Template — pending legal review. This text is a DSGVO baseline for the Xboard pilot. Replace bracketed placeholders and have a qualified German data-protection counsel sign off before public launch.
Privacy policy
1. Controller
The controller responsible for the processing of your personal data on Xboard is:
[Operator legal name][Operator street address]
[Operator city, postal code, country]
Email: [Operator contact email]
Data Protection Officer: [DPO contact]
2. Purposes and lawful bases
Xboard is a lead-to-deposit and growth operating system for self-employed creators (tattoo artists, photographers, barbers, musicians, painters, cooks). Personal data is processed for the following purposes:
- Booking operations — receiving inquiries, confirming appointments, taking deposits. Lawful basis: Art. 6(1)(b) GDPR (performance of a contract).
- Marketing communications — only on explicit opt-in. Lawful basis: Art. 6(1)(a) GDPR (consent), withdrawable at any time.
- Ad measurement and retargeting — only on explicit tracking-and-ad-data opt-in. Lawful basis: Art. 6(1)(a) GDPR.
- Service security and fraud prevention. Lawful basis: Art. 6(1)(f) GDPR (legitimate interest).
- Compliance with legal obligations (tax records, data-subject-rights handling). Lawful basis: Art. 6(1)(c) GDPR.
3. Categories of data
- Contact data (name, email, WhatsApp number, location).
- Project briefs (free-text descriptions of the work requested).
- Booking and payment data (Stripe Connect references, deposit amounts, currency).
- Communication content (drafted emails / WhatsApp / IG DMs that the artist approves).
- Tracking and ad-measurement events when explicitly consented.
- Audit-log metadata for security and compliance.
4. Data subject rights
You have the right to:
- Access (Art. 15) — request a copy of all personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion (subject to retention obligations).
- Restriction (Art. 18) — limit further processing.
- Portability (Art. 20) — receive your data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7) — at any time, with no effect on prior lawful processing.
- Lodge a complaint with the supervisory authority. For the German pilot: the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
To exercise these rights, contact [Operator contact email]. We respond within 30 days as required by Art. 12(3).
5. Retention
Personal data is retained only as long as necessary for the purpose it was collected. Default retention windows:
- Lead inquiries that did not become bookings: 90 days.
- Booking and deposit records: as long as legally required under §147 AO (10 years for tax records in Germany).
- Marketing-consent records: until withdrawal or 36 months of inactivity, whichever is sooner.
- Tracking events: 90 days at the row level, plus aggregated reports.
- Audit logs: 24 months (security and compliance).
Per-tenant retention rules can override these defaults. The current rules for your studio are visible inside the Compliance dashboard.
6. Recipients and sub-processors
Personal data is shared with the following categories of recipients under Art. 28 data-processing agreements:
- Hosting provider — application + database (EU region: [hosting region]).
- Payment processor — Stripe Payments Europe Ltd. (Ireland) under Stripe Connect.
- Email delivery — [email provider].
- AI inference — Anthropic PBC (USA) under EU Standard Contractual Clauses for the assistant feature.
- Error monitoring — [error monitoring provider].
- Meta Platforms Ireland Ltd. — only when the studio explicitly connects a Meta account for Lead Ads + CAPI.
Where data is transferred outside the EEA, we rely on the EU Commission's adequacy decisions or Standard Contractual Clauses.
7. Security
Xboard uses industry-standard transport encryption (TLS 1.2+) and at-rest encryption for sensitive material such as access tokens. Access to production data is restricted to the operator and audited.
8. Cookies and similar
The application uses strictly necessary cookies for session authentication. Tracking cookies for ad measurement are only set when the studio's visitor explicitly consents on the public booking form. There is no third-party advertising network embedded in the dashboard.
9. Changes
We may update this policy. Material changes will be notified at least 30 days before they take effect, via the dashboard.