Privacy Policy
Last updated: April 18, 2026 | Effective date: April 18, 2026
This Privacy Policy describes how Xania Media collects, uses, processes, shares, retains, and protects personal data of visitors and customers of the website xaniacode.com. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Xania Media (ETS — sole proprietorship)
29 Rue du Général Fleury
7700 Mouscron, Belgium
VAT / Enterprise number: BE0875444103
Email: legal@xaniacode.com
Phone: +32 488 03 76 04
For all questions, requests, or complaints regarding this Privacy Policy or your personal data, please contact us at: legal@xaniacode.com.
We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under Article 37 GDPR. However, all data protection matters are handled directly by Xania Media via the contact details above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information (when you register an account)
- Full name (display name)
- Email address
- Password (stored as a one-way bcrypt hash; we never see your plain-text password)
- Account creation date
2.2 Billing Information (when you complete your billing profile or place an order)
- Billing type (individual or company)
- For companies: company name, VAT number, VAT validation status
- First name and last name
- Full billing address (street, city, postcode, state/region, country)
- Phone number (optional)
- Email address (used for invoicing)
2.3 Order and Transaction Data
- Order number, date, and amount
- Products purchased
- Payment method (e.g., card brand and last 4 digits — supplied to us by Stripe; we do NOT see or store your full card number)
- Invoice details
- License keys generated for purchased products
2.4 Support Data (when you contact us or open a support ticket)
- Ticket subject and message content
- Attached files
- Conversation history with our support team
2.5 Product Usage Data (limited)
- License activations: domains where you have activated a purchased license, IP address at activation, and timestamps of activation and last verification (used solely for license enforcement and anti-piracy purposes)
2.6 Technical Data (collected automatically when you visit the Website)
- IP address
- Browser type and version
- Operating system
- Pages visited and timestamps
- Referring URL
2.7 Communications
- Emails or messages you send to us
- Email delivery / open status (limited to transactional emails such as order confirmation, license expiration reminders, and review requests)
2.8 Two-Factor Authentication Data (only if you enable 2FA)
- Encrypted TOTP secret OR email-based one-time codes
- Recovery codes (stored as one-way hashes)
We do not knowingly collect any special categories of personal data ("sensitive data") such as racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, or sexual orientation. You should not submit any such data through the Website.
3. Legal Basis and Purposes of Processing
We process your personal data on the following legal bases under Article 6 GDPR:
3.1 Performance of a Contract (Art. 6(1)(b) GDPR)
- To create and manage your account
- To process and fulfil your orders
- To deliver digital products and license keys
- To provide customer support
- To enforce license terms (activation tracking)
3.2 Legal Obligation (Art. 6(1)(c) GDPR)
- To issue invoices and maintain accounting records as required by Belgian tax law
- To respond to legitimate requests from public authorities
- To validate VAT numbers via the EU VIES system, where applicable
3.3 Legitimate Interests (Art. 6(1)(f) GDPR)
- To prevent fraud, abuse, and unauthorised access to our services
- To improve and secure the Website and Products
- To detect and block malicious activity (e.g., bot submissions, brute force attempts)
- To send transactional notifications (order confirmation, license expiry, support replies, post-purchase review requests) — you may opt out at any time
- To enforce our Terms of Service and protect our legal rights
3.4 Consent (Art. 6(1)(a) GDPR)
- For any optional processing that requires consent, such as subscribing to a newsletter (where applicable)
- You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal
4. Who We Share Your Data With
We do not sell, rent, or trade your personal data to any third party. We share your personal data only with the following categories of recipients, strictly to the extent necessary for the purposes set out in this Policy:
4.1 Payment Processor — Stripe
All payments are processed by Stripe Payments Europe Ltd., headquartered at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. When you make a payment, the following data is shared with Stripe to enable the transaction:
- Your name and email
- Your billing address
- Your payment card information (entered directly on Stripe's hosted checkout — we never receive or store the full card number)
- The order amount and currency
Stripe acts as an independent data controller for the payment processing itself. See Stripe's Privacy Policy: https://stripe.com/en-be/privacy
4.2 Email Delivery — Own SMTP Server
Transactional emails (order confirmations, license keys, support replies, password resets, etc.) are sent through our own SMTP server hosted at mail.xaniacode.com. No third-party email delivery service is used.
4.3 Hosting Provider
The Website and its database are hosted on a managed server. The hosting provider has technical access to the server but is contractually bound by data processing obligations and does not access your personal data for any other purpose. Server backups are stored on the same hosting infrastructure.
4.4 EU VIES (VAT Validation)
When you enter a VAT number on your billing profile and request validation, the country code and VAT number are submitted to the EU VIES SOAP service operated by the European Commission for the sole purpose of confirming that the VAT number is valid and obtaining the associated company name and address.
4.5 Professional Advisors and Authorities
We may disclose personal data to our accountants, legal advisors, auditors, or insurers, where necessary for the management of our business, and to public authorities, courts, or regulators where required by law (e.g., tax inspections, court orders, criminal investigations).
5. International Data Transfers
5.1 Our Website and primary infrastructure are located within the European Economic Area (EEA).
5.2 Where any of the third-party recipients listed in Section 4 process data outside the EEA (in particular Stripe, which may process data in the United States), they do so under appropriate safeguards as required by Articles 44–49 GDPR, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Adequacy decisions, where applicable;
- Binding corporate rules.
You may request a copy of the relevant safeguards by contacting us at legal@xaniacode.com.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
| Category | Retention Period |
|---|---|
| Order, invoice, and accounting data | 7 years from the end of the relevant accounting year (Belgian tax law) |
| Account data (active accounts) | For the duration of the account, plus 7 years for any data linked to invoices |
| Account data (inactive accounts with no orders) | 3 years from the last login, then deleted or anonymised |
| License activation logs | For the duration of the license, plus 1 year |
| Support tickets | 3 years from the last reply, then archived or deleted |
| Server access logs (technical) | Up to 90 days |
| Two-factor authentication data | For as long as 2FA is enabled, deleted immediately if 2FA is disabled |
| Marketing-related personal data | Until the user unsubscribes or withdraws consent |
After the applicable retention period, your personal data will be securely deleted or irreversibly anonymised, unless we are required by law to retain it longer.
7. Your Rights Under the GDPR
Subject to applicable law and any legal exceptions, you have the following rights regarding your personal data:
7.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data, and to receive a copy of that data.
7.2 Right to Rectification (Art. 16 GDPR)
You have the right to have inaccurate or incomplete personal data corrected. You can update most of your account and billing information directly from your dashboard.
7.3 Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)
You have the right to request the deletion of your personal data, subject to our legal obligations to retain certain data (e.g., invoices must be retained for 7 years under Belgian tax law).
7.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request that we restrict the processing of your data in certain circumstances.
7.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller, where processing is based on consent or on a contract.
7.6 Right to Object (Art. 21 GDPR)
You have the right to object to the processing of your personal data based on legitimate interests, including profiling, where applicable.
7.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
7.8 Right Not to Be Subject to Automated Decisions (Art. 22 GDPR)
We do not engage in automated decision-making (including profiling) that produces legal effects on you or significantly affects you.
How to exercise your rights: Send a written request to legal@xaniacode.com from the email address associated with your account. We may need to verify your identity before acting on your request. We will respond within one (1) month of receiving your request, in accordance with Article 12(3) GDPR. This period may be extended by up to two (2) months for complex requests, in which case we will inform you within the first month.
7.9 Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority in Belgium:
Belgian Data Protection Authority
(Autorité de protection des données / Gegevensbeschermingsautoriteit)
Rue de la Presse 35, 1000 Brussels, Belgium
Tel: +32 (0)2 274 48 00
Email: contact@apd-gba.be
Website: https://www.dataprotectionauthority.be
Or with the supervisory authority in your country of habitual residence.
8. Cookies and Tracking Technologies
8.1 The Website uses only essential (strictly necessary) cookies, which are required for the basic operation of the Website and do not require your consent under Article 5(3) of the ePrivacy Directive.
8.2 The essential cookies we use are:
| Cookie name | Purpose | Lifetime |
|---|---|---|
| XSRF-TOKEN / laravel_session | Cross-Site Request Forgery protection and user session management (required for login, checkout, and any form submission) | Session |
| xc-theme (localStorage) | Stores your light / dark mode preference. Stored only in your browser; never sent to our server. | Persistent |
| xc-coupon-banner-dismissed (localStorage) | Remembers that you have dismissed the optional discount banner. Stored only in your browser. | Persistent |
8.3 We do not use:
- Google Analytics or any other web analytics service
- Advertising or marketing cookies
- Third-party tracking pixels (Facebook Pixel, etc.)
- Behavioural profiling
- Heatmap or session-replay tools
8.4 Because we do not use any non-essential cookies, no cookie consent banner is required under EU law.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
- HTTPS / TLS encryption for all data in transit
- Bcrypt hashing of passwords (we never store plain-text passwords)
- Encrypted storage of sensitive credentials (e.g., 2FA secrets, SMTP passwords) using Laravel's encrypted casts
- Cross-Site Request Forgery (CSRF) protection on all forms
- Server-side input validation and sanitisation
- Restricted access to production systems, limited to authorised personnel only
- Regular security updates of the framework, dependencies, and server operating system
- Optional two-factor authentication (TOTP or email OTP) available to all users
- Restricted file permissions on configuration files and uploaded content
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Belgian Data Protection Authority within 72 hours of becoming aware of it, in accordance with Articles 33 and 34 GDPR.
10. Children's Privacy
The Website and our services are intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal data from minors. If you believe that we have inadvertently collected personal data from a minor, please contact us at legal@xaniacode.com and we will delete the data without delay.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. The updated version will be posted on this page with a revised "Last updated" date. For material changes, we will make reasonable efforts to notify registered users by email.
You are encouraged to review this Privacy Policy periodically.
12. Contact
For any question, request, or complaint regarding this Privacy Policy or your personal data, please contact us at:
Xania Media (ETS)
29 Rue du Général Fleury
7700 Mouscron, Belgium
VAT / Enterprise number: BE0875444103
Email: legal@xaniacode.com
Phone: +32 488 03 76 04
We will respond to all reasonable requests within one (1) month, in accordance with Article 12(3) GDPR.