Privacy Policy

This Privacy Policy describes how Xtrinel, Inc. (“Xtrinel”, “we”) collects, uses, and shares information when you use the Xtrinel website and the VAAST platform (the “Services”). We wrote this policy to be readable. If anything here is unclear, email us at [email protected] and we will answer directly.

1. Information We Collect

Account data. When you sign up for the Services we collect the information necessary to create and manage your account: name, email address, organization, and, for Enterprise customers, single-sign-on attributes issued by your identity provider.

Authentication data. Individual and Pro accounts authenticate through standard email-based sign-in. Enterprise accounts authenticate through SAML single sign-on via Microsoft Entra ID. We do not store passwords for SSO-authenticated users.

Payment data. Paid subscriptions are billed through Stripe. We do not store your full payment card number or CVC. Stripe provides us with the last four digits, card brand, and expiration date for receipts and dunning.

Customer Data. Targets, configurations, payloads, and findings you create or upload to the Services. Customer Data is treated as confidential and is only accessed by our engineers when strictly necessary to operate the Services or when you explicitly authorize support access.

Usage and telemetry data. Logs of API calls, feature usage, request metadata, and error traces that we use to operate, secure, and improve the Services.

2. How We Use Information

We use the information described above to:

• Provide, maintain, and secure the Services.
• Process payments and manage subscriptions.
• Respond to support requests and communicate with you.
• Detect and prevent abuse, fraud, and unauthorized testing of third-party systems.
• Comply with legal obligations.

We do not use Customer Data to train third-party machine-learning models. We do not use Customer Data to build advertising profiles. We do not enrich Customer Data with information from data brokers.

3. We Do Not Sell Your Data

Xtrinel does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act and similar state laws.

4. Subprocessors

We rely on a small set of vetted subprocessors to operate the Services. The current list includes Stripe (payments), Microsoft Entra ID (enterprise authentication), and our cloud infrastructure providers for compute, storage, and email delivery. We update the list when it changes and will notify Enterprise customers of material changes in advance.

5. Security

We use encryption in transit and at rest, role-based access control for production systems, audit logging for privileged access, and regular security reviews of our own codebase and infrastructure. No system is perfectly secure, but we treat Customer Data with the care we would want our own vendors to apply to ours.

6. Retention

We retain account data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations and resolve disputes. You may request deletion of Customer Data at any time from the dashboard, and we will honor the request within thirty days except where we are required to retain specific records by law.

7. Your Rights

Depending on where you live, you may have the right to access, correct, delete, or port the personal information we hold about you, and to object to certain kinds of processing. You can exercise these rights from the dashboard or by writing to [email protected]. We do not discriminate against you for exercising these rights.

8. International Transfers

Xtrinel is based in the United States and our infrastructure is located in the United States. If you use the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States.

9. Children

The Services are not directed to children under the age of sixteen, and we do not knowingly collect personal information from children under sixteen.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be posted at this URL with a revised “Last Updated” date, and we will notify account holders by email when the changes affect how we process personal information.

11. Contact

Privacy questions can be directed to [email protected].