Privacy Policy

Last updated: May 4, 2026

Contents

1. Data Controller
2. Data We Collect
3. Purposes and Legal Bases
4. Retention Periods
5. Recipients and Processors
6. International Transfers
7. User Rights
8. Complaints to the AEPD
9. Security Measures
10. Cookies
11. Modifications
12. Contact and DPO

1. Data Controller

Company name: XNET CORE SL (also referred to as XNET CORE SLU)
Tax ID: B75621797
Registered office: Calle Progreso 177, 32350 A Rúa, Ourense, Spain
Contact email: info@ip4.market
Phone: +34 698 189 848
Registration: Mercantile Registry of Ourense
RIPE identifier: es.xnetcore (org ORG-XCS5-RIPE)

2. Data We Collect

2.1 Data from website visitors (https://ip4.market)

IP address, user agent (browser and operating system), preferred language.
Pages visited, dates and times, referer, anonymous interaction events.
Technical cookie identifiers and, subject to consent, analytical cookies.

2.2 Data from registered customers in the panel (https://panel.ip4.market)

Account data: first name, last name, email, password stored with a secure derivation function (bcrypt).
Tax and company data: company name, Tax ID/VAT, billing address, country, contact person and position.
KYC documentation: identification document of the legal representative, deed of incorporation or equivalent documentation, signed KYC form.
Payment data: processed directly by our payment gateway provider Stripe Payments Europe Ltd. XNET CORE SL does not store the card number — only tokenized identifiers (customer_id, payment_method_id) and the last 4 digits.
Operational data: contracted subnets, issued LOAs, BGP announcements, usage metrics, abuse events.
Support communications: emails, tickets and attachments.

3. Purposes and Legal Bases

Purpose	Legal basis (GDPR Art. 6)
Create and manage the customer account	Performance of a contract (Art. 6.1.b)
KYC verification and compliance with Law 10/2010 (AML/CFT)	Legal obligation (Art. 6.1.c)
Invoicing, accounting and tax obligations	Legal obligation (Art. 6.1.c)
Payment processing via Stripe	Performance of a contract (Art. 6.1.b)
Technical provision of the service (LOAs, RPKI, BGP announcements)	Performance of a contract (Art. 6.1.b)
Detection and mitigation of abuse, fraud and blocklists	Legitimate interest (Art. 6.1.f)
Security of the website and infrastructure, access logging	Legitimate interest (Art. 6.1.f)
Analytical statistics with pseudonymized identifiers	Consent (Art. 6.1.a)
Commercial communications from us or third parties	Consent (Art. 6.1.a)
Responding to user rights (access, rectification, erasure, etc.)	Legal obligation (Art. 6.1.c)

4. Retention Periods

Active customer account: while the contract is in force.
Accounting and tax data: 6 years from the last transaction (Commercial Code Art. 30 and General Tax Law).
KYC documentation and AML/CFT transaction records: 10 years from the end of the business relationship (Law 10/2010, Art. 25).
Access and security logs: 12 months, unless an investigation is ongoing.
Analytical cookies: up to 24 months, configurable by the user.
Marketing communications: until consent is withdrawn.

5. Recipients and Data Processors

XNET CORE SL does not transfer personal data to third parties for commercial purposes. We communicate data to the following categories of recipients when strictly necessary:

Recipient	Function	Country	Safeguards
Stripe Payments Europe Ltd	Payment gateway and card tokenization	Ireland	Data processor (Art. 28 GDPR)
Cloudflare, Inc.	CDN, WAF and DDoS protection for the public website	United States	Standard Contractual Clauses (SCCs)
Glitchtip self-hosted	Application error collection	Spain	Internal processor of XNET CORE
Google Ireland Ltd (Google Analytics 4)	Pseudonymized web analytics with consent	Ireland / USA	SCCs + IP truncation
RIPE NCC	Mandatory publication in WHOIS of assigned subnets	Netherlands	RIPE regulations
Competent authorities	When there is a legal obligation (AML/CFT, tax authorities, courts and tribunals)	Spain / EU	Legal obligation

6. International Transfers

Some categories of data may be processed in the United States by our providers Cloudflare, Inc. and Google LLC. Such transfers are covered by the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, where applicable, the Data Privacy Framework. The user may request a copy of the safeguards by writing to info@ip4.market.

7. User Rights

As the data subject, you have the following rights:

Access to your personal data and information about its processing.
Rectification of inaccurate data.
Erasure when no longer necessary or where a legal obligation applies.
Restriction of processing in the circumstances set out in Art. 18 GDPR.
Portability in a structured, commonly used format.
Objection to processing based on legitimate interest.
Withdraw consent at any time, without retroactive effect.
Not to be subject to automated decisions with significant legal effects.

To exercise any of these rights, send an email to info@ip4.market indicating the right exercised and attaching a copy of your identification document. We will respond to your request within a maximum of one month (extendable by two additional months in complex cases).

8. Complaints to the AEPD

If you consider that your rights have not been addressed, you may file a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.

9. Security Measures

Encryption in transit using TLS 1.2/1.3 on all public services.
Password storage using bcrypt (factor 12).
Segregation of production, staging and development environments.
Encrypted backups and periodic rotation.
Role-based access control and auditable log of administrative operations.
Vulnerability management and incident response policy.

10. Cookies

The use of cookies is governed by our Cookie Policy, which details types, purposes and management mechanisms.

11. Modifications

We may update this policy to reflect legal, technical or service changes. Material modifications will be notified to the user by email or through a prominent notice in the panel at least fifteen (15) days in advance.

12. Contact and DPO

XNET CORE SL is not required to appoint a Data Protection Officer (DPO) pursuant to Art. 37 GDPR. For any questions regarding the processing of your data, contact info@ip4.market.