Table of Contents
- Overview & Scope
- Data Controller
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Information Sharing & Disclosure
- Data Storage & Residency
- Data Security
- Data Retention
- Your Rights
- Cookies & Tracking
- Children's Privacy
- Geofencing & Location Data
- International Data Transfers
- Changes to This Policy
- Contact Us
1. Overview & Scope
This Privacy Policy describes how CommunityXO ("we", "us", "our") — the multi-community SaaS platform at communityxo.com — collects, uses, discloses, and safeguards your personal data when you access or use our platform, websites, mobile applications, APIs, and related services (collectively, the "Platform").
This Policy applies to all users of the Platform including Community Owners, Members, and visitors. It complies with the EU General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDPA) 2023, and other applicable data protection laws.
2. Data Controller
CommunityXO acts as the Data Processor (technology platform provider). Each Community Owner acts as the Data Fiduciary / Data Controller for the personal data collected within their community.
For data processed directly by CommunityXO (e.g., account registration, platform analytics), CommunityXO is the Data Controller. For data collected by communities (member profiles, posts, donations), the Community Owner is the Data Controller and CommunityXO processes it on their behalf.
3. Information We Collect
| Category | Data Types | Purpose |
|---|---|---|
| Account Data | Name, email, phone, profile photo, bio | Account creation, authentication, profile display |
| Preferences | Language, timezone, currency, notification settings | Localization, personalized experience |
| Community Data | Community memberships, roles, custom field values, engagement metrics | Community management, analytics, rewards |
| Content Data | Posts, comments, reactions, messages, media uploads | Platform functionality, moderation |
| Transaction Data | Order details, donation records, payment method type | Payment processing, receipts, accounting |
| Device & Usage Data | Device type, OS, app version, IP address, session duration, actions taken | Analytics, security, performance optimization |
| Location Data | Approximate location (if geofencing enabled & user opted in) | Geofenced notification delivery only — never stored |
4. How We Use Your Information
- Provide, maintain, and improve the Platform and its features.
- Authenticate your identity and manage your account.
- Enable community discovery, membership, and participation.
- Process transactions including marketplace orders and donations.
- Deliver notifications (in-app, push, email, SMS) based on your preferences.
- Deliver geofenced notifications when you opt in to location services and enter a geofenced area.
- Enforce our Terms of Service and community guidelines.
- Detect and prevent fraud, abuse, and security threats.
- Generate aggregated, anonymized analytics for Community Owners.
- Comply with legal obligations and respond to lawful requests.
5. Legal Basis for Processing
| Basis | Examples |
|---|---|
| Consent | Location services, marketing emails, optional profile fields |
| Contract | Account creation, community membership, marketplace transactions |
| Legitimate Interest | Security monitoring, fraud prevention, analytics, platform improvement |
| Legal Obligation | Tax compliance, law enforcement requests, data retention regulations |
6. Information Sharing & Disclosure
We do not sell your personal data. We may share information with:
- Community Owners: Profile data you choose to share within a community, engagement metrics.
- Service Providers: Payment processors (Razorpay, Stripe, PayU), email (SendGrid, AWS SES), SMS (Twilio, Gupshup), hosting (AWS, DigitalOcean), CDN (Cloudflare), analytics (Mixpanel, Google Analytics).
- Legal Authorities: When required by law, court order, or to protect rights and safety.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred, with notice provided.
7. Data Storage & Residency
CommunityXO stores data on self-hosted Supabase (PostgreSQL) infrastructure with regional deployment:
- India users: AWS Mumbai (ap-south-1)
- EU users: EU servers (GDPR-compliant)
- USA users: AWS Virginia (us-east-1)
- Asia users: AWS Singapore (ap-southeast-1)
Auto-routing based on user IP ensures data residency compliance. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
8. Data Security
We implement industry-standard security measures including:
- Row-Level Security (RLS) on all database tables via Supabase.
- End-to-end encryption for direct messaging (optional, configurable).
- Encrypted geofencing data — admins cannot track member locations.
- Multi-factor authentication (MFA/2FA) support.
- Regular security audits, penetration testing, and vulnerability scanning.
- Error monitoring via Sentry with PII redaction.
- Infrastructure monitoring via DataDog.
9. Data Retention
We retain your data only as long as necessary to fulfil the purposes described in this Policy:
- Account data: Retained while your account is active. Deleted within 90 days of an account deletion request.
- Content: Retained according to community retention policies. May persist in community archives after your departure unless you request erasure.
- Transaction data: Retained for 7 years to comply with tax and accounting regulations.
- Analytics data: Aggregated and anonymized; retained indefinitely.
- Location data: Never stored. Processed transiently for geofence notification delivery only.
10. Your Rights
Depending on your jurisdiction, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data | Settings → Privacy → Request My Data, or email hello@communityxo.com |
| Rectification | Correct inaccurate data | Edit Profile, or email hello@communityxo.com |
| Erasure | Request deletion of your data | Settings → Account → Delete Account, or email hello@communityxo.com |
| Portability | Export your data in machine-readable format | Settings → Privacy → Export Data |
| Restriction | Limit processing of your data | Email hello@communityxo.com |
| Objection | Object to processing based on legitimate interest | Email hello@communityxo.com |
| Withdrawal of Consent | Withdraw consent at any time | Settings → Privacy, or email hello@communityxo.com |
| Nomination (DPDPA) | Nominate someone to exercise rights on your behalf | Email hello@communityxo.com |
We will respond to all rights requests within 30 days. Identity verification via OTP may be required.
11. Cookies & Tracking
Our web platform uses essential cookies for authentication and session management. We use analytics tools (Google Analytics, Mixpanel) to understand usage patterns. You can control cookies through your browser settings. Our mobile apps use device identifiers for push notifications (FCM tokens) which can be disabled in app settings.
12. Children's Privacy
CommunityXO is not intended for children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under this age. If we become aware that a child has provided personal data, we will take steps to delete it promptly. Parents or guardians should contact us at hello@communityxo.com if they believe their child's data has been collected.
See our Child Safety Standards for comprehensive details.
13. Geofencing & Location Data
Privacy-first geofencing: User location is never stored. Admins cannot track member locations. Only notification delivery is measured.
- Location services are opt-in only. Members must explicitly grant permission.
- Location data is processed transiently on-device to check proximity to geofenced areas.
- Only the fact that a notification was delivered and opened is recorded — not your location.
- You can disable geofencing notifications per community or globally at any time.
- Frequency capping prevents notification fatigue (default: max 1 per day per geofenced area).
14. International Data Transfers
If your data is transferred across borders, we ensure adequate protection through Standard Contractual Clauses (SCCs), data processing agreements with sub-processors, and compliance with applicable transfer mechanisms under GDPR and DPDPA.
15. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via in-app notification and email at least 15 days before taking effect. The "Effective" date at the top of this page indicates the latest revision.