Privacy Policy
XAgentStore — XGenTra Inc.
Effective Date: May 30, 2026 Last Updated: May 13, 2026
1. Introduction
XGenTra Inc. ("XGenTra," "we," "us," or "our") operates the XAgentStore marketplace at xgentra.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
This Privacy Policy describes how we handle your personal information. By using the Service, you acknowledge that you have read and understood this policy. Where applicable law requires it, we will obtain your active consent before processing your personal information for purposes beyond those necessary to provide the Service (such as marketing communications, targeted advertising, or sensitive data processing). If you do not agree to this Privacy Policy, please do not use the Service.
Company Information
| Field | Detail |
|---|---|
| Legal name | XGenTra Inc. |
| State of incorporation | Delaware, United States |
| EIN | 37-2232749 |
| [email protected] | |
| Website | https://xgentra.com |
| Address | 131 Continental Dr, Suite 305, Newark, DE 19713, US |
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples |
|---|---|
| Account information | Email address, display name, profile photo |
| Payment information | Billing address, payment method details (processed by Stripe — we do not store raw card numbers) |
| Maker information | Payout account details for revenue settlement |
| Communications | Messages to customer support, feedback |
| Content | .xagt files and descriptions you upload as a Maker |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Usage data | Pages visited, features used, search queries, purchase history |
| Device & log data | IP address, browser type, operating system, referrer URL |
| Cookies & tracking | Session tokens, preference cookies, analytics identifiers |
2.3 Information from Third Parties
- Clerk (Authentication): When you sign in, Clerk provides us with your verified email address and a unique user identifier. Clerk's privacy practices are at https://clerk.com/legal/privacy.
- Stripe (Payments): Provides transaction confirmations and billing data. We do not receive or store full payment card numbers.
- AI Service Providers: When using AI-assisted features (e.g., xagt Builder), your inputs may be processed by Anthropic (Claude API) or Google (Gemini API), subject to their respective privacy policies.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and management | Contract performance |
| Processing purchases and payouts | Contract performance |
| Sending transactional emails (receipts, alerts) | Contract performance |
| Providing customer support | Legitimate interest |
| Improving the Service (analytics) | Legitimate interest |
| Fraud prevention and security | Legitimate interest |
| Sending marketing communications (opt-in only) | Consent |
| Complying with legal obligations | Legal obligation |
4. Sub-processors and Infrastructure
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, edge network | Global (US-based) |
| Cloudflare R2 | File storage (.xagt files) | US / Asia-Pacific |
| Railway | Backend application hosting | US |
| Clerk | Authentication | US |
| Stripe | Payment processing | US |
| Anthropic | Claude API (AI features) | US |
| Gemini API (AI features) | US |
All sub-processors are contractually required to maintain appropriate data protection standards.
5. Cookies and Tracking Technologies
| Type | Purpose | Duration |
|---|---|---|
| Essential cookies | Session management, authentication | Session |
| Preference cookies | Language, UI settings | 1 year |
| Analytics cookies | Aggregate usage statistics | 90 days |
| Marketing cookies | Targeted advertising (opt-in only) | 180 days |
You may control cookie preferences through your browser settings. Disabling essential cookies may impair Service functionality.
Do Not Track / Global Privacy Control: We recognize browser-based Do Not Track (DNT) signals and Global Privacy Control (GPC) signals. When a valid GPC signal is detected, we treat it as an opt-out of the sale or sharing of personal information to the extent required by applicable law. Note that some third-party analytics and advertising partners operating on the Service may independently collect data across sites; please refer to their respective privacy policies for their DNT/GPC practices.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: With sub-processors listed in Section 4, solely to operate the Service.
- Makers: If you purchase a
.xagtfile, the Maker may receive your country/region and purchase date for fraud prevention — not your name or email unless you choose to share them. - Legal Requirements: When required by applicable law, court order, or governmental authority.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to you.
- Safety: To protect the rights, property, or safety of XGenTra, our users, or the public.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Transaction records | 7 years (tax/legal compliance) |
| Usage logs | 90 days |
| Download logs | 12 months |
| Support communications | 3 years |
Deleted .xagt files | 30 days (then permanently removed) |
8. Your Rights
8.1 All Users
Regardless of your location, you may:
- Access: Request a copy of personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
- Opt-out of marketing: Unsubscribe via the link in any marketing email or by emailing [email protected].
8.2 EEA / UK Users (GDPR)
In addition to the above:
- Data Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw any consent at any time.
- Lodge a Complaint: With your local supervisory authority (e.g., your national Data Protection Authority).
8.3 California Users (CCPA)
California residents have the right to:
- Know what personal information is collected and how it is used.
- Delete personal information (subject to exceptions).
- Opt out of the "sale" or "sharing" of personal information. (We do not sell personal information.)
- Non-discrimination for exercising privacy rights.
To exercise CCPA rights, email [email protected] with the subject line "CCPA Request."
8.4 Korean Users (PIPA — 개인정보보호법)
In accordance with Korea's Personal Information Protection Act:
- You have the right to access, correct, delete, and suspend processing of your personal information.
- We will process your request within 10 business days.
- Contact: [email protected] with the subject "PIPA Request."
8.5 Japanese Users (APPI — 個人情報保護法)
In accordance with Japan's Act on the Protection of Personal Information:
- You have the right to request disclosure, correction, addition, deletion, suspension of use, and suspension of third-party provision of your personal information.
- We will respond promptly without undue delay (typically within 2 weeks).
- Contact: [email protected] with the subject "APPI Request."
8.6 Delaware Users (Delaware Personal Data Privacy Act — DPDPA)
Delaware residents have the right to:
- Access / Confirmation: Confirm whether we process your personal data and obtain a copy.
- Correction: Correct inaccuracies in your personal data.
- Deletion: Request deletion of personal data you have provided or that we have collected about you.
- Data Portability: Obtain your data in a portable and, to the extent technically feasible, readily usable format.
- Category Disclosure: Know the categories of third parties with whom we share your personal data.
- Opt-Out of Sale / Targeted Advertising / Profiling: Opt out of the sale of personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Appeal: If we decline to act on your request, you may appeal that decision by emailing [email protected] with the subject "DPDPA Appeal." We will respond within 60 days. If your appeal is denied, you may contact the Delaware Department of Justice at https://attorneygeneral.delaware.gov.
To exercise DPDPA rights, email [email protected] with the subject "DPDPA Request."
9. Exercising Your Rights
- Email: [email protected] with subject "Privacy Request — [Request Type]"
- Response Time: Within 30 days (up to 45 days for complex requests).
- Identity Verification: We may ask you to verify your identity before processing your request.
10. Data Security
We implement industry-standard security measures including:
- TLS encryption for data in transit.
- AES-256 encryption at rest for sensitive stored data.
- Access controls and least-privilege principles.
- Regular security audits and vulnerability assessments.
No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
Security Breach Notification: In the event of a breach of security involving your personal information, we will notify affected individuals without undue delay and, where required by law, within the timeframes mandated by applicable law (e.g., within 60 days under Delaware law). If a breach affects 500 or more Delaware residents, we will also notify the Delaware Attorney General. Notification will be provided by email or, if email is unavailable, by other reasonable means.
11. Children's Privacy
The Service is not intended for users under the age of 18. We do not knowingly collect personal information from minors under 18. If we become aware of such collection, we will delete it promptly.
12. International Data Transfers
XGenTra is incorporated in Delaware, USA. Your data may be transferred to and processed in the United States, which may have different data protection laws than your country.
- EEA/UK: Transfers outside the EEA/UK are conducted under Standard Contractual Clauses (SCCs) or other approved mechanisms.
- Korea: Cross-border transfers to the US are disclosed in accordance with PIPA requirements.
- Japan: Cross-border transfers to the US are conducted with your consent or under equivalent protection measures as required by APPI.
13. Changes to This Policy
We will notify you of material changes by email or prominent notice on the Service at least 30 days before the new policy takes effect. The "Last Updated" date at the top reflects the most recent revision.
14. Data Protection Officer / Privacy Contact
XGenTra Inc. DPO Email: [email protected] General: [email protected] Website: https://xgentra.com 131 Continental Dr, Suite 305, Newark, DE 19713, US
This Privacy Policy is the authoritative English version. In the event of any conflict between a translated version and this English version, this English version shall prevail.
Data Protection Officer: [email protected] | XGenTra Inc.