Privacy Policy
xcelit is a startup project platform. We collect only what we need to operate accounts, match founders and builders, generate verifiable execution records, and keep the platform secure. We do not sell your personal data.
Who We Are
xcelit operates as a digital platform connecting startup founders, builders, and investors. We are the data controller responsible for personal data collected through xcelit's website and applications.
Data We Collect
Account & profile data
- Name, email address, and authentication identifiers (from GitHub or Google OAuth)
- Profile details: bio, skills, interests, location, role type, onboarding preferences
- Company profile: company name, logo, industry, website, founding details
- Profile photo and any uploaded portfolio materials
Project & collaboration data
- Project listings, descriptions, stage, and structured content
- Team membership, roles, and task assignments within workspaces
- Applications, cover letters, and applicant decisions
- Comments, messages, and activity within project workspaces
Execution & integration data
- GitHub: commit history, repository metadata, and push events (via the xcelit GitHub App)
- Stripe / Paddle: MRR, ARR, subscription status, and revenue verification signals (when connected by founder)
- PostHog: active users, session counts, retention rates, and product engagement metrics (when connected by founder)
Financial & billing data
- Subscription plan, billing cycle, and payment status
- Transaction reference IDs from PayPal and Razorpay (we do not store full card numbers)
- Founder-submitted financial metrics: MRR, ARR, churn rate, CAC, LTV
Technical & usage data
- IP address, device type, browser, and operating system
- Session activity, page views, and feature usage logs
- Error logs and performance monitoring data
- Timestamps and audit trails for security and compliance
How We Use Your Data
- Create, authenticate, and secure your account and workspace
- Power the matching algorithm that connects founders with relevant builders (based on skills, interests, location, and activity)
- Generate execution records from GitHub, Stripe, and PostHog data — turning activity into verifiable evidence for investors
- Display your profile and projects to other users on the Platform
- Process subscription payments and manage billing history
- Send operational emails: account confirmations, security alerts, billing notifications, investor digests, and weekly project updates
- Detect, investigate, and prevent fraud, abuse, and policy violations
- Analyze platform-level usage to improve product quality and reliability
- Comply with legal obligations and respond to lawful requests
Legal Basis for Processing
We process your data under the following legal bases:
- Contract performance — to create and operate your account, process payments, and deliver the services you signed up for.
- Legitimate interests — to improve the Platform, prevent abuse, ensure security, and communicate relevant platform updates, where these interests do not override your rights.
- Consent — for optional data integrations (GitHub App, Stripe Connect, PostHog), marketing communications, and cookie-based analytics. You may withdraw consent at any time.
- Legal obligation — to comply with applicable laws in India, including the Digital Personal Data Protection (DPDP) Act, 2023, and any other applicable data protection frameworks.
How Long We Keep Data
We retain personal data for as long as your account is active and for a reasonable period thereafter as required for legal compliance, dispute resolution, and service continuity.
- Account data — retained while your account is active. Deleted within 30 days of account deletion request.
- Execution records — retained while the project is active. Anonymized or deleted upon account or project deletion.
- Billing records — retained for 7 years for financial and tax compliance purposes.
- Security & audit logs — retained for up to 12 months for abuse prevention and legal compliance.
- Backups — may persist for up to 90 days in encrypted backup storage before full deletion.
Security Controls
We implement the following controls to protect your data:
- TLS encryption for all data in transit
- Encrypted storage for sensitive API tokens and third-party credentials (AES-256)
- Role-based access controls within workspaces and internal systems
- Secure OAuth-based authentication via GitHub and Google (no passwords stored)
- Rate limiting and bot protection via Arcjet on sensitive endpoints
- Continuous monitoring and error alerting via our monitoring service
- Database hosted on Neon with automated backups and point-in-time recovery
- Payment card data is never stored — handled entirely by PCI-compliant processors
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to support@xcelit.co.in.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data. Most profile data can be updated directly in account settings.
- Deletion — request deletion of your account and personal data. Initiate this via account settings or email us.
- Data portability — request an export of your personal data in a machine-readable format.
- Withdraw consent — revoke consent for optional integrations or marketing communications at any time.
- Object to processing — object to processing based on legitimate interests where your situation warrants it.
- Restrict processing — ask us to temporarily restrict processing while a dispute is resolved.
To exercise any of these rights, email support@xcelit.co.in. We will respond within 30 days. We may verify your identity before fulfilling the request.
Children
xcelit is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that data has been submitted by a user under 16 without verifiable parental consent, we will delete that data promptly. If you believe a child has registered without consent, contact us at support@xcelit.co.in.
International Transfers
xcelit is operated from India. Our infrastructure providers (Vercel, Neon, Resend, Inngest, UploadThing) may process data in the United States or other jurisdictions. Where data is transferred internationally, we rely on the data protection provisions in our agreements with those providers and applicable cross-border transfer frameworks. By using xcelit, you acknowledge that your data may be processed outside your country of residence.
Policy Updates
We may update this Privacy Policy as the Platform evolves or legal requirements change. Material changes — such as new data types collected or significant changes to how data is used or shared — will be communicated via in-product notification or email at least 14 days before taking effect. The effective date at the top of this page reflects when the current version was last revised.
Contact & Complaints
For privacy questions, data requests, or concerns, contact us at:
If you are unhappy with how we handle your request, you have the right to raise a complaint with the relevant data protection authority in your jurisdiction. In India, this is the Data Protection Board of India under the DPDP Act, 2023.