These Data Privacy Terms (“DPT”) apply when X3 Digital (“Company”, “X3 Digital”, “we”) processes Personal Data on behalf of a customer (“Client”) in connection with services provided under an applicable agreement and/or statement of work (“Agreement”).
1. Definitions
- Personal Data: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with an individual, as defined under applicable privacy law.
- Process/Processing: any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
- Applicable Privacy Laws: laws governing privacy/data protection that apply to the Parties (e.g., CCPA/CPRA, GDPR, U.S. state privacy laws, etc.).
2. Roles of the Parties
- Client is the controller/business (as applicable) of Client Personal Data.
- Company is a processor/service provider (as applicable) when processing Client Personal Data on Client’s documented instructions.
3. Scope of Processing
a. Subject Matter / Nature / Purpose
Company may process Personal Data as necessary to perform the Services, including: account administration, website and analytics support, marketing/advertising services (when applicable), reporting and optimization, troubleshooting, and quality assurance.
b. Categories of Data
Typical categories may include: name, email, phone number, identifiers, online identifiers (cookie/device IDs), IP address, event/behavioral data, and related analytics/marketing data.
c. Duration
For the term of the Agreement plus any retention period required by law or reasonably necessary for legitimate business purposes (e.g., dispute resolution, security, recordkeeping).
4. Client Obligations
Client represents and warrants that:
- It has provided required notices and obtained required consents/authorizations for collection and processing of Personal Data; and
- Client instructions and the Client Personal Data shared with Company comply with Applicable Privacy Laws.
5. Company Obligations
Company will:
- Process Personal Data only on Client’s documented instructions (including as set forth in the Agreement and related SOWs);
- Maintain reasonable administrative, technical, and physical safeguards appropriate to the nature of the data and services;
- Restrict access to Personal Data to authorized personnel with confidentiality obligations; and
- Not “sell” or “share” Personal Data (as defined by certain privacy laws) except as permitted to provide the Services.
6. Subprocessors
Company may engage subcontractors/subprocessors to support the Services. Company will require them to maintain data protection obligations reasonably consistent with these DPT. Upon written request, Company will provide a general description of subprocessors used for Client’s Services, where available and appropriate.
7. Security Incidents and Breach Notice
Company will notify Client without undue delay after becoming aware of a confirmed Security Incident involving Client Personal Data, and will reasonably cooperate with Client’s investigation and remediation efforts. Notification timing may depend on information availability and law enforcement or legal restrictions.
8. Data Subject Requests
If Company receives a request directly from an individual to exercise privacy rights relating to Client Personal Data, Company will direct the requester to Client unless legally prohibited, and will reasonably assist Client as needed.
9. International Transfers
Where required, the Parties will implement appropriate transfer mechanisms (e.g., SCCs) to support lawful international transfers.
10. Data Return/Deletion
Upon termination of Services and upon Client request (where applicable), Company will delete or return Client Personal Data in Company’s possession, subject to legal, regulatory, and reasonable backup/archival retention requirements.
11. Limitation
These DPT do not apply to data Company processes as an independent controller (e.g., Company HR/applicant data, Company website visitor data not provided by Client).
Last Updated: January 1, 2026
