Privacy Policy

Effective: June 15, 2026Last reviewed: June 15, 2026

xcelit is a startup project platform. We collect only what we need to operate accounts, match founders and builders, generate verifiable execution records, and keep the platform secure. We do not sell your personal data.

01

Who We Are

xcelit operates as a digital platform connecting startup founders, builders, and investors. We are the data controller responsible for personal data collected through xcelit's website and applications.

xcelit

Punjab, India

support@xcelit.co.in

02

Data We Collect

Account & profile data

  • Name, email address, and authentication identifiers (from GitHub or Google OAuth)
  • Profile details: bio, skills, interests, location, role type, onboarding preferences
  • Company profile: company name, logo, industry, website, founding details
  • Profile photo and any uploaded portfolio materials

Project & collaboration data

  • Project listings, descriptions, stage, and structured content
  • Team membership, roles, and task assignments within workspaces
  • Applications, cover letters, and applicant decisions
  • Comments, messages, and activity within project workspaces

Execution & integration data

  • GitHub: commit history, repository metadata, and push events (via the xcelit GitHub App)
  • Stripe / Paddle: MRR, ARR, subscription status, and revenue verification signals (when connected by founder)
  • PostHog: active users, session counts, retention rates, and product engagement metrics (when connected by founder)

Financial & billing data

  • Subscription plan, billing cycle, and payment status
  • Transaction reference IDs from PayPal and Razorpay (we do not store full card numbers)
  • Founder-submitted financial metrics: MRR, ARR, churn rate, CAC, LTV

Technical & usage data

  • IP address, device type, browser, and operating system
  • Session activity, page views, and feature usage logs
  • Error logs and performance monitoring data
  • Timestamps and audit trails for security and compliance
03

How We Use Your Data

  • Create, authenticate, and secure your account and workspace
  • Power the matching algorithm that connects founders with relevant builders (based on skills, interests, location, and activity)
  • Generate execution records from GitHub, Stripe, and PostHog data — turning activity into verifiable evidence for investors
  • Display your profile and projects to other users on the Platform
  • Process subscription payments and manage billing history
  • Send operational emails: account confirmations, security alerts, billing notifications, investor digests, and weekly project updates
  • Detect, investigate, and prevent fraud, abuse, and policy violations
  • Analyze platform-level usage to improve product quality and reliability
  • Comply with legal obligations and respond to lawful requests
04

Legal Basis for Processing

We process your data under the following legal bases:

  • Contract performance — to create and operate your account, process payments, and deliver the services you signed up for.
  • Legitimate interests — to improve the Platform, prevent abuse, ensure security, and communicate relevant platform updates, where these interests do not override your rights.
  • Consent — for optional data integrations (GitHub App, Stripe Connect, PostHog), marketing communications, and cookie-based analytics. You may withdraw consent at any time.
  • Legal obligation — to comply with applicable laws in India, including the Digital Personal Data Protection (DPDP) Act, 2023, and any other applicable data protection frameworks.
05

When Data Is Shared

We share data only in the following circumstances:

  • Within project workspaces — your profile and activity are visible to other members of workspaces you join.
  • Investor visibility — founders who publish project listings make their execution records visible to Insights subscribers. Founders control what integrations are connected.
  • Service providers — we share limited data with trusted providers: Vercel (hosting), Neon (database), Resend (email), UploadThing (file storage), Inngest (background jobs), and Arcjet (security). All providers are bound by data processing agreements.
  • Payment processors — billing data is shared with PayPal, Razorpay, Stripe, and Paddle only as needed to process transactions.
  • Legal requirements — we may disclose data to courts, regulators, or law enforcement when required by valid legal process.
  • Business transfers — in the event of a merger, acquisition, or asset sale, user data may be transferred as part of the transaction, with advance notice provided.

We do not sell, rent, or trade personal data to third parties for marketing purposes.

06

How Long We Keep Data

We retain personal data for as long as your account is active and for a reasonable period thereafter as required for legal compliance, dispute resolution, and service continuity.

  • Account data — retained while your account is active. Deleted within 30 days of account deletion request.
  • Execution records — retained while the project is active. Anonymized or deleted upon account or project deletion.
  • Billing records — retained for 7 years for financial and tax compliance purposes.
  • Security & audit logs — retained for up to 12 months for abuse prevention and legal compliance.
  • Backups — may persist for up to 90 days in encrypted backup storage before full deletion.
07

Security Controls

We implement the following controls to protect your data:

  • TLS encryption for all data in transit
  • Encrypted storage for sensitive API tokens and third-party credentials (AES-256)
  • Role-based access controls within workspaces and internal systems
  • Secure OAuth-based authentication via GitHub and Google (no passwords stored)
  • Rate limiting and bot protection via Arcjet on sensitive endpoints
  • Continuous monitoring and error alerting via our monitoring service
  • Database hosted on Neon with automated backups and point-in-time recovery
  • Payment card data is never stored — handled entirely by PCI-compliant processors

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to support@xcelit.co.in.

08

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data. Most profile data can be updated directly in account settings.
  • Deletion — request deletion of your account and personal data. Initiate this via account settings or email us.
  • Data portability — request an export of your personal data in a machine-readable format.
  • Withdraw consent — revoke consent for optional integrations or marketing communications at any time.
  • Object to processing — object to processing based on legitimate interests where your situation warrants it.
  • Restrict processing — ask us to temporarily restrict processing while a dispute is resolved.

To exercise any of these rights, email support@xcelit.co.in. We will respond within 30 days. We may verify your identity before fulfilling the request.

09

Cookies & Analytics

xcelit uses the following types of cookies and tracking technologies:

  • Session cookies — required for authentication and maintaining your login state. Cannot be disabled without breaking core functionality.
  • Security cookies — used to detect and prevent CSRF attacks and unauthorized access.
  • Analytics (PostHog) — used to understand how the Platform is used at an aggregate level (page views, feature engagement, session duration). PostHog is configured in a privacy-respecting mode. You can opt out via browser settings or a Do Not Track signal.

We do not use third-party advertising cookies or share browsing data with ad networks.

10

Children

xcelit is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that data has been submitted by a user under 16 without verifiable parental consent, we will delete that data promptly. If you believe a child has registered without consent, contact us at support@xcelit.co.in.

11

International Transfers

xcelit is operated from India. Our infrastructure providers (Vercel, Neon, Resend, Inngest, UploadThing) may process data in the United States or other jurisdictions. Where data is transferred internationally, we rely on the data protection provisions in our agreements with those providers and applicable cross-border transfer frameworks. By using xcelit, you acknowledge that your data may be processed outside your country of residence.

12

Policy Updates

We may update this Privacy Policy as the Platform evolves or legal requirements change. Material changes — such as new data types collected or significant changes to how data is used or shared — will be communicated via in-product notification or email at least 14 days before taking effect. The effective date at the top of this page reflects when the current version was last revised.

13

Contact & Complaints

For privacy questions, data requests, or concerns, contact us at:

xcelit — Privacy

Punjab, India

support@xcelit.co.in

We aim to respond within 30 days.

If you are unhappy with how we handle your request, you have the right to raise a complaint with the relevant data protection authority in your jurisdiction. In India, this is the Data Protection Board of India under the DPDP Act, 2023.