1. Overview & Scope
This Privacy Policy (“Policy”) describes how Pivot Point Media Holdings(“Company,” “we,” “us,” or “our”) collects, uses, stores, transfers, and protects personal information in connection with the XsitPlan platform available at xsitplan.com and related services (collectively, the “Service”).
This Policy applies to all users worldwide. If you are located in the European Economic Area (“EEA”) or United Kingdom, additional rights under the General Data Protection Regulation (“GDPR”) apply — see Section 12. If you are a California resident, additional rights under the California Consumer Privacy Act (“CCPA”) apply — see Section 13.
By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Service.
2. Who We Are (Data Controller)
For purposes of data protection law, the data controller responsible for your personal information is:
Company Name: Pivot Point Media Holdings
Product: XsitPlan (xsitplan.com)
Data Protection Contact: legal@xsitplan.com
General Contact: hello@xsitplan.com
3. Data We Collect
We collect information in the following categories:
3.1 Account & Identity Data
- Name — provided during sign-up
- Email address — used for authentication, transactional emails, and support
- Password — stored as a one-way bcrypt hash; we never store or transmit your plain-text password
3.2 Profile & Wizard Data
When you complete our onboarding wizard, we collect structured answers about:
- Your professional skills and areas of expertise
- Your prior work experience and industry background
- Your entrepreneurial goals and motivations
- Available startup budget
- Weekly hours you can dedicate to a new business
- Location and language preferences
3.3 AI-Generated Output Data
- Business ideas generated by our AI on your behalf
- Market analysis, competitive snapshots, and viability scores associated with your selected idea
- Business name suggestions, taglines, and positioning copy
3.4 Subscription & Payment Data
- Subscription plan tier and billing period
- Subscription status, start and end dates
- Stripe Customer ID and Stripe Subscription ID (tokenized references only)
- Payment method type (e.g., “Visa ending in 4242”) — full card numbers are handled exclusively by Stripe; we never see them
- Transaction history (amounts, dates, invoice IDs)
3.5 Provisioned Business Assets
Once you subscribe, we create business infrastructure on your behalf. We store references to:
- Registered domain name and registrar details
- Website URL and hosting configuration
- CRM account identifiers (GoHighLevel sub-account)
- Email marketing account identifiers (Resend configuration)
- Provisioning status logs and audit trail
3.6 Usage & Technical Data
- IP address and approximate geographic location (country/region level)
- Browser type, operating system, and device type
- Pages visited, features used, and time spent
- Referring URLs and exit pages
- Error logs and crash reports
- Session identifiers (JWT tokens stored in httpOnly cookies)
3.7 Communications Data
- Support emails and chat messages you send to us
- Survey responses and feedback you voluntarily provide
- Email open/click tracking for transactional and marketing emails (where permitted)
3.8 Data We Do NOT Collect
- Government-issued ID numbers or social security numbers
- Sensitive special category data (health, biometrics, ethnicity, political opinions)
- Full payment card numbers (handled by Stripe)
- Data from children under 18 (see Section 14)
4. How We Use Your Data
| Purpose | Data Categories Used | Lawful Basis |
|---|---|---|
| Create and manage your account | Account & identity data | Contract |
| Generate personalized AI business recommendations | Wizard/profile data | Contract |
| Display your saved ideas and dashboard | AI output data, account data | Contract |
| Process payments and manage subscriptions | Payment & subscription data | Contract |
| Provision business infrastructure (domain, site, CRM, etc.) | Account, subscription, AI output data | Contract |
| Send transactional emails (receipts, provisioning updates, alerts) | Account, subscription data | Contract |
| Provide customer support | All relevant data you share with us | Contract |
| Prevent fraud, abuse, and security threats | Usage & technical data, account data | Legitimate Interests |
| Monitor Service performance and debug errors | Usage & technical data, error logs | Legitimate Interests |
| Improve our AI recommendation models (aggregate/anonymized insights only) | Anonymized aggregate usage patterns | Legitimate Interests |
| Send product update and marketing emails | Account data, email preferences | Consent |
| Analytics and conversion tracking (non-essential cookies) | Usage & technical data | Consent |
| Comply with legal obligations (tax records, court orders) | Account, payment, transaction data | Legal Obligation |
Where we rely on Legitimate Interests, we have conducted a balancing test and concluded our interests do not override your fundamental rights. You may object to such processing at any time — see Section 12.
5. Lawful Basis for Processing (GDPR)
For users in the EEA and UK, every processing activity must rest on a valid legal basis under Article 6 GDPR. We rely on the following:
Contract Performance — Art. 6(1)(b)
The primary basis for our core Service. When you create an account and use XsitPlan, we process your account data, wizard answers, AI outputs, and payment/subscription information because it is strictly necessary to deliver the Service you agreed to receive. Without this processing, we cannot provide business recommendations, provision your infrastructure, manage your subscription, or support your account.
Legitimate Interests — Art. 6(1)(f)
We process usage and technical data for fraud prevention, security monitoring, platform stability, and aggregated (anonymized) analytics. Our legitimate interests are: protecting our users and platform from abuse; improving the reliability and quality of our Service; and understanding how features are used in aggregate to guide product development.
We do not rely on legitimate interests as a basis for processing your wizard profile data, payment data, or for sending marketing communications.
Consent — Art. 6(1)(a)
Marketing emails, non-essential cookies (analytics/advertising), and any optional data enrichment are processed only with your explicit, freely given, specific, and informed consent. You may withdraw consent at any time without affecting processing already completed — by unsubscribing from emails or adjusting your cookie preferences.
Legal Obligation — Art. 6(1)(c)
We retain certain financial and transactional records to comply with tax laws, anti-money laundering regulations, and applicable accounting standards. We also process data when required by a valid court order or law enforcement request.
6. AI & Automated Processing
6.1 How AI Recommendations Work
When you complete the onboarding wizard, your structured profile data (skills, experience, goals, budget, time availability) is compiled into a prompt and transmitted to the Anthropic Claude API. The Claude model analyzes your profile and generates three personalized business idea recommendations. These recommendations are then returned to our servers, stored in your account, and displayed to you on the ideas dashboard.
6.2 What Data Is Sent to Anthropic
Only your anonymized wizard responses are included in the prompt sent to Anthropic. We do not include your name, email address, or payment information in AI prompts. The data transmitted is limited to what is necessary to generate relevant recommendations.
6.3 Your Data Is NOT Used to Train AI
6.4 Automated Decision-Making
The business recommendations generated by our AI are informational suggestions, not automated decisions with legal or similarly significant effects on you. You are always free to disregard any recommendation. No fully automated decision-making that produces legal effects is made about you without human review. Accordingly, Article 22 GDPR rights regarding solely automated decision-making are not engaged, but we remain committed to transparency about how our AI system operates.
If you believe an AI-generated output has unfairly affected you, please contact us at legal@xsitplan.com.
8. International Data Transfers
Pivot Point Media Holdings operates in the United States. All of our primary sub-processors (see Section 7) are also based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to, and processed in, the United States, which the European Commission has not designated as providing an adequate level of data protection comparable to EEA standards.
8.1 Safeguards We Use
To ensure your data receives adequate protection, we rely on the following mechanisms:
- Standard Contractual Clauses (SCCs): For transfers to sub-processors located in the United States, we rely on the European Commission's standard contractual clauses (Controller-to-Processor SCCs, 2021 edition) incorporated into our Data Processing Agreements. These clauses create binding obligations on our processors to protect your data to EEA standards.
- Sub-processor Data Processing Agreements: Each sub-processor listed in Section 7 has executed a data processing agreement (DPA) that restricts their use of your data, requires them to implement appropriate security measures, and obligates them to assist us in fulfilling your data subject rights.
- Technical and organizational measures: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). See Section 11.
8.2 Your Rights Regarding Transfers
You have the right to request a copy of the SCCs we use for any specific transfer. To do so, email legal@xsitplan.com with the subject line “SCC Request.”
9. Data Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. The following table sets out our standard retention periods:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Account & identity data (name, email) | Duration of account + 30 days after deletion request | Contract performance; allow re-activation window |
| Hashed passwords | Duration of account; deleted immediately on account deletion | Security/authentication |
| Wizard profile answers | Duration of account + 30 days | Core service delivery; deleted with account |
| AI-generated business ideas and outputs | Duration of account + 30 days | Service delivery; user reference |
| Subscription & billing records | 7 years from subscription end date | Tax and accounting legal obligations |
| Payment method tokens (Stripe) | Managed by Stripe per their retention policy; removed from our DB on account deletion | Payment processing |
| Provisioned business asset references | Duration of subscription + 90 days (to allow recovery) | Service delivery; then deleted |
| Usage & technical logs | 90 days rolling (server logs); 13 months (analytics aggregates) | Security monitoring; legitimate interests |
| Support communications | 3 years from last contact | Legitimate interests (dispute resolution) |
| Fraud/abuse investigation records | 5 years | Legitimate interests; legal defense |
| Marketing consent records | 3 years from consent (or withdrawal) | Legal obligation (demonstrate consent) |
| Backup copies | Overwritten on a 30-day rolling cycle | Business continuity; then removed |
Upon account deletion, we initiate erasure within 30 days for operational data. Financial records subject to legal retention are isolated in an archive inaccessible to operational systems. You can request confirmation of deletion by contacting legal@xsitplan.com.
11. Data Security
We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction.
11.1 Technical Measures
- Encryption in transit: All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints with HSTS headers.
- Encryption at rest: Databases hosted on MongoDB Atlas use AES-256 encryption at rest. Backups are encrypted with the same standard.
- Password hashing: User passwords are hashed using bcrypt with an industry-standard cost factor before storage. We cannot reverse or read your password.
- JWT authentication: Session tokens are signed JWTs stored in httpOnly, Secure, SameSite=Strict cookies, making them inaccessible to JavaScript and resistant to XSS and CSRF attacks.
- Stripe tokenization: Payment card data is tokenized by Stripe before reaching our servers. We never transmit or store raw card numbers.
- Access controls: Role-based access control (RBAC) limits internal access to data. Production data is accessible only to authorized engineers and only for legitimate operational purposes.
11.2 Organizational Measures
- Regular security reviews and dependency vulnerability scanning
- Least-privilege access principle for all staff and service accounts
- Incident response procedures with defined notification timelines
- Data minimization — we collect only what is necessary
11.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR. If the breach is likely to result in high risk to you personally, we will also notify you directly without undue delay in accordance with Article 34 GDPR.
12. Your Rights Under GDPR (EEA & UK Users)
12.1 Your Rights at a Glance
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain confirmation that we process your data and receive a copy of it, along with details about the processing. | Email legal@xsitplan.com with subject: "Data Access Request" |
| Right to Rectification (Art. 16) | Have inaccurate or incomplete personal data corrected without undue delay. | Update in your account settings or email legal@xsitplan.com |
| Right to Erasure (Art. 17) | "Right to be forgotten" — request deletion of your personal data where it is no longer necessary, you withdraw consent, or you object to processing. | Email legal@xsitplan.com with subject: "Erasure Request" |
| Right to Restriction (Art. 18) | Request that we restrict processing (e.g., while a dispute is pending) so that we store but do not actively use your data. | Email legal@xsitplan.com with subject: "Restriction Request" |
| Right to Portability (Art. 20) | Receive your data in a structured, machine-readable format and/or have it transmitted to another controller, where processing is by consent or contract. | Email legal@xsitplan.com with subject: "Data Portability Request" |
| Right to Object (Art. 21) | Object to processing based on legitimate interests (including profiling) or for direct marketing purposes. Processing must cease unless we demonstrate compelling legitimate grounds. | Email legal@xsitplan.com with subject: "Objection to Processing" |
| Automated Decision-Making Rights (Art. 22) | Not to be subject to solely automated decisions that produce legal or significant effects. Our AI recommendations are advisory only (see Section 6.4). | Contact us if you believe an AI output has significantly affected you |
| Right to Withdraw Consent | Withdraw consent at any time for processing based on consent (marketing emails, analytics cookies). Withdrawal does not affect prior lawful processing. | Unsubscribe link in emails, cookie preferences, or email legal@xsitplan.com |
12.2 How to Submit a Data Subject Request
To exercise any of the rights above, please:
- Email us at legal@xsitplan.com with the relevant subject line listed above.
- Include your full name and the email address associated with your XsitPlan account, so we can verify your identity before processing the request.
- Describe your request as clearly as possible — e.g., which data categories you want to access, or what inaccuracies you want corrected.
We will respond within 30 days of receipt (extendable by a further 60 days for complex requests, with notice). Identity verification may be required before we action requests to protect your security. Requests are free of charge; we may charge a reasonable administrative fee only for manifestly unfounded or excessive requests.
12.3 Right to Lodge a Complaint
If you are not satisfied with our response or believe our processing is unlawful, you have the right to lodge a complaint with your local data protection supervisory authority. For example:
- EU residents: Your national data protection authority (find yours at edpb.europa.eu)
- UK residents: Information Commissioner's Office (ICO) — ico.org.uk
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch
We encourage you to contact us first at legal@xsitplan.com — we are committed to resolving concerns directly and promptly.
13. California Privacy Rights (CCPA / CPRA)
13.1 Categories of Personal Information Collected
In the 12 months preceding the effective date of this Policy, we have collected the following categories of personal information from California consumers:
| CCPA Category | Examples We Collect | Sold or Shared for Cross-Context Advertising? |
|---|---|---|
| A. Identifiers | Name, email address | No |
| B. Personal records (Cal. Civ. Code § 1798.80) | Name, email; financial info (Stripe tokens) | No |
| C. Protected classification characteristics | None collected | No |
| D. Commercial information | Subscription plan, transaction history | No |
| E. Biometric information | None collected | No |
| F. Internet/electronic network activity | Pages visited, features used, session data | No |
| G. Geolocation data | Country/region level only (from IP) | No |
| H. Audio, electronic, visual data | None collected | No |
| I. Professional/employment information | Self-reported wizard answers (skills, experience) | No |
| J. Inferences drawn from personal information | AI-generated business recommendations | No |
13.2 We Do Not Sell Your Personal Information
13.3 Your California Rights
- Right to Know (§ 1798.110): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete (§ 1798.105): You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal compliance, fraud prevention).
- Right to Correct (§ 1798.106): You have the right to request correction of inaccurate personal information we hold about you.
- Right to Opt Out of Sale/Sharing (§ 1798.120): As noted above, we do not sell or share personal information. No opt-out is required, but you may still signal your preference at legal@xsitplan.com.
- Right to Limit Use of Sensitive Personal Information (§ 1798.121): We do not process sensitive personal information (as defined by CPRA) for purposes beyond providing the Service.
- Right to Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising your CCPA rights — we will not deny goods or services, charge different prices, or provide a different quality of service.
13.4 How to Submit a California Request
To exercise your California rights, submit a verifiable consumer request by emailing legal@xsitplan.com with the subject line “California Privacy Request” and include your full name and account email address for identity verification. We will respond within 45 days (extendable by 45 additional days with notice).
Authorized agents may submit requests on your behalf with written authorization. We may require direct verification from you to protect against fraudulent requests.
14. Children's Privacy
We do not knowingly collect personal information from anyone under the age of 18. Our Service is designed for adults seeking to start or grow a business. You must be at least 18 years old to create an account and use XsitPlan.
If you are a parent or guardian and believe your minor child has provided us with personal information, please contact us immediately at legal@xsitplan.com. We will delete any such information promptly upon verification.
If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that information and terminate the associated account.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will:
- Update the “Effective Date” at the top of this page;
- For material changes — those that meaningfully affect how we use your data or your rights — provide at least 30 days' advance notice via email to the address associated with your account and/or a prominent notice on xsitplan.com;
- For minor, non-material changes (e.g., clarifying language, correcting typos, adding sub-processors with equivalent protections), update the Policy without prior notice, though the effective date will always be updated.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not accept the changes, you should stop using the Service and may request account deletion.
We maintain an archive of prior versions of this Policy. To request a copy of a previous version, contact legal@xsitplan.com.
16. Contact Us & Data Protection Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us through any of the following channels:
Data Controller
Company: Pivot Point Media Holdings
Product: XsitPlan
Website: xsitplan.com
Data Protection Contact: legal@xsitplan.com
Response times: We aim to acknowledge all privacy-related emails within 2 business days and to provide a substantive response within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA). For urgent security concerns, please include “URGENT” in your subject line.
Effective Date: June 11, 2026 · Version: 1.0
© 2026 Pivot Point Media Holdings. All rights reserved.