Privacy Policy

XO Ruby PRIVACY AND SECURITY POLICY

This document explains our policies and practices regarding your information and how we will treat it. Please read it carefully. By using the Service you accept and agree with the terms of the XO Ruby Privacy and Security Policy (the “Policy”).

XO Ruby Overview
XO Ruby is an event and entertainment production company responsible for creating digital and in-person events. Our platform allows people to find connection in their communities and enhance their craft while XO Ruby focuses on sweating the details that bring them all together. XO Ruby applies security best practices and manages platform security so customers can focus on their business. 

Security Assessments and Compliance

PCI

We use Stripe, a PCI-compliant payment processor, to encrypt and process credit card payments.

Physical Security

XO Ruby uses cloud providers such as Ghost.org. Ghost.org’s infrastructure is hosted in secure, professional data centers designed to safeguard customer data and ensure continuous service. All Ghost(Pro) servers are located in Amsterdam, The Netherlands, within facilities that adhere to strict local government standards for security and privacy.

These data centers implement multiple layers of physical security:

  • The premises are staffed 24/7/365 with onsite security personnel to prevent unauthorized entry.
  • Security cameras monitor both the exterior and interior of the facility, including all areas of the data center itself.
  • Access to the building is controlled by biometric readers and requires at least two-factor authentication for entry.
  • Facilities are unmarked to avoid drawing unwanted attention and further reduce risk.

Access is strictly limited to authorized personnel. All visitors and contractors must present identification, are signed in, and are continuously escorted while on site. These measures ensure that only individuals with a legitimate business need can access sensitive infrastructure, and all access is logged and monitored.

Ghost Foundation is committed to maintaining the highest standards of physical and operational security to protect your data and ensure the reliability of its services.

Data Security

Our site hosted on Ghost.org is designed with robust security measures to protect your data and ensure system stability. Ghost employs modern security best practices, including regular penetration testing, external security audits, and continuous peer review of its open-source codebase by security experts.

All Ghost sites operate in secure, isolated environments that prevent unauthorized access between applications or system areas. This isolation protects processes, memory, and file systems, and is reinforced by host-based firewalls that restrict unnecessary network connections.

Key security features include:

  • Automatic SSL Certificates: All Ghost sites are automatically configured with SSL certificates via Let’s Encrypt, ensuring encrypted traffic between your site and its visitors.
  • Standardized Permissions: Server directory permissions are automatically set according to OWASP standards, minimizing the risk of unauthorized access.
  • Brute Force Protection: Login and password reset attempts are limited to five per hour per IP address to protect against brute force attacks.
  • Password Security: All passwords are securely hashed and salted using bcrypt, following OWASP authentication standards.
  • Two-Factor Authentication: Optional email-based two-factor authentication adds an extra layer of account protection.
  • SQL Injection and XSS Prevention: Ghost uses safe query builders and escapes all user input to prevent SQL injection and cross-site scripting attacks.
  • Data Validation: Strong validation and serialization are applied to all data, with automated protection for uploaded files.

Ghost also maintains up-to-date dependency management and performs regular security updates to further safeguard your data.

For more technical details on Ghost’s security architecture and practices, please refer to the Ghost Security documentation.

Customer Security Best Practices

Encrypt Data in Transit 

Enable HTTPS for applications and SSL database connections to protect sensitive data transmitted to and from applications.

Authentication 

To prevent unauthorized account access, use a strong passphrase for your XO Ruby user account and store passwords securely to prevent disclosure.

Privacy 

Privacy of the XO Ruby website is of great importance to us. Because we store important information used by our customers, we have established this Policy as a means to communicate our information gathering and dissemination practices. We reserve the right to change this Policy at any time. Customers may view the latest privacy policy at any time either by viewing it on our website or requesting that it be emailed.

Collected Information

In order to provide and allow you to use the Service offered on our Site (collectively, the "Service"), we collect several types of information from you that identify, reference, or could reasonably be linked, directly or indirectly, with you or your device (“Personal Information”). In particular, we have collected the following categories of information from our customers in the last 12 months:

| Category | Examples | Collected? |
| --- | --- | --- |
| A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | Y |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security Number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information in this category may overlap with other categories. | Y |
| C. Protected classification under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | N |
| D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | N |
| E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait or other physical patterns, and sleep, health, or exercise data. | N |
| F. Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | Y |
| G. Geolocation data | Physical location or movements. | N |
| H. Sensory data | Audio, electronic, visual, thermal, olfactory, or other similar information. | N |
| I. Professional or employment-related information | Current or past job history or performance evaluations. | N |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 24 C.F.R. Part 99)) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | N |
| K. Inferences drawn from other personal information | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | N |

The term “Personal Information” does not include: 

  • Publicly available information from government records; 
  • Deidentified or aggregate consumer information; or 
  • Information excluded from the California Consumer Privacy Act’s (“CCPA”) scope, like (i) health or medical information covered by HIPAA and CMIA; and (ii) personal information covered by certain sector-specific laws, including the FRCP, GLBA, FIPA, and the Driver’s Privacy Protection Act of 1994.

The Personal Information we collect on or through the Service may include: 

  • Name, company name, address, phone number, and e-mail address;
  • Billing information, such as billing name and address, credit card number.

We collect Personal Information when you express interest in attaining additional information, or when you register for the Service. Customers can opt out of providing this additional information by not entering it when asked.

How We Use Your Information 

We may use or disclose the Personal Information that we collect for one or more of the following business purposes: 

  • To set up the Service 
  • To contact customers to further discuss customer interest in our company and the Service we provide
  • To send information regarding our company or partners, such as promotions and events 
  • To fulfill or meet the reason you provided the information 
  • To provide support, personalize, and develop the service 
  • To create, maintain, and customize your account with us
  • To process your requests, purchases, transactions, and payments and to prevent transactional fraud 
  • To provide you with support and to respond to your inquiries, including to investigate and address concerns and monitor and improve our responses
  • For testing, research, analysis and product development
  • To respond to law enforcement requests and as required by applicable law, court order, or other governmental regulations 
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets in which personal information held by us is among the assets transferred
  • To enforce or apply agreements, including for billing and collection purposes
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of our employees, clients, customers or others
  • To our subsidiaries and affiliates
  • To our contractors, service providers, and other third parties we use to support our business
  • For any other purpose with your consent 

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice. We may disclose aggregated information about users, and other information that does not identify any individual, without restriction.

All financial and billing information that we collect through the Site is used solely to check the qualifications of prospective customers and to bill for the Service. This billing information is not used by XO Ruby for marketing or promotional purposes.

Cookies

When you interact with the Service we strive to make that experience easy and meaningful. When you come to our Web site, our Web server may send a cookie to your computer. Cookies are files that Web browsers place on a computer's hard drive and are used to tell us whether customers and visitors have visited the Site previously. Standing alone, cookies do not identify you personally. They merely recognize your browser. Unless you choose to identify yourself to the Service, either by responding to a promotional offer, opening an account or registering for a demo, you remain anonymous to XO Ruby.

Cookies come in two flavors: session and persistent-based. Session cookies exist only during an online session. They disappear from your computer when you close your browser software or turn off your computer. Persistent cookies remain on your computer after you've closed your browser or turned off your computer. They include such information as a unique identifier for your browser.

XO Ruby uses session cookies containing encrypted information to allow the system to uniquely identify you while you are logged in. This information allows XO Ruby to process your online transactions and requests. Session cookies help us make sure you are who you say you are after you've logged in and are required in order to use the Service application. We are especially careful about the security and confidentiality of the information stored in persistent cookies. For example, we do not store account numbers or passwords in persistent cookies. Users who disable their Web browsers' ability to accept cookies will be able to browse our Marketing Website but will not be able to successfully use our Service.

Third Party Cookies: We may from time to time engage third parties to track and analyze non-personally identifiable usage and volume statistical information from visitors to our Service to help us administer our Service and improve its quality. Such third parties may use cookies to help track visitor behavior. Such cookies will not be used to associate individual visitors to any personally identifiable information. All data collected by such third parties on behalf of XO Ruby is used only to provide us with information on Service usage and is not shared with any other third parties.

Third Party Services and Sharing Personal Information

XO Ruby may disclose your personal information to a third party for a business purpose (or sell your personal information, subject to your right to opt-out of those sales (see Opt-Out Rights)). When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The CCPA prohibits third parties who purchase the personal information we hold from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales. We share your personal information with the following categories of third parties:

  • Postmark
  • Ghost.org
  • Stripe

The third-party services and your provision of information to and storage of your data with such services are subject to those third-parties’ applicable terms and policies.

Disclosures of Personal Information for a Business Purpose 

In the preceding 12 months, we have not disclosed personal information for a business purpose.

Sale of Personal Information

In the preceding 12 months, we have not sold personal information. 

Your Rights and Choices 

Access to Specific Information and Data Portability Rights 

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request we will delete (and direct our service providers to delete) your personal information from our records unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to: 

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, or take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform the Services.
  • Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for such activities. 
  • Debug products to identify and repair errors that impair existing intended functionality. 
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us. 
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provide it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights, please submit a verifiable consumer request to us by emailing us at xoruby@beflagrant.com.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12 month period. The verifiable consumer request must: 

  • Provide sufficient information that allows us to reasonably verify you are the person we collected personal information on. 
  • Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it. 

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us. 

Response Timing and Format
We endeavor to respond to verifiable consumer requests within 45 days of receipt. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response to you by mail or electronically, at your option. Any disclosures we provide will only cover the 12 month period preceding the verifiable consumer request’s receipt. If applicable, we will also provide reasons we cannot comply with your request. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information. We do not charge a fee to process or respond to a verifiable consumer request unless it is excessive, repetitive, or unfounded. If we determine a fee is warranted, we will provide you with an estimate before completing your request.

Personal Information Sales Opt-Out and Opt-In Rights
If you are 16 years of age or older, you have the right to direct us not to sell your personal information (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time. To exercise the right to opt-out, you may submit a request by sending an email to xoruby@beflagrant.com with the title “Do Not Sell My Personal Information”. You may opt back in to personal information sales at any time by sending an email to xoruby@beflagrant.com.

Non-Discrimination 
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not: 

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you with a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level of quality of goods or services.

Children Under the Age of 13
The Service is not intended for children under 13 years of age, and no one under age 13 may provide any information to or through the Service. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on or through the Service, including any information about yourself (such as name, address, email or telephone number). If we learn that we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information.

Your California Privacy Rights
California Civil Code § 1798.83 permits users of the Service who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to xoruby@beflagrant.com with “Request for California Privacy Information” in the subject line and in the body of your message. We will provide the requested information to you at your email address in response.

International Users
If you are accessing the Service from the European Union, Asia, or any other region with laws or regulations governing personal data collection, use, and disclosure that differ from United States laws, please be advised that through your continued use, which is governed by the law of the United States and this Policy, you will be transferring your personal information into the United States and you consent to that transfer.

Correcting & Updating Your Information

If customers need to update or change registration information they may do so by editing the user or organization record. To update a User Profile, log on to the Service and update the user account section. To update billing information please e-mail xoruby@beflagrant.com or call +1 (844) 435-2472. To discontinue the Service, email or call the number above.

Changes to XO Ruby’s Privacy Policy
It is our policy to post any changes made to the Policy on this page. If we make material changes to how we treat users’ personal information, we will notify you at the address we have on file for you. You are responsible for ensuring we have an up-to-date active and deliverable email address for you. Do not assume that the Policy has not changed since you last used the Service. The date the Policy was last revised is identified at the bottom of the page.

Contact Us
Questions regarding this Policy or the practices of this Service should be directed to XO Ruby by:

  • E-mailing such questions to xoruby@beflagrant.com.
  • Sending regular mail addressed to XO Ruby, 296 Beech St, Oxford, WI.
  • Calling us at +1 (844) 435-2472.

Last Modified 
April 17, 2025