Legal

Privacy Policy

Effective Date: July 5, 2026

1. Introduction & Scope

This Privacy Policy explains how Xata Technologies OPC ("we," "us," or "our") collects, uses, discloses, and protects personal information when you visit systemsthinker.ai (the "Site"), subscribe to the Systems Thinker newsletter, or take the AI Readiness Check. It applies to all visitors and subscribers, regardless of where you access the Site from.

This Policy covers only this Site. Other properties we operate — including xatatech.com — maintain their own privacy notices.

By using the Site, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will seek your consent before collecting or processing your personal information.

2. Who We Are

The Site is operated by:

Xata Technologies OPC
SEC Registration No. 2025080212430-00
Unit 2116-17 21F, Park Triangle Corporate Plaza, BGC, Taguig City, NCR, Philippines 1635

For purposes of the Philippine Data Privacy Act of 2012 ("DPA"), Xata Technologies OPC is the personal information controller for personal information processed through the Site; our Compliance Officer for Privacy can be reached at privacy@xatatech.com. For purposes of the EU/UK General Data Protection Regulation ("GDPR"), we act as the data controller; under the California Consumer Privacy Act as amended ("CCPA/CPRA") we are a "business"; under the Australian Privacy Act 1988 (Cth) we are an "APP entity."

3. What We Collect

  • Contact information you voluntarily provide — your email address — when you subscribe to the newsletter or unlock your AI Readiness Check result.
  • Your AI Readiness Check responses and computed results (dimension scores, overall score, result type, and recommendation), which are linked to the email address you provide at the end of the check.
  • Correspondence you send us, such as email to hello@xatatech.com.
  • Usage and device data collected automatically via Google Analytics 4 and PostHog when analytics is enabled on production deployments — pages viewed, referring URLs, approximate location (derived from IP address), device and browser type, and interaction events. See Section 5.
  • Anti-spam signals from an invisible honeypot field on our forms, which is not personal information about you.

We do not knowingly collect sensitive personal information, government identifiers, financial account details, or precise geolocation through the Site. We do not knowingly collect personal information from children (see Section 11).

4. How and Why We Use It

PurposeWhat we useLegal basis
Send you your AI Readiness Check result and the newsletter content you signed up forEmail address, check responses and resultsConsent (DPA/GDPR); you may opt out at any time
Understand aggregate readiness patterns to improve our educational materialsCheck responses and resultsLegitimate interest
Respond to inquiries you send usEmail content you send usContract negotiation / legitimate interest
Understand how the Site is used and improve itGA4 and PostHog usage dataLegitimate interest (DPA/GDPR); disclosed use (CCPA/CPRA)
Maintain security and prevent abuse of our formsHoneypot signal, request metadataLegitimate interest
Comply with legal obligationsAny of the above, as requiredLegal obligation

5. Cookies & Tracking Technologies

We use Google Analytics 4 ("GA4") to understand aggregate visitor behavior. GA4 may set cookies or use similar technologies to distinguish visitors and sessions, and is loaded only on production deployments of the Site. We do not use advertising or remarketing cookies, and we do not currently operate a cookie-consent banner. You can control or block cookies through your browser settings, or install the Google Analytics Opt-out Browser Add-on. If we begin using tracking technologies that require opt-in consent under applicable law, we will update this Policy and implement the required consent mechanism first.

We also use PostHog, a product analytics service, for the same aggregate-analytics purposes. PostHog is likewise loaded only on production deployments of the Site, is served through a first-party subdomain of the Site (t.systemsthinker.ai), and may use cookies or local storage to distinguish visitors and sessions. Session recording is disabled — PostHog does not capture a replay of your visit — and we do not use it for advertising.

6. Sharing & Disclosure

We do not sell personal information, and we do not share personal information with third parties for cross-context behavioral advertising.

  • We disclose personal information to service providers who process it on our behalf and under our instructions: Google (analytics), PostHog, Inc. (product analytics), and Amazon Web Services (hosting for the Site, our form-processing infrastructure, and our customer relationship management system).
  • Newsletter and readiness-check submissions are stored in our own customer relationship management system, operated by us on AWS infrastructure — they are shared within our organization, including with our implementation business XataTech, and are never sold.
  • We may also disclose information where required by law, in connection with a business transaction (subject to confidentiality protections), or with your consent.

7. International Data Transfers

All infrastructure and resources we operate — including this Site and the systems that store form submissions — reside in the United States (AWS "us-east-1" region), regardless of where you access the Site from. Your information is therefore transferred to and processed in the United States. For visitors in the EEA, UK, or Switzerland, we rely on your consent and/or our legitimate interests together with contractual and technical safeguards with our service providers as the basis for this transfer. For visitors in the Philippines, Australia, and elsewhere, we take reasonable organizational, contractual, and technical measures designed to protect personal information consistent with this Policy, wherever it is processed.

8. Data Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy. Newsletter and readiness-check records are retained until you unsubscribe or request deletion; correspondence is retained per our general business record-keeping practices; GA4 and PostHog data are retained per each provider's default retention settings for our account. When personal information is no longer needed, we take reasonable steps to delete, de-identify, or anonymize it.

9. Your Rights by Region

Philippines — Data Privacy Act of 2012

You have the right to be informed, to access and correct your personal information, to object to processing, to request erasure or blocking, to data portability, and to be indemnified for damages from unlawful processing. Complaints may be filed with the National Privacy Commission at privacy.gov.ph.

European Economic Area, UK & Switzerland — GDPR

You have the right to access, rectify, or erase your personal data; to restrict or object to processing; to data portability; and to withdraw consent at any time. You may lodge a complaint with your local supervisory authority.

United States — CCPA/CPRA and other state privacy laws

You have the right to know what personal information we have collected and why, to request deletion or correction, and to opt out of "sale" or "sharing" — a right already satisfied, because we do not sell or share personal information as those terms are defined. We will not discriminate against you for exercising these rights.

Australia — Privacy Act 1988 (Cth)

You have the right under the Australian Privacy Principles to access and correct personal information we hold about you, and to complain to the Office of the Australian Information Commissioner at oaic.gov.au.

10. How to Exercise Your Rights

Email privacy@xatatech.com with your request and enough information for us to verify your identity and locate your records (for example, the email address you used). We will respond within a reasonable period, and in any event no later than thirty (30) days, except where applicable law permits a longer period or requires a shorter one.

11. Children's Privacy

The Site is intended for business audiences and is not directed at children under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will delete it promptly.

12. Security

We implement reasonable technical and organizational measures designed to protect personal information from unauthorized access, use, alteration, or disclosure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Policy from time to time. The Effective Date above reflects the latest revision; material changes will be noted on this page. Continued use of the Site after a revised Policy is posted constitutes your acknowledgment of the update.

14. Governing Law & Venue

This Policy is governed by the laws of the Republic of the Philippines. The courts of Taguig City, Metro Manila, Philippines have exclusive jurisdiction and venue over any dispute, without prejudice to mandatory rights you may have in your local courts or before your local data protection authority.

15. Contact Us

Xata Technologies OPC
Unit 2116-17 21F, Park Triangle Corporate Plaza, BGC, Taguig City, NCR, Philippines 1635
privacy@xatatech.com