Privacy Policy

Effective date: January 1, 2026 | Last updated: January 1, 2026

Operated by: FROM AMERICA LLC, based in Illinois — fromamerica-llc.com

Quick Summary

instxnt.xyz ("Service") respects your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, how long we keep it, and your rights.

  • Account data: Email, name, OAuth ID (Google), profile info
  • Payment data: Processed by Stripe (we don't store credit cards)
  • Store content: Product titles, descriptions, images, prices you publish
  • Usage data: IP address, browser type, device info, analytics
  • Processors: Stripe, Cloudflare, Anthropic
  • Rights: Access, correct, delete, port your data (EU/CA residents have stronger rights)
  • No sales: We do not sell or share personal information for marketing unless given explicit consent
  • Breach notification: We'll notify you within 72 hours if required by law

1. Information We Collect

1.1 Information You Provide

  • Account creation: Email address, name, OAuth provider ID (Google)
  • Seller profile: Profile photo, bio, business name (optional)
  • Store content: Product titles, descriptions, images, prices, tags
  • Custom domain: Domain name, DNS verification records
  • Communications: Emails, support tickets, feedback you send to us
  • Preferences: Settings, notification preferences, customization choices
  • Stripe KYB: Tax ID, business info (shared directly with Stripe, not instxnt)

1.2 Information Collected Automatically

  • IP address and geolocation: Derived from IP for analytics and security
  • Device info: Browser type, OS, device type, screen resolution
  • Usage analytics: Pages visited, features used, time spent, clicks, conversions
  • Cookies and session tokens: To maintain sessions and track preferences
  • Referrer information: How you arrived at the Service
  • Error logs: Technical errors and debugging information
  • Storefront analytics: Visitor count, traffic source, conversion metrics (Cloudflare analytics)

1.3 Information from Third Parties

  • Google OAuth: Email, name, profile picture (with your consent)
  • Stripe: Payout account status, connected account ID, charges/payouts enabled flags
  • Fraud detection services: Risk scoring from third-party providers
  • Customer data (from your storefronts): Email addresses, shipping info, payment info for order notifications

1.4 Sensitive Personal Information (California CPRA)

We collect limited sensitive personal information:

  • Financial information: Payment card data (processed by Stripe, not stored by us), bank account info (via Stripe Connect)
  • Government ID information: Only if required by Stripe for KYC (shared directly with Stripe)

2. How We Use Your Information

We use your information for these purposes:

  • Provide the Service: Create and maintain your account, host storefronts, process payments via Stripe
  • Personalization: Remember your preferences, settings, and usage patterns
  • AI generation: Generate product descriptions and storefront layouts (only content you provide)
  • Communication: Send account updates, transactional emails, support responses, billing notifications
  • Security and fraud prevention: Detect abuse, prevent chargebacks, identify suspicious activity, enforce ToS
  • Legal compliance: Fulfill legal obligations (tax reporting, DMCA takedowns, subpoenas)
  • Product improvement: Analyze usage to improve features, fix bugs, develop new functionality
  • Analytics and monitoring: Understand how users interact with the Service, measure performance
  • Legitimate business interests: Protect against fraud, enforce our Terms, troubleshoot technical issues

3. Legal Basis for Processing (GDPR/LGPD)

For users in the EEA/UK, our processing is based on:

  • Contract: Processing necessary to provide the Service and execute our Agreement with you
  • Legal obligation: Complying with tax laws, anti-money laundering, law enforcement requests
  • Legitimate interests: Fraud prevention, security, product improvement, business operations
  • Consent: Optional features like optional AI generation, marketing emails (you can withdraw anytime)

4. Third-Party Processors and Integrations

4.1 Stripe (Payment Processing & Connect)

What data is shared: Email, name, Stripe account ID, transaction history, payout status

Purpose: Process payments, manage seller payouts, KYC/Know Your Customer verification

Stripe's privacy policy: https://stripe.com/privacy

Your data in Stripe: You have your own relationship with Stripe and can request data subject rights from them directly.

4.2 Cloudflare (Infrastructure & Storage)

What data is shared: All traffic (IP addresses, logs, content served), stored data in D1 (database) and R2 (object storage)

Purpose: Host the API, store databases, serve images/templates, provide CDN, edge computing, DDoS protection

Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/

Data locations: Cloudflare may process data in the US and other countries where they operate.

4.3 Anthropic (Optional AI Generation)

What data is shared: Product info and images you provide when you opt-in to AI generation

Purpose: Generate product descriptions and marketing copy using Claude AI

Important: Anthropic does NOT use your content to train their models. See Anthropic's privacy policy: https://www.anthropic.com/privacy

Opt-out: Don't use AI generation features if you don't want content sent to Anthropic. You can also request that we delete content from Anthropic's systems by contacting privacy@instxnt.xyz.

4.4 Google (Authentication)

What data is shared: Only when you click "Sign in with Google" — email, name, profile picture

Purpose: Authenticate your account, verify email ownership

Google's privacy policy: https://policies.google.com/privacy

4.5 Apple Push Notification Service (Optional)

What data is shared: Device tokens (if you enable push notifications on iOS)

Purpose: Send order notifications and updates to your customers' iOS devices

Apple's privacy policy: https://www.apple.com/privacy/

4.6 Seller Customer Data

As a seller, YOU are the data controller for customer data (emails, shipping addresses, purchase history). instxnt acts as a data PROCESSOR when we store this data for you. We process customer data only as instructed and will not use it for our own marketing or purposes.

You must provide customers with a privacy policy and comply with GDPR, CCPA, and other privacy laws.

5. Data Retention and Deletion

How long we retain your data:

  • Account data (email, name, profile): Retained while account is active. After account deletion, retained for 3 years for fraud prevention and legal compliance, then deleted.
  • Payment and transaction history: Retained for minimum 7 years for tax, accounting, and legal compliance (required by law). Longer retention may apply based on jurisdiction.
  • Store content (product images, descriptions): Retained while store is live. Upon deletion, retained for 30 days in backups/archives, then permanently deleted (except where legal holds apply).
  • Logs and analytics (IP, device info, usage): Retained for up to 24 months for security and troubleshooting. Older logs are aggregated or deleted.
  • Customer data from your storefronts: Your responsibility to retain or delete. We retain a copy for order fulfillment and dispute resolution. After 3 years of inactivity, we may delete customer contact info.
  • Cookies and session tokens: Typically expire after 30 days of inactivity or when you log out.

6. Data Transfers & International Processing

instxnt is based in the US and data is primarily processed in the US via Cloudflare and Stripe. Both processors may transfer data internationally depending on where they operate.

For EU/UK Users (GDPR & UK GDPR):

Transfers to the US are based on:

  • Adequacy decisions (e.g., UK GDPR for UK data)
  • Standard Contractual Clauses (SCCs) between us and our processors
  • Contractual commitments with Stripe and Cloudflare

To request a copy of our Standard Contractual Clauses or execute a Data Processing Addendum (DPA), contact privacy@instxnt.xyz.

7. Your Privacy Rights

General Rights (All Users):

  • Access: Request a copy of your personal data
  • Correct: Update inaccurate information
  • Delete: Request deletion of your data
  • Port: Request your data in a portable format

GDPR Rights (EU/EEA/UK Users):

  • Right to be forgotten: Delete your data (with exceptions for legal obligations)
  • Right to restrict processing: Ask us to limit how we use your data
  • Right to object: Opt out of legitimate interest processing
  • Right to lodge a complaint: Contact your data protection authority (DPA)

CCPA/CPRA Rights (California Users):

  • Right to know: What categories of personal information we collect
  • Right to delete: Request deletion (with exceptions)
  • Right to correct: Fix inaccurate data
  • Right to opt out: Opt out of any "sale" or "sharing" of personal information (we don't sell, but may share for marketing under CPRA definition)
  • Right to limit: Limit use of sensitive personal information
  • Limit tracking: Opt out of cross-context behavioral advertising (CPRA)

LGPD Rights (Brazil Users):

  • Access, correct, delete, port, and object to processing
  • Right to withdraw consent anytime

How to Exercise Your Rights: Email privacy@instxnt.xyz with:

  • Your name and account email
  • The specific right you're requesting (access, delete, correct, port, etc.)
  • Sufficient information to locate your data

Response time: We will verify your identity and respond within 30 days (may extend by 60 days if complex). We may request government ID for verification.

8. Security Measures

We implement technical and organizational safeguards to protect your data:

  • Transport security: TLS 1.2+ encryption for all data in transit
  • Encryption at rest: Provider-managed encryption for databases and storage (Cloudflare, Stripe)
  • Access control: Role-based access; employees can only access data needed for their role
  • Authentication: Multi-factor authentication for admin access
  • Monitoring & logging: Logs of administrative actions and access attempts
  • Regular security audits: Third-party penetration testing and vulnerability assessments
  • Incident response: Documented procedures for responding to breaches

If you discover a security vulnerability, please email security@instxnt.xyz.

9. Data Breach Notification

In the event of a confirmed breach of your personal data, we will:

  • Notify you without undue delay (typically within 72 hours)
  • Describe the nature of the breach and data affected
  • Provide steps to mitigate risk
  • Notify relevant supervisory authorities where required by law
  • Notify Stripe and other processors as appropriate

10. Cookies and Tracking

We use cookies and similar tracking technologies to:

  • Maintain your session and remember login state
  • Remember your preferences and settings
  • Analyze usage patterns via Cloudflare analytics

We do not use third-party advertising cookies or sell behavioral data to advertisers. You can disable cookies in your browser settings, but some features may not work properly.

See our Cookie Policy for more details.

11. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected data from a child under 13, we will delete it promptly.

Parents or guardians who believe a child has provided information should contact privacy@instxnt.xyz.

12. Do Not Track (DNT)

Some browsers support "Do Not Track" signals. We recognize DNT headers and will not use behavioral tracking advertising; however, we may continue to collect analytics for service improvement.

13. Your Storefronts and Public Content

Content you publish to your storefront (product titles, images, descriptions) is public and may be:

  • Indexed by search engines (Google, Bing, etc.)
  • Cached by third-party services and archives
  • Screenshot and shared on social media

You are responsible for the privacy implications of publishing content. We can help remove content from our Service, but cannot control third-party caches or archives.

14. Sale or Sharing of Personal Information

We do NOT sell personal information.

Under CCPA, we also DO NOT "share" personal information for cross-context behavioral advertising, though we may share data with processors for legitimate business purposes (e.g., Stripe for payments).

If you are a California resident and want to opt out of any future "sale" or "sharing," contact privacy@instxnt.xyz.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification, and the "Last updated" date will be changed. Your continued use of the Service after changes indicates acceptance. If you disagree with changes, you may close your account.

16. Contact Us

FROM AMERICA LLC

General privacy inquiries: privacy@instxnt.xyz

Security incidents: security@instxnt.xyz

Legal requests: legal@instxnt.xyz

Data Protection Authority Contacts:

  • EU (GDPR): Contact your national Data Protection Authority
  • UK (UK GDPR): Information Commissioner's Office (ICO): https://ico.org.uk
  • California (CCPA/CPRA): California Attorney General Privacy Hotline: 1-833-656-4366
  • Brazil (LGPD): Autoridade Nacional de Proteção de Dados (ANPD)
← Back to home