Back to home
Legal

Privacy Policy

Effective: [EFFECTIVE_DATE_PLACEHOLDER]Last updated: [LAST_UPDATED_PLACEHOLDER]

This policy explains what information X Distribution collects, how we use and share it, and the choices you have. We've written it in plain language so you can actually read it. If anything is unclear, email us at [PRIVACY_EMAIL_PLACEHOLDER]and we'll help.

01 Introduction

X Distribution (“X Distribution,” “we,” our,” or “us”) operates xdistribution.net (the “Site”) and related wholesale distribution services. Our legal entity is [LEGAL_ENTITY_PLACEHOLDER], with a registered address at [BUSINESS_ADDRESS_PLACEHOLDER].

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit the Site, sign up to be matched to wholesale deals, submit a services inquiry, or contact us as a vendor.

We serve clients worldwide. This policy is designed to address the requirements of a range of international privacy laws, including the EU and UK General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil's Lei Geral de Proteção de Dados (LGPD), and the Australia Privacy Act 1988.

By using the Site, you acknowledge that you have read and understood this policy. If you do not agree with it, please do not use the Site or submit information to us.

02 Information we collect

We collect information you give us directly, information collected automatically when you use the Site, and information from a limited set of third parties.

Sign-up information (required)

  • Business owner name — the person completing the form.
  • Business name — the operating name of your business.
  • Business email address — used to contact you and prevent duplicate accounts.
  • Business phone number — used for high-priority deal notifications where you've opted in.

Sign-up profile and preferences (optional)

  • Business address.
  • Seller's permit — an uploaded document to support verification for priority deal access.
  • Selling platforms you use (e.g. Amazon, eBay, Whatnot, Walmart, TikTok Shop, others).
  • Business stage (e.g. just getting started, growing, established, high volume).
  • Product categories you're interested in.
  • Inventory type preferences and shipping destination preferences.
  • Notification channel preferences (e.g. WhatsApp, SMS, email, Telegram).
  • Free-text notes in the “Anything else?” field describing what you're looking for.

Services inquiry form

  • Name, company, email address, services of interest, and the contents of your message.

Vendor contact form

  • Name, company, email address, product type, quantity, and the contents of your message.

Information collected automatically

  • IP address and approximate location derived from it.
  • Browser type and version, operating system, language, and device information.
  • Pages visited, time spent on pages, scroll depth, and click events.
  • Referring URL — the page that sent you to us.
  • UTM parameters attached to links (source, medium, campaign, content, term), used to attribute traffic from ads and referrals.
  • Cookies and similar technologies (see Section 13).

03 How we collect it

  • Directly from you when you fill out a form on the Site (sign-up, services inquiry, vendor contact) or send us a message.
  • Automatically as you browse the Site, through cookies, pixels, local storage, and server logs.
  • From third parties such as advertising platforms (if you arrive via an ad), analytics providers, and authentication providers if you choose “Continue with Google.”

04 Why we collect it

We collect personal information for the following purposes:

  • To operate the Site and deliver the functionality you request.
  • To create and manage your sign-up and keep your profile up to date.
  • To match you to wholesale deals based on your stated preferences, platforms, categories, and inventory interests.
  • To respond to services inquiries and vendor messages you send us.
  • To communicate with you via your selected notification channels when you opt in.
  • To measure and improve the Site, understand which pages convert, and identify and fix issues.
  • To prevent fraud, abuse, and security incidents, and to enforce our terms.
  • To comply with legal obligations and respond to lawful requests.

05 Legal basis for processing

If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases under Article 6 of the GDPR (and equivalent provisions elsewhere):

  • Performance of a contract(Art. 6(1)(b)) — to create your account, match you to deals you've asked to receive, and respond to inquiries.
  • Consent (Art. 6(1)(a)) — for optional sign-up fields, for marketing messages through your chosen notification channels, and for non-essential cookies. You can withdraw consent at any time.
  • Legitimate interests(Art. 6(1)(f)) — to understand how the Site is used, improve it, prevent fraud, and secure our systems. Where we rely on legitimate interests, we've assessed that our interests are not overridden by your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable laws, tax obligations, and lawful requests from authorities.

Where we process special categories of data (we generally do not), we rely on your explicit consent or another applicable exception.

06 How we use your information

Beyond the purposes listed in Section 4, we use your information to:

  • Personalise the Site and surface deal channels most likely to match your business.
  • Send transactional messages (account confirmations, sign-up receipts, inquiry replies).
  • Send marketing and deal notifications through the channels you've opted in to.
  • Aggregate and de-identify data for analytics and product research.
  • Investigate and address complaints, violations, and security incidents.

We do not sell your personal information for money. See Section 10for your rights regarding “sale” and “sharing” as defined under California law.

07 How we share your information

We share personal information only with the service providers and in the circumstances described below. Each provider is contractually required to protect your information and may only use it for the purposes we authorise.

Service providers we use

  • Supabase — database and authentication provider. Stores your sign-up, services inquiry, and vendor contact records.
  • Vercel — our hosting provider. Vercel processes IP addresses and request metadata as part of serving the Site and its functions.
  • Google Analytics — usage and conversion-funnel analytics. Google may set cookies and receive information about your visit.
  • Meta (Instagram / Facebook) — if you arrive via an Instagram or Facebook ad, Meta may set attribution cookies or receive conversion events.
  • Anthropic (Claude API) — see the disclosure immediately below.
Important disclosure

Text you submit in the sign-up “Anything else?” free-text field is sent to Anthropic, the provider of the Claude API, so that Claude can parse what you've written into structured data we use for deal matching. Do not paste sensitive personal information, credentials, or confidential third-party data into that field. You can leave the field blank; doing so will not affect your ability to use the Site.

Legal and safety disclosures

  • Law enforcement and legal process — we may disclose information if required by law, subpoena, or court order, or if we reasonably believe it is necessary to prevent fraud, protect rights, or respond to an emergency.
  • Business transfers— if X Distribution is involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We'll notify you and provide choices where the law requires.

We do not share your personal information with third-party advertisers, data brokers, or resellers for their own marketing purposes.

08 International data transfers

X Distribution and several of our service providers operate in the United States and other countries. When you submit information to us, it may be transferred to, stored in, and processed in jurisdictions outside your own, including countries whose data protection laws differ from those in your country.

Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses (SCCs) (modernised version adopted in June 2021), together with supplementary measures where required following the Schrems II ruling.
  • The UK International Data Transfer Agreement or the UK Addendum to the EU SCCs for transfers originating in the United Kingdom.
  • The EU-US Data Privacy Framework (and its UK extension and Swiss equivalent) where our US-based providers are certified.

You may request a copy of the safeguards we use for a specific transfer by emailing [PRIVACY_EMAIL_PLACEHOLDER].

09 Data retention

We keep personal information only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law. In practice:

  • Sign-up accounts — retained while your account is active, and for a reasonable period afterwards so we can respond to questions, enforce our terms, and meet legal obligations.
  • Services and vendor inquiries — retained for up to two years after our last correspondence, unless you ask us to delete them sooner.
  • Seller's permit uploads — retained while your account is verified, then deleted or de-identified.
  • Analytics and log data — retained for up to 14 months in identifiable form, then aggregated or deleted.

You can ask us to delete your information at any time (see Section 10).

10 Your rights

Depending on where you live, you may have some or all of the following rights over your personal information. We honour these rights for every user, regardless of jurisdiction, to the extent we reasonably can.

  • Right to access — request a copy of the personal information we hold about you.
  • Right to rectification — ask us to correct information that is inaccurate or incomplete.
  • Right to erasure (“right to be forgotten”) — ask us to delete your information.
  • Right to restrict processing — ask us to limit how we use your information in certain circumstances.
  • Right to data portability — receive your information in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on legitimate interests, including profiling used for marketing.
  • Right to withdraw consent — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — with your local data protection supervisory authority (for EU/UK residents).

California residents (CCPA / CPRA)

If you are a California resident, in addition to the rights above you have these specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • Right to know what personal information we've collected, used, disclosed, and for what purposes, including the categories of sources and recipients. As of January 1, 2026, this right extends to information we retain going back to January 1, 2022.
  • Right to delete personal information we've collected from you, subject to limited exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell personal information for money. To the extent cookie-based analytics and attribution signals qualify as “sharing” under California law, you can opt out using your browser's Global Privacy Control signal or by emailing us.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination — we will not deny you services, charge you different prices, or provide a different level of quality because you exercised a privacy right.

You may designate an authorised agent to submit a request on your behalf. We may need to verify your identity before responding.

How to exercise your rights

Email [PRIVACY_EMAIL_PLACEHOLDER]with the subject line “Privacy Request” and tell us which right you'd like to exercise. We'll respond within the timeframes required by applicable law — typically within 30 days for GDPR requests and 45 days for CCPA requests, with one extension where permitted.

11Children's privacy

The Site is not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, please email [PRIVACY_EMAIL_PLACEHOLDER] and we will delete it promptly.

12 Security

We take reasonable and appropriate measures to protect your information, including:

  • Encryption in transit — all traffic to and from the Site is served over HTTPS.
  • Encryption at rest — data stored in our database is encrypted by our hosting provider.
  • Access controls — only authorised personnel can access production data, and access is logged.
  • Principle of least privilege — service providers only receive the minimum information needed to do their job.

No method of transmission or storage is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and the relevant authorities where required by law.

13 Cookies and tracking technologies

Cookies are small text files a website places on your device so it can remember things about your visit. We and a limited set of service providers use cookies, pixels, local storage, and similar technologies on the Site. This section is the full disclosure of what we use and why — we do not maintain a separate Cookie Policy page.

We group trackers into four categories. Each category is described in detail below.

1. Strictly necessary

These are required for the Site to work. They cannot be turned off through our consent banner because the Site would not function without them.

  • Purpose: session management, security, CSRF protection, routing traffic to the nearest server, and retaining form state while you move between steps in the sign-up flow.
  • Providers: X Distribution, and our hosting provider Vercel.
  • Data collected: opaque session identifiers and technical metadata needed to serve pages. No marketing profile data.
  • Can you opt out? No — these are required. If you block them, the Site will not work.
  • Retention: session only, or short-lived (typically minutes to hours).

2. Analytics

These help us understand how visitors use the Site so we can measure conversion and improve the experience.

  • Purpose: measure page views, session duration, traffic source, conversion funnels (landing → sign-up → profile completion), and identify errors.
  • Provider: Google Analytics 4 (GA4), operated by Google LLC.
  • Data collected: pseudonymous client identifier, page path, referrer, device and browser information, approximate geography derived from an anonymised IP address, UTM parameters, and interaction events such as clicks and form submissions.
  • Anonymisation: GA4 anonymises IP addresses automatically.
  • Can you opt out? Yes — through the cookie consent banner on the Site, by installing the Google Analytics Opt-out Browser Add-on, or through your browser settings.
  • Retention: GA4 retains user and event data for up to 14 months in identifiable form in our property configuration, after which it is aggregated or deleted. Standard aggregated reports remain available beyond that window.

3. Advertising and attribution

These measure how effective our ads are and help us understand which campaigns drive sign-ups. We run paid campaigns primarily on Instagram and Facebook.

  • Purpose: measure ad campaign effectiveness, attribute sign-ups to the ad or referral that sent you, and report conversion events back to advertising platforms. We do not sell this data or use it to build profiles for third-party advertisers.
  • Providers: [META_PIXEL_PLACEHOLDER] — Meta Pixel (operated by Meta Platforms Inc.) is used to measure conversions from Instagram and Facebook ad campaigns. Meta Pixel only fires for visitors whose journey includes an Instagram or Facebook ad touch, and only after the advertising consent category has been accepted in the cookie banner. Additional advertising trackers, if deployed: [OTHER_ADVERTISING_TRACKERS_PLACEHOLDER].
  • Data collected: page views from ad traffic, conversion events (sign-up complete, inquiry submitted), UTM parameters, and hashed identifiers where supplied by the advertising platform.
  • Can you opt out? Yes — through the cookie consent banner on the Site. You can also manage ad personalisation directly with the providers via Meta's ad preferences and Google's Ads Settings.
  • Retention: according to each provider's default retention policy.

4. Functional

These remember lightweight preferences so the Site feels less repetitive.

  • Purpose: remember progress through the Stage 2 questionnaire, remember if you've dismissed a banner or popup, and store your cookie consent choices.
  • Providers: X Distribution (first-party local storage and cookies only).
  • Data collected: minimal, site-specific preference flags — no marketing profile data.
  • Can you opt out? Yes, through the consent banner. If you do, some convenience features may stop working (for example, you may be asked to repeat sign-up steps).
  • Retention: varies from session-only to a maximum of 12 months for preference storage.

How to control cookies

Where a cookie consent banner is available on the Site, it is the primary way to manage your preferences for analytics, advertising, and functional cookies, and non-essential cookies and trackers only fire after you give affirmative consent. Once the banner is in place, you will be able to change your choices at any time by clicking the “Cookie preferences” link in the footer to reopen it.

You can also control cookies through your browser settings. Most major browsers let you block or delete cookies, or warn you before a cookie is set. Here are the relevant help pages:

Blocking strictly necessary cookies may prevent parts of the Site from working.

Meta Pixel tracking only applies to visitors who arrive from an Instagram or Facebook ad campaign, and only after the advertising consent category has been accepted. If you never click one of our ads, Meta Pixel does not fire for you.

14 Do Not Track signals

Some browsers send a “Do Not Track” (DNT) signal. There is no industry consensus on how to respond to DNT, so we do not currently respond to DNT signals.

We do, however, honour the Global Privacy Control (GPC)signal where it is legally recognised — including for California residents — and treat it as an opt-out of the “sale” or “sharing” of personal information as defined under the CCPA/CPRA.

15 Third-party links

The Site links to external marketplaces and channels (such as Amazon, eBay, Whatnot, Walmart, and others) as well as social media accounts. Those sites have their own privacy practices and we are not responsible for their content or policies. We encourage you to read their privacy policies before providing them with personal information.

16 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we'll update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through a prominent notice on the Site before the changes take effect.

Your continued use of the Site after the effective date of the updated policy means you accept the changes.

17 Contact us

If you have any questions or concerns about this policy or our data practices, please get in touch:

  • Privacy inquiries: [PRIVACY_EMAIL_PLACEHOLDER]
  • General contact: [CONTACT_EMAIL_PLACEHOLDER]
  • Mailing address: [BUSINESS_ADDRESS_PLACEHOLDER]
  • Data Protection Officer (if applicable): [DPO_PLACEHOLDER]

If you are in the European Economic Area or the United Kingdom and believe we have not addressed your concern satisfactorily, you have the right to lodge a complaint with your local data protection supervisory authority.

This policy is written in English. Where a translation is provided, the English version controls in the event of any conflict.