Privacy Policy

Last updated: June 2026

Data controller
XS B.V.
Registered in the Netherlands
Privacy contact: privacy@xs-team.com

This Privacy Policy explains what personal data XS B.V. ("we", "us") collects when you use the Newsguard app or website, why we collect it, and what rights you have under the EU General Data Protection Regulation (GDPR) and applicable Dutch law.

1. Data We Collect

Account data — When you register, we collect your email address and a hashed version of your password. We never store your password in plain text.

Usage and interaction data — When you open, bookmark, or dismiss articles within the app, we record these interactions to personalise your news feed and improve our relevance algorithm. This data is linked to your account.

Subscription data — Your subscription tier (Individual, Pro, or Max) and status are stored on our servers. Payment information is handled exclusively by Apple and RevenueCat; we never see your card details.

Push notification token — If you enable notifications, Apple provides us with a device token (APNs token) used solely to deliver push notifications to your device.

CRM integration data — If you connect a HubSpot account, we store an OAuth access token and refresh token to retrieve your company list on your behalf. We use read-only access and do not write data back to HubSpot.

Website analytics — On our marketing website, we use Google Analytics 4 (GA4) with Consent Mode v2. Analytics cookies are only activated if you click "Accept analytics" in the cookie banner. If you decline, no analytics data is collected. The App itself does not use analytics cookies.

2. Legal Basis for Processing

Contract (Art. 6(1)(b) GDPR) — Account data, usage/interaction data, subscription data, and push token are processed to provide the service you signed up for.
Legitimate interest (Art. 6(1)(f) GDPR) — Aggregate, anonymised usage patterns may be analysed to improve the product. We balance this against your privacy interests.
Consent (Art. 6(1)(a) GDPR) — Website analytics via Google Analytics are only processed if you explicitly consent through the cookie banner. You can withdraw consent at any time by clearing your browser's local storage for our domain.

3. How We Use Your Data

To create and manage your account
To deliver your personalised news feed and company briefings
To send push notifications about breaking news at your followed companies
To manage your subscription and enforce plan limits
To improve the relevance algorithm using aggregated interaction signals
To understand website traffic (only with your consent)

4. Third-Party Processors

We share data with the following processors as necessary to operate the service:

Anthropic (USA) — AI provider (Claude). Article headlines and summaries are sent to generate company briefings. No personally identifiable information about you is included in these requests.
RevenueCat (USA) — Subscription management. Processes your App Store transaction data and subscription status.
Apple Inc. (USA) — App Store distribution, in-app purchases, and push notification delivery (APNs).
HubSpot Inc. (USA) — Only if you connect your HubSpot account. We access your company list via OAuth with read-only permissions.
People Data Labs (USA) — Company autocomplete search. Search queries (company names) are sent to their API; no personal data is included.
Logo.dev (USA) — Company logo images fetched by domain name. No personal data is transmitted.
Google LLC (USA) — Google Analytics on our marketing website, only when you have given consent.

Processors in the United States operate under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

5. Data Retention

Account and interaction data — Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
Push notification tokens — Deleted when you delete your account or revoke notification permissions.
HubSpot tokens — Deleted when you disconnect the integration or delete your account.
Analytics data — Retained by Google for up to 14 months (standard GA4 setting).

6. Your Rights Under GDPR

As a data subject, you have the following rights:

Right of access — Request a copy of the personal data we hold about you.
Right to rectification — Ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — Request deletion of your account and all associated personal data.
Right to data portability — Request your data in a structured, machine-readable format.
Right to restriction — Ask us to restrict processing of your data in certain circumstances.
Right to object — Object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent (analytics), you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at privacy@xs-team.com. We will respond within 30 days.

7. Supervisory Authority

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Dutch data protection authority:

Autoriteit Persoonsgegevens
www.autoriteitpersoonsgegevens.nl

8. Security

We use industry-standard security measures including encrypted connections (TLS), hashed passwords (bcrypt), and access controls. No system is completely secure; if you suspect a security issue please contact privacy@xs-team.com promptly.

9. Children

Newsguard is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the App or by email at least 14 days before taking effect. The current version is always available at this URL.

11. Contact

Questions or requests regarding your personal data:
privacy@xs-team.com