Privacy Policy
This policy explains what XStellar collects, why we collect it, how we use it, and where the current privacy boundaries of the product are.
Last Updated: March 16, 2026
1. Who We Are
XStellar Systems ("XStellar", "we", "our", or "us") operates xstellar.systems and provides software that helps businesses qualify inbound Instagram direct message leads, route those conversations into Slack and a built-in CRM, and move qualified prospects toward booking.
2. What We Collect
Account Information
- Name, email address, business name, and account credentials.
- Subscription and billing information processed through our payment providers.
Instagram Connection Data
- Instagram business account identifiers, usernames, messaging account IDs, and OAuth access tokens.
- We do not collect or store your Instagram password.
Conversation and Lead Data
- Instagram direct messages sent to your connected business account.
- Message metadata such as sender ID, timestamps, thread IDs, and profile details made available by Meta.
- Conversation history, lead scores, summaries, notes, tags, and workflow state inside XStellar.
Operational Data
- Usage logs, authentication events, configuration changes, and support-related records.
- Slack notification content and message metadata needed to operate the product.
3. How We Use Information
- To connect your Instagram account through Meta's official OAuth flow.
- To process incoming Instagram conversations and generate responses, lead scores, summaries, and routing decisions.
- To display lead activity in your XStellar dashboard and CRM.
- To send operational notifications into Slack.
- To provide onboarding, support, troubleshooting, fraud prevention, and service security.
- To handle billing, subscription management, and account administration.
4. AI Processing
XStellar uses third-party AI providers, including Anthropic and, in certain fallback cases, Google, to process conversation content and generate scoring, summaries, and replies.
Plain English: lead message content may be sent to those providers because that is how the qualification engine works.
5. Where Data Is Stored and Shared
We do not sell customer or lead data. We share data only with service providers needed to operate the product.
- Meta/Instagram: for account connection, webhooks, messaging, and permitted profile data.
- Anthropic and Google: for AI processing.
- Supabase/PostgreSQL: for application data storage.
- Slack: for notifications and client-facing operational workflows.
- Render and other infrastructure providers: for hosting and background jobs.
- Razorpay and Stripe: for billing and subscription workflows.
6. Current Slack Privacy Model
XStellar currently delivers customer notifications through dedicated private channels in an XStellar-managed Slack workspace.
This means XStellar operators may access those channels for onboarding, support, debugging, monitoring, and incident response.
This is an intentional product tradeoff: it reduces support friction and lets us respond quickly when something breaks, but it is not the same as a customer-owned Slack workspace.
7. Security Measures
- Encryption in transit using HTTPS/TLS.
- Encrypted storage of sensitive tokens at rest.
- Tenant-scoped backend architecture for customer data separation.
- Signature verification for supported inbound platform requests.
- Authentication and access controls on protected application endpoints.
No internet-connected system can be guaranteed to be perfectly secure. We work to reduce risk and respond quickly to issues, but we cannot promise absolute security.
8. Data Retention
- Account and billing records: retained for the duration of the business relationship and for a reasonable period afterward for compliance, accounting, and dispute handling.
- Lead and conversation data: retained while your account remains active unless you request deletion or a shorter retention arrangement is agreed.
- OAuth tokens: retained only as long as required to operate the connected service, unless revoked or deleted earlier.
9. Your Choices and Rights
- You can request access to, correction of, or deletion of your account data by emailing support@xstellar.systems.
- You can revoke XStellar's Instagram access through Meta or Instagram settings.
- You can ask us to disconnect your account and delete tokens from our systems.
10. International Transfers
Your information may be processed in countries other than your own depending on the infrastructure and providers used to operate the service.
11. Children
XStellar is not intended for anyone under 18 years old.
12. Changes
We may update this policy over time as the product evolves. Material changes will be reflected by updating the date on this page and, where appropriate, by notifying customers directly.
13. Contact
Questions about privacy or security can be sent to support@xstellar.systems.