Privacy Policy

Your Privacy Matters to Us

We are committed to transparency about how we collect, use, and protect your personal data. This policy applies to all users of XsitPlan globally, with additional protections for EU/EEA residents (GDPR) and California residents (CCPA).

Effective Date: June 11, 2026  · Controller: Pivot Point Media Holdings  · legal@xsitplan.com

1. Overview & Scope

This Privacy Policy (“Policy”) describes how Pivot Point Media Holdings(“Company,” “we,” “us,” or “our”) collects, uses, stores, transfers, and protects personal information in connection with the XsitPlan platform available at xsitplan.com and related services (collectively, the “Service”).

This Policy applies to all users worldwide. If you are located in the European Economic Area (“EEA”) or United Kingdom, additional rights under the General Data Protection Regulation (“GDPR”) apply — see Section 12. If you are a California resident, additional rights under the California Consumer Privacy Act (“CCPA”) apply — see Section 13.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Service.

Our core commitment: We collect only the data necessary to deliver our Service, we do not sell your personal information to any third party, and we do not use your data to train AI models.

2. Who We Are (Data Controller)

For purposes of data protection law, the data controller responsible for your personal information is:

Company Name: Pivot Point Media Holdings

Product: XsitPlan (xsitplan.com)

Data Protection Contact: legal@xsitplan.com

General Contact: hello@xsitplan.com

EU Representative: If you are located in the EEA and wish to exercise your rights or raise a concern, you may contact us directly at legal@xsitplan.com. We are in the process of formally designating an Article 27 EU Representative and will update this Policy when that appointment is complete. In the meantime, all GDPR inquiries should be directed to the contact above.

3. Data We Collect

We collect information in the following categories:

3.1 Account & Identity Data

  • Name — provided during sign-up
  • Email address — used for authentication, transactional emails, and support
  • Password — stored as a one-way bcrypt hash; we never store or transmit your plain-text password

3.2 Profile & Wizard Data

When you complete our onboarding wizard, we collect structured answers about:

  • Your professional skills and areas of expertise
  • Your prior work experience and industry background
  • Your entrepreneurial goals and motivations
  • Available startup budget
  • Weekly hours you can dedicate to a new business
  • Location and language preferences
This wizard data is the core input to our AI recommendation engine. It is processed to generate personalized business ideas tailored specifically to you. See Section 6 for details on how AI processing works.

3.3 AI-Generated Output Data

  • Business ideas generated by our AI on your behalf
  • Market analysis, competitive snapshots, and viability scores associated with your selected idea
  • Business name suggestions, taglines, and positioning copy

3.4 Subscription & Payment Data

  • Subscription plan tier and billing period
  • Subscription status, start and end dates
  • Stripe Customer ID and Stripe Subscription ID (tokenized references only)
  • Payment method type (e.g., “Visa ending in 4242”) — full card numbers are handled exclusively by Stripe; we never see them
  • Transaction history (amounts, dates, invoice IDs)

3.5 Provisioned Business Assets

Once you subscribe, we create business infrastructure on your behalf. We store references to:

  • Registered domain name and registrar details
  • Website URL and hosting configuration
  • CRM account identifiers (GoHighLevel sub-account)
  • Email marketing account identifiers (Resend configuration)
  • Provisioning status logs and audit trail

3.6 Usage & Technical Data

  • IP address and approximate geographic location (country/region level)
  • Browser type, operating system, and device type
  • Pages visited, features used, and time spent
  • Referring URLs and exit pages
  • Error logs and crash reports
  • Session identifiers (JWT tokens stored in httpOnly cookies)

3.7 Communications Data

  • Support emails and chat messages you send to us
  • Survey responses and feedback you voluntarily provide
  • Email open/click tracking for transactional and marketing emails (where permitted)

3.8 Data We Do NOT Collect

  • Government-issued ID numbers or social security numbers
  • Sensitive special category data (health, biometrics, ethnicity, political opinions)
  • Full payment card numbers (handled by Stripe)
  • Data from children under 18 (see Section 14)

4. How We Use Your Data

PurposeData Categories UsedLawful Basis
Create and manage your accountAccount & identity dataContract
Generate personalized AI business recommendationsWizard/profile dataContract
Display your saved ideas and dashboardAI output data, account dataContract
Process payments and manage subscriptionsPayment & subscription dataContract
Provision business infrastructure (domain, site, CRM, etc.)Account, subscription, AI output dataContract
Send transactional emails (receipts, provisioning updates, alerts)Account, subscription dataContract
Provide customer supportAll relevant data you share with usContract
Prevent fraud, abuse, and security threatsUsage & technical data, account dataLegitimate Interests
Monitor Service performance and debug errorsUsage & technical data, error logsLegitimate Interests
Improve our AI recommendation models (aggregate/anonymized insights only)Anonymized aggregate usage patternsLegitimate Interests
Send product update and marketing emailsAccount data, email preferencesConsent
Analytics and conversion tracking (non-essential cookies)Usage & technical dataConsent
Comply with legal obligations (tax records, court orders)Account, payment, transaction dataLegal Obligation

Where we rely on Legitimate Interests, we have conducted a balancing test and concluded our interests do not override your fundamental rights. You may object to such processing at any time — see Section 12.

5. Lawful Basis for Processing (GDPR)

For users in the EEA and UK, every processing activity must rest on a valid legal basis under Article 6 GDPR. We rely on the following:

Contract Performance — Art. 6(1)(b)

The primary basis for our core Service. When you create an account and use XsitPlan, we process your account data, wizard answers, AI outputs, and payment/subscription information because it is strictly necessary to deliver the Service you agreed to receive. Without this processing, we cannot provide business recommendations, provision your infrastructure, manage your subscription, or support your account.

Legitimate Interests — Art. 6(1)(f)

We process usage and technical data for fraud prevention, security monitoring, platform stability, and aggregated (anonymized) analytics. Our legitimate interests are: protecting our users and platform from abuse; improving the reliability and quality of our Service; and understanding how features are used in aggregate to guide product development.

We do not rely on legitimate interests as a basis for processing your wizard profile data, payment data, or for sending marketing communications.

Consent — Art. 6(1)(a)

Marketing emails, non-essential cookies (analytics/advertising), and any optional data enrichment are processed only with your explicit, freely given, specific, and informed consent. You may withdraw consent at any time without affecting processing already completed — by unsubscribing from emails or adjusting your cookie preferences.

Legal Obligation — Art. 6(1)(c)

We retain certain financial and transactional records to comply with tax laws, anti-money laundering regulations, and applicable accounting standards. We also process data when required by a valid court order or law enforcement request.

6. AI & Automated Processing

Key disclosure: Your wizard answers are sent to Anthropic's Claude API to generate personalized business recommendations. This is the core function of XsitPlan. We are transparent about this process.

6.1 How AI Recommendations Work

When you complete the onboarding wizard, your structured profile data (skills, experience, goals, budget, time availability) is compiled into a prompt and transmitted to the Anthropic Claude API. The Claude model analyzes your profile and generates three personalized business idea recommendations. These recommendations are then returned to our servers, stored in your account, and displayed to you on the ideas dashboard.

6.2 What Data Is Sent to Anthropic

Only your anonymized wizard responses are included in the prompt sent to Anthropic. We do not include your name, email address, or payment information in AI prompts. The data transmitted is limited to what is necessary to generate relevant recommendations.

6.3 Your Data Is NOT Used to Train AI

We have an API data usage agreement with Anthropic under which your inputs and outputs are not used to train or improve Anthropic's models. Anthropic processes your data solely to generate the API response and does not retain it for model training purposes.

6.4 Automated Decision-Making

The business recommendations generated by our AI are informational suggestions, not automated decisions with legal or similarly significant effects on you. You are always free to disregard any recommendation. No fully automated decision-making that produces legal effects is made about you without human review. Accordingly, Article 22 GDPR rights regarding solely automated decision-making are not engaged, but we remain committed to transparency about how our AI system operates.

If you believe an AI-generated output has unfairly affected you, please contact us at legal@xsitplan.com.

7. Sharing & Third-Party Sub-Processors

We do not sell, rent, or trade your personal information. We share data only with the service providers (sub-processors) strictly necessary to deliver our Service, and only to the extent required for their specific function.

Sub-ProcessorRoleData SharedLocationSafeguard
Stripe, Inc.Payment processing & subscription managementEmail, payment method tokens, subscription metadataUSASCC + Stripe DPA
Anthropic, PBCAI language model (Claude API) for business recommendationsAnonymized wizard answersUSAAnthropic API DPA (no training use)
MongoDB Atlas (MongoDB, Inc.)Primary database (cloud-hosted)All structured account, profile, and platform dataUSA (AWS)MongoDB DPA + SCC
Railway Corp.Backend API and server hostingAll data processed through our APIUSARailway DPA
Netlify, Inc.Frontend hosting & CDNStatic assets; IP addresses in access logsUSA (global CDN)Netlify DPA + SCC
GoHighLevel (HighLevel, Inc.)CRM platform for provisioned user business sub-accountsBusiness name, contact details for sub-account setupUSAGoHighLevel DPA
Resend, Inc.Transactional email deliveryRecipient email address, email contentUSAResend DPA
Name.com (Donuts, Inc.)Domain name registrationBusiness name, registrant contact data (per ICANN rules)USAName.com Privacy Policy

7.2 Other Disclosures

We may also share your information in the following circumstances:

  • Legal requirements: To comply with a court order, subpoena, legal process, or government request; to enforce our Terms of Service; or to protect the rights, property, or safety of Pivot Point Media Holdings, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, sale of assets, or financing, your data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
  • With your consent: For any other purpose, only with your explicit prior consent.

We do not share your data with advertisers, data brokers, social media platforms for targeting purposes, or any entity for commercial gain.

8. International Data Transfers

Pivot Point Media Holdings operates in the United States. All of our primary sub-processors (see Section 7) are also based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to, and processed in, the United States, which the European Commission has not designated as providing an adequate level of data protection comparable to EEA standards.

8.1 Safeguards We Use

To ensure your data receives adequate protection, we rely on the following mechanisms:

  • Standard Contractual Clauses (SCCs): For transfers to sub-processors located in the United States, we rely on the European Commission's standard contractual clauses (Controller-to-Processor SCCs, 2021 edition) incorporated into our Data Processing Agreements. These clauses create binding obligations on our processors to protect your data to EEA standards.
  • Sub-processor Data Processing Agreements: Each sub-processor listed in Section 7 has executed a data processing agreement (DPA) that restricts their use of your data, requires them to implement appropriate security measures, and obligates them to assist us in fulfilling your data subject rights.
  • Technical and organizational measures: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). See Section 11.

8.2 Your Rights Regarding Transfers

You have the right to request a copy of the SCCs we use for any specific transfer. To do so, email legal@xsitplan.com with the subject line “SCC Request.”

9. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. The following table sets out our standard retention periods:

Data CategoryRetention PeriodBasis for Retention
Account & identity data (name, email)Duration of account + 30 days after deletion requestContract performance; allow re-activation window
Hashed passwordsDuration of account; deleted immediately on account deletionSecurity/authentication
Wizard profile answersDuration of account + 30 daysCore service delivery; deleted with account
AI-generated business ideas and outputsDuration of account + 30 daysService delivery; user reference
Subscription & billing records7 years from subscription end dateTax and accounting legal obligations
Payment method tokens (Stripe)Managed by Stripe per their retention policy; removed from our DB on account deletionPayment processing
Provisioned business asset referencesDuration of subscription + 90 days (to allow recovery)Service delivery; then deleted
Usage & technical logs90 days rolling (server logs); 13 months (analytics aggregates)Security monitoring; legitimate interests
Support communications3 years from last contactLegitimate interests (dispute resolution)
Fraud/abuse investigation records5 yearsLegitimate interests; legal defense
Marketing consent records3 years from consent (or withdrawal)Legal obligation (demonstrate consent)
Backup copiesOverwritten on a 30-day rolling cycleBusiness continuity; then removed

Upon account deletion, we initiate erasure within 30 days for operational data. Financial records subject to legal retention are isolated in an archive inaccessible to operational systems. You can request confirmation of deletion by contacting legal@xsitplan.com.

10. Cookies & Tracking Technologies

10.1 What Are Cookies

Cookies are small text files stored on your device by your browser. We also use similar technologies such as local storage and session tokens. Cookies help us authenticate users, remember preferences, and understand how our Service is used.

10.2 Cookies We Use

Cookie / TokenTypePurposeDurationConsent Required?
xsitplan_session (JWT)Essential / AuthenticationMaintains your logged-in session after sign-in. httpOnly flag set; not accessible to JavaScript.Session or 30-day rolling ("Remember me")No — Essential
csrf_tokenEssential / SecurityPrevents cross-site request forgery attacks.SessionNo — Essential
cookie_consentEssential / PreferenceRemembers your cookie consent choice so you are not asked repeatedly.1 yearNo — Essential
Analytics cookies (e.g., _ga, _ga_*)Analytics / Non-essentialAggregated usage analytics to understand feature adoption and improve our Service. No advertising profiling.Up to 13 monthsYes — Consent Required

10.3 Cookie Consent

When you first visit XsitPlan, we display a cookie consent banner. Essential cookies (authentication, security) are deployed without consent as they are strictly necessary for the Service to function. Non-essential cookies (analytics) are only activated after you accept them via the consent banner. You can change your preferences at any time by clicking the “Cookie Preferences” link in our site footer.

10.4 Do Not Track

Some browsers transmit a “Do Not Track” signal. We respect this signal — when DNT is enabled, we do not activate non-essential analytics cookies regardless of your consent banner selection.

10.5 Third-Party Tracking

We do not allow third-party advertisers or social media platforms to place tracking cookies on xsitplan.com. We do not participate in cross-site behavioral advertising networks.

11. Data Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction.

11.1 Technical Measures

  • Encryption in transit: All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints with HSTS headers.
  • Encryption at rest: Databases hosted on MongoDB Atlas use AES-256 encryption at rest. Backups are encrypted with the same standard.
  • Password hashing: User passwords are hashed using bcrypt with an industry-standard cost factor before storage. We cannot reverse or read your password.
  • JWT authentication: Session tokens are signed JWTs stored in httpOnly, Secure, SameSite=Strict cookies, making them inaccessible to JavaScript and resistant to XSS and CSRF attacks.
  • Stripe tokenization: Payment card data is tokenized by Stripe before reaching our servers. We never transmit or store raw card numbers.
  • Access controls: Role-based access control (RBAC) limits internal access to data. Production data is accessible only to authorized engineers and only for legitimate operational purposes.

11.2 Organizational Measures

  • Regular security reviews and dependency vulnerability scanning
  • Least-privilege access principle for all staff and service accounts
  • Incident response procedures with defined notification timelines
  • Data minimization — we collect only what is necessary

11.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by Article 33 GDPR. If the breach is likely to result in high risk to you personally, we will also notify you directly without undue delay in accordance with Article 34 GDPR.

No security system is impenetrable. While we take robust precautions, we cannot guarantee the absolute security of information transmitted over the internet. If you suspect unauthorized access to your account, contact us immediately at legal@xsitplan.com.

12. Your Rights Under GDPR (EEA & UK Users)

If you are located in the EEA, United Kingdom, or Switzerland, the following rights apply to you under the General Data Protection Regulation (GDPR) and equivalent national laws. These rights may be subject to certain limitations and exemptions.

12.1 Your Rights at a Glance

RightWhat It MeansHow to Exercise
Right of Access (Art. 15)Obtain confirmation that we process your data and receive a copy of it, along with details about the processing.Email legal@xsitplan.com with subject: "Data Access Request"
Right to Rectification (Art. 16)Have inaccurate or incomplete personal data corrected without undue delay.Update in your account settings or email legal@xsitplan.com
Right to Erasure (Art. 17)"Right to be forgotten" — request deletion of your personal data where it is no longer necessary, you withdraw consent, or you object to processing.Email legal@xsitplan.com with subject: "Erasure Request"
Right to Restriction (Art. 18)Request that we restrict processing (e.g., while a dispute is pending) so that we store but do not actively use your data.Email legal@xsitplan.com with subject: "Restriction Request"
Right to Portability (Art. 20)Receive your data in a structured, machine-readable format and/or have it transmitted to another controller, where processing is by consent or contract.Email legal@xsitplan.com with subject: "Data Portability Request"
Right to Object (Art. 21)Object to processing based on legitimate interests (including profiling) or for direct marketing purposes. Processing must cease unless we demonstrate compelling legitimate grounds.Email legal@xsitplan.com with subject: "Objection to Processing"
Automated Decision-Making Rights (Art. 22)Not to be subject to solely automated decisions that produce legal or significant effects. Our AI recommendations are advisory only (see Section 6.4).Contact us if you believe an AI output has significantly affected you
Right to Withdraw ConsentWithdraw consent at any time for processing based on consent (marketing emails, analytics cookies). Withdrawal does not affect prior lawful processing.Unsubscribe link in emails, cookie preferences, or email legal@xsitplan.com

12.2 How to Submit a Data Subject Request

To exercise any of the rights above, please:

  1. Email us at legal@xsitplan.com with the relevant subject line listed above.
  2. Include your full name and the email address associated with your XsitPlan account, so we can verify your identity before processing the request.
  3. Describe your request as clearly as possible — e.g., which data categories you want to access, or what inaccuracies you want corrected.

We will respond within 30 days of receipt (extendable by a further 60 days for complex requests, with notice). Identity verification may be required before we action requests to protect your security. Requests are free of charge; we may charge a reasonable administrative fee only for manifestly unfounded or excessive requests.

12.3 Right to Lodge a Complaint

If you are not satisfied with our response or believe our processing is unlawful, you have the right to lodge a complaint with your local data protection supervisory authority. For example:

  • EU residents: Your national data protection authority (find yours at edpb.europa.eu)
  • UK residents: Information Commissioner's Office (ICO) — ico.org.uk
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

We encourage you to contact us first at legal@xsitplan.com — we are committed to resolving concerns directly and promptly.

13. California Privacy Rights (CCPA / CPRA)

This section applies to residents of California under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023.

13.1 Categories of Personal Information Collected

In the 12 months preceding the effective date of this Policy, we have collected the following categories of personal information from California consumers:

CCPA CategoryExamples We CollectSold or Shared for Cross-Context Advertising?
A. IdentifiersName, email addressNo
B. Personal records (Cal. Civ. Code § 1798.80)Name, email; financial info (Stripe tokens)No
C. Protected classification characteristicsNone collectedNo
D. Commercial informationSubscription plan, transaction historyNo
E. Biometric informationNone collectedNo
F. Internet/electronic network activityPages visited, features used, session dataNo
G. Geolocation dataCountry/region level only (from IP)No
H. Audio, electronic, visual dataNone collectedNo
I. Professional/employment informationSelf-reported wizard answers (skills, experience)No
J. Inferences drawn from personal informationAI-generated business recommendationsNo

13.2 We Do Not Sell Your Personal Information

XsitPlan does not sell your personal information to third parties, as defined under CCPA, including selling, renting, releasing, disclosing, disseminating, making available, or transferring for monetary or other valuable consideration. We also do not “share” your personal information for cross-context behavioral advertising.

13.3 Your California Rights

  • Right to Know (§ 1798.110): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete (§ 1798.105): You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal compliance, fraud prevention).
  • Right to Correct (§ 1798.106): You have the right to request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale/Sharing (§ 1798.120): As noted above, we do not sell or share personal information. No opt-out is required, but you may still signal your preference at legal@xsitplan.com.
  • Right to Limit Use of Sensitive Personal Information (§ 1798.121): We do not process sensitive personal information (as defined by CPRA) for purposes beyond providing the Service.
  • Right to Non-Discrimination (§ 1798.125): We will not discriminate against you for exercising your CCPA rights — we will not deny goods or services, charge different prices, or provide a different quality of service.

13.4 How to Submit a California Request

To exercise your California rights, submit a verifiable consumer request by emailing legal@xsitplan.com with the subject line “California Privacy Request” and include your full name and account email address for identity verification. We will respond within 45 days (extendable by 45 additional days with notice).

Authorized agents may submit requests on your behalf with written authorization. We may require direct verification from you to protect against fraudulent requests.

14. Children's Privacy

XsitPlan is not directed to persons under the age of 18.

We do not knowingly collect personal information from anyone under the age of 18. Our Service is designed for adults seeking to start or grow a business. You must be at least 18 years old to create an account and use XsitPlan.

If you are a parent or guardian and believe your minor child has provided us with personal information, please contact us immediately at legal@xsitplan.com. We will delete any such information promptly upon verification.

If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that information and terminate the associated account.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will:

  • Update the “Effective Date” at the top of this page;
  • For material changes — those that meaningfully affect how we use your data or your rights — provide at least 30 days' advance notice via email to the address associated with your account and/or a prominent notice on xsitplan.com;
  • For minor, non-material changes (e.g., clarifying language, correcting typos, adding sub-processors with equivalent protections), update the Policy without prior notice, though the effective date will always be updated.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not accept the changes, you should stop using the Service and may request account deletion.

We maintain an archive of prior versions of this Policy. To request a copy of a previous version, contact legal@xsitplan.com.

16. Contact Us & Data Protection Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us through any of the following channels:

Privacy & Legal
legal@xsitplan.com

GDPR requests, CCPA requests, data breach reports, DPA inquiries

General Support
hello@xsitplan.com

General questions, account help, product support

Data Controller

Company: Pivot Point Media Holdings

Product: XsitPlan

Website: xsitplan.com

Data Protection Contact: legal@xsitplan.com

Response times: We aim to acknowledge all privacy-related emails within 2 business days and to provide a substantive response within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA). For urgent security concerns, please include “URGENT” in your subject line.

Effective Date: June 11, 2026  · Version: 1.0

© 2026 Pivot Point Media Holdings. All rights reserved.