Privacy Policy
1. Who we are
XDMEDIA ("we", "us", "our") is a digital product studio based in the Netherlands. We operate web-based products and services. This Privacy Policy explains how we collect, use, and protect personal data when you use our Services. We are the data controller for the purposes of the General Data Protection Regulation (GDPR).
Contact: [email protected]
2. What data we collect
We collect only what is necessary to provide the Services:
- Account data — name, email address, and password when you register for an account
- Usage data — pages visited, features used, browser type, device type, IP address, and timestamps, collected automatically via analytics tools
- Payment data — billing information processed by Stripe. We do not store full card numbers; Stripe handles payment data under their own privacy policy
- Communications — content of messages you send us via contact forms or email
- Files you upload — files submitted for processing (e.g. images). These are processed in real time and deleted from our servers after a short retention period as described in the relevant Service
3. Legal basis for processing
We process your personal data on the following legal bases under the GDPR:
- Contract — processing necessary to provide the Services you have signed up for
- Legitimate interests — analytics, security, fraud prevention, and improving our Services
- Consent — marketing emails and non-essential cookies, where you have opted in
- Legal obligation — where required by applicable law
4. How we use your data
- To provide, maintain, and improve the Services
- To process payments and manage subscriptions
- To send transactional emails (account confirmations, receipts, security alerts)
- To send marketing communications, where you have given consent
- To analyse usage patterns and improve performance
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
5. Cookies
We use cookies and similar technologies to operate the Services and gather analytics. Essential cookies are required for the Services to function; analytics and marketing cookies are only set with your consent. You can manage your cookie preferences via the cookie banner on our Services or through your browser settings.
6. Third-party processors
We share data with trusted third parties only where necessary:
- Stripe — payment processing (stripe.com/privacy)
- Brevo (Sendinblue) — transactional and marketing email delivery
- Google Analytics / Google Tag Manager — usage analytics (where enabled on a Service)
- Hetzner Online GmbH — server hosting infrastructure, located in the EU
All processors are contractually bound to process data only on our instructions and in compliance with GDPR.
7. Data retention
We retain personal data only for as long as necessary:
- Account data is retained for the duration of your account and deleted within 30 days of account closure
- Uploaded files are deleted automatically after processing (retention periods are stated per Service)
- Payment records are retained for 7 years as required by Dutch tax law
- Analytics data is retained in aggregated, anonymised form
8. International transfers
Our servers are located within the European Union. Some third-party processors (such as Stripe) may process data outside the EU. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
9. Your rights under GDPR
As an EU/EEA resident you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS), access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
11. Children
Our Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify users of material changes by updating the date at the top of this page. Continued use of the Services after changes are posted constitutes acceptance of the revised policy.
13. Contact
Questions or requests regarding this Privacy Policy: [email protected]