Privacy Policy
Effective date: May 17, 2026
1. Who We Are
xpntl ("we", "us") operates the xpntl platform at xpntl.dev and app.xpntl.dev. This Privacy Policy describes how we collect, use, and share your personal information.
2. Information We Collect
Account information
- Email address
- Display name
- Password (hashed — we never store plaintext passwords)
- SSO provider identifiers (Google, GitHub, Microsoft)
Workspace data
- Issues, comments, attachments, labels, projects, and other content you create
- Workspace configuration (name, slug, key, members, roles)
Usage data
- IP address and approximate location
- Browser type and version
- Pages visited and features used
- Session duration and interaction patterns
Agent data
- Harness key usage and authentication events
- MCP tool calls and audit log entries
- Agent user identifiers
3. How We Use Your Information
- Provide the Service — authenticate you, store your workspace data, process API requests
- Improve the Service — analyze usage patterns, diagnose issues, develop new features
- Communicate with you — account notifications, security alerts, product updates (you can opt out of non-essential emails)
- Billing — process payments via Stripe (we do not store credit card numbers)
- Security — detect and prevent fraud, abuse, and unauthorized access
- Legal compliance — respond to legal requests and enforce our Terms
4. How We Share Your Information
We do not sell your personal information. We share information only with:
- Service providers — hosting (Microsoft Azure), payments (Stripe), email delivery, and analytics services that process data on our behalf under contractual obligations
- Legal authorities — when required by law, subpoena, or court order
- Business transfers — in connection with a merger, acquisition, or sale of assets, with prior notice
5. Data Retention
- Active accounts — we retain your data for as long as your account is active
- Deleted accounts — workspace data is permanently deleted 30 days after account termination
- Audit logs — retained for 1 year for security and compliance purposes
- Usage analytics — anonymized and retained indefinitely
6. Your Rights
All users
- Access — request a copy of your personal data
- Correction — update inaccurate information via Settings or by contacting us
- Deletion — delete your account and all associated data
- Export — export your workspace data via the API at any time
EU/EEA residents (GDPR)
In addition to the above, you have the right to:
- Restrict processing — limit how we use your data
- Data portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
- Lodge a complaint — with your local data protection authority
Our legal bases for processing are: (a) contractual necessity for providing the Service, (b) legitimate interests for improving the Service and security, and (c) consent for marketing communications.
California residents (CCPA/CPRA)
- We do not sell personal information
- We do not share personal information for cross-context behavioral advertising
- You have the right to know, delete, and opt out — see our Do Not Sell page
- We will not discriminate against you for exercising your rights
UK residents
Your rights under the UK GDPR mirror those listed under GDPR above. Contact us or the ICO (ico.org.uk) for complaints.
7. Security
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Passwords are hashed with bcrypt
- Session tokens are signed and rotated on a rolling basis
- Harness keys are hashed at rest — the plaintext is shown once at creation
- We conduct regular security reviews of our codebase and infrastructure
8. Cookies
We use a minimal set of cookies. See our Cookie Policy for details.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe we have, contact us and we will delete it promptly.
10. International Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU data transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice at least 30 days before taking effect.
12. Contact
For privacy inquiries, data requests, or complaints:
Email: privacy@xpntl.dev
xpntl