Privacy Policy
Effective Date: August 15, 2025
X DIGIT ("X DIGIT," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit our websites (including xdigit.us and any subdomains), interact with us online or offline, receive our marketing communications (including SMS), or use our professional services (collectively, the Services).
1) Who We Are & Roles
Controller. For our own websites, marketing, sales, and business operations, X DIGIT is the controller of your personal information.
Processor. When we process data on behalf of our business customers as part of our professional services, we act as a processor/service provider and our processing is governed by our Data Processing Addendum (DPA). If you are a business customer, please review the DPA for details of processor obligations.
About Us: X DIGIT is a California-based Certified Public Accounting (CPA) firm headquartered in Burbank, California (Greater Los Angeles area), with a focus on the entertainment industry and clients of all sizes across the United States and abroad.
Contact: info@xdigit.us
Postal Address: 3500 W Olive Ave, Suite 300, Burbank, CA 91505, United States
2) Personal Information We Collect
The information we collect about you depends on how you interact with us. Below are examples of categories of personal information ("PI") we may collect, consistent with global privacy laws (e.g., GDPR, UK GDPR, CPRA, and other U.S. state laws):
- Identifiers – name, alias, postal address, email address, phone number, unique identifiers (e.g., cookie IDs, device IDs), and government ID where legally required for compliance (rare).
- Customer Records – account credentials, billing address, payment details (processed by our payment processor), order history, and service usage information.
- Commercial Information – records of products/services purchased, obtained, or considered.
- Internet/Electronic Activity – browsing history, search interactions, clickstream, pages viewed, time stamps, referral URLs, approximate location derived from IP, device info, and diagnostics.
- Geolocation Data – approximate location (e.g., city/region) from IP; precise location only if you enable it.
- Audio/Visual – support calls/meetings (with notice), photographs or video if you submit or attend events.
- Professional/Employment Information – employer, job title, and related details if you engage as a business contact.
- Inferences – preferences or characteristics derived from the above to personalize content.
- Sensitive PI – we do not intentionally collect sensitive PI (e.g., precise geolocation, government IDs, health data) unless you provide it for a specific, disclosed purpose (e.g., account security or regulated onboarding). We do not use or disclose sensitive PI for additional purposes without your consent where required by law.
Sources: We collect PI directly from you (forms, meetings, email, Microsoft Teams, and iMessage/SMS on company-issued devices), automatically (cookies, pixels, SDKs, logs), from service providers/partners (e.g., analytics, CRM, payment, messaging), from publicly available sources, and from business customers in our processor role.
2A) CPA-Specific Legal & Professional Obligations
In addition to this Privacy Policy, certain activities are subject to stricter professional and legal rules:
- AICPA & California Board of Accountancy Confidentiality. We are bound by professional standards (AICPA Code of Professional Conduct and California Accountancy Act) that require us to maintain the confidentiality of client information. We will not disclose client information without consent except as permitted or required by law and professional standards (e.g., peer review, subpoena, quality control).
- GLBA (Gramm-Leach-Bliley Act). For services provided to individual consumers (e.g., tax preparation, personal financial planning), some data may be nonpublic personal information (NPI) under GLBA. Where GLBA applies, we limit use and disclosure to what is permitted by GLBA and its Safeguards Rule. CPRA/CCPA Exemption: To the extent PI is processed pursuant to GLBA, California privacy law exemptions may apply; other data remain subject to CPRA.
- IRS 26 U.S.C. §7216 & Regulations. If we prepare or assist in preparing your U.S. federal tax return, tax return information is subject to §7216/§6713 and related regulations. We will not use or disclose such information for non-tax purposes without your informed written consent unless an exception applies.
3) How We Use Personal Information
We use PI for the following purposes:
- Provide and operate the Services: create and manage accounts; process orders and payments; deliver customer support; enable collaboration.
- Security, Fraud, & Compliance: authenticate users; detect/prevent security incidents or abuse; comply with laws and enforce agreements.
- Communications: respond to inquiries; send administrative notices; provide newsletters, event invites, and promotional messages (you may opt out).
- Personalization & Analytics: measure and improve site performance; understand usage; develop new features; perform research and statistical analysis.
- Marketing & Advertising: show or measure ads, including cross-context behavioral advertising where applicable (you can opt out where the law provides that right).
- Corporate Transactions: support a merger, acquisition, financing, or sale of assets, subject to confidentiality.
Where required by law (e.g., EEA/UK/Switzerland), our legal bases include: performance of a contract, legitimate interests (e.g., to secure and improve our Services), compliance with legal obligations, and consent (e.g., for certain cookies/marketing/SMS).
4) Cookies, Tracking, and Controls
We and our providers may use cookies, pixels, SDKs, and similar technologies to operate our site, remember settings, analyze traffic, and (if enabled) tailor content and ads. You can manage preferences via our Cookie Preferences tool and your browser/device settings.
- Do Not Track (DNT): We currently do not respond to DNT signals.
- Global Privacy Control (GPC): Where required (e.g., CA, CO, CT), we treat a valid GPC signal as a request to opt out of sales/sharing for the browser/session.
Cookie Controls: Manage your preferences through the cookie banner on our site and via your browser/device settings.
5) Disclosure of Personal Information
We do not sell personal information and we do not knowingly engage in cross-context behavioral advertising ("sharing"). We may use basic analytics; where third-party analytics could be considered a "share" in certain jurisdictions, you can opt out via our preference tools.
We disclose PI to:
- Service Providers/Contractors/Processors – e.g., hosting, cloud, security, analytics, CRM, payments, messaging/SMS, email, customer support, and professional advisers. These parties are contractually limited to using PI to perform services for us.
- Advertising/Analytics Partners – if we engage in targeted advertising or analytics that may constitute a "sale" or "share" under certain state laws; you can opt out where applicable.
- Affiliates – entities under common ownership or control.
- Authorities/Legal – to comply with law or legal process, or to protect rights, safety, and property.
- Business Transfers – in connection with corporate transactions (see Section 3).
We do not disclose PI for third parties' own direct marketing without your consent. We do not knowingly sell or share the PI of children under 16.
5A) Payment Processing
We use Authorize.Net and, from time to time, other merchant service providers to process payments. Payment card details are submitted directly to these processors; we do not store full card numbers or CVV on our systems. We may retain limited billing details (e.g., name, billing address, last four digits, transaction tokens, amounts, and timestamps) for records, fraud prevention, and tax/accounting. Our processors are responsible for PCI DSS compliance for cardholder data they process on our behalf.
6) Data Retention
We retain PI for as long as necessary to fulfill the purposes described in this policy, to comply with legal/contractual obligations, resolve disputes, protect our rights, and maintain business records. Where specific retention periods are required, we follow them.
CPA-specific retention. Consistent with professional standards and regulatory guidance, we generally retain engagement records for at least seven (7) years, or longer where required (e.g., pending audits/inquiries or legal holds). Tax return source documents may be returned to clients; we may keep copies of workpapers and e-files for our records.
7) Security
We implement technical and organizational measures designed to protect PI against unauthorized access, destruction, loss, alteration, or disclosure. No system is 100% secure; we recommend that you use strong passwords and protect your devices and accounts.
8) International Data Transfers
We primarily process personal information in the United States. If you reside outside the U.S., your information may be transferred to, stored, and processed in the U.S. and in other countries where we or our service providers operate. These locations may have privacy laws that are different from those in your country of residence.
Where required, we use appropriate safeguards such as the EU/UK Standard Contractual Clauses (SCCs) and supplementary measures for cross-border transfers. We do not claim participation in any government-run certification unless expressly stated here after verification.
9) Your Privacy Rights
Your rights depend on your location. Subject to legal limits, you may have the right to:
- Access (know/confirm whether we process your PI and obtain a copy).
- Correct inaccurate PI.
- Delete PI.
- Portability (receive certain PI in a portable format).
- Restrict/Object to certain processing (including targeted advertising or profiling that produces legal or similarly significant effects).
- Withdraw Consent where processing is based on consent.
- Appeal a decision if we decline to act on a request (for applicable U.S. states).
- Non-Discrimination for exercising your rights.
- Limit Use and Disclosure of Sensitive PI (where applicable).
How to Exercise: Email privacy@xdigit.us or info@xdigit.us with your request. We may need to verify your identity and authority. You may use an authorized agent subject to verification. We aim to respond within the timeframes required by law.
10) Marketing Emails & SMS Messaging Consent
Emails. You can opt out of marketing emails by using the unsubscribe link in the message or contacting us. We may still send transactional/administrative emails (e.g., receipts, service notices).
SMS/Text & iMessage. By providing your mobile number to us (e.g., via forms or opt-in checkboxes), you consent to receive text messages via SMS and iMessage from X DIGIT for transactional and (if you opt in) marketing purposes. Message frequency varies. Message and data rates may apply for SMS. Consent is not a condition of purchase. You can opt out at any time by replying STOP; for help, reply HELP or email info@xdigit.us. Carriers are not liable for delayed or undelivered messages. See also our Terms and this Privacy Policy for further details.
10A) Client Messaging (Microsoft Teams, SMS/iMessage)
If you message us via Microsoft Teams or iMessage/SMS (including messages sent from company-issued iPhones), we process the content of your messages and related metadata (e.g., timestamps, recipients, delivery information). We use this information to provide services, maintain records, ensure quality, and comply with professional and legal obligations. For security, please avoid sending sensitive tax or identity documents via SMS/iMessage; instead use our designated secure channels (e.g., client portal or encrypted email links). Where required, we may archive certain communications for record-keeping, dispute resolution, or compliance.
11) Children's Privacy
Our Services are not directed to children under 13 (or the age defined by your jurisdiction). We do not knowingly collect PI from children. If we learn that a child has provided PI, we will delete it and take appropriate steps. If you believe a child provided PI, please contact us.
12) Third-Party Sites and Services
Our Services may link to third-party sites, plugins, or services. Their privacy practices are governed by their own policies. We are not responsible for their content or practices.
13) Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective Date" will reflect the latest version. Material changes will be communicated as required by law (e.g., posting a notice on our site or emailing you). Your continued use of the Services after the effective date constitutes acceptance.
14) Contact Us
If you have questions or concerns, or wish to exercise your rights, please contact:
X DIGIT
Email: info@xdigit.us / privacy@xdigit.us
Address: 3500 W Olive Ave, Suite 300, Burbank, CA 91505, United States
15) Region-Specific Disclosures
A. EEA/UK/Switzerland (GDPR/UK GDPR)
- Controller: X DIGIT.
- Legal Bases: contract, legitimate interests, legal obligations, and consent (as applicable).
- Data Subject Rights: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
- Complaints: You may lodge a complaint with your local supervisory authority.
B. U.S. State Privacy Laws (e.g., CA, CO, CT, VA, UT)
You may have rights to access, correct, delete, receive a copy of your PI, and opt out of targeted advertising, sales, or profiling with legal/significant effects. Submit requests via privacy@xdigit.us.
We honor verifiable opt-out preference signals (e.g., GPC) as required.
If we deny your request, you may appeal by replying to our decision within 30 days; we will inform you of the outcome and how to contact your state attorney general.
California Notice at Collection. We collect the categories of PI listed below for the purposes described in Sections 3 and 5. We do not knowingly sell/share the PI of minors under 16.
Your California Rights: know/access, correct, delete, portability, opt out of sales/sharing, limit sensitive PI, and non-discrimination.
How to Exercise: see Section 9.
Financial Incentives: If we offer discounts or perks for marketing sign-ups, we will describe the material terms, how to opt in/out, and our good-faith method for calculating program value at the point of collection.
16) Processor Services (Business Customers)
When we provide services to a business customer, we handle personal data as a processor/service provider under the customer's instructions. The customer is responsible for providing any required notices to its end users and obtaining any necessary consents. Our processing is governed by our DPA, including standard transfer clauses as necessary.
17) Glossary (Plain Language)
- Personal Information/Personal Data (PI/PD): Information that identifies, relates to, describes, or could reasonably be linked to a particular person or household.
- Sale/Share (US state laws): Disclosing PI to third parties for monetary or other valuable consideration (sale) or for cross-context behavioral advertising (share).
- Targeted Advertising: Ads based on PI obtained across businesses, websites, apps, or services.