Privacy Policy

Information You Provide Directly

We collect information you provide when you create an account, request a demo, submit a support ticket, or otherwise communicate with us. This includes:

• Account information: name, work email address, company name, job title, and password (stored using bcrypt hashing).
• Profile information: professional details, profile photo, and preferences you configure within the platform.
• Payment information: billing address and payment method details, which are processed by our third-party payment processor and never stored on our servers.
• Communications: messages you send us via email, support tickets, or the contact form, including any attachments.
• Demo and sales requests: information submitted through our Get Started Free or Request Demo forms, including availability preferences and workflow information.
• User-generated content: project data, sprint plans, backlog items, comments, file attachments, and other content you create within the platform.

Information Collected Automatically

When you use our Services, we automatically collect certain information about your device and usage, including:

• Log data: IP address, browser type and version, pages visited, time spent on pages, referring URLs, and access timestamps. All API calls and user actions are logged for security and audit purposes.
• Device information: operating system, device type, screen resolution, and device fingerprint used for session security and fraud prevention.
• Usage data: features used, workflows configured, sprint and project activity, and performance metrics that help us improve the Service.
• Location data: approximate geographic location derived from your IP address, used for security monitoring (such as detecting logins from new geographic regions) and for compliance with regional data protection laws.
• Session data: session tokens, authentication events, MFA verifications, and device trust status stored securely in Redis with automatic expiration.

Information from Third Parties

We may receive information about you from third parties in the following circumstances:

• Single Sign-On providers: if you authenticate using Google Workspace or Microsoft Azure Active Directory via Auth0, we receive your name, email address, profile photo, and organizational details from those providers.
• Payment processors: we receive transaction confirmations and billing status updates from our payment processing partners, but not full payment card details.
• Customer organizations: your employer or organization may provide us with your account information when provisioning access to Sprint Bridge on your behalf.

To Provide and Maintain the Service

• Create and manage your account, authenticate your identity, and enable access to Sprint Bridge features.
• Process transactions and send you related information, including purchase confirmations and invoices.
• Provision organizational workspaces and configure permissions according to your role and your organization's settings.
• Provide customer support and respond to inquiries, including processing support tickets through the Sprint Bridge Support Portal.
• Send transactional emails such as password reset links, login verification, sprint notifications, and workspace invitation emails.

For Security and Fraud Prevention

• Monitor authentication events, detect brute-force attempts, and automatically block suspicious IP addresses including known Tor exit nodes and VPN proxies.
• Calculate risk scores (0–100) per authentication event using IP reputation, device fingerprint, geographic signals, and behavioral patterns.
• Maintain tamper-evident audit logs of all user actions, API calls, and configuration changes for security incident response and compliance reporting.
• Enforce session security policies including idle timeouts, concurrent session limits, and force-logout capabilities.

For Compliance and Legal Obligations

• Generate SOX, GDPR, SOC 2, PCI DSS, and ASC 350-40 compliance reports, audit trails, and financial documentation as required by your organization's compliance obligations.
• Maintain records as required by applicable law, including financial records, access logs, and data processing agreements.
• Respond to lawful requests from public authorities, including law enforcement and regulatory agencies, where required by applicable law.

To Improve and Develop the Service

• Analyze usage patterns, feature adoption, and performance metrics to improve Sprint Bridge functionality and user experience.
• Conduct internal research and development to build new features, with data aggregated and anonymized where possible.
• Send product update emails, release notes, and service announcements — you may opt out of non-transactional communications at any time.

Service Providers

We share information with trusted third-party vendors who assist us in operating our Services. These providers are contractually bound to use your information only as directed by us and in accordance with this Privacy Policy. Current categories of service providers include:

• Authentication: Auth0 (Okta) for identity management, single sign-on, and multi-factor authentication.
• Infrastructure: cloud hosting and database services for platform operation, backup, and disaster recovery.
• Email delivery: transactional email service providers for sending system notifications, invitations, and support communications.
• Payment processing: PCI DSS-compliant payment processors for handling subscription billing. We receive no raw card data.
• AI providers: OpenAI (GPT-4), Google (Gemini), and Anthropic (Claude) for optional AI-assisted features, used only when you explicitly invoke those features.
• Analytics: aggregated, anonymized usage analytics to understand platform performance. We do not share personally identifiable information with analytics providers.

Within Your Organization

If you access Sprint Bridge through your employer or organization, your account information, activity logs, and project data are accessible to administrators within your organization according to the roles and permissions configured by your organization's administrator. Xidisk Software Solutions is not responsible for your organization's privacy practices with respect to this data.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, including a court order, subpoena, search warrant, or other lawful request. We will attempt to notify you of such requests in advance where legally permissible and where we have a means of contacting you.

Business Transfers

If Xidisk Software Solutions is involved in a merger, acquisition, financing, or sale of business assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website if such a transfer occurs and if it results in a material change to this Privacy Policy.

With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so, including when you authorize integrations with third-party services through the Sprint Bridge integrations marketplace.

Strictly Necessary Cookies

These cookies are essential for the Services to function and cannot be disabled. They include session cookies that maintain your authenticated state, CSRF protection tokens, and security cookies used to detect and prevent fraudulent activity. These cookies do not require your consent under applicable cookie laws.

Performance and Analytics Cookies

We use cookies to collect information about how visitors interact with our website — which pages are visited most, how long users spend on each page, and whether errors occur. This information is used in aggregated, anonymized form to improve our Services. You may opt out of performance cookies through your browser settings or our cookie preference center.

Preference Cookies

These cookies remember your settings and preferences — such as your chosen theme, language, and display options within Sprint Bridge — so you do not need to reconfigure them each time you log in.

Managing Cookies

Most web browsers allow you to control cookies through browser settings. You can instruct your browser to refuse all cookies or to alert you when cookies are being sent. However, disabling strictly necessary cookies may prevent Sprint Bridge from functioning correctly. Your browser's help documentation will explain how to manage cookie settings for your specific browser.

Our Services do not respond to "Do Not Track" browser signals at this time, as there is no consistent industry standard for how to respond to such signals.

California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), the right to non-discrimination for exercising your privacy rights, and the right to correct inaccurate personal information.

To exercise these rights, please contact us at privacy@xidisk.com with the subject line "CCPA Privacy Request." We will respond to verified requests within 45 days.

How to Exercise Your Rights

To exercise any of the rights described above, please submit a request to privacy@xidisk.com. We will respond to all verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

If you are located in the European Economic Area and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.