/ 01 Who We Are
ThemeXtra ("we", "us", "our") is an independent business operating the website at themextra.com. We sell Bootstrap themes for industry-specific use cases.
For GDPR purposes, we are the Data Controller for personal data collected via this website.
/ 02 Data We Collect
We collect only what is necessary to deliver our service:
- Account data: Email address, hashed password, name (optional).
- Purchase data: Items purchased, license keys, invoice details, country (for VAT).
- Payment data: Processed by our payment provider — we never see or store full card numbers.
- Usage data: IP address, browser type, pages visited, anonymized analytics.
- Communication data: Emails sent to support, contact form submissions.
/ 03 How We Use Your Data
- To deliver the themes you purchased and provide download access.
- To generate invoices and comply with tax laws.
- To send you order confirmations, license keys, and update notifications.
- To provide customer support when you contact us.
- To improve our website (via anonymized analytics).
- To detect and prevent fraud or abuse.
/ 04 Legal Basis (GDPR)
We process your personal data under the following legal bases:
- Contract performance — to fulfill your purchase.
- Legal obligation — for tax and accounting records.
- Legitimate interest — for fraud prevention, security, and service improvement.
- Consent — for marketing emails and non-essential cookies (you can withdraw consent anytime).
/ 05 Sharing & Third Parties
We do not sell your data. We share data only with the following processors, each bound by GDPR-compliant agreements:
- Payment processor (Stripe / Iyzico) — for processing payments.
- Email provider (Postmark / SendGrid) — for transactional emails.
- Hosting provider — for storing your account and order data.
- Analytics (Plausible / Fathom — privacy-focused, no personal data) — for site usage statistics.
We may disclose your data if legally required by court order or government request.
/ 06 Data Retention
- Account data: Kept while your account is active. Deleted within 30 days of account deletion.
- Invoices: Retained for the period required by tax law (typically 7-10 years).
- Support emails: Retained for 2 years.
- Analytics: Aggregated, no personal identifiers retained beyond 12 months.
/ 07 Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion, except where law requires retention.
- Portability — receive your data in a machine-readable format.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time for any consent-based processing.
- Lodge a complaint — with your local Data Protection Authority.
To exercise any of these rights, contact us at privacy@themextra.com. We respond within 30 days.
/ 08 Cookies
We use a minimal set of cookies:
- Essential cookies — for login sessions, shopping cart, security. Cannot be disabled.
- Analytics cookies — privacy-focused, anonymized. You can opt out anytime.
We do not use advertising cookies or tracking pixels.
/ 09 Contact / DPO
For privacy concerns, data requests, or questions about this policy:
- Email: privacy@themextra.com
- Subject line: Use "GDPR Request" for faster routing.
Notice: This is a template document. Before going to production, have a qualified attorney in your jurisdiction review and adapt this to your specific business and applicable laws.
Questions? Contact us →