Website and settings
IP address, technical browser and device information, selected language, cookie consent and data necessary for website security.
LEGAL
Privacy Policy
This policy explains how Xicorta processes personal data when you visit the website, create an account, use the demo or use the CRM platform on behalf of a company.
Policy draft: 1.0Prepared: 4 June 2026
Before commercial launch
We will publish the full legal details of the Xicorta operator, the official data request address, the providers actually used and final retention periods that depend on the infrastructure and contracts activated.
1. About this policy
Xicorta is a software platform for companies working with vehicles, including car rental, sales and import. This policy applies to the public website, client account, demo access, support services and, within the limits explained below, data hosted in customer companies' CRM workspaces.
This policy is prepared with regard to applicable personal data protection law in the Republic of Moldova, including Law No. 133/2011 while it remains applicable and Law No. 195/2024 on personal data protection, applicable from 23 August 2026. Where Regulation (EU) 2016/679 (GDPR) applies to a processing activity, we will comply with its relevant requirements.
2. Who we are and how to contact us
The platform operates under the Xicorta brand. The operator's complete legal identity, registered office and registration information will be completed on this page before the service is commercially provided.
Until final details are published, privacy questions may be sent to [email protected].
3. The roles of Xicorta and the customer company
Xicorta does not have the same role for all data. This distinction is important for understanding who decides how data is used and who is responsible for that use.
| Situation | Who determines the purpose | Xicorta's role |
|---|---|---|
| Website visit, registration, Xicorta account, subscription, support and cookie consent | Xicorta | Controller of the data, to the extent provided by law. |
| Data uploaded by a company into the CRM about its customers, employees, contracts, payments or vehicles | Customer company | Platform provider and, where applicable, processor acting on the customer's instructions. |
| Exporting, copying or sharing CRM data by the company's users | Customer company | Xicorta does not decide recipients and does not control use outside the platform. |
| Technical logs, security, abuse prevention and protection of the platform | Xicorta | Controller for its own security and operation purposes. |
4. Xicorta is a tool. Responsibility for data entered by customers
A customer company may upload to its CRM workspace information about individuals, documents, contracts, payments and other information required for its operations. The customer company decides what data it collects, why it uses that data, who receives access and whether it exports or shares the data further.
The customer company is responsible for having a lawful basis for collecting, uploading and using this data, informing data subjects, obtaining consent where required, keeping data accurate and granting access only to authorised persons.
Xicorta does not pre-review the legality of every document uploaded by a customer, does not determine what information a customer must request from its own clients and is not responsible for copying, exporting, publishing or distributing data carried out by the customer company or its users outside the platform's control.
This does not remove Xicorta's responsibility for its own obligations: the operation and security of the platform within our control, compliance with applicable documented instructions and lawful processing of data for which Xicorta determines the purpose.
Rule for customers
Do not upload personal data, documents or confidential information to Xicorta unless you have a lawful right to obtain and use them in your company's operations.
5. Data we may process
Account and access
Name, email address, phone number, company, role, protected authentication data, email verification and access actions.
Demo and requests
Information submitted for demo access or contact, demo session information and technical activity necessary to manage the session.
Subscription and billing
Selected plan, modules, order status, billing details and payment confirmations, if payments are activated.
Support and communications
Messages you send to us and information needed to reply to or resolve a request.
Customer CRM data
Information about the company's customers, employees, vehicles, contracts, documents, payments and operations uploaded to its workspace.
Xicorta is intended for professional use by companies and authorised representatives. We do not intentionally provide services to minors. A customer company remains responsible if it enters data concerning minors or categories of data requiring additional protection into the CRM.
6. Purposes and legal bases of processing
| Purpose | Examples | Basis used, where applicable |
|---|---|---|
| Providing the platform | Account, sign-in, cabinet, CRM access, demo and support | Performance of a contract or steps before entering a contract |
| Subscription administration | Plans, modules, billing and payment statuses | Contract and accounting/tax legal obligations, where applicable |
| Security and abuse prevention | Authentication, logs, form protection and incident investigation | Legitimate interests and applicable legal obligations |
| Optional cookies | Analytics or marketing, only if connected in the future | Consent under the Cookie Policy |
| Data hosted in the CRM | The customer company's operations involving its own customers and employees | Documented instructions of the customer company and the applicable contract/DPA |
7. Demo
The Xicorta demo is intended to evaluate the platform through working scenarios. Data in demonstration scenarios is fictional. Do not enter real personal data, identity documents, payment information or confidential company or customer information into the demo.
Demo sessions are temporary and must not be used for permanent storage of operational data.
8. Who may receive data
To the extent needed to provide the service, data may be accessible to technical suppliers assisting with hosting, operational email delivery, payment processing, security and maintenance. The providers actually connected and their roles will be disclosed before their activation in the commercial environment where relevant for transparency.
We may disclose data to authorities or other recipients where required by law, necessary to address a legitimate request or necessary to protect the rights and security of the platform.
External analytics and advertising services are not currently connected. Details are available in our Cookie Policy.
9. International transfers
The final hosting location and infrastructure providers will be disclosed before commercial launch. If data is transferred outside the jurisdiction where a person benefits from legal protection, we will use the safeguards required by applicable law. Where GDPR applies, these may include an adequacy decision or standard contractual clauses and supplementary measures where necessary.
10. How long we retain data
Account and commercial relationship data will be retained for as long as required to provide the service and afterwards only for as long as necessary for legal obligations, invoicing, resolving disputes or protecting rights. CRM data will be returned, deleted or retained in accordance with the contract and the data processing agreement applicable to the customer company.
Retention periods for cookies currently used are published in our Cookie Policy. Final retention periods for accounts, logs, support and CRM data will be completed before commercial launch after infrastructure and the contractual model are confirmed.
11. How we protect data
Xicorta designs the platform with separated company workspaces, role-based access, authentication controls and technical measures for protecting website and CRM operations. No internet transmission or storage can be considered completely risk-free.
Customer companies must also properly manage employee accounts, passwords, access rights, exports and documents uploaded to their own CRM workspace.
12. Your rights
Depending on applicable law and the circumstances, you may request access to data, rectification, erasure, restriction of processing, portability, objection to certain processing and withdrawal of consent where processing relies on consent.
If your request concerns data entered into the CRM by a customer company, please contact first the company that collected your data. Xicorta will assist the customer company within its legal and contractual obligations.
For data processed directly by Xicorta, you may send a request to [email protected]. To protect information, we may request reasonable details to confirm the requester's identity.
13. Complaints and applicable law
You have the right to submit a complaint to a competent supervisory authority. In the Republic of Moldova, the relevant authority is the National Center for Personal Data Protection (CNPDCP). Official information is available at datepersonale.md.
Where GDPR applies, you may also contact the competent supervisory authority in the European Economic Area. The GDPR text is available through EUR-Lex.
14. Data Processing Agreement for CRM customers
For commercial CRM use involving real personal data of a customer company, the hosted-data relationship must be supplemented by contractual terms and, where required, a Data Processing Agreement (DPA) describing the subject matter, duration, types of data, instructions, security, subprocessors and deletion or return of data.
15. Changes to this policy
We will update this policy when platform functions, providers, legal requirements or data handling change. The version and update date will be shown on this page. Where a change requires new consent, it will be requested before the relevant processing is activated.