Privacy

Privacy Policy

This policy explains what data xreso processes, why it is processed, and which controls are available to users. xreso is an open-source, community-driven platform for sharing programming notes.

Effective date: April 15, 2026

1. Data controller

xreso is an open-source project maintained by Aniket Mishra. For all data-related inquiries, contact us at xresoinc@gmail.com.

2. Data we collect

  • Account information: Name, email address, profile photo, and role metadata when you create an account.
  • Authentication data: OAuth provider identifiers (Google, GitHub, LinkedIn) or hashed password for credential-based accounts. We never store plaintext passwords.
  • Contributed content: Notes, resources, and associated metadata (title, description, tags, license) you upload.
  • Usage data: Page views, bookmark counts, search queries, and moderation actions for platform analytics.
  • Security logs: IP addresses, user agents, and timestamps for authentication events, rate limiting, and abuse prevention. These are retained for fraud detection.
  • Cookies: Essential session cookies for authentication (httpOnly, secure). Optional analytics cookies are only set with your consent via the cookie banner.

3. Lawful basis for processing (GDPR Article 6)

  • Contract performance: Processing your account data to provide the xreso platform services you signed up for.
  • Legitimate interest: Security logging, abuse prevention, content moderation, and service improvement.
  • Consent: Analytics and advertising cookies are only activated after you explicitly accept via the cookie consent banner.
  • Legal obligation: Responding to valid legal requests such as DMCA takedown notices and court orders.

4. How data is used

  • Operate authentication, contributions, search, and recommendations.
  • Moderate content quality and enforce community guidelines.
  • Maintain audit trails for admin actions and account security.
  • Send transactional emails (welcome, note approval, password reset).
  • Improve reliability, performance, and product decisions.
  • Serve contextual advertisements (Google AdSense) — only with cookie consent.

5. Third-party processors

We use the following services to operate xreso. Each processes data under their own privacy policies and data processing agreements:

  • Vercel (USA) — Hosting, serverless functions, edge network
  • Turso / LibSQL (USA) — Primary database
  • Cloudflare R2 (Global) — File and media storage
  • Resend (USA) — Transactional email delivery
  • Upstash (Global) — Rate limiting via Redis
  • Google AdSense (USA) — Contextual advertising (consent-gated)
  • Google / GitHub / LinkedIn — OAuth authentication providers

6. International data transfers

Your data may be processed in the United States and other countries where our processors operate. These transfers are protected by:

  • Standard Contractual Clauses (SCCs) with our processors
  • EU-US Data Privacy Framework certifications where applicable
  • Encryption in transit (TLS 1.2+) and at rest

7. Data retention periods

  • Account data: Retained until you request account deletion.
  • Contributed content: Retained as long as the resource remains published. Removed upon takedown or account deletion.
  • Security and auth logs: 90 days from creation.
  • Rate limiting data: Automatically expires within minutes to hours depending on the limit window.
  • Password reset tokens: Expire and are invalidated after 1 hour.
  • Cookie consent preference: Stored locally in your browser (localStorage) — never sent to our servers.

8. Your rights under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Correct inaccurate data via your profile settings or by contacting us.
  • Right to erasure: Request deletion of your account and associated data.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent: Withdraw cookie or marketing consent at any time via the cookie settings or by contacting us.

To exercise any of these rights, email us at xresoinc@gmail.com. We will respond within 30 days.

9. Information Technology Act, 2000 (India)

In accordance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

  • We implement reasonable security practices including encryption, access controls, and secure authentication.
  • Sensitive personal data (passwords) is stored using industry-standard bcrypt hashing and is never stored in plaintext.

Grievance Officer:
Aniket Mishra
Email: xresoinc@gmail.com
Complaints will be acknowledged within 24 hours and resolved within 30 days as per the IT Rules, 2011.

10. Children's privacy

xreso is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us and we will promptly delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the platform or by email. Continued use of xreso after changes constitutes acceptance of the updated policy.

12. Contact

For privacy inquiries, data subject requests, or complaints:

Email: xresoinc@gmail.com
GitHub: aniketmishra-0/xreso
Response target: 30 days for formal requests, 1-3 business days for general inquiries.

EU residents also have the right to lodge a complaint with a supervisory authority in their country of residence.

Terms of Service · DMCA Policy · Contact