// Privacy

Privacy notice

Plain-language summary, not legal advice — last updated 2026-07-19.

The controller for the data described here is XRaydium (sole trader — Jukka Blomberg), established in Finland. This page lists everything XRaydium actually collects — it was written from the code, not from a template, and it deliberately does not claim anything the platform does not do.

What we collect, and why

Waitlist email address

When you submit the creator waitlist form on the homepage.

Your email address only — nothing else. It is stored in our Upstash database under the key xraydium:waitlist so we can tell you when creator sign-ups open.

Legal basis:
Consent — you chose to submit the form. Withdraw it any time by emailing us.
Kept for:
Until you ask us to remove it, or until the waitlist is retired.

Sign-in email address and session

When you request a magic sign-in link as a creator or a fan.

Your email address, a single-use sign-in token, and a session cookie named xr_session. The token is stored for 15 minutes and destroyed on first use. The cookie is httpOnly, Secure, cryptographically signed, and holds only your email address and an expiry — it cannot be read or forged by scripts in your browser, and it is not used for tracking or advertising.

Legal basis:
Performance of a contract / providing the service you asked for. The session cookie is strictly necessary for signing in.
Kept for:
Sign-in token: 15 minutes. Session cookie: 30 days, or until you sign out.

Creator profile and listings

When you claim a handle and build a storefront.

Handle, display name, bio, niche tag, any links you add, your edit key, your sign-in email, the id of the Stripe account you connect for payouts, and — if you arrived through another creator's invite — that creator's handle. Your profile, bio, links, and listings are public by design; your email, edit key, and Stripe account id are never shown publicly.

Legal basis:
Performance of a contract — this is the storefront you asked us to run.
Kept for:
For as long as your storefront exists. Ask us and we will delete it.

Purchase records

When a fan completes a purchase through Stripe Checkout.

The buyer email Stripe returns to us, the amount, the currency, which item was bought, the sale status (including refunds and membership cancellations), and the Stripe subscription / payment-intent identifiers. We never see or store your card details — those stay with Stripe. When a creator views their own sales, buyer emails are shown masked.

Legal basis:
Performance of a contract (delivering and supporting the purchase) and our legal obligation to keep sales records.
Kept for:
For as long as needed to support the purchase and meet record-keeping obligations.

Storefront view counts

Whenever a public storefront page is rendered.

A single number per storefront that goes up by one. No cookie is set, no visitor is identified, and no per-visitor record exists — it is a counter, and nothing about it can be traced back to you.

Legal basis:
Legitimate interest — giving creators basic, non-identifying visibility of their own traffic.
Kept for:
Indefinitely, as an aggregate count.

Analytics events (Google Analytics 4)

On every page, with three specific events on key actions.

Google Analytics 4 runs site-wide and, like any analytics tool, records standard information such as pages viewed, device and browser type, and an approximate location derived from your IP address. On top of that we send exactly three custom events — waitlist_submit, checkout_start, and purchase. No personal data is included in any of them: they carry only a creator handle, an item id, a button label, a sale amount and currency, and the Stripe session id. We never send your email address, name, or any other identifier to Google Analytics.

Legal basis:
Legitimate interest in understanding how the site is used. You can object at any time (see below), and you can block analytics with your browser settings or Google's opt-out add-on.
Kept for:
As set by Google Analytics' own retention settings for the xraydium.com property.

What we do not do

Who processes data for us

These are the only third parties involved. Some of them process data outside the EU/EEA, in which case the transfer relies on the safeguards in their own data-processing terms.

Stripe
Payments. Stripe hosts the checkout page, collects the buyer's email and card details directly, processes the payment, routes it to the creator's own connected Stripe account, and handles refunds. XRaydium never touches card data.
Upstash
Data storage. The database holding the waitlist, creator records, listings, sale records, sign-in tokens, and view counts.
Resend (or a compatible provider)
Transactional email only — sign-in links and purchase receipts. We do not send marketing email, and this provider is used for nothing else.
Vercel
Hosting. Serves the site and keeps standard server request logs.
Google Analytics
Website analytics, as described above. It receives no personal data from us.

Your rights

Under the GDPR you can ask us to give you a copy of your data (access), correct it (rectification), delete it (erasure), send it to you in a portable format (portability), restrict what we do with it, or stop a use that relies on legitimate interest (objection). Where we rely on consent — the waitlist — you can withdraw it at any time.

Write to hello@xraydium.com and say what you want done. There is no form and no fee. You also have the right to complain to your national data protection authority — in Finland, the Office of the Data Protection Ombudsman.

XRaydium is a fiat monetization platform for digital products and memberships. There is no token, wallet, or investment product. Plain-language summary, not legal advice — last updated 2026-07-19.