Privacy Policy
Last updated: February 06, 2024
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.
We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation and Definitions
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
Account means a unique account created for You to access our Service or parts of our Service.
Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to XStak Inc, 185-S, Quaid-e-Azam Industrial Estate Kot Lakhpat, Lahore, Punjab 54000.
Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
Country refers to: Pakistan
Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual.
Service refers to the Website.
Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to XStak Inc., accessible from https://www.xstak.com/ . You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
Email address
First name and last name
Phone number
Address, State, Province, ZIP/Postal code, City
Usage Data
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. The technologies We use may include:
- Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.
- Flash Cookies. Certain features of our Service may use local stored objects (or Flash Cookies) to collect and store information about Your preferences or Your activity on our Service. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies. For more information on how You can delete Flash Cookies, please read "Where can I change the settings for disabling, or deleting local shared objects?" available at https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects
- Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser. Learn more about cookies: Cookies by PrivacyPolicies Generator.
We use both Session and Persistent Cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies identify if users have accepted the use of cookies on the Website.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy or the Cookies section of our Privacy Policy.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
To provide and maintain our Service, including to monitor the usage of our Service.
To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
To manage Your requests: To attend and manage Your requests to Us.
For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
- For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
- With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
- With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
- With Your consent: We may disclose Your personal information for any other purpose with Your consent.
Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.
Disclosure of Your Personal Data
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of Users of the Service or the public
Protect against legal liability
Security of Your Personal Data
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Children's Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
Contact Us
If you have any questions about this Privacy Policy, You can contact us:
By email: info@xstak.com
By phone number: +92 308 777 7996
XPay Privacy policy
This Privacy Policy (“Policy”) describes the Personal Data we collect, how we use and share it, along with details on how you can reach out to us with privacy-related inquiries. Additionally, the Policy outlines your rights as a data subject and choices you have, including the right to object to certain usages of your Personal Data by us.
In this Policy, “Headless ecommerce technology (Private) Limited”, “we”, “our”, or “us” refers to the Headless ecommerce technology (Private) Limited entity responsible for the collection, use, and handling of Personal Data as described in this document.
“Personal Data” refers to any information associated with an identified or identifiable individual, which can include data that you provide to us, and we collect about you during your interaction with our Services (such as device information, IP address, etc.).
“Services” refer to the products and services provided by Headless ecommerce technology (Private) Limited under the Headless ecommerce technology (Private) Limited Services Agreement and the Headless ecommerce technology (Private) Limited Consumer Terms of Service. This may include devices and applications provided by Headless ecommerce technology (Private) Limited.
Our “Business Services” are services that we provide to entities (“Business Users”) that directly and indirectly provide us with “End Customer” Personal Data in connection with their own business operations and activities.
Our “End User Services” are those that Headless ecommerce technology (Private) Limited provides directly to individuals for their personal use. “Sites” refer to www.xstak.com and other Headless ecommerce technology (Private) Limited websites, apps, and online services. Collectively, we refer to Sites, Business Services, and End User Services as “Services”.
“Financial Partners” are financial institutions, banks, and other partners such as payment method acquirers, payout providers, and card networks that we partner with to provide the Services.
Depending on the context, “you” might be an End Customer, End User, Representative, or Visitor:
- When you use an End User Service for personal use, such as signing up for 1Tap, we refer to you as an “End User”.
- When you do business with, or otherwise engage in a transaction with a Business User, such as buying a pair of shoes from a Business User using Headless ecommerce technology (Private) Limited Checkout for payment processing, but are not directly transacting with Headless ecommerce technology (Private) Limited, we refer to you as an “End Customer”.
- When you are acting on behalf of an existing or potential Business User—perhaps as a company founder, account administrator for a Business User, or a recipient of an employee credit card from a Business User via Headless ecommerce technology (Private) Limited Issuing—we categorize you as a “Representative”.
- When you interact with Headless ecommerce technology (Private) Limited by visiting a Site without being logged into a Headless ecommerce technology (Private) Limited account, or when your interaction with Headless ecommerce technology (Private) Limited does not involve you being an End User, End Customer, or Representative, you are considered a “Visitor”. For example, you are a Visitor when you send a message to Headless ecommerce technology (Private) Limited asking for more information about our Services.
In this Policy, “Transaction Data” refers to data collected and used by Headless ecommerce technology (Private) Limited to facilitate transactions you request. Some Transaction Data is Personal Data and may include: your name, email address, contact number, billing and shipping address, payment method information (like credit or debit card number, bank account details, or payment card image chosen by you), merchant and location details, amount and date of purchase, and in some instances, information about what was purchased.
Depending on the activity, Headless ecommerce technology (Private) Limited assumes the role of a “data controller” and/or “data processor” (or “service provider”) based on the activity.
1. Personal Data we collect and how we use and share it
Our collection and use of Personal Data differs based on whether you are an End User, End Customer, Representative, or Visitor, and the specific Service being utilized. For example, if you're a sole proprietor who wants to use our Business Services, we may collect your Personal Data to onboard your business; at the same time, you might also be an End Customer if you've bought goods from another Business User utilizing our Services for payment processing. You could be an End User if you used our End User Service, such as 1Tap, for those transactions.
1.1 End Users
We provide End User Services when we provide the Services directly to you for your personal use (e.g., 1Tap).
a. Personal Data we collect about End Users
Using 1Tap or Connecting your bank account. Headless ecommerce technology (Private) Limited offers a service called "1Tap," which allows you to store your payment methods with Headless ecommerce technology (Private) Limited to conveniently use them across our Business Users. When you sign up for 1Tap, you agree to store your Personal Data (such as name, contact information, payment method details) with Headless ecommerce technology (Private) Limited. This will allow for a more streamlined purchasing experience when using 1Tap in the future. If you choose to pay with 1Tap, we will also collect Transaction Data associated with your transactions. Should you decide to share your bank account information (including to make payments using your bank account via 1Tap) with us, Headless ecommerce technology (Private) Limited will periodically collect and process your account information (such as bank account owner information, account balances, account number and details, account transactions, and, in some cases, log-in credentials). You can ask us to cease the collection of such data at any time.
You may also choose to store your identity documents (such as your driver’s license) using 1Tap and share the saved document with other Business Users in the future.
Paying Headless ecommerce technology (Private) Limited. When you purchase goods or services directly from Headless ecommerce technology (Private) Limited, we receive your Transaction Data. For instance, when you make a payment to Headless ecommerce technology (Private) Limited Climate, we collect information about the transaction, as well as your contact and payment method details. We offer an identity verification service that automates the comparison of your identity document (such as a driver’s license) with your image (such as a selfie). You can separately consent to us using your biometric data to enhance our verification technology, with the option to revoke your consent at any time.
b. How we use and share Personal Data of End Users
Services
We use and share your Personal Data to provide the End User Services to you, which includes support, personalization (such as language preferences and setting choices), and communication about our End User Services (such as communicating Policy updates and information about our Services). For example, Headless ecommerce technology (Private) Limited may use cookies and similar technologies or the data you provide to our Business Users (such as when you input your email address on a Business User’s website) to recognize you and help you use 1Tap when visiting our Business User’s website. Learn more about how we use cookies and similar technologies in Headless ecommerce technology (Private) Limited’s Cookie Policy.
Our Business Users
When you use 1Tap to make payments, we share your Transaction Data with the Business Users you choose to do business with. Furthermore, when you opt to connect your bank account with Headless ecommerce technology (Private) Limited, you can also direct Headless ecommerce technology (Private) Limited to share your account information with Business Users you do business with. Please note that these Business Users have their own privacy policies, which should describe how they use the information shared with them.
Transactions.
When you use 1Tap to make payments, we use your Personal Data (such as name, contact information, payment method details) saved with us to complete transactions with Headless ecommerce technology (Private) Limited Business Users. We provide such data to Business Users and others you do business with and process it as a Data Processor for those Business Users, as detailed in Section 1.2 of this Policy.
Fraud Detection and Loss Prevention.
We use your Personal Data collected across our Services (such as Headless ecommerce technology (Private) Limited Radar) to detect fraud and prevent financial losses for you, us, and our Business Users and Financial Partners, including detecting unauthorized purchases. We may provide Business Users and Financial Partners that utilize our fraud prevention-related Business Services with Personal Data about you (including your attempted transactions) so that they can assess the fraud or loss risk associated with the transaction.
Advertising.
We may use your Personal Data to assess your eligibility for, and offer you, other End User Services or promote existing End User Services. Where allowed by law (including with your opt-in consent where required), we use and share End User Personal Data with others so that we may market our End User Services to you, including through interest-based advertising. We do not transfer your Personal Data to third parties in exchange for payment, but we may provide your data to third party partners, such as advertising partners, analytics providers, and social networks, who assist us in advertising our Services to you.
1.2 End Customers
Headless ecommerce technology (Private) Limited provides various Business Services to our Business Users, which include in-person or online checkout payment processing or processing payouts for those Business Users. When acting as a service provider—also referred to as a data processor—for a Business User, we process End Customer Personal Data in accordance with our agreement with the Business User and the Business User's lawful instructions. This happens, for example, when we process a payment for a Business User because you purchased a product from them, or when the Business User asks us to send you funds.
Business Users are responsible for ensuring that the privacy rights of their End Customers are respected, including obtaining appropriate consents and making disclosures about their own data collection and use associated with their products and services. If you're an End Customer, please refer to the privacy policy of the Business User you're doing business with for its privacy practices, choices, and controls.
a. Personal Data we collect about End Customers
Transaction Data.
If you're an End Customer making payments to, receiving refunds from, initiating a purchase or donation, or otherwise transacting with our Business User, whether in-person or online, we receive your Transaction Data. We may also receive your transaction history with the Business User. Additionally, we may collect information entered into a checkout form even if you opt not to complete the form or transact with the Business User. A Business User who utilizes Headless ecommerce technology (Private) Limited’s Terminal Service to provide its goods or services to End Customers may use the Terminal Service to collect End Customer Personal Data (like your name, email, phone number, address, signature, or age) in accordance with its own privacy policy.
Identity/Verification Information.
Headless ecommerce technology (Private) Limited provides a verification and fraud prevention Service that our Business Users can use to verify Personal Data about you, such as your authorization to use a particular payment method. During the process, you’d be asked to share with us certain Personal Data (like your government ID and selfie for biometric verification, Personal Data you input, or Personal Data that is apparent from the physical payment method like a credit card image). To protect against fraud and determine if somebody is trying to impersonate you, we may cross-verify this data with information about you that we've collected from Business Users, Financial Partners, business affiliates, identity verification services, publicly available sources, and other third party service providers and sources.
b. How we use and share Personal Data of End Customers
To provide our Business Services to our Business Users, we use and share End Customers' Personal Data with them. Where allowed, we also use End Customers' Personal Data for Headless ecommerce technology (Private) Limited’s own purposes such as enhancing security, improving and offering our Business Services, and preventing fraud, loss, and other damages, as described further below.
Payment processing and accounting.
We use your Transaction Data to deliver Payment-related Business Services to Business Users, including online payment transactions processing, sales tax calculation, invoice and bill handling, and helping them determine their revenue, settle their bills, and execute accounting tasks. We may also use your Personal Data to provide and improve our Business Services.
During payment transactions, your Personal Data is shared with various entities in connection to your transaction. As a service provider or data processor, we share Personal Data to enable transactions as directed by Business Users. For instance, when you choose a payment method for your transaction, be it a credit card, debit card, Buy Now Pay Later, or direct debit, your payment method provider may receive your Transaction Data from transactions facilitated by Headless ecommerce technology (Private) Limited. The Business User you choose to do business with also receives Transaction Data and might share the data with others. Please review their privacy policies for more information about how they use and share your Personal Data.
Financial services.
Certain Business Users leverage our Services to offer financial services to you via Headless ecommerce technology (Private) Limited or our Financial Partners. For example, a Business User may issue a card product with which you can purchase goods and services. Such cards could carry the brand of Headless ecommerce technology (Private) Limited, the bank partner, and/or the Business User. In addition to any Transaction Data we may generate or receive when these cards are used for purchases, we also collect and utilize your Personal Data to provide and manage these products, including assisting our Business Users in preventing misuse of the cards. Please review the privacy policies of the Business User and, if applicable, our bank partners associated with the financial service (the brands of which may be shown on the card) for more information.
Identity/Verification services.
We utilize Personal Data about your identity, including information provided by you and our service providers, to perform verification services for Headless ecommerce technology (Private) Limited or for the Business Users that you are transacting with, to prevent fraud and enhance security. If you provide a selfie along with an image of your identity document, we may employ biometric technology to compare and calculate whether they match and verify your identity.
Fraud detection and loss prevention.
We use your Personal Data collected across our Services to detect and prevent losses for you, us, our Business Users, and Financial Partners. We may provide Business Users and Financial Partners using our fraud prevention-related Business Services with your Personal Data (including your attempted transactions) to help them assess the fraud or loss risk associated with the transaction.
Our Business Users (and their authorized third parties).
We share End Customers' Personal Data with their respective Business Users and parties directly authorized by those Business Users to receive such data. Here are common examples of such sharing:
When a Business User instructs Headless ecommerce technology (Private) Limited to provide another Business User with access to its Headless ecommerce technology (Private) Limited account, including data related to its End Customers, via Headless ecommerce technology (Private) Limited Connect.
Sharing information that you have provided to us with a Business User so that we can send payments to you on behalf of that Business User.
Sharing information, documents, or images provided by an End Customer with a Business User when the latter uses Headless ecommerce technology (Private) Limited Identity, our identity verification Service, to verify the identity of the End Customer.
The Business Users you choose to do business with may further share your Personal Data with third parties (like additional third party service providers other than Headless ecommerce technology (Private) Limited). Please review the Business User’s privacy policy for more information.
Advertising by Business Users.
If you initiate a purchasing process with a Business User, the Business User receives your Personal Data from us in connection with our provision of Services even if you don't finish your purchase. The Business User may use your Personal Data to market and advertise their products or services, subject to the terms of their privacy policy. Please review the Business User’s privacy policy for more information, including your rights to stop their usage of your Personal Data for marketing purposes.
1.3 Representatives
We collect, use, and share Personal Data from Representatives of Business Users (for example, business owners) to provide our Business Services.
a. Personal Data we collect about Representatives
Registration and contact information.
When you register for a Headless ecommerce technology (Private) Limited account for a Business User (including incorporation of a Business), we collect your name and login credentials. If you register for or attend an event organized by Headless ecommerce technology (Private) Limited or sign up to receive Headless ecommerce technology (Private) Limited communications, we collect your registration and profile data. As a Representative, we may collect your Personal Data from third parties, including data providers, to advertise, market, and communicate with you. We may also 1Tap a location with you to tailor the Services or information effectively to your needs.
Identification Information.
As a current or potential Business User, an owner of a Business User, or a shareholder, officer, or director of a Business User, we need your contact details, such as name, postal address, telephone number, and email address, to fulfill our Financial Partner and regulatory requirements, verify your identity, and prevent fraudulent activities and harm to the Headless ecommerce technology (Private) Limited platform. We collect your Personal Data, such as ownership interest in the Business User, date of birth, government-issued identity documents, and associated identifiers, as well as any history of fraud or misuse, directly from you and/or from third parties such as credit bureaus and via the Services we provide. You may also choose to provide us with bank account information.
b. How we use and share Personal Data of Representatives
We typically use the Personal Data of Representatives to provide the Business Services to the corresponding Business Users. The ways we use and share this data are further described below.
Business Services.
We use and share Representatives’ Personal Data with Business Users to provide the Services requested by you or the Business User you represent.
In some instances, we may have to submit your Personal Data to a government entity to provide our Business Services, for purposes such as the incorporation of a business, or calculating and paying applicable sales tax. For our tax-related Business Services, we may use your Personal Data to file taxes on behalf of the Business User you represent. For our Atlas business incorporation Services, we may use your Personal Data to submit forms to the IRS on your behalf and file documents with other government authorities, such as articles of incorporation in your state of incorporation.
We share Representatives’ Personal Data with parties specifically authorized by the corresponding Business User, such as Financial Partners servicing a financial product, or third party apps or services the Business User chooses to use alongside our Business Services. Here are common examples of such sharing:
Payment method providers, like Visa or WeChat Pay, require information about Business Users and their Representatives who accept their payment methods. This information is typically required during the onboarding process or for processing transactions for these Business Users.
A Business User may authorize Headless ecommerce technology (Private) Limited to share your Personal Data with other Business Users to facilitate the provision of Services through Headless ecommerce technology (Private) Limited Connect.
The use of Personal Data by a third party authorized by a Business User is subject to the third party’s privacy policy.
If you are a Business User who has chosen a name that includes Personal Data (for example, a sole proprietorship or family name in a company name), we will use and share such information for the provision of our Services in the same way we do with any company name. This may include, for example, displaying it on receipts and other transaction-identifying descriptions.
Fraud detection and loss prevention. We use Representatives’ Personal Data to identify and manage risks that our Business Services might be used for fraudulent activities causing losses to Headless ecommerce technology (Private) Limited, End Users, End Customers, Business Users, Financial Partners, and others. We also use information about you obtained from third parties like credit bureaus and from our Services to address such risks, including to identify patterns of misuse and monitor for terms of service violations. Headless ecommerce technology (Private) Limited may share Representatives' Personal Data with Business Users, our Financial Partners, and third party service providers to verify the information provided by you and identify risk indicators. We also use and share Representatives' Personal Data to conduct due diligence, including conducting anti-money laundering and sanctions screening in accordance with applicable law.
Advertising.
Where allowed by applicable law, we use and share Representatives’ Personal Data with third parties so we can advertise and market our Services. Subject to applicable law, including any consent requirements, we may advertise through interest-based advertising and track the efficacy of such ads. See our Cookie Policy. We do not transfer your Personal Data to third parties in exchange for payment. However, we may provide your data to third party partners, like advertising partners, analytics providers, and social networks, who assist us in advertising our Services. We may also use your Personal Data, including your Headless ecommerce technology (Private) Limited account activity, to evaluate your eligibility for and offer you Business Services or promote existing Business Services.
1.4 Visitors
We collect, use, and share the Personal Data of Visitors.
a. Personal Data we collect about Visitors
When you browse our Sites, we receive your Personal Data, either provided directly by you or collected through our use of cookies and similar technologies. See our Cookie Policy for more information. If you opt to complete a form on the Site or third party websites where our advertisements are displayed (like 1TapedIn or Facebook), we collect the information you included in the form. This may include your contact information and other information pertaining to your questions about our Services. We may also associate a location with your visit.
b. How we use and share Personal Data of Visitors
Personalization.
We use the data we collect from cookies and similar technologies about you to measure user engagement with the content on the Sites, improve relevancy and navigation, customize your user experience (such as language preference and region-specific content), and curate content about Headless ecommerce technology (Private) Limited and our Services that's tailored to you. For instance, as not all of our Services are available globally, we may customize our responses based on your region.
Advertising.
Where allowed by applicable law, we use and share Visitors’ Personal Data with third parties so we can advertise and market our Services. Subject to applicable law, including any consent requirements, we may advertise through interest-based advertising and track the efficacy of such ads. See our Cookie Policy. We do not transfer your Personal Data to third parties in exchange for payment. However, we may provide your data to third party partners, like advertising partners, analytics providers, and social networks, who assist us in advertising our Services.
Engagement.
As you interact with our Sites, we use the information we collect about and through your devices to provide opportunities for further interactions, such as discussions about Services or interactions with chatbots, to address your questions.
2. More ways we collect, use, and share Personal Data
In addition to the ways described above, we also process your Personal Data as follows:
a. Collection of Personal Data
Online Activity.
Depending on the Service used and how our Business Services are implemented by the Business Users, we may collect information related to:
The devices and browsers you use across our Sites and third party websites, apps, and other online services (“Third Party Sites”).
Usage data associated with those devices and browsers and your engagement with our Services, including data elements like IP address, plug-ins, language preference, time spent on Sites and Third Party Sites, pages visited, 1Taps clicked, payment methods used, and the pages that led you to our Sites and Third Party Sites. We also collect activity indicators, such as mouse activity indicators, to help us detect fraud. See also our Cookie Policy.
Communication and Engagement Information.
We also collect information you choose to share with us through various channels, such as support tickets, emails, or social media. If you respond to emails or surveys from Headless ecommerce technology (Private) Limited, we collect your email address, name, and any other data you opt to include in your email or responses. If you engage with us over the phone, we collect your phone number and any other information you might provide during the call. Additionally, we collect your engagement data, like your registration for, attendance at, or viewing of Headless ecommerce technology (Private) Limited events and any other interactions with Headless ecommerce technology (Private) Limited personnel.
Forums and Discussion Groups. If our Sites allow posting of content, we collect Personal Data that you provide in connection with the post.
b. Use of Personal Data
Besides the use of Personal Data described above, we use Personal Data in the ways listed below:
Improving and Developing our Services.
We use analytics on our Sites to help us understand your use of our Sites and Services and diagnose technical issues. Please review our Cookie Policy to learn more about how you can control our use of cookies and third party analytics. We also collect and process Personal Data throughout our various Services, whether you are an End User, End Customer, Representative, or Visitor, to improve our Services, develop new Services, and support our efforts to make our Services more relevant and useful to you.
Communications.
We use the contact information we have about you to deliver our Services, which may involve sending codes via SMS for your authentication. If you are an End User, Representative, or Visitor, we may communicate with you using the contact information we have about you to provide information about our Services and our affiliates’ services, invite you to participate in our events, surveys, or user research, or otherwise communicate with you for marketing purposes, in compliance with applicable law, including any consent or opt-out requirements. For example, when you provide your contact information to us or when we collect your business contact details through participation at trade shows or other events, we may use this data to follow up with you regarding an event, provide information requested about our Services, and include you in our marketing information campaigns. Where permitted under applicable law, we may record our calls with you to provide our Services, comply with our legal obligations, perform research and quality assurance, as well as for training purposes.
Social Media and Promotions.
If you opt to submit Personal Data to engage in an offer, program, or promotion, we use the Personal Data you provide to manage the offer, program, or promotion. We also use the Personal Data you provide, along with the Personal Data you make available on social media platforms, for marketing purposes, unless we are not permitted to do so.
Fraud Prevention and Security.
We collect and use Personal Data to help us identify and manage activities that could be fraudulent or harmful across our Services, enable our fraud detection Business Services, and secure our Services and transactions against unauthorized access, use, alteration or misappropriation of Personal Data, information, and funds. As part of the fraud prevention, detection, security monitoring, and compliance efforts for Headless ecommerce technology (Private) Limited and its Business Users, we collect information from third parties (such as credit bureaus) and via the Services we offer. In some instances, we may also collect information about you directly from you, or from our Business Users, Financial Partners, and other third parties for the same purposes. Furthermore, to protect our Services, we may receive details such as IP addresses and other identifying data about potential security threats from third parties. Such information helps us verify identities, conduct credit checks where lawfully permitted, and prevent fraud. Additionally, we might use technology to evaluate the potential risk of fraud associated with individuals seeking to procure our Business Services or arising from attempted transactions by an End Customer or End User with our Business Users or Financial Partners.
Compliance with Legal Obligations.
We use Personal Data to meet our contractual and legal obligations related to anti-money laundering, Know-Your-Customer ("KYC") laws, anti-terrorism activities, safeguarding vulnerable customers, export control, and prohibition of doing business with restricted persons or in certain business fields, among other legal obligations. For example, we may monitor transaction patterns and other online signals and use those insights to identify fraud, money laundering, and other harmful activity that could affect Headless ecommerce technology (Private) Limited, our Financial Partners, End Users, our Business Users and others. Learn More. Ensuring safety, security, and compliance for our Services is a key priority for us, and collecting and utilizing Personal Data is crucial to this effort.
Minors. Our Services are not directed to children under the age of 13, and we request that they do not provide Personal Data to seek Services directly from Headless ecommerce technology (Private) Limited. In certain countries, we may impose higher age limits as required by applicable law.
c. Sharing of Personal Data.
Besides the sharing of Personal Data described above, we share Personal Data in the ways listed below:
Headless ecommerce technology (Private) Limited Affiliates. We share Personal Data with other Headless ecommerce technology (Private) Limited-affiliated entities for purposes identified in this Policy.
Service Providers or Processors.
In order to provide, communicate, market, and advertise our Services, we depend on service providers. These providers offer critical services spanning from providing cloud infrastructure, conducting analytics for the assessment of speed, accuracy, and/or security of our Services, verifying identities, to providing customer service and audit functions. We authorize these service providers to use or disclose the Personal Data we make available to them to perform services on our behalf and comply with relevant legal obligations. We mandate these service providers to contractually commit to ensuring the security and confidentiality of the Personal Data they process on our behalf.
Financial Partners.
We share Personal Data with certain Financial Partners to provide Services to Business Users seeking such Services as well as offer certain Services in conjunction with these Financial Partners. For instance, we share certain Personal Data about Representatives, such as loan repayment data and contact information, with institutional investors who purchase or provide credit that's secured through the Capital loans we've extended to the Business Users they are associated with.
Others with Consent.
In some situations, we may not offer a service, but instead refer you to others (like professional service firms that we partner with to deliver the Atlas Service). In these instances, we will disclose the identity of the third party and the information to be shared with them, and seek your consent to share the information.
Corporate Transactions.
If we enter or intend to enter a transaction that modifies the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or part of our business, assets, or stock, we may share Personal Data with third parties in connection with such transaction. Any other entity that buys us or part of our business will have the right to continue to use your Personal Data, but subject to the terms of this Policy.
Compliance and Harm Prevention.
We share Personal Data when we believe it is necessary to comply with applicable law; to abide by rules imposed by Financial Partners in connection with the use of their payment method; enforce our contractual rights; secure and protect the Services, rights, privacy, safety, and property of Headless ecommerce technology (Private) Limited, you, and others, including against malicious or fraudulent activity; and to respond to valid legal requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
3. Legal bases for processing Personal Data
For purposes of the General Data Protection Regulation and other applicable data protection laws, we rely on a number of legal bases to process your Personal Data.
a. Contractual and Pre-Contractual Business Relationships.
We process Personal Data to enter into business relationships with prospective Business Users and End Users and fulfill our respective contractual obligations with them. These processing activities include:
- Creation and management of Headless ecommerce technology (Private) Limited accounts and Headless ecommerce technology (Private) Limited account credentials, including the assessment of applications to initiate or expand the use of our Services;
- Creation and management of Headless ecommerce technology (Private) Limited Checkout accounts;
- Accounting, auditing, and billing activities; and
- Processing of payments and related activities, which include fraud detection, loss prevention, transaction optimization, communications about such payments, and related customer service activities.
- b. Legal Compliance.
We process Personal Data to verify the identities of individuals and entities to comply with obligations related to fraud monitoring, prevention, and detection, laws associated with identifying and reporting illicit and illegal activities, such as those under the Anti-Money Laundering ("AML") and Know-Your-Customer (“KYC") regulations, and financial reporting obligations. For example, we may be required to record and verify a Business User’s identity to comply with regulations designed to prevent money laundering, fraud, and financial crimes. These legal obligations may require us to report our compliance to third parties and subject ourselves to third party verification audits.
c. Legitimate Interests.
Where allowed under applicable law, we rely on our legitimate business interests to process your Personal Data. The following list provides an example of the business purposes for which we have a legitimate interest in processing your data:
- Detection, monitoring, and prevention of fraud and unauthorized payment transactions;
- Mitigation of financial loss, claims, liabilities or other harm to End Customers, End Users, Business Users, Financial Partners, and Headless ecommerce technology (Private) Limited
- Determination of eligibility for and offering new Headless ecommerce technology (Private) Limited Services
- Response to inquiries, delivery of Service notices, and provision of customer support;
- Promotion, analysis, modification, and improvement of our Services, systems, and tools, as well as the development of new products and services, including enhancing the reliability of the Services;
- Management, operation, and improvement of the performance of our Sites and Services, through understanding their effectiveness and optimizing our digital assets;
- Analysis and advertisement of our Services, and related improvements;
- Aggregate analysis and development of business intelligence that enable us to operate, protect, make informed decisions about, and report on the performance of our business;
- Sharing of Personal Data with third party service providers that offer services on our behalf and business partners that help us in operating and improving our business;
- Enabling network and information security throughout Headless ecommerce technology (Private) Limited and our Services; and
- Sharing of Personal Data among our affiliates.
d. Consent.
- We may rely on consent or explicit consent to collect and process Personal Data regarding our interactions with you and the provision of our Services such as 1Tap, Financial Connections, Atlas, and Identity. When we process your Personal Data based on your consent, you have the right to withdraw your consent at any time, and such a withdrawal will not impact the legality of processing performed based on the consent prior to its withdrawal.
e. Substantial Public Interest
- We may process special categories of Personal Data, as defined by the GDPR, when such processing is necessary for reasons of substantial public interest and consistent with applicable law, such as when we conduct politically-exposed person checks. We may also process Personal Data related to criminal convictions and offenses when such processing is authorized by applicable law, such as when we conduct sanctions screening to comply with AML and KYC obligations.
4. Your rights and choices
Depending on your location and subject to applicable law, you may have choices regarding our collection, use, and disclosure of your Personal Data:
a. Opting out of receiving electronic communications from us
If you wish to stop receiving marketing-related emails from us, you can opt-out by clicking the unsubscribe 1Tap included in such emails or as described. We'll try to process your request(s) as quickly as reasonably practicable. However, it's important to note that even if you opt out of receiving marketing-related emails from us, we retain the right to communicate with you about the Services you receive (like support and important legal notices) and our Business Users might still send you messages or instruct us to send you messages on their behalf.
b. Your data protection rights
Depending on your location and subject to applicable law, you may have the following rights regarding the Personal Data we control about you:
- The right to request confirmation of whether Headless ecommerce technology (Private) Limited is processing Personal Data associated with you, and if so, request access to that Personal Data
- The right to request that Headless ecommerce technology (Private) Limited rectify or update your Personal Data if it's inaccurate, incomplete, or outdated;
- The right to request that Headless ecommerce technology (Private) Limited erase your Personal Data in certain circumstances as provided by law
- The right to request that Headless ecommerce technology (Private) Limited restrict the use of your Personal Data in certain circumstances, such as while Headless ecommerce technology (Private) Limited is considering another request you've submitted (for instance, a request that Headless ecommerce technology (Private) Limited update your Personal Data);
- The right to request that we export the Personal Data we hold about you to another company, provided it's technically feasible;
- The right to withdraw your consent if your Personal Data is being processed based on your previous consent;
- The right to object to the processing of your Personal Data if we are processing your data based on our legitimate interests; unless there are compelling legitimate grounds or the processing is necessary for legal reasons, we will cease processing your Personal Data upon receiving your objection
- The right not to be discriminated against for exercising these rights; and
- The right to appeal any decision by Headless ecommerce technology (Private) Limited relating to these rights by contacting Headless ecommerce technology (Private) Limited at info@xstak.com.
c. Process for exercising your data protection rights
To exercise your data protection rights, write to us at info@xstak.com
5. Security and Retention
We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical, and administrative measures designed to protect the Personal Data covered by this Policy from unauthorized access, destruction, loss, alteration, or misuse. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.
We encourage you to assist us in protecting your Personal Data. If you hold a Headless ecommerce technology (Private) Limited account, you can do so by using a strong password, safeguarding your password against unauthorized use, and avoiding using identical login credentials you use for other services or accounts for your Headless ecommerce technology (Private) Limited account. If you suspect that your interaction with us is no longer secure (for instance, you believe that your Headless ecommerce technology (Private) Limited account's security has been compromised), please contact us immediately at info@xstak.com.
We retain your Personal Data for as long as we continue to provide the Services to you or our Business Users, or for a period in which we reasonably foresee continuing to provide the Services. Even after we stop providing Services directly to you or to a Business User that you're doing business with, and even after you close your Headless ecommerce technology (Private) Limited account or complete a transaction with a Business User, we may continue to retain your Personal Data to:
- Comply with our legal and regulatory obligations;
- Enable fraud monitoring, detection, and prevention activities; and
- Comply with our tax, accounting, and financial reporting obligations, including when such retention is required by our contractual agreements with our Financial Partners (and where data retention is mandated by the payment methods you've used).
In cases where we keep your Personal Data, we do so in accordance with any limitation periods and record retention obligations imposed by applicable law.
6. Updates and notifications
We may change this Policy from time to time to reflect new services, changes in our privacy practices or relevant laws. The “Last updated” legend at the top of this Policy indicates when this Policy was last revised. Any changes are effective the latter of when we post the revised Policy on the Services or otherwise provide notice of the update as required by law.
We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our website and, if you are an End User or Representative, by contacting you through your Headless ecommerce technology (Private) Limited Dashboard, email address and/or the physical address listed in your Headless ecommerce technology (Private) Limited account.
7. Contact us
If you have any questions or complaints about this Policy, please contact us at info@xstak.com. If you are an End Customer (i.e., an individual doing business or transacting with a Business User), please refer to the privacy policy or notice of the Business User for information regarding the Business User’s privacy practices, choices and controls, or contact the Business User directly.