Privacy Policy — Goodstand

1. Who we are

XBUILDERAI LTD ("we", "us") operates the Goodstand platform. We are the data controller for personal data described in this policy. For GDPR-specific rights and EU/UK processing detail, see our GDPR page.

2. Data we collect

Account data — name, email, password hash, company name, billing address
Entity data — LLC names, EINs, state registration numbers, ownership details you enter
Documents — formation papers, EIN letters, IDs, filing receipts you upload
Usage data — pages viewed, features used, device/browser type, IP address, timestamps
Support data — messages you send via contact forms, email, or in-app support
Payment data — processed by our payment provider; we store billing metadata, not full card numbers

3. How we use data

We use personal data to provide and improve the Service, process filings you request, send deadline alerts, authenticate users, process payments, respond to support requests, prevent fraud, and comply with legal obligations. We do not sell personal data. We do not use your documents to train machine learning models.

Contract — to deliver the Service you signed up for
Legitimate interests — security, product improvement, anonymized analytics
Legal obligation — tax, accounting, and regulatory retention where required
Consent — marketing emails where you opt in (you may opt out anytime)

4. Sharing and subprocessors

We share data only with service providers who process it on our behalf under contract, such as cloud hosting, payment processing, email delivery, and customer support tools. We may disclose data if required by law, to protect rights and safety, or in connection with a merger or acquisition with notice where required.

Amazon Web Services (AWS) — primary hosting (US-East); EU-West replica for EU/UK customers
Payment processor — subscription billing
Email provider — transactional and support email

5. Retention

We retain account and entity data while your account is active. After closure, we delete or anonymize data except where US tax law, UK law, or legitimate business records require retention. Document vault contents are deleted on account closure unless you export them first or law requires retention.

6. Security

Data is encrypted at rest in AWS and in transit via TLS 1.3. Sensitive documents are stored in a separate encrypted vault with per-document access logging. No method of transmission or storage is 100% secure; we maintain reasonable administrative, technical, and organizational safeguards.

7. International transfers

We operate globally. Data may be processed in the United States, the United Kingdom, and the European Union. Where required, we use Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms. EU-resident users' personal data may be stored on EU infrastructure as described on our GDPR page.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. UK and EEA residents have additional rights under UK GDPR and EU GDPR — see /gdpr. To exercise rights, email support@goodstand.com. We respond within 30 days.

9. Cookies and analytics

We use essential cookies for authentication and session management. We may use privacy-respecting analytics to understand product usage. You can control non-essential cookies through your browser settings. We do not use third-party advertising cookies on the Service.

10. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. Contact us if you believe a child has provided data and we will delete it.

11. Changes

We may update this Privacy Policy. The "Last updated" date at the top of this page will change when we do. Material changes will be communicated by email or in-app notice where appropriate.

12. Contact

Privacy inquiries and data subject requests: support@goodstand.com.