Legal

Privacy Policy

Effective Date: July 5, 2026

1. Introduction & Scope

This Privacy Policy explains how Xata Technologies OPC ("XataTech," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit xatatech.com (the "Site"), subscribe to our newsletter, take the AI Readiness Check, submit the contact form, or otherwise interact with us in connection with our business, product, and services engagements. It applies to visitors, prospective clients, newsletter subscribers, and other individuals who interact with the Site, regardless of where you access it from.

This Policy does not cover learn.xatatech.com or any other platform we operate services through; those services maintain their own privacy notices, which we encourage you to review before enrolling or transacting there.

By using the Site, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will seek your consent before collecting or processing your personal information.

2. Who We Are

The Site is operated by:

Xata Technologies OPC
SEC Registration No. 2025080212430-00
Unit 2116-17 21F, Park Triangle Corporate Plaza, BGC, Taguig City, NCR, Philippines 1635

For purposes of the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, "DPA") and its Implementing Rules and Regulations, Xata Technologies OPC is the personal information controller ("PIC") for personal information processed through the Site. Our Compliance Officer for Privacy ("COP") can be reached at privacy@xatatech.com.

For purposes of the EU/UK General Data Protection Regulation ("GDPR"), Xata Technologies OPC acts as the data controller. For purposes of the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") and other applicable US state privacy laws, we are a "business." For purposes of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"), we are an "APP entity."

3. Definitions

  • "Personal Information" / "Personal Data" means any information that identifies or can reasonably be used to identify an individual, whether directly or indirectly.
  • "Sensitive Personal Information" has the meaning given in Section 3(l) of the DPA (e.g., race, health, sexual life, government-issued IDs). We do not knowingly collect Sensitive Personal Information through the Site.
  • "Processing" means any operation performed on personal information, including collection, recording, storage, use, disclosure, or destruction.
  • "Consent" means any freely given, specific, informed indication of agreement.

Where this Policy uses a term defined differently under GDPR, CCPA/CPRA, or the Australian Privacy Act, the corresponding local definition applies to individuals covered by that law, without narrowing the protections available to any individual.

4. What We Collect

We collect the following categories of information through the Site:

  • Contact information you voluntarily provide, such as your email address, when you subscribe to our newsletter through the forms on the Site.
  • Inquiry details you submit through the contact form on the Site — your name, email address, and an optional message about your project.
  • Your AI Readiness Check responses and computed results (pillar scores, overall score, readiness band, and recommendation), which are linked to the email address you provide at the end of the check.
  • Correspondence you send us, such as when you email hello@xatatech.com to discuss a project.
  • Usage and device data collected automatically via Google Analytics 4 and PostHog, such as pages viewed, referring URLs, approximate location (derived from IP address), device and browser type, and interaction events. See Section 6 (Cookies & Tracking Technologies).
  • Anti-spam signals from an invisible honeypot field on our forms, which is not personal information about you.

We do not knowingly collect Sensitive Personal Information, government identifiers, financial account details, or precise geolocation through the Site. We do not knowingly collect personal information from children (see Section 12).

5. How and Why We Use It

PurposeWhat we useLegal basis
Send newsletter updates and business content you signed up forEmail addressConsent (DPA/GDPR); you may opt out at any time
Send you your AI Readiness Check score report and the follow-up you signed up forEmail address, check responses and computed resultsConsent (DPA/GDPR); you may opt out at any time
Understand aggregate readiness patterns to improve our services and contentCheck responses and computed resultsLegitimate interest
Respond to project inquiries submitted through the contact form or sent to hello@xatatech.comName, email address, and any message you provideContract negotiation / legitimate interest
Understand how the Site is used and improve itGA4 and PostHog usage dataLegitimate interest (DPA/GDPR); disclosed use (CCPA/CPRA)
Maintain security and prevent abuse of our formsHoneypot signal, request metadataLegitimate interest
Comply with legal obligationsAny of the above, as requiredLegal obligation

6. Cookies & Tracking Technologies

We use Google Analytics 4 ("GA4") to understand aggregate visitor behavior on the Site. GA4 may set cookies or use similar technologies (such as local storage) to distinguish visitors and sessions. GA4 is loaded only on production deployments of the Site.

We also use PostHog, a product analytics service, for the same aggregate-analytics purposes. PostHog is likewise loaded only on production deployments, is served through a first-party subdomain of the Site (t.xatatech.com), and may use cookies or local storage to distinguish visitors and sessions. Session recording is disabled — PostHog does not capture a replay of your visit — and we do not use it for advertising.

We do not currently use advertising or remarketing cookies, and we do not currently operate a cookie-consent banner. You can control or block cookies through your browser settings, or install the Google Analytics Opt-out Browser Add-on (available from Google) to prevent your data from being used by GA4 across all websites that use it; blocking cookies and local storage through your browser also limits PostHog. Blocking cookies may affect how well parts of the Site work, though the Site remains fully usable without them.

If we begin using additional tracking technologies, including any that require opt-in consent under applicable law (such as the EU ePrivacy Directive/GDPR), we will update this Policy and implement the consent mechanism required by law before doing so.

7. Sharing & Disclosure

We do not sell personal information, and we do not share personal information with third parties for cross-context behavioral advertising.

We disclose personal information only:

  • To service providers who process it on our behalf and under our instructions, namely: Google (Google Analytics, for Site analytics), PostHog, Inc. (product analytics for the Site), and Amazon Web Services (for hosting the infrastructure described in Section 8 — including the customer relationship management system where newsletter, contact-form, and AI Readiness Check submissions are stored, and Amazon Simple Email Service, which delivers your AI Readiness Check report).
  • Where required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of XataTech, our users, or others.
  • In connection with a merger, acquisition, financing, or sale of business assets, subject to confidentiality protections and, where required by law, notice to affected individuals.
  • With your consent, or at your direction.

8. International Data Transfers

All infrastructure and resources built and operated by Xata Technologies OPC — including this Site, our content management system, and our customer relationship management system — reside in the United States (AWS "us-east-1" region), regardless of where you access the Site from. This means your information is transferred to, and processed in, the United States and is subject to US law, which may differ from the data protection laws of your home jurisdiction.

For visitors in the European Economic Area, United Kingdom, or Switzerland, we rely on your consent and/or our legitimate interests, together with contractual and technical safeguards with our service providers, as the basis for this transfer. For visitors in the Philippines, Australia, and elsewhere, we take reasonable organizational, contractual, and technical measures designed to protect personal information consistent with the standard set out in this Policy, wherever it is processed.

9. Data Retention

We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Newsletter, contact-form, and AI Readiness Check records are retained until you unsubscribe or request deletion; correspondence is retained per our general business record-keeping practices; GA4 and PostHog data are retained per each provider's default retention settings for our account. When personal information is no longer needed, we take reasonable steps to delete, de-identify, or anonymize it.

10. Your Rights by Region

Philippines — Data Privacy Act of 2012

If you are in the Philippines, you have the right to: be informed that your personal information will be processed; access your personal information; object to its processing; request correction or rectification; request erasure or blocking, where the information is incomplete, outdated, false, unlawfully obtained, or used for unauthorized purposes; data portability; and to be indemnified for damages from inaccurate, incomplete, or unauthorized processing. You may file a complaint with the National Privacy Commission (NPC) at privacy.gov.ph if you believe your rights under the DPA have been violated.

European Economic Area, UK & Switzerland — GDPR

If you are located in the EEA, UK, or Switzerland, you have the right to: access your personal data; request rectification or erasure; restrict or object to processing; request data portability; and withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You also have the right to lodge a complaint with your local data protection supervisory authority.

United States — CCPA/CPRA and other state privacy laws

If you are a California resident, or a resident of another US state with a comprehensive privacy law, you have the right to: know what personal information we have collected about you and why; request deletion of your personal information; request correction of inaccurate personal information; and opt out of the "sale" or "sharing" of personal information — a right that is already satisfied, because we do not sell or share personal information as those terms are defined under the CCPA/CPRA. We will not discriminate against you for exercising any of these rights.

Australia — Privacy Act 1988 (Cth)

If you are in Australia, you have the right, under the Australian Privacy Principles, to access personal information we hold about you and to request correction of that information. If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

These regional rights are provided for clarity and do not limit the rights available to any individual under the laws that actually apply to them.

11. How to Exercise Your Rights

To exercise any of the rights described in Section 10, email privacy@xatatech.com with your request and enough information for us to verify your identity and locate your records (for example, the email address you used to subscribe). We will respond within a reasonable period, and in any event no later than thirty (30) days, except where applicable law permits a longer period or requires a shorter one. We may decline a request, in whole or in part, to the extent permitted by applicable law — for example, where the request is manifestly unfounded, excessive, or would infringe the rights of others.

12. Children's Privacy

The Site is intended for business audiences and is not directed at, and we do not knowingly collect personal information from, children under the age of 16. If we learn that we have inadvertently collected personal information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, contact privacy@xatatech.com.

13. Security

We implement reasonable technical and organizational measures designed to protect personal information from unauthorized access, use, alteration, or disclosure, including access controls and secure hosting infrastructure. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. You share information with us at your own risk, and we are not liable for matters outside our reasonable control, including unauthorized access resulting from circumstances beyond our reasonable control.

14. Automated Decision-Making

We do not currently use your personal information to make any decision that produces legal effects concerning you or similarly significantly affects you through solely automated means. If this changes, we will update this Policy accordingly.

15. Changes to This Policy

We may update this Policy from time to time, in our sole discretion, to reflect changes in our practices, our services, or applicable law. The Effective Date above reflects the date of the latest revision. Where a change is material, we will post a notice on this page. Your continued use of the Site after a revised Policy is posted constitutes your acknowledgment of the update.

16. Governing Law & Venue

This Policy, and any dispute arising out of or relating to it or to our processing of personal information, is governed by the laws of the Republic of the Philippines, without regard to conflict-of-law principles. You agree that the courts of Taguig City, Metro Manila, Philippines shall have exclusive jurisdiction and venue over any such dispute, without prejudice to any mandatory rights you may have to bring a claim in your local courts or before your local data protection authority under applicable law.

17. Contact Us

Questions about this Policy or how we handle personal information can be sent to:

Xata Technologies OPC
Unit 2116-17 21F, Park Triangle Corporate Plaza, BGC, Taguig City, NCR, Philippines 1635
privacy@xatatech.com