CxOPack
Legal · Last updated 20 April 2026

Privacy Policy

We collect as little data as possible, use it only to run the service, and give you full control under GDPR. This page explains exactly what, how, and with whom.

1. Data Controller

The data controller is Abdeldjalil Sichaib, operating CxOPack as a sole proprietor based in France. Contact: hello@cxopack.com. For security-related matters: security@cxopack.com.

2. Data we collect

We collect only data necessary to provide the service:

  • Account + billing data — email address, name (if provided), billing country, VAT identifier (if applicable). Collected at checkout through Stripe.
  • GitHub username — provided by you at checkout so we can invite you to the private kit repositories.
  • Transaction data — plan purchased, amount, date, Stripe session and subscription identifiers. Stored in our database.
  • Communication data — emails you send us, with their content, so we can reply.
  • Waitlist entries — if you join the Autopilot waitlist, we store your email address and the source of the signup.
  • Technical data — server logs (IP address, user agent, timestamps) for security and abuse prevention. Retained for 30 days.

We do not collect: payment card numbers (handled directly by Stripe), data from your installed Kits (they run locally in your AI tool), or personal content generated by your use of the Kits (such content stays on your machine).

3. Why we use it

  • To provide the service (create your order, grant repository access, send invoices).
  • To send transactional emails (welcome, renewal reminders, cancellation confirmations).
  • To send occasional product updates — only to active customers, and only with an easy one-click unsubscribe.
  • To comply with legal obligations (invoicing, tax reporting).
  • To prevent abuse and enforce the Terms of Service.

Legal basis under GDPR: contract for transactional processing, legitimate interest for security and abuse prevention, consent for non-transactional marketing emails (which you can withdraw anytime).

4. Third-party processors

We use a small number of trusted processors. Each handles specific data under their own privacy policies (linked below):

  • Stripe (Ireland / US) — payment processing, invoicing, tax calculation. Handles your billing details and card data. Policy
  • Supabase (EU region) — our database host. Stores orders, entitlements, waitlist entries. Policy
  • Resend (US) — transactional email delivery. Sends welcome emails, renewal reminders, and cancellation confirmations. Policy
  • Vercel (US) — hosts the landing page and API. Handles request logs. Policy
  • GitHub (US) — hosts private repositories and issues customer invitations. We pass only your GitHub username and organisation-level metadata. Policy

Transfers outside the EU (to the US) are governed by Standard Contractual Clauses signed with each processor.

5. Cookies and analytics

The site uses essential cookies only — for authentication state and Stripe checkout functionality. We do not currently use marketing cookies or third-party advertising trackers.

If we introduce analytics in the future (e.g. privacy-first tools like Plausible), we will update this policy and notify active customers in advance.

6. Retention

  • Account and transactional data: retained for the duration of your subscription plus 10 years after your last transaction (French accounting law).
  • Server logs: 30 days.
  • Waitlist entries: until you opt out, or up to 24 months of inactivity, whichever comes first.
  • Email communication: retained while we have an active relationship with you.

7. Your rights (GDPR)

If you are in the EU, UK, Switzerland, or any jurisdiction granting equivalent rights, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (subject to legal retention obligations).
  • Export your data in a portable format.
  • Object to processing, or restrict it.
  • Withdraw consent for non-essential processing.
  • Lodge a complaint with the CNIL (France) or your local data protection authority.

To exercise any of these rights, email hello@cxopack.com. We respond within 30 days.

8. Security

We apply reasonable technical and organisational measures to protect your data: encryption in transit (HTTPS / TLS), encryption at rest on Supabase, access control via GitHub and Supabase Auth, quarterly secrets rotation, and least-privilege access to all internal tooling.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify affected customers within 72 hours of confirmation as required by GDPR Article 33.

9. Children

CxOPack is a professional tool not intended for anyone under the age of 16. We do not knowingly collect data from minors. If you believe a minor has submitted data to us, contact hello@cxopack.com and we will delete it.

10. Changes to this policy

We may update this policy to reflect legal or operational changes. Material changes will be announced by email to active customers at least 30 days before taking effect. The current version is always available at cxopack.com/legal/privacy.

11. Contact

For any question related to this document, contact hello@cxopack.com.