Privacy Policy

This Privacy Policy describes how exstats.com ("Exstats", "we", "us") collects, uses, discloses, and protects personal data when you use our website and services (the "Service"). This Policy should be read together with our Terms of Service.

1. Who we are

The Service is operated by Nowaffl LLC, 30 N Gould St Ste R, Sheridan, WY 82801, United States. Nowaffl LLC is the data controller for the personal data processed through the Service. For privacy questions or requests, contact [email protected].

2. Data we collect

• Account Data: name, email address, and avatar where provided by your authentication provider (Google) via Firebase Authentication. We also store basic account metadata.
• Usage and Analytics Data: event-level and aggregated usage information collected via Google Analytics 4 (GA4) and the Meta (Facebook) Pixel. This may include device and browser information, general location (from IP), pages viewed, features used, and referral data.
• Logs and Diagnostics: IP addresses, device/browser information, timestamps, and error details captured in our application logs and through Sentry for debugging and reliability.
• Payments: we use Stripe to process payments. We do not store full payment card numbers on our servers. Stripe processes payment data as an independent controller where applicable.
• Communications: email address and message content when you contact us. If you opt in to marketing, we record your marketing preferences. We send transactional emails and service notifications.

3. How we collect data

• Authentication: Firebase Authentication (Google and Email OTP) provides account data you choose to submit.
• Cookies and similar technologies: GA4 and the Meta Pixel set cookies or use similar identifiers to collect usage data. These are only activated after you provide consent where required by law. See Section 6.
• Diagnostics: Sentry captures application errors and performance signals.

4. How we use data

• Provide, secure, and maintain the Service.
• Monitor performance, fix bugs, and improve features.
• Analyze usage trends and audience metrics.
• Process payments and prevent fraud.
• Send transactional messages and, where permitted, marketing communications.
• Comply with legal obligations and enforce terms.

Legal bases (EEA/UK users): contract performance, legitimate interests (e.g., security, analytics), consent where required (e.g., non-essential cookies/marketing), and legal obligations.

5. Sharing and disclosures

We do not sell personal data. We share personal data with service providers that process it on our behalf or as required by law. Data is primarily stored and processed in the United States.

• Firebase Authentication (account and auth): Privacy
• Google Analytics 4 (analytics): How Google uses information from sites or apps
• Meta Pixel (ads/measurement): Meta Privacy Policy
• Sentry (error monitoring): Privacy
• Cloudflare (security/proxy/CDN): Privacy Policy
• Stripe (payments): Privacy Policy
• Resend (transactional and marketing email): Privacy Policy

These providers may process personal data as independent controllers or processors, depending on the service and context.

6. Cookies and similar technologies

We use a consent management platform (CookieYes CMP) to present choices and obtain consent for non-essential cookies where required by law. GA4 and the Meta Pixel are only activated after consent is obtained. You can change your preferences at any time via the CookieYes "Cookie Settings" link on our site and through your browser settings.

7. Payments

Payments are processed by Stripe. We do not store full payment card numbers. Stripe may collect and process personal data for fraud prevention and regulatory compliance. See Stripe's privacy notice linked above.

8. Data retention

We retain personal data for the following periods:

• Account data: for as long as your account is active, plus 30 days after deletion to allow for data export requests.
• Logs and diagnostics: up to 90 days.
• Analytics data: as configured in GA4 and Meta (typically up to 14 months for GA4).
• Payment records: as required by applicable tax and accounting laws (typically up to 7 years).
• Support communications: up to 12 months after the last interaction, unless needed longer for ongoing disputes.

When no longer needed, we delete or anonymize data.

9. Your rights

Depending on your location, you may have the right to request access, correction, deletion, restriction, or portability of your personal data, to object to certain processing, and to withdraw consent at any time. California residents also have the right to know, delete, correct, and to opt out of certain disclosures that may be considered a "sale" or "sharing" for cross-context behavioral advertising. We will not discriminate against you for exercising your rights.

To submit a request, contact us at [email protected]. We may need to verify your identity before acting on a request. We will respond within 30 days (or 45 days for requests under California law). If we need additional time, we will notify you.

10. Marketing communications

We send transactional emails related to your account and Service. We may send marketing emails where permitted by law. You can opt out at any time by using the unsubscribe link in those emails or by contacting us.

11. International data transfers

Your data is primarily stored and processed in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. Where required by law, we use appropriate safeguards for such transfers, including standard contractual clauses between us and our service providers.

12. Security

We use technical and organizational measures designed to protect personal data, including HTTPS/TLS in transit, access controls, and least-privilege permissions. No method of transmission or storage is completely secure.

13. Children

The Service is not directed to children under 13. In the EEA, the minimum age is 16 unless parental or guardian consent is provided. If you believe a child has provided us with personal data, contact us at [email protected] to request deletion.

14. Do Not Sell or Share (California)

We do not sell personal data for money. Certain analytics and advertising disclosures may be considered "sharing" under California law. You can manage your preferences via the CookieYes banner and settings on our site and your browser or device settings. You may also contact us to exercise your rights.

15. Changes to this Policy

We may update this Policy from time to time. For material changes, we will notify you at least 30 days before they take effect by posting the updated version with a new effective date and, where practicable, by sending a notice to the email address associated with your account. If you do not agree with the updated Policy, you may stop using the Service and delete your account before the changes take effect.

16. Contact

Questions or requests: [email protected]

Nowaffl LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States