Privacy Policy

1. Controller and Contact Information

instxnt.xyz is operated by FROM AMERICA LLC, an Illinois limited liability company. For privacy inquiries, contact us at:

• Email: [email protected]
• Data Protection Officer: [email protected]

2. Information We Collect

Information you provide directly

• Account data: Email address, name, profile photo (if provided), and authentication credentials.
• Store content: Product names, descriptions, prices, images, and custom HTML/CSS/JS code.
• Payment information: Processed and stored by Stripe. We receive only transaction IDs, amounts, and status updates.
• Communications: Support tickets, emails, and feedback you send us.
• Subscription data: Billing tier (Free or Premium), payment status, and subscription history.

Information collected automatically

• Usage data: Pages viewed, features used, stores created, generation requests, and API calls.
• Device information: IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Analytics: We use Google Analytics and Google Tag Manager to track aggregate behavior patterns. See Section 5 for cookie details.
• Log data: Server logs including timestamps, request paths, error codes, and response times.

Information from third parties

• OAuth providers: When you sign in with Google, Apple, or Stripe, we receive your email, profile name, and unique ID.
• Stripe Connect: Account status, verification status, payout data, and transaction metadata.

3. How We Use Your Information

We process personal data for the following purposes:

Service delivery (Legal basis: Contract performance)

• Creating and managing your account
• Processing AI generation requests
• Publishing and hosting storefronts
• Facilitating Stripe Connect integration
• Providing customer support

Payment processing (Legal basis: Contract performance)

• Calculating and collecting platform fees
• Managing subscription billing
• Preventing fraud and chargebacks

Platform improvement (Legal basis: Legitimate interest)

• Analyzing usage patterns to improve features
• Testing new functionality
• Optimizing performance and reliability

Legal compliance (Legal basis: Legal obligation)

• Responding to legal requests and subpoenas
• Enforcing Terms of Service
• Preventing illegal activity and abuse
• Maintaining records for tax and accounting purposes

Communications (Legal basis: Legitimate interest or consent)

• Sending transactional emails (order confirmations, password resets)
• Service announcements and policy updates
• Marketing emails (opt-in only; you may unsubscribe anytime)

4. Who We Share Information With

We do not sell or rent your personal data. We share data only as described below:

Service providers

• Stripe: Payment processing, KYC verification, and payout management. See Stripe's Privacy Policy.
• Cloudflare: CDN, DDoS protection, R2 storage, and Workers platform. See Cloudflare's Privacy Policy.
• Anthropic: AI content generation. Product descriptions and images are sent for processing. Anthropic does not use customer data for model training. See Anthropic's Privacy Policy.
• Google (Analytics, Tag Manager): Website analytics and tag management. See Google's Privacy Policy.

Legal disclosures

We may disclose personal data if required by law, subpoena, court order, or government investigation. We will notify you unless prohibited by law.

Business transfers

If instxnt is acquired, merges, or undergoes restructuring, your data may be transferred to the successor entity. You will be notified of any ownership change.

Aggregated and anonymized data

We may share aggregate statistics (e.g., "10,000 stores created") that do not identify individuals.

5. Cookies and Tracking Technologies

instxnt uses cookies and similar technologies to operate the service and analyze usage.

Essential cookies

Required for authentication, session management, and security. Cannot be disabled.

• Session cookies: Maintain login state and CSRF protection
• Authentication tokens: Secure API access

Analytics cookies (opt-out available)

• Google Analytics: Tracks page views, referrers, and user flows
• Google Tag Manager: Manages analytics scripts

To opt out of Google Analytics, use the Google Analytics Opt-out Browser Add-on.

Third-party cookies

Stripe, Google, and other integrated services may set their own cookies. Review their privacy policies for details.

6. Data Retention

We retain personal data as follows:

• Active accounts: Data retained for the duration of your account.
• Closed accounts: Most data deleted within 30 days. Some records retained for up to 3 years for fraud prevention, legal compliance, and tax purposes.
• Transaction records: Retained for 7 years to comply with financial recordkeeping laws.
• Support communications: Retained for 2 years.
• Logs and analytics: Aggregated or anonymized after 90 days; retained indefinitely in de-identified form.

You may request early deletion by contacting [email protected]. We will honor requests unless retention is legally required.

7. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data transmitted over HTTPS/TLS. Sensitive data encrypted at rest.
• Access controls: Limited employee access to personal data; role-based permissions.
• Authentication: OAuth 2.0 for login; no passwords stored by instxnt.
• Monitoring: Automated alerts for suspicious activity and security events.
• Third-party audits: Cloudflare and Stripe maintain SOC 2 Type II compliance.

No system is completely secure. If a breach occurs that affects your data, we will notify you within 72 hours as required by GDPR and other applicable laws.

8. Your Privacy Rights

All users

• Access: Request a copy of your personal data.
• Correction: Update inaccurate or incomplete data.
• Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
• Data portability: Receive your data in a structured, machine-readable format.
• Opt-out of marketing: Unsubscribe from promotional emails via the link in each email.

EU/UK residents (GDPR)

Under the General Data Protection Regulation, you have additional rights:

• Right to object: Object to processing based on legitimate interests.
• Right to restrict processing: Request temporary suspension of data processing.
• Right to withdraw consent: Withdraw consent for data processing at any time (does not affect prior lawful processing).
• Right to lodge a complaint: File a complaint with your national data protection authority.

California residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Know: Request disclosure of categories and specific pieces of personal information collected.
• Delete: Request deletion of personal information (subject to exceptions). We will respond within 45 days of verification.
• Correct: Request correction of inaccurate information.
• Opt-out of sales/sharing: Opt out of "sale" or "sharing" of personal information. Note: instxnt does not sell or share personal information with third parties for their independent use.
• Opt-out of targeted advertising: Disable tracking for personalized advertising. Visit aboutads.info or use browser DNT signals.
• Non-discrimination: You may exercise privacy rights without facing discrimination or retaliation.

How to opt-out of sales/sharing: Email [email protected] with subject line "CCPA Opt-Out Request" to disable any future selling or sharing of your personal information.

How to exercise rights

Email [email protected] with your request. We will respond within 30 days (GDPR) or 45 days (CCPA). Identity verification may be required.

9. International Data Transfers

instxnt operates globally and may transfer data to the United States and other countries. We rely on the following mechanisms for lawful international transfers:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements with service providers.
• Data Processing Addendum: Available upon request for EU/UK customers.
• Adequacy decisions: Transfers to countries with GDPR adequacy findings (e.g., UK post-Brexit, Switzerland).

Cloudflare stores data in distributed data centers globally. Stripe processes payments in compliance with regional data protection laws.

10. Children's Privacy

instxnt is not directed at children under 18. We do not knowingly collect personal information from minors. If you are under 18, do not use the service or provide any personal information.

If we learn that we have collected data from a child under 18, we will delete it promptly. Parents or guardians may contact [email protected] to request removal.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

• Email notification to registered users
• Prominent notice on the website
• Updated "Last Updated" date at the top of this page

Continued use of instxnt after changes take effect constitutes acceptance of the updated policy. If you disagree, close your account before the effective date.

12. Third-Party Links

instxnt may contain links to third-party websites (e.g., Stripe documentation, Google policies). We are not responsible for the privacy practices of external sites. Review their privacy policies before providing personal information.

13. Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. instxnt does not currently respond to DNT signals, but you may opt out of Google Analytics tracking (see Section 5).

14. Contact Us