
Privacy Policy
Effective date: May 6, 2026
Xbit Innovations ("we," "us," "our") operates XRPay, a payment gateway and off-ramp platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you install the App, use the Xaman xApp off-ramp, or interact with a store that uses our services.
1. Who This Policy Covers
This Policy applies to:
- Merchants — BigCommerce store owners who install and configure the App
- xApp Off-Ramp Users — Xaman wallet holders who use the XRPay xApp to convert XRPL assets to fiat USD
- Shoppers — customers who pay through a checkout powered by the App
- Waitlist subscribers — individuals who sign up for early access at our public landing page
2. Information We Collect
From Merchants (via BigCommerce OAuth)
- BigCommerce store hash, store name, and store domain
- Merchant email address (provided by BigCommerce during install)
- BigCommerce API access tokens (stored encrypted, used to read/update orders)
- XRPL wallet address (public address only — we never store private keys)
- App configuration: settlement preferences, POS settings, Telegram bot tokens
- Transaction history: order IDs, amounts, payment statuses, XRPL transaction hashes
- B2B wholesale listings, orders, and inventory managed within the App
- POS employee records: names and PIN hashes (for in-store register access)
From xApp Off-Ramp Users (KYC & Bank Linking)
- Identity data (KYC): Full legal name, date of birth, residential address, Social Security Number (SSN), and government-issued ID — collected and processed by our regulated partner Bridge.xyz as required by US financial regulations
- Bank account data: Bank name, routing number, and account number (US ACH), IBAN and BIC/SWIFT (international), or wire transfer details — used solely to route fiat withdrawals
- Off-ramp transaction records: XRPL wallet address, token amounts, conversion rates, fees, ACH transfer IDs, and settlement timestamps
- XRPL trustline balances (read-only, fetched at session time to populate the withdrawal UI)
KYC identity data is collected, stored, and processed primarily by Bridge.xyz under their own privacy policy. Xbit Innovations retains only the Bridge customer ID, KYC status, and transaction records necessary to provide the service.
From Shoppers (at checkout)
- Email address (passed from BigCommerce checkout for confirmation purposes)
- XRPL wallet address used for payment (recorded from public blockchain data)
- Transaction amounts and blockchain transaction hashes
From Waitlist Subscribers
- Email address and optional store name (submitted via the landing page form)
We do not collect passwords, credit card numbers, or any data beyond what is listed above. SSN and government ID are processed exclusively by Bridge.xyz and are never stored on Xbit Innovations infrastructure.
3. How We Use Your Information
- To authenticate your BigCommerce store and maintain your App installation
- To generate payment requests, QR codes, and verify on-chain settlement
- To update order statuses and sync payment results back to your BigCommerce store
- To provide the merchant dashboard, analytics, B2B marketplace, POS register, and tax ledger
- To operate the xApp off-ramp: verify identity via Bridge.xyz, link bank accounts via Plaid, initiate ACH withdrawals, and record transaction history
- To comply with US financial regulations (BSA/FinCEN) applicable to fiat off-ramp services
- To send one launch notification to waitlist subscribers (opt-in at time of submission)
- To detect and prevent fraudulent or unauthorized activity
- To comply with applicable legal obligations
We do not use your data for advertising or sell it to any third party.
4. Data Storage & Security
All data is stored in a PostgreSQL database hosted on Railway (EU/US region). Sensitive values — including integration API tokens — are encrypted at rest using enterprise-grade encryption. XRPL wallet private keys are never stored by the App. All communications between the App, third-party services, and XRPL are transmitted over HTTPS/TLS.
We perform regular dependency audits and follow OWASP security guidelines for web application development.
5. Data Sharing
We share data only in the following limited circumstances:
- BigCommerce — We write order status updates and register storefront scripts via the BigCommerce API as required for the App to function
- XRP Ledger (XRPL) — Payment transactions are submitted to the public XRP Ledger; all XRPL transactions are publicly visible by design
- Xaman (XUMM) — Payment signing requests are routed through Xaman's API; no personal data beyond a payment amount and destination address is shared
- Bridge.xyz — For xApp off-ramp users, KYC identity data (name, DOB, SSN, address, ID) and bank account details are shared with Bridge.xyz as required to process fiat withdrawals. Bridge.xyz is an independent controller of this data under their own privacy policy
- Plaid — Bank account credentials entered during the Plaid Link flow are processed directly by Plaid; Xbit Innovations receives only a tokenized reference used to route ACH transfers (US users)
- ChangeNOW — XRPL wallet address and token amounts are shared with ChangeNOW to obtain swap quotes and execute DEX conversions for non-XRP trustline withdrawals
- Telegram — Store catalog data is delivered to your configured Telegram bot; no shopper personal data is transmitted to Telegram by the App
- Law enforcement — Only when required by a valid legal process under applicable law
We do not sell, rent, or trade personal data to advertisers or data brokers.
6. BigCommerce Mandatory Privacy Webhooks
As a BigCommerce App Marketplace partner, we honor the following mandatory privacy webhooks and process each request within 48 hours of receipt:
- Customer Data Request — Export all personal data associated with a customer upon request
- Customer Data Erasure — Delete all identifiable customer data from our systems
- Store/Shop Data Erasure — Delete all merchant and store data upon app uninstallation
7. Data Retention & Deletion
- Merchant and transaction data is retained while the App is installed
- Session tokens are invalidated on uninstallation
- Upon uninstallation, store data is deleted within 30 days per our erasure webhook
- Waitlist email addresses are deleted upon request or within 12 months if no launch notification is sent
- xApp off-ramp KYC records are retained for a minimum of 5 years as required by US Bank Secrecy Act (BSA) and FinCEN regulations. This retention obligation supersedes deletion requests for regulatory data
- Off-ramp transaction records (amounts, timestamps, XRPL hashes, ACH transfer IDs) are retained for 7 years to comply with financial recordkeeping requirements
- Merchants and off-ramp users may request deletion of non-regulated data at any time by emailing support@xbitinnovations.com
8. GDPR & International Privacy Rights
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we restrict processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at support@xbitinnovations.com. We will respond within 30 days.
9. Cookies & Analytics
The App does not use tracking cookies or third-party analytics tools on merchant storefronts. The BigCommerce control panel view of the App may use session cookies to maintain your authenticated session. No behavioral data is collected.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be posted in the App dashboard and on this page with an updated effective date. Continued use of the App after notice of changes constitutes your acceptance.