Privacy Policy
Last updated: March 2026
Xische & Co (“we,” “us,” or “our”) operates BusinessOS (“the Service”), a business management platform for agencies and professional services firms. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.
By using BusinessOS, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, and profile information provided through Google OAuth. We may also collect your company name, job title, and team role as part of the onboarding process.
Business Data
You may input business data into the Service, including leads, projects, invoices, timesheets, supplier information, purchasing records, and other operational data. This data is stored to provide you with the Service and remains your property.
Usage and Analytics Data
We automatically collect usage information when you interact with the Service, including pages visited, features used, timestamps, browser type, device information, and IP address. We use third-party analytics tools (Segment, Mixpanel, and PostHog) to gather this data.
Payment Information
If you subscribe to a paid plan, payment information is collected and processed by Stripe, our payment processor. We do not directly store your credit card numbers or banking details on our servers.
Cookies and Local Storage
We use cookies and local storage to maintain your authenticated session, store your preferences, and collect analytics data. See Section 8 for more details.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Authenticate your identity and manage your account
- Process transactions and send billing-related communications
- Analyze usage patterns and improve user experience through analytics and session recordings
- Send service-related notifications, updates, and security alerts
- Respond to your requests, questions, and support inquiries
- Detect, prevent, and address technical issues, fraud, or abuse
- Comply with legal obligations
3. Data Sharing
We do not sell your personal information to third parties. We share data only with the following service providers, strictly for operating the Service:
- Supabase — Database hosting, authentication, and data storage
- Stripe — Payment processing for subscriptions
- Segment — Event routing and analytics infrastructure
- Mixpanel — Product analytics and event tracking
- PostHog — Session recordings and product analytics
- Resend — Transactional email delivery
- Vercel — Application hosting and edge delivery
We may also disclose information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of Xische & Co, our users, or the public.
4. Session Recordings
We use PostHog to record user sessions for the purpose of improving the user experience and diagnosing issues. These recordings capture your interactions with the Service (clicks, scrolling, navigation) but apply masking to sensitive input fields such as passwords.
Session recordings are stored securely and are only accessible to authorized team members. You may opt out of session recordings by declining cookies when prompted or by contacting us at support@os.xische.com.
5. Data Retention
We retain your account information and business data for as long as your account is active or as needed to provide you with the Service. Usage and analytics data is typically retained for up to 24 months.
If you delete your account, we will remove your personal data and business data within 30 days, except where we are required to retain certain information for legal, accounting, or compliance purposes. Anonymized or aggregated data that cannot identify you may be retained indefinitely.
6. Data Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 encryption
- Row-level security (RLS) policies ensure tenant isolation at the database level so you can only access your own data
- Our infrastructure providers (Supabase, Vercel, Stripe) maintain SOC 2 Type II compliance
- Access to production systems is restricted and audited
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete data
- Deletion — Request deletion of your personal data
- Data Export — Export your business data in standard formats (CSV, JSON) from the Settings page
- Restriction — Request that we limit how we process your data
- Objection — Object to our processing of your data for certain purposes
- Portability — Receive your data in a structured, machine-readable format
For EU/EEA residents: You have rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal bases for processing your data are contractual necessity (to provide the Service), legitimate interest (for analytics and improvement), and consent (for cookies and session recordings).
To exercise any of these rights, contact us at support@os.xische.com. We will respond to your request within 30 days.
8. Cookies
We use the following types of cookies:
- Essential cookies — Required for authentication and core functionality. These cannot be disabled.
- Analytics cookies — First-party cookies used by Segment, Mixpanel, and PostHog to understand usage patterns and improve the Service. You can decline these when prompted.
You can manage your cookie preferences through the cookie consent banner shown on your first visit, or through your browser settings. Note that disabling essential cookies may prevent you from using the Service.
9. Children's Privacy
BusinessOS is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child under 16 has provided us with personal data, please contact us at support@os.xische.com and we will promptly delete the information.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (using the email address associated with your account) and update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
11. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
See also our Terms of Service.