To maintain security: rate limiting, abuse detection, MFA, and session management.
  • To meet legal, tax, and accounting obligations.

5. Legal bases (GDPR)

Where GDPR applies, we rely on: (a) your consent for optional cookies, (b) the performance of a contract for paid client work, (c) our legitimate interest in operating and securing the service, and (d) legal obligation for tax and accounting records.

6. Data sharing

We share data only with sub-processors required to deliver the service (email delivery, cloud hosting, error monitoring). Each sub-processor is bound by a data processing agreement and only handles data needed for its function. We never sell or rent your data.

7. International transfers

Some sub-processors may store or process data outside your country. When required, we use Standard Contractual Clauses or equivalent safeguards.

8. Retention

  • Contact form submissions: up to 24 months after the last interaction, then deleted.
  • Active workspace accounts: for as long as the workspace is active. After deactivation, account data is retained up to 90 days then deleted, except where law requires longer retention.
  • Security and audit logs: up to 12 months.
  • Billing and tax records: as required by applicable tax law (typically 5-7 years).

9. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict the processing of your personal data, and to withdraw consent. To exercise any right, email contact@xtra-dev.com. We respond within 30 days.

California residents (CCPA/CPRA) have additional rights, including the right to opt out of any sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.

10. Cookies

We use a minimal cookie set:

  • Strictly necessary: session token, CSRF token, theme preference, consent record. Always on.
  • Optional: none at this time. If we add optional analytics, they will be opt-in via the consent banner.

11. Security

We use bcrypt-hashed passwords, MFA for administrators, idle session timeouts, CSRF protection, rate limiting, and audited access controls. No system is perfect; we will notify affected users and authorities as required if a security incident impacts personal data.

12. Children

Our service is intended for businesses. We do not knowingly collect personal data from children under 16.

13. Changes to this policy

We post material changes to this page and update the effective date. Substantial changes affecting account holders are also announced by email.

14. Contact

Questions about privacy: contact@xtra-dev.com.