Privacy Policy

Last updated: 29 April 2026

1. Who we are

This privacy notice describes how MOMENTUM TECHNOLOGY ARENA SRL (“Xygnius”, “we”, “us”) processes personal data in connection with the Xygnius SEO and AI-visibility platform available at xygnius.com and its subdomains (the “Service”).

Controller details.

  • Registered name: MOMENTUM TECHNOLOGY ARENA SRL
  • Registered office: Strada Caius Marcius Coriolan 29, București, Romania
  • Trade Register / Company number: ROONRC.J2022011320401
  • VAT / CUI: 46304415
  • Privacy contact: [email protected]

For requests under the EU General Data Protection Regulation (“GDPR”) or the Romanian Law no. 190/2018, contact the privacy address above. We respond within one month of receipt and may extend by up to two further months for complex requests (Art. 12(3) GDPR).

2. Personal data we process

We process the following categories of personal data:

  • Account data — name, email address, hashed password, profile picture (when supplied via Google OAuth), preferred language and theme.
  • Billing data — subscription tier, billing cycle, invoice history, and the last four digits of the payment method. Full card numbers never reach our servers; they are handled directly by Stripe.
  • Service usage data — content you generate (blog posts, audits, keyword runs, ad creatives, AI-visibility checks), the URLs and brands you analyse, uploaded product files, custom prompts, and configuration choices.
  • Technical data — IP address (truncated for analytics), user-agent, browser language, page-view timestamps, device type, and pseudonymous session identifiers.
  • Diagnostic data — error stack traces and breadcrumbs captured by our error-monitoring tool when something fails. We strip authentication tokens and passwords before transmission, but stack traces may incidentally contain request metadata.
  • Third-party-platform data you connect — when you connect Google Analytics, Google Search Console, or Google Merchant Center, we receive an OAuth refresh token and the property data you authorise. We use it solely to render the connected dashboards inside your account; we do not retain Google content beyond the cache windows necessary for the feature to work.
  • Communications — emails you send to support and the contact form submissions you make on the public site.
  • Consent records — the choices you make in the cookie consent banner, together with the timestamp, the consent-policy version in force at the time, your truncated IP prefix (the first three octets of an IPv4 address or the first 48 bits of an IPv6 address), and a truncated User-Agent string. We keep this record so we can demonstrate, if asked, that consent was given (Art. 7(1) GDPR — controller’s burden of proof).

We do not knowingly collect special categories of personal data (Art. 9 GDPR — health, religion, biometric data, etc.). Do not submit such data through the Service.

3. Why we process it (lawful bases under Art. 6 GDPR)

We rely on different lawful bases depending on the activity:

  • Performance of a contract (Art. 6(1)(b)). Creating and maintaining your account, providing access to the tools you have subscribed to, processing payments, sending service-related notifications, and responding to support requests.
  • Legitimate interests (Art. 6(1)(f)). Securing the Service against abuse and fraud (rate limiting, ban enforcement, audit logging), preventing duplicate accounts, billing reconciliation, and measuring aggregate feature usage with strictly-necessary tooling. Our legitimate-interests assessments are available on request.
  • Consent (Art. 6(1)(a)). Optional analytics cookies, optional marketing cookies, and any future direct-marketing emails. You may withdraw consent at any time via the cookie preferences dialog or by emailing the privacy contact above. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)). Tax and accounting record retention, and responding to lawful requests from competent authorities.

4. Sub-processors and recipients

We do not sell personal data. We share it only with vetted sub-processors that act on our written instructions under an Article 28 GDPR data-processing agreement (DPA):

| Processor | Purpose | Region | Transfer mechanism |
| --- | --- | --- | --- |
| Stripe Payments Europe, Ltd. | Subscription billing & payment processing | EU (IE) → US | SCCs + DPA |
| Vultr Holdings, LLC | VPS hosting & persistent storage | EU (region of choice) | SCCs + DPA |
| Cloudflare, Inc. | DNS, DDoS protection, edge caching | Global edge | SCCs + DPA |
| Resend, Inc. | Transactional email delivery | US | SCCs + DPA |
| Sentry (Functional Software, Inc.) | Error and performance monitoring | US (EU residency available on request) | SCCs + DPA |
| PostHog, Inc. | Product analytics — only if “Analytics” cookie consent is given | US (EU residency available) | SCCs + DPA, opt-in only |
| OpenRouter (OpenRouter LLC) | AI-model API gateway — relays prompts to selected LLM providers (e.g. Anthropic, Google) for content generation, audits, and AI-visibility checks | US | SCCs; LLM providers operate under their own zero-retention API terms |
| fal.ai | AI image generation (Quick Ad creative pipeline) | US | SCCs |
| DataForSEO | Keyword and SERP data lookups | US | SCCs |
| Google LLC (OAuth, GA4, Search Console, Merchant Center) | Authentication and OAuth-connected reporting integrations — only if you connect them | US | SCCs + DPA |

Where a sub-processor is located outside the European Economic Area, transfers are covered by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), supplementary technical measures (encryption in transit and at rest), and the corresponding processor's DPA. We can supply the relevant transfer-impact assessment summaries on written request.

AI providers and your prompts. Content you submit to AI-powered features (blog generator, AI visibility checks, schema generator, brand voice extraction, etc.) is forwarded through OpenRouter to the model provider you or the platform have selected. We use models that operate under zero-retention API agreements, meaning the provider does not train its models on your inputs. We do not log full prompt bodies on our side beyond what is needed to render the result in your account.

5. Cookies and similar technologies

We use a small number of cookies and equivalent storage technologies. The full list, their purposes, retention, and provider is in our Cookie Policy. You can change your choices at any time via the “Manage cookies” link in the footer or under Settings.

6. International transfers

Our primary infrastructure is hosted in the European Economic Area. Some sub-processors listed in §4 are based in the United States or operate global edge networks. For those transfers, we rely on:

  • The European Commission's adequacy decisions where applicable;
  • The 2021 Standard Contractual Clauses (Module Two: Controller-to-Processor);
  • Technical safeguards including TLS 1.2+ in transit and AES-256 at rest;
  • Organisational safeguards including least-privilege access, audited DPAs, and breach-notification clauses.

7. Retention

We keep personal data only for as long as we need it for the purpose it was collected, or as required by law:

  • Account & profile data — for the lifetime of your account, plus 30 days after deletion to allow recovery from accidental deletion.
  • Generated content — for the lifetime of your account, unless you delete the item earlier.
  • Billing records — 10 years (Romanian Accounting Law no. 82/1991).
  • Server logs — 30 days rolling, then aggregated or deleted.
  • Diagnostic / error data — 90 days in Sentry, then auto-purged.
  • Backups — encrypted nightly snapshots retained for 30 days, then overwritten.
  • Marketing-consent records — until consent is withdrawn or 24 months after the last interaction, whichever comes first.
  • Cookie consent log — 3 years from the most recent entry per visitor, then automatically purged. Retained under our legitimate interest in defending against complaints (Art. 6(1)(f) + Art. 7(1)).

8. Your rights

Under the GDPR you can exercise the following rights free of charge, once per reasonable period:

  • Access (Art. 15) — receive a copy of the data we hold about you;
  • Rectification (Art. 16) — correct inaccurate or incomplete data;
  • Erasure (Art. 17, “right to be forgotten”) — delete your account and personal data, subject to retention obligations under Romanian accounting and tax law;
  • Restriction (Art. 18) — pause processing while a dispute is resolved;
  • Portability (Art. 20) — receive your data in a structured, machine-readable format;
  • Objection (Art. 21) — object to processing based on legitimate interests;
  • Withdraw consent (Art. 7(3)) — at any time, with no effect on processing already carried out;
  • Lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) at dataprotection.ro or your local supervisory authority in another EU member state.

To exercise any right, email [email protected]. We may need to verify your identity before responding.

9. Automated decision-making and AI

We do not use personal data to make decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. AI-generated outputs (blog drafts, audit recommendations, ad copy, visibility scores, etc.) are advisory tools for you — they do not determine access to credit, employment, or essential services.

AI outputs may be inaccurate, biased, or incomplete. Always review them before publishing or relying on them in business decisions. See §8 of our Terms of Service for the full disclaimer.

10. Security

We apply technical and organisational safeguards proportionate to the risk:

  • HTTPS-only transport with HSTS preload;
  • HTTP-only, secure session cookies signed by a rotating server-side secret;
  • Bcrypt-hashed passwords (no plaintext storage);
  • Per-route rate limiting with Cloudflare client-IP keying;
  • Least-privilege database access from application processes;
  • Encrypted backups with offsite copies;
  • Continuous error and performance monitoring;
  • Periodic security audits across the codebase covering authentication, input validation, SSRF, prompt-injection, and resource-exhaustion paths.

Despite these measures, no service can be guaranteed entirely secure. We will notify affected users and the relevant supervisory authority without undue delay if a personal-data breach is likely to result in a risk to their rights and freedoms (Art. 33–34 GDPR).

11. Children

The Service is intended for business users and is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a child has registered for an account, contact us and we will delete the data.

12. Changes to this policy

We may update this notice when our processing changes or the law requires it. Material changes will be notified by email and surfaced in-app at least 14 days before they take effect. The “last updated” date at the top of the page always reflects the current version.

13. Contact

Questions, requests, or complaints under this notice: [email protected]. Postal correspondence: MOMENTUM TECHNOLOGY ARENA SRL, Strada Caius Marcius Coriolan 29, București, Romania.