Privacy policy

Your privacy is important to us. This Privacy Policy (“Policy”) explains how we handle and treat your data when you (i) register or visit our sites as listed in Annex 1 or associated sites or pages ("Site"), (ii) use the devices purchased from us (“Device”), (iii) use the application we make available on our Site or third party platform ("Application"), or (iv) engage with us to use the products or services that we provide (together with “Site”, “Device”, and “Application”, the "Service").

References in this policy to “you” or “your” refer to individuals whose Personal Data we process in connection with the Service provided by us.

References in this policy to "xTool", "we", "us", or "our" refer to XTL US INC., its affiliates and subsidiaries (as defined in and listed in schedule 1 of our Terms of Use).

1. PURPOSE OF THIS POLICY

This Privacy Policy ("Privacy Policy") explains our approach to any personal data that we collect from you and the purposes for which we process your Personal Data. It also sets out your rights in respect of our processing of your Personal Data.

This Privacy Policy will inform you of the nature of your personal information that is processed by us and how you can request that we delete, update, transfer and/or provide you with access to it.

This Privacy Policy is intended to assist you in making informed decisions when using our Service. Please take a moment to read and understand it.

Please also note that this Privacy Policy only applies to the use of your personal information obtained by us.

You may also have certain rights regarding the information we collect about you. Specifically, the rights of Data Subjects under the GDPR are explained in Section 17 below. Similarly, U.S. residents in general and California Residents in particular may find information on their rights as a consumer in Section 20 below.

2. CONTROLLER FOR PERSONAL DATA PROCESSED

A "controller" is a person or organization who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. This Privacy Policy is issued on behalf of XTL US INC., its affiliates and subsidiaries as controllers. For further details on controllers in operation of the Services, please refer to the table in Annex I.

Please note we use Shopify for data storage and transfer. By engaging with our services, you acknowledge and agree to the storage and processing of your data through Shopify's systems. For more information on how your data is managed, please refer to Shopify's Privacy Policy for more details: https://www.shopify.com/zh/legal/privacy. Your use of our services signifies your consent to these terms.

3. HOW TO CONTACT US

For general enquiries, or to exercise any of the rights set out in this notice, please contact us via:

sending an email to: vicky@info.xtool.com;
calling us at +1 (970) 638-7030;
visiting our website at: https://www.xtool.com; or
our address at 16035 Arrow Hwy. Irwindale, CA 91706.

If you have any concerns or would like to make a complaint about our processing of your Personal Data, we would encourage you to contact us in the first instance as we aim to promptly, efficiently and satisfactorily resolve any concerns or complaints you may have in relation to xTool's processing of your Personal Data.

4. PERSONAL DATA WE COLLECT

Personal data includes any information relating to an identified or identifiable natural person. It does not include data that cannot be linked to an individual (anonymous data). In limited circumstances, we collect special categories of Personal Data about you. Please see below in Section 4 (PERSONAL DATA WE COLLECT ABOUT YOU) for details of these circumstances and Section 7 (HOW DO WE USE YOUR PERSONAL DATA) for further details.

We collect, use, store and transfer different kinds of Personal Data about you. We have grouped together the following categories of Personal Data to explain how this type of information is used by us. These terms are used throughout this notice (collectively as “Personal Data”):

"Identity Data": includes your name and preferred name;
"Contact Data": includes your mailing address (county, city, district, street, detailed address and postcode), email address and telephone number;
"Financial Data" *: includes your bank account and payment card details, billing address, payment method, and invoice / payment records. Please note that we use third-party payment providers, including Shop Pay, Stripe, Affirm, Afterpay, PayPal, and Google Pay, to process payments made to us;
"Services Data": includes details about payments* to you and other details of services you have purchased from us;
"Marketing and Communications Data": includes information on when you receive and read marketing communications from us. Additional information about the Personal Data we process in connection with marketing is included with the marketing communications we send you;
"Profile Data": includes information about you, provided by you on our Site and/or Application including your usernames and passwords, user login token, your interests, biography, profile settings, marketing and communication preferences such as your preferred language of communication and content, alert and display preferences, content type and frequency of email alerts, content that interests you (including sectors, topics and jurisdictions), registered account, date of registration and current stage of registration, account status and level of access, and information from forms you fill in including responses to surveys and feedback provided;
"Device Data": includes the Device information, such as device name and model, serial number or other identifier, activation time, operating system, hardware model and version, network connection and crash data;
"Usage Data": includes information about your use of our Service, such as information collected progressively when you visit our Site, including pages you visit, actions you take, information on the last viewed/visited site and details of the content viewed including when and how many times the content was viewed, patterns of page visits, time details per visits (e.g. visit duration, number of visits, time spent on each page, frequency of visits), details about the path followed with particular reference to the sequence of pages visited, interactions, functionalities and modules used, chat messages;
"Technical Data": includes technical information collected when you use our Service, which we have agreed with you to use, including your internet protocol (IP) address or domain names of the devices utilized, your login data, browser type and version, uniform resource identifier (URI) address, location information, browser plug-in types and versions, operating system and platform and other technology on the devices you are using;
"Special Categories of Personal Data" *: includes Personal Data listed above in this Section 4 (PERSONAL DATA WE COLLECT ABOUT YOU), which we process in limited circumstances, for example, where required to do so for legal or regulatory purposes or where you have provided us with such information as it is necessary for a specific service we are providing to you. We will process this Personal Data for the following reasons:
- We may collect, use and share aggregated data, such as statistical or demographic data for any purpose. Aggregated data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this notice.
- We may collect, use and share information from third-party authentication services or other third-party accounts you link to our services. Some of our Sites, Applications, products, or services may allow you to log in through a third-party social network or authentication service, such as Apple, Google, and Facebook. When you use these single sign-on services to access our Sites, Applications, products, or services, we do not receive your login credentials for the relevant third-party service. Instead, we receive tokens from the single sign-on service to help identify you in our system (such as by your username) and confirm you successfully authenticated with the single sign-on services. In addition to authenticating your identity, these services will, in most cases, provide you the option to share certain Personal Data with us, which could include your name, email address, address book, friend list and other contacts, or other information in your public profile (e.g., profile picture, age range, gender, language, country). The data we receive is dependent on that third party’s policies and your privacy settings on that third-party site;
- We may collect, use and share feedback and support information including the contents of custom messages sent through the forms, email addresses, photographs or videos you file, or other contact information we make available to customers, as well as recordings of calls with us (where permitted by law);
- We may collect, use and share Event, contest, promotion, and survey information including information provided when you sign up for an event, enter a contest or promotion, complete a survey or submit a testimonial;

Our Service are neither aimed at nor intended for, and we do not knowingly collect personal information from children (as defined by applicable national laws). If a minor has provided us with personal information without parental or guardian consent, don't hesitate to contact us using the contact details in Section 3.

For individuals based in mainland China: References to "special categories of Personal Data" shall be understood to refer to "sensitive personal information" (as shown with an "*" in the list of categories of Personal Data above) under Chinese laws. We only process sensitive personal information if and to the extent permitted or required by applicable laws, including after obtaining your separate consent if required. We will seek to protect such information rigorously using the security measures further described below and, therefore, your sensitive personal information should not be processed in a way that will result in negative implications to your personal rights, e.g. harm to your reputation, physical or mental health, personal or property security.

5. IF YOU FAIL TO PROVIDE PERSONAL DATA TO US

Where we need to collect Personal Data by law or under the terms of a contract we have with you, and you fail to provide the Personal Data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to decline to provide the relevant services, but we will notify you if this is the case at the time the Personal Data is collected.

6. HOW YOUR PERSONAL DATA IS COLLECTED

We use different methods to collect Personal Data from and about you, including through the channels set out below.

Direct interactions: You provide us with your Personal Data in your direct interactions with us (e.g., when you register an account with us; where you contact us via email, telephone, or by any other means; or when you provide us with your business card).
Website, application and marketing: You provide us with your Personal Data, when you interact with any third-party content or advertising on our Sites and/ or Applications (including third-party plugins, cookies, server logs, or other similar technologies) we allow the relevant third party providers to collect your Personal Data. In exchange, we receive Personal Data from the relevant third-party provider relating to your interaction with that content or advertising.
Third-party sources: We collect or obtain Personal Data from third parties who provide it to us (e.g., single sign-on providers and other authentication services you use to connect to our services, third-party providers of integrated services, your employer, other xTool’s customers, business partners, processors, and governmental or regulatory bodies or other authorities). In relation to the use of our Site, we may also receive Technical Data from analytics providers such as Google.
Publicly available sources: We may collect the content you publish, or otherwise manifestly made public about us through our Application and platforms, your social media, or any other publicly available platforms.
Automated technologies or interactions: We and our third-party partners automatically collect information you provide to us and information about how you access and use our Sites, Applications, Devices or other services when you visit our services, read our emails, or otherwise engage with us. We typically collect this information through a variety of tracking technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies (collectively, “tracking technologies”) and we may use third-party partners or technologies to collect this information. Information we collect automatically about you may be combined with other personal information we collect directly from you or receive from other sources.

7. HOW DO WE USE YOUR PERSONAL DATA

We will only process your Personal Data when the law allows us to, that is, when we have a legal basis for processing.

Subject to applicable laws, we use your Personal Data in the following circumstances:

"performance of a contract": where we need to perform a contract which we are about to enter into or have entered into with you as a party or to take steps at your request before entering into such a contract;
"legal or regulatory obligation": where we need to comply with a legal or regulatory obligation that we are subject to;
"legitimate interests": where necessary for our interests (or those of a third party), provided that your fundamental rights do not override such interests. This can mean, for instance, that it is in our interest, to monitor how you are using our Service to ensure that the security of our Site and Application is maintained. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests; and
"consent": where you have provided your consent to processing your Personal Data.

We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us using the contact details in Section 3.

With limited exceptions (for instance, in relation to some of our electronic marketing), generally we do not rely on consent as the legal basis for processing your Personal Data. When we do, you have the right to withdraw consent at any time. Please refer to Section 10 (Marketing and exercising your right to opt-out of marketing) for more information about how we use your Personal Data for marketing purposes and your rights.

8. PURPOSES AND LEGAL BASIS

We may collect personal information from you in the course of our business, including through your use of our Service. We set out below, in a table format, a description of the ways in which we use your Personal Data and the legal bases we rely on to do so. Where appropriate (and to the extent relevant under applicable law), we have also identified our legitimate interests in processing your Personal Data.

We may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your Personal Data. Please contact us if you need details about the specific legal basis we are relying on to process your Personal Data where more than one ground has been set out in Annex II.

9. CHANGE OF PURPOSE

We will only use your Personal Data for the purposes for which we collected it as detailed in Section 7 (HOW WE USE YOUR PERSONAL DATA) and Section 8 (PURPOSES AND LEGAL BASIS), unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details in Section 3.

If we need to use your Personal Data for an unrelated purpose, we will notify you, and we will explain the legal basis that allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

10. MARKETING AND EXERCISING YOUR RIGHT TO OPT OUT OF MARKETING

We will not use your Personal Data to send you marketing materials if you have requested not to receive them. If you request that we stop processing your Personal Data for marketing purposes, we will stop processing your Personal Data for those purposes. We would encourage you to make such requests by contacting us using the contact details in Section 3.

We do not share your Personal Data with any organizations outside of xTool for marketing purposes.

11. USE OF SITE

Our Site or Application may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Site, we encourage you to read the privacy notice of every website you visit.

12. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your Personal Data. It is our policy to respect your rights and we will act promptly and in accordance with any applicable law, rule or regulation relating to the processing of your Personal Data.

Details of your rights are set out below:

right to be informed about how Personal Data is used – you have a right to be informed about how we will use and share your Personal Data. This explanation will be provided to you in a concise, transparent, intelligible and easily accessible format and will be written in clear and plain language;
right to access Personal Data – you have a right to obtain confirmation of whether we are processing your Personal Data, access to your Personal Data and information regarding how your Personal Data is being used by us;
right to have inaccurate Personal Data rectified – you have a right to have any inaccurate or incomplete Personal Data rectified. If we have disclosed the relevant Personal Data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible;
right to have Personal Data erased in certain circumstances – you have a right to request that certain Personal Data held by us is erased. This is also known as the right to be forgotten. This is not a blanket right to require all Personal Data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your Personal Data;
right to restrict the processing of Personal Data in certain circumstances – you have a right to block the processing of your Personal Data in certain circumstances. This right arises if you are disputing the accuracy of Personal Data, if you have raised an objection to processing, if the processing of Personal Data is unlawful and you oppose erasure and request restriction instead or if the Personal Data is no longer required by us but you require the Personal Data to be retained to establish, exercise or defend a legal claim;
right to data portability – in certain circumstances, you can request to receive a copy of your Personal Data in a commonly used electronic format. This right only applies to Personal Data that you have provided to us (for example, by completing a form or providing information through a website). Information about you which has been gathered by monitoring your behaviour will also be subject to the right to data portability. The right to data portability only applies if the processing is based on your consent or if the Personal Data must be processed for the performance of a contract and the processing is carried out by automated means (i.e. electronically);
right to object to the processing of Personal Data in certain circumstances, including where Personal Data is used for marketing purposes – you have a right to object to processing being carried out by us if (a) we are processing Personal Data based on legitimate interests or for the performance of a task in the public interest (including profiling), (b) if we are using Personal Data for direct marketing purposes, or (c) if information is being processed for scientific or historical research or statistical purposes. You will be informed that you have a right to object at the point of data collection and the right to object will be explicitly brought to your attention and be presented clearly and separately from any other information; and
right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect – you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you.

You may exercise any of your rights using the contact details set out in Section 3. You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one calendar month (or earlier in accordance with applicable laws). Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13. SHARING OF YOUR PERSONAL DATA

xTool is a part of a corporate organization that has several legal entities (collectively, "xTool entities"), business processes, management structures, and technical systems. Any information that we collect or that you provide to us may be shared and processed by any xTool entity in order to provide the Service. We share Personal Data amongst the legal entities that make up the xTool entities, for legitimate business purposes and the operation of our Sites, Applications, products, and services for you, in accordance with applicable law. These legal entities may use your Personal Data in the manner described in this Privacy Policy.

We may have to share your Personal Data with the entities and persons set out below for the purposes for which we collected the Personal Data, as detailed in Section 7 (HOW WE USE YOUR PERSONAL DATA) and Section 8 (PURPOSES AND LEGAL BASIS).

Where required, we will (subject to applicable laws and any terms of business which we may enter into with you) disclose your Personal Data to:
- any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation, or other regulatory authority, law enforcement agency, or similar body;
- Third parties to whom we outsource certain services such as, without limitation, IT systems or software providers, IT Support service providers, and information storage providers;
- Third-party service providers to assist us with user analytics, such as Google Analytics and Shopify Analytics; and
- Please note this list is non-exhaustive and there may be other examples where we need to share with other parties in order to provide the Service as effectively as we can.
We may share your Personal Data with persons or entities outside of xTool to whom we may sell or transfer parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the part of our business that is (as the case may be) sold, acquired, or is the merged entity may use your Personal Data in the same way as set out in this policy.

We require any person or entity to whom we disclose Personal Data pursuant to this Section 13 to respect the confidentiality and security of your Personal Data and to treat it in accordance with applicable laws and regulations. We do not allow such recipients of your Personal Data to use it for their own purposes, and we only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

14. THIRD-PARTY CONTRACTORS AND OTHER CONTROLLERS

As mentioned above, we may appoint sub-contractor data processors as required to deliver the Service, such as, without limitation, IT systems or software providers, IT Support service providers, and information storage providers, who will process Personal Data on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process Personal Data appropriately and according to our legal and regulatory obligations.

Further, we may appoint external data controllers where necessary to deliver the Service. When doing so, we will comply with our legal and regulatory obligations in relation to the Personal Data, including without limitation, putting appropriate safeguards in place.

What is our legal basis?

It is necessary for us to perform our obligations in accordance with any contract that we may have with you.

It is in our legitimate interest or a third party's legitimate interest to use personal information in such a way as to ensure that we provide the Service in the best way that we can.

In some cases, the parties which we use to process Personal Data on our behalf are based outside the EEA, therefore their processing of your Personal Data will involve a transfer of such data outside the EEA.

Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

we will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission (in the case of transfers out of the EEA); and/or
where we use certain service providers, we may use specific contracts approved by the European Commission (in the case of transfers out of the EEA), in both cases which give Personal Data the same protection it has within the EEA.

For individuals based in mainland China: In due course, we will publish a list of the recipients to provide notice of the parties that can independently determine processing purposes and methods when processing your Personal Data, including their contact details and details on what, how and why such recipients process your Personal Data. Should you require such information in the meantime, please contact us using the contact details in Section 3.

15. SECURITY OF YOUR PERSONAL DATA

We are committed to keeping the Personal Data provided to us secure, and we have implemented appropriate information security policies, rules, and technical measures to protect the Personal Data that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification, and unlawful destruction or accidental loss, including:

the pseudonymization and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

We ensure that those who have permanent or regular access to Personal Data, or that are involved in the processing of Personal Data, or in the development of tools used to process Personal Data, are trained and informed of their rights and responsibilities in when processing Personal Data, and are obliged to respect the confidentiality of such personal information.

16. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for. This includes for example the purposes of satisfying any legal, regulatory, accounting, or reporting requirements, to carry out legal work, for the establishment or defense of legal claims.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you would like to know more about the retention periods we apply to your Personal Data, please contact us using the contact details in Section 3.

In some circumstances, we may anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

17. HOW TO ACCESS YOUR INFORMATION AND YOUR OTHER RIGHTS

You have the following rights in relation to the personal information we hold about you:

Your right of access

If you ask us, we'll confirm whether we're processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to rectification

If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we've shared your personal information with others, we'll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
Your right to erasure

You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we've shared your personal information with others, we'll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
Your right to restrict processing

You can ask us to 'block' or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we've shared your personal information with others, we'll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
Your right to data portability

You have the right, in certain circumstances, to obtain personal information you've provided us with (in a structured, commonly used, and machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Your right to object

You can ask us to stop processing your personal information, and we will do so if we are:
- relying on our own or someone else's legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal information for direct marketing purposes.
Your right to withdraw consent

If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the supervisory authority

If you have a concern about any aspect of our privacy practices, including the way we've handled your personal information, you can report it to the relevant supervisory authority.

Under the GDPR, you may also have the following additional rights regarding the processing of your relevant Personal Data:

1. the right to object, on grounds relating to your particular situation, to the processing of your Relevant Personal Data by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR;

2. the right to object to the processing of your relevant Personal Data by us or on our behalf for direct marketing purposes; and

3. the right to lodge complaints regarding the Processing of your Relevant Personal Data with a competent Data Protection Authority (in particular, the UK Information Commissioner’s Office, or the Data Protection Authority of the EU Member State in which you live, or in which you work, or in which the alleged infringement occurred. If you live in Germany, the relevant Data Protection Authority is the "Bayerisches Landesamt für Datenschutzaufsicht", Promenade 18, 91522 Ansbach). However, we encourage you to first contact us so that we can together solve any concerns you may have.

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.

18. CHANGES TO THIS PRIVACY POLICY OR TO YOUR PERSONAL DATA

We may make changes to this Privacy Policy from time to time to comply with changes in applicable law, regulatory requirements or our practices. If we make any material changes, we will notify you by email of any significant changes, or by means of a notice on our Application or Site you used prior to the change becoming effective. All changes shall be effective from the date of publication unless otherwise provided. However, we encourage you to review this Privacy Policy periodically to be informed of how we use your personal information.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us. If you wish to update your Personal Data, please update through our Site or Application, or contact us using the contact details in Section 3.

19. Cookies, Analytics and Tailored Advertising

Cookies are small text files that are automatically placed on your computer, tablet, mobile phone or other device when you visit our Site. These could be traditional HTML-cookies, pixel tags, beacons or scripts and are stored by your internet browser. These cookies may contain basic information about your device or internet use. Your browser sends these cookies back to our Site every time you revisit it, so we can recognize your computer or mobile device and personalize and improve your browsing experience.

The cookies we use fall into four categories. These categories are described below:

Strictly necessary cookies. Strictly necessary cookies are necessary for the proper functioning of our Site and to help you access and move around our Site and use all its features. We also use functional cookies, for example, to remember your language preferences to save you the trouble of having to change these every time you enter our Site. Without these cookies, our site would not work properly and you would not be able to use certain important features.
Analytics Cookies. We use Google Analytics and Shopify Analysis, etc. to place and read cookies for the abovementioned use.
Performance Cookies. We use cookies to collect information about the way our Site is used, such as the Internet browser and operating system used, domain name of the Site from which you accessed our Site, number of visits, average time spent on the Site and pages viewed.
Advertising Cookies. These cookies collect information about your browsing habits in order to make our content and advertising as relevant to you and your interests as possible. These cookies are also used to help us measure the effectiveness of our advertising campaigns by tracking the number of clicks. The cookies are usually placed by third party advertising networks. They remember the websites you visit and use this information to give you access to interesting and exciting content on our website and to show you more personalized adverts when you visit other websites. These cookies also help improve your browsing experience, for example by helping to prevent the same advertisement from reappearing to you.

xTool and its third-party partners and providers use cookies and similar technologies to automatically collect certain Personal Data when you visit or interact with our Sites and services to enhance navigation, analyze trends, administer the Sites, track users’ movements around the Sites, gather demographic information about our user base as a whole, and assist with our marketing efforts and customer service. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our Sites and services.

Our Sites provide you the ability to adjust your preferences regarding our use of cookies and similar technologies by clicking the "Cookie Settings” link in the footer of our Sites. These cookie preference manager tools are website, device, and browser specific, so you will need to change your preferences on each device and browser you use when interacting with the specific Site you are visiting. You can also stop all collection of information via our web services by not using our Sites and services.

You may also be able to utilize third-party tools and features to further restrict our use of cookies and similar technologies. For example, cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options, so you may need to set them separately. In addition, you may be able to exercise specific privacy choices, such as enabling or disabling certain location-based services, by adjusting the permissions in your mobile device or internet browser. You may also exercise choice regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout to download the Google Analytics Opt-out Browser Add-on. For information on how Google Analytics collects and processes data, as well as how you can control information sent to Google, review Google's website here: www.google.com/policies/privacy/partners/.

You may also opt-out of targeted advertising by companies that participate in the Digital Advertising Alliance (“DAA”) AdChoices Program by visting optout.aboutads.info. For more information on the DAA AdChoices Program, please visit www.youradchoices.com. In addition, the Network Advertising Initiative (“NAI”) has developed a tool that allows consumers to opt out of certain tailored advertising delivered by NAI members’ advertising networks. To learn more about opting out of such targeted advertising or to use the NAI tool, see https://optout.networkadvertising.org/.

20. ADDITIONAL UNITED STATES PRIVACY DISCLOSURES

These disclosures supplement the information contained in the main body of our Privacy Policy by providing additional information about our Personal Data processing practices relating to individual residents of certain states in the United States. For a detailed description of how we collect, use, disclose, and otherwise process Personal Data, please read the main body of our Privacy Policy.

California, Colorado, Connecticut, Utah, and Virginia Residents

If you are a resident of the state of California, Colorado, Connecticut, Utah, or Virginia in the United States the following supplementary disclosures apply to you.

Collection and Use of Personal Data: Personal Data

As described in more detail in Section 6 above, we collect the following categories of Personal Data:

Identifiers, such as first and last name, preferred name, phone number, email address, unique personal identifiers, and online identifiers.
Customer records, such as contact information, address book information, and account information.
Protected classification characteristics, such as age, gender, and health status.
Commercial information, such as records of purchases and prices, shipping address and contact information, and details of returns, and consumer histories and tendencies.
Biometric information, such as facial, fingerprint or other biometric recognition technology results processed and maintained solely on the user’s device (see below for more detail).
Internet / network information, such as the device type, manufacturer, and model, operating system, IP address, browser type, Internet service provider, and unique identifiers associated with you, your device, or your network.
Geolocation data, including general geographic location, as well as more precise geolocation when you grant us access through your device settings (see below for more detail).
Audio, electronic, visual, thermal, olfactory, or similar information, including voice prompts / recordings and security /service images and video.
Professional / employment information, such as employer and job title.
Sensitive personal data, such as account credentials, biometric information, health data, and precise geolocation (as further described below).
Other Personal Data, such as your communication preferences, entertainment preferences, home configuration (for our home-related services), participation in our loyalty and incentive programs, and any other Personal Data you choose to share in custom messages sent through the forms, email addresses, or other contact information we make available to customers.
Inferences, including consumer preferences, predispositions, and characteristics.

As described in Section 6 above, we collect this Personal Data directly from you, automatically when you interact with our Sites, Applications, products, or other services, from third parties, and from public third-party platforms such as social media websites.

We collect Personal Data from and about you for a variety of purposes. For example, we use Personal Data to communicate with you; to facilitate, process, and fulfill orders you place with us or the services you request; to conduct surveys, sweepstakes, contests and other promotions; to analyze and improve the use of our Sites and Applications; to deliver marketing communications and personalized and non-personalized advertising; and to facilitate our customer services.

Collection and Use of Personal Data: Sensitive Personal Data

The following Personal Data elements we collect may be classified as “sensitive” under certain privacy laws (“Sensitive Personal Data”):

Account credentials.
Payment card information (collected and processed solely by our third-party payment providers; xTool does not have access to this data).
Biometric information (collected and processed solely on the user’s device; xTool does not have access to this data).
Health metrics, including sleep patterns, movements, heart rate, height, weight, and body mass index .
Precise geolocation data.

We only use or disclose Sensitive Personal Data where reasonably necessary and proportionate for the purposes of performing services you have requested, verifying and improving the services we provide, detecting security incidents, fraud and other illegal actions, ensuring the physical safety of natural persons, performing services on behalf of the business, or short-term transient use. We only collect and process Sensitive Personal Data without the purpose of inferring characteristics about the relevant individual, and we do not sell Sensitive Personal Data or process or otherwise share Sensitive Personal Data for the purpose of targeted advertising (as further described below).

However, depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to limit, or withdraw your consent for, our processing of Sensitive Personal Data (as described in the Your Additional U.S. Privacy Choices section below).

Collection and Use of Personal Data: Deidentified Information

We may at times receive, or process Personal Data to create, deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.

Nevada Residents: If you are a resident of the state of Nevada in the United States, you have the right to opt out of the sale of certain of your Personal Data.

Personal Data Disclosures, Sales, and Targeted Advertising

We may disclose the categories of Personal Data above to the following categories of third parties: the entities that make up the xTool entities, Processors, ad networks and advertising partners, business and marketing partners, third-party providers with services integrating with our services, individuals you choose to share Personal Data with, and certain third parties where you have provided consent or where otherwise required or permitted by law.

Our disclosure or making available of identifiers, customer records, commercial information, internet / network information, and inferences to ad networks and advertising partners may qualify as the sale of Personal Data or the sharing or processing of Personal Data for the purpose of displaying advertisements that are selected based on Personal Data obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”) under certain privacy laws.

Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to limit or opt-out of the sale of Personal Data or the processing of Personal Data for purposes of targeted advertising (as described in the Your Additional U.S. Privacy Choices section below).

Please note we do not sell the Personal Data of individuals we know to be less than 16 years of age or share such information for targeted advertising purposes. In addition, we do not sell Sensitive Personal Data, and we do not process or otherwise share Sensitive Personal Data for the purpose of targeted advertising.

Automated Decision-Making and Profiling

We do not conduct automated processing of Personal Data for the purposes of evaluating, analyzing, or predicting an individual’s personal aspects in furtherance of decisions that produce legal or similarly significant effects. As a result, we do not provide a right to exercise control over such forms of automated decision-making and profiling.

Your Additional U.S. Privacy Choices

Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:

Right to Know. The right to confirm whether we are processing Personal Data about you and, under California law only, to obtain certain personalized details about the Personal Data we have collected about you, including:
- The categories of Personal Data collected;
- The categories of sources of the Personal Data
- The purposes for which the Personal Data were collected;
- The categories of Personal Data disclosed to third parties (if any), and the categories of recipients to whom this Personal Data were disclosed;
- The categories of Personal Data shared for targeted advertising purposes (if any), and the categories of recipients to whom the Personal Data were disclosed for these purposes; and
- The categories of Personal Data sold (if any) and the categories of third parties to whom the Personal Data were sold.
Right to Access & Portability. The right to obtain access to the Personal Data we have collected about you and, where required by law, the right to obtain a copy of the Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
Right to Correction. The right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of the Personal Data.
Right to Control Over Sensitive Personal Data. The right to exercise control over our collection and processing of certain Sensitive Personal Data.
Right to Opt-Out of Targeted Advertising. The right to direct us not to use or share Personal Data for certain targeted advertising purposes.
Right to Opt-Out of Sales. The right to direct us not to sell Personal Data to third parties.
Right to Deletion. The right to have us delete Personal Data we maintain about you (subject to certain exceptions).

Depending on your state of residency, you may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

ANNEX I: SERVICE LIST (AS OF OCTOBER, 2024)

Service	Controller
https://www.xtool.com/	XTL US INC.
https://customthings.com/	ONE LINK SELLING INC.
https://designfind.com/	ONE LINK SELLING INC.
https://ca.xtool.com/	XTL US INC.
https://www.xtool.eu/	Makeblock (Hong Kong) Company Limited
https://de.xtool.com/	Makeblock (Hong Kong) Company Limited
https://uk.xtool.com/	Makeblock (Hong Kong) Company Limited
https://fr.xtool.com/	Makeblock (Hong Kong) Company Limited
https://jp.xtool.com/	Makeblock (Hong Kong) Company Limited
https://au.xtool.com/	Makeblock (Hong Kong) Company Limited

Annex II: PURPOSES AND LEGAL BASIS (AS OF OCTOBER, 2024)

Purpose

Information Collected

Legal Basis for Proceeding

To provide you with access to our Site and Application, and enable you to use our Device and other service

· Identity Data

· Contact Data

· Financial Data

· Services Data

· Device Data

· Content Data

· Technical Data

· Special Categories of Personal Data

· Performance of a contract;

· Legal or regulatory obligation;

· Legitimate interests:

providing you with access to the requested Service and ensuring that you are provided with the best Service we can offer

To manage our relationship with you which will include notifying you about changes to our terms of use

· Identity Data

· Contact Data

· Profile Data

· Marketing and Communications Data

· Performance of a contract

· Legal or regulatory obligation

· Legitimate interests: ensuring we can notify you about changes to our terms of use

To manage and protect our business and our Site, Device and Application, including improving data security, troubleshooting data and systems, system maintenance and testing, data hosting and reporting

· Contact Data

· Identity Data

· Device Data

· Content Data

· Technical Data

· Usage Data

· Marketing and Communications Data

· Legal or regulatory obligation;

· Legitimate interests:

ensuring the efficient and secure running of our business and the Site, including through maintaining information technology services, network and data security

To use data analytics to improve our Service, for example to train our models that power the Service, marketing, customer relationships and experiences

· Technical Data

· Usage Data

· Profile Data

· Content Data

· Marketing and Communications Data

· Legitimate interests:

reviewing how clients use and what they think of our Site and Application, improving our Site and Application, and identifying ways to grow our business

· Consent

To investigate and address violations of our terms of use and policies as well as detect, prevent and combat harmful or unlawful behaviour

· Identity Data

· Contact Data

· Financial Data

· Services Data

· Profile Data

· Technical Data

· Usage Data

· Special Categories of Personal Data

· Legal or regulatory obligation;

· Legitimate interests:

preventing and addressing unlawful use of our electronic portals and platforms, violations of our terms and policies, or other harmful or illegal activity

To deliver optimized and relevant content, measure or understand the effectiveness of the Service we serve, and improve the overall approach and experience (e.g. by analysing your stated preferences and tracking patterns on how you interact and engage with our Site)

· Contact Data

· Identity Data

· Profile Data

· Technical Data

· Usage Data

· Marketing and Communications Data

· Legitimate interest:

providing relevant content and identifying ways to grow our business;

· Consent

To identify areas of interest, services or products which might interest you and to help us have a better experience on the Service and support we can offer (e.g. by tracking and analysing how you interact with our Site)

· Identity Data

· Contact Data

· Profile Data

· Marketing and Communications Data

· Technical Data

· Usage Data

· Legitimate interest:

identifying ways to grow our business by targeting our business development initiatives and marketing activities more effectively

· Consent

To ask you for feedback about our Service as well as marketing or other events, and to manage, review and act on the feedback we are getting

· Identity Data

· Contact Data

· Profile Data

· Legitimate interests:

understanding what users think of our Service as well as marketing or other events, improving them and identifying ways to grow our business and improve users' experience

To interact with governmental or regulatory bodies or other authorities in relation to you, subject to applicable laws

· Identity Data

· Contact Data

· Financial Data

· Services Data

· Performance of a contract;

· Legal or regulatory obligation;

· Public interest