Privacy Policy

We collect the following categories of personal data through defined touchpoints across our digital infrastructure:

a. Contact & Inquiry Data

• Full name, email address, phone number, and company name submitted via our contact forms.
• Nature of the business inquiry and any supporting detail you voluntarily provide.
• Consent records and submission timestamps retained for compliance purposes.

b. Booking & Scheduling Data

• Meeting preferences, time zones, and calendar metadata collected via Cal.com when you schedule a discovery or strategy call.
• Post-meeting notes and communication history retained in our CRM system.

c. Technical & Behavioural Data

• IP address, browser type, operating system, referral URL, and device identifiers.
• Pages visited, session duration, scroll depth, and click-path analytics.
• Conversion events triggered on our website (e.g., form submissions, CTA clicks, booking completions).

d. Client & Project Data

• Business information, technical requirements, and project specifications shared during an active engagement.
• Access credentials and API keys provided for integration work—stored in encrypted, access-controlled vaults and never committed to version control.

We operate a multi-layer analytics infrastructure designed for precise measurement of marketing performance and product behaviour. This includes:

Google Analytics 4 (GA4)

We use GA4 to capture session-level behavioural data, traffic attribution, and conversion funnel analysis. Data is processed under Google’s Data Processing Addendum and may be stored on Google’s infrastructure outside your country of residence.

Meta Pixel & Conversions API (CAPI)

We deploy the Meta Pixel for client-side event tracking and supplement it with server-side tracking via Meta’s Conversions API (CAPI). This server-side layer transmits hashed event data—including hashed email addresses and phone numbers— directly from our servers to Meta’s platform to improve ad measurement accuracy and reduce reliance on browser-based cookies. All personally identifiable signals are hashed using SHA-256 prior to transmission.

Server-Side Tag Management

We employ server-side tagging infrastructure to process and route analytics events before they reach third-party platforms. This provides greater control over data fidelity, reduces client-side script load, and limits raw user data exposure to third-party JavaScript environments.

You may opt out of analytics tracking by enabling your browser’s Do Not Track signal, using a compliant ad blocker, or exercising your rights as described in Section 6 of this policy.

We process your personal data for the following lawful purposes:

• Service Delivery: To scope, architect, and deliver software engineering and digital growth solutions tailored to your business.
• Communication: To respond to inquiries, send project updates, and conduct client onboarding.
• Marketing & Retargeting: To run algorithmic advertising campaigns on platforms including Meta and Google, optimised using behavioural signals and lookalike audience modelling.
• Analytics & Optimisation: To measure campaign performance, improve user experience, and inform product and infrastructure decisions.
• Legal & Compliance: To fulfil contractual obligations, maintain records for financial audits, and respond to lawful requests from regulatory authorities.
• Recruitment: If you apply for a position, to evaluate your application and communicate with you throughout the hiring process.

We do not sell, rent, or trade your personal data to any third party.

We share data only with trusted infrastructure and service partners who are bound by contractual data processing agreements (DPAs) and operate under industry-standard security controls. These partners include:

• Amazon Web Services (AWS): Cloud hosting, storage, and compute infrastructure.
• Vercel: Application deployment and edge-network hosting for our web platform.
• Google Workspace: Business email, document collaboration, and internal communication.
• Cal.com: Meeting scheduling and calendar management.
• CRM Platforms: Client relationship management and sales pipeline tracking.
• Meta Platforms: Advertising campaign management and server-side conversion data sharing.
• Google Ads / Google Marketing Platform: Paid search and display campaign management.

All third-party partners are selected based on their compliance posture, data residency policies, and security certifications. We conduct periodic reviews of these partnerships.

We may disclose your data to legal authorities when required by applicable law, court order, or governmental regulation, and only to the minimum extent necessary.

We implement technical and organisational measures commensurate with the sensitivity of the data we process. Our security posture includes:

• Encryption in Transit: All data transmitted between your browser and our servers is protected via TLS 1.2/1.3.
• Encryption at Rest: Sensitive client data and credentials are stored using AES-256 encryption.
• Access Control: Systems are governed by role-based access control (RBAC). Access to personal data is granted on a strict need-to-know basis.
• Secure Cloud Infrastructure: Our production environment runs on SOC 2-compliant platforms (AWS, Vercel).
• Credential Management: Client API keys and secrets are stored in encrypted vaults and never committed to version control repositories.
• Regular Security Reviews: We conduct internal security assessments and rely on our cloud providers’ ongoing penetration testing and compliance programmes.

Despite these controls, no system is impenetrable. In the event of a data breach that poses a material risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities within the timeframes required by applicable law.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EU / EEA Residents)

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data where there is no lawful basis for continued processing.
• Right to Restriction: Request that we limit the manner in which we process your data.
• Right to Data Portability: Request your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Under CCPA (California Residents)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion of personal information, subject to statutory exceptions.
• Right to Opt-Out of Sale: We do not sell personal information; no opt-out is required.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of the above rights, please contact us at hello@xlevelsup.com. We will respond within 30 days of receiving a verifiable request.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law:

• Inquiry & Contact Data: Retained for up to 24 months from the date of last interaction, or until you request deletion.
• Client Project Data: Retained for the duration of the engagement and up to 5 years thereafter for legal and financial audit purposes.
• Analytics Data: Session-level data is retained in accordance with the retention policies of our analytics providers (typically 14 months for GA4).
• Job Application Data: Retained for up to 12 months following the conclusion of the relevant recruitment process.

Our website uses cookies and similar tracking technologies to enhance user experience and measure marketing performance. The categories we use are:

• Strictly Necessary Cookies: Essential for core website functionality. These cannot be disabled.
• Analytics Cookies: Used by GA4 to collect aggregate session data. Can be opted out via browser settings or by enabling Do Not Track.
• Marketing Cookies: Used for ad retargeting and conversion tracking via Meta Pixel and Google Ads. Controlled via your ad preferences on those respective platforms.

You can manage cookie preferences via your browser settings. Note that disabling certain cookies may affect the functionality of parts of our website.

We may update this Privacy Policy periodically to reflect changes in our data practices, technology infrastructure, or applicable law. Material changes will be communicated by updating the “Effective Date” at the top of this document. We encourage you to review this page periodically to remain informed.

Continued use of our website or services following a policy update constitutes your acceptance of the revised terms.

For privacy-related enquiries, data subject requests, or to report a concern, please contact our designated privacy point of contact: