Privacy Policy

Last updated: March 1, 2026

1. Introduction

CMSX ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address — used for authentication, notifications, and support
  • Name — used to personalize your dashboard experience
  • Password hash — securely hashed using bcrypt; we never store plaintext passwords
  • OAuth data — if you sign in via GitHub, we receive your GitHub profile and email

Content & API Data

When you use the CMSX API and dashboard, we collect:

  • Content data — the content entries, schemas, and media you create and manage through the platform
  • IP address — recorded with API requests for rate limiting and security
  • API usage — request counts and patterns for performance monitoring
  • Audit logs — records of content changes, user actions, and access events
  • Timestamps — when content is created, updated, published, or deleted

Usage Data

We automatically collect:

  • Browser type and version
  • Pages visited and time spent on pages
  • API request patterns (for performance monitoring)
  • Error logs and diagnostic data

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service operation — to provide, maintain, and improve the CMSX platform
  • Authentication — to verify your identity and manage your account
  • Content management — to store, version, and deliver your content via API
  • Security — to detect, prevent, and respond to fraud and abuse
  • Communication — to send account-related notifications (email verification, password resets, billing alerts)
  • Analytics — to understand usage patterns and improve the Service

4. Data Storage & Security

Your data is stored on secure servers with the following protections:

  • All data is encrypted in transit using TLS 1.3
  • Passwords are hashed using Argon2id
  • Content is encrypted at rest with AES-256-GCM
  • API authentication uses JWT with refresh token rotation
  • Database backups are encrypted at rest
  • Access to production systems is restricted and logged

5. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share data only in the following circumstances:

  • Service providers — trusted services that help us operate (hosting, email delivery, payment processing)
  • Legal requirements — when required by law, regulation, or legal process
  • Business transfers — in connection with a merger, acquisition, or sale of assets
  • Consent — when you have given explicit permission

6. Cookies

We use the following cookies:

Cookie          Purpose                            Duration
xcript_session  Authentication session             7 days
xcript_refresh  Refresh token for session renewal  30 days
theme           Dark/light mode preference         1 year

We do not use third-party tracking cookies. All cookies are strictly functional.

7. Your Rights (GDPR)

If you are a resident of the European Economic Area (EEA), you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Portability — request a machine-readable copy of your data
  • Restriction — request restriction of processing under certain circumstances
  • Objection — object to data processing based on legitimate interests

To exercise any of these rights, contact us at support@cmsx.dev. We will respond within 30 days.

8. Data Retention

We retain your data for the following periods:

  • Account data — retained while your account is active, deleted within 30 days of account deletion
  • API access logs — retained for 90 days for analytics, then aggregated and anonymized
  • Audit logs — retained for 1 year for security and compliance
  • Billing records — retained as required by tax regulations (typically 7 years)

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

11. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at support@cmsx.dev.