
GDPR & UK Data Protection

LAST UPDATED MAY 31, 2026 · XBUILDERAI LTD

Data protection information for users in the UK and European Economic Area who use Goodstand.

1. Data controller

XBUILDERAI LTD is the data controller for personal data processed in connection with Goodstand. For general privacy practices, see our Privacy Policy.

2. Lawful bases for processing

Under UK GDPR and EU GDPR, we process personal data on the following bases:

  • Performance of a contract — providing the Service you subscribed to
  • Legitimate interests — security, fraud prevention, service improvement (balanced against your rights)
  • Legal obligation — compliance with tax, accounting, and regulatory requirements
  • Consent — optional marketing communications (withdraw anytime)

3. Categories of personal data

  • Identity and contact data (name, email, billing address)
  • Account credentials (hashed passwords, session tokens)
  • Entity and compliance data you enter or upload
  • Technical data (IP address, browser type, usage logs)
  • Communications (support tickets, email correspondence)

4. EU and UK storage

EU-resident users' personal data is stored on EU infrastructure (AWS EU-West replica) where applicable, in addition to our US-East primary region. All transfers use encryption in transit (TLS 1.3). Sensitive documents are held in an encrypted vault with access logging.

5. Your data subject rights

If you are in the UK or EEA, you have the right to:

  • Access — obtain a copy of personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion where there is no lawful basis to retain the data
  • Restriction — limit processing in certain circumstances
  • Portability — receive data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — where processing is consent-based

6. How to exercise your rights

Email support@goodstand.com with your request. We may need to verify your identity. We respond within 30 days, or inform you if an extension is required under applicable law. There is no fee unless a request is manifestly unfounded or excessive.

7. Subprocessors

We use subprocessors that may process personal data on our behalf, including AWS for hosting. Subprocessors are bound by data processing agreements with appropriate safeguards. A current list is available on request at support@goodstand.com.

8. International transfers

Where personal data is transferred outside the UK or EEA, we implement appropriate safeguards — including UK International Data Transfer Agreements and EU Standard Contractual Clauses — unless an adequacy decision applies.

9. Supervisory authority

You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO). We encourage you to contact us first at support@goodstand.com so we can address your concern.

10. Relationship to other policies

This notice supplements our Privacy Policy and Terms of Service. In case of conflict on data protection matters, this GDPR notice prevails for UK and EEA users.