Privacy Policy

Effective Date: June 12, 2026
Last Updated: June 12, 2026
Version: 2.0

Review status: This policy is a content draft published for
public transparency. It has not yet been reviewed by a US privacy attorney.
Material legal terms (retention windows, processor list, regulator citations)
will be confirmed before being treated as a final binding statement.

1. Who we are

Mineral Rights Xchange (“MRX”, “we”, “us”, or “our”) operates the website
mineralrightsxchange.com and provides free, no-obligation
underwriter reviews for Texas mineral-rights owners. Our business address is
200 N Loraine St, Suite 1450, Midland, TX 79701, United States.
You can reach our privacy team at
underwriter@mineralrightsxchange.com
or +1 (432) 400-6198.

2. Scope of this policy

This Privacy Policy describes the personal information MRX collects through
this website, by phone, by email, and through our GoHighLevel-powered booking
and contact forms, and how we use, share, retain, and protect that
information. It applies to all visitors and to anyone who contacts us to
request an underwriter review, schedule an appointment, or otherwise
communicates with our team.

This policy does not cover information you may share with third
parties we link to (e.g., social-media platforms, banking processors, or
royalty-payment platforms). Those parties have their own privacy practices.

3. Personal information we collect

We collect the following categories of personal information, depending on
how you interact with us:

  • Identifiers and contact data: name, email address, phone
    number, mailing address, county / state of residence, and any identifier
    you choose to share.
  • Mineral-rights and property data: county, section, survey,
    abstract, royalty interest, working interest, lease status, operator name,
    and any documents (deeds, division orders, leases) you voluntarily upload or
    describe to us.
  • Financial information you provide: the rough range of
    income expectations you describe, ownership percentages, and bank or
    payment instructions only when you have agreed to a transaction with us.
  • Commercial information: records of the services we have
    provided, communications history, and notes from your underwriter review.
  • Internet and device activity: IP address, device and
    browser type, referring URL, pages visited, and timestamps, collected via
    cookies, web server logs, and Google Analytics as described in
    Section 6.
  • Audio / call recordings: if you call our team and the
    call is recorded, you will be notified at the start of the call. Recordings
    are stored only as long as needed to document your underwriter review and
    are not used for marketing.
  • Inferences: a high-level underwriter review (e.g.,
    “your interest appears to qualify for further review”) generated from the
    inputs you provide.

We do not knowingly collect personal information from
children under 18, and we do not collect biometric data, government-issued
ID numbers, or precise geolocation data.

4. Sensitive data and Texas TDPSA disclosures

The Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541,
“TDPSA”) became enforceable on
July 1, 2024. The TDPSA gives Texas residents additional
rights over the personal data we collect, and it requires us to obtain your
consent before processing “sensitive data”.

Under the TDPSA, “sensitive data” includes:

  • Government-issued identifiers (SSN, driver’s license, passport);
  • Financial account credentials and debit / credit card numbers;
  • Precise geolocation;
  • Race, ethnicity, religious beliefs, or biometric data used to uniquely
    identify you;
  • Health information;
  • Sex life or sexual orientation data.

MRX’s current practice is to avoid collecting TDPSA-sensitive data
whenever possible.
Where collection is necessary (for example, a bank
routing number needed to issue a royalty payment), we collect the minimum
necessary, use it only for the stated purpose, and delete it once the
business purpose is complete. We do not process sensitive data for the
purpose of inferring characteristics about you, and we do not sell
sensitive data.

Texas residents have the additional TDPSA rights listed in
Section 9, including the right to appeal any
decision we make about a privacy request within 60 days.

5. California rights — CCPA / CPRA “Do Not Sell or Share”

If you are a California resident, the California Consumer Privacy Act
(“CCPA”) as amended by the California Privacy Rights Act
(“CPRA”) gives you the following rights:

  • Right to know what personal information we have collected
    about you, the categories of sources, the business or commercial purposes,
    and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected
    from you, subject to the CCPA’s exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of your personal
    information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information to
    only what is necessary to provide the requested service.
  • Right to non-discrimination for exercising any of the
    above rights.

We do not sell your personal information for money. We may
nonetheless “share” (as defined by the CPRA) limited information with
advertising or analytics services, and you have the right to opt out of
that sharing at any time. To exercise this right, you can either:

We will respond to verifiable consumer requests within 45 days as required
by Cal. Civ. Code § 1798.130.

6. GDPR (EU / EEA / UK) disclosures

We do not currently market services to residents of the European Economic
Area, the United Kingdom, or Switzerland, and we do not operate a
business establishment in those jurisdictions. If you are located in the
EEA, UK, or Switzerland and you contact us, we will treat the personal
information you provide under the standards of the EU General Data
Protection Regulation (“GDPR”, Reg. (EU) 2016/679) and the
UK GDPR, including:

  • Lawful bases for processing: consent (where you have
    asked us to contact you), performance of a contract, compliance with a
    legal obligation, and our legitimate interests in operating a transparent
    underwriter business.
  • Data-subject rights: access, rectification, erasure,
    restriction of processing, data portability, and the right to lodge a
    complaint with your supervisory authority.
  • International transfers: if you submit information from
    outside the United States, it will be transferred to and processed in the
    United States, where data-protection laws may differ from those in your
    home jurisdiction.

7. Cookies and tracking technologies

We use a small number of cookies and similar technologies on
mineralrightsxchange.com. The exact set loaded on any given page depends
on the page, your browser, and whether you have signed in.

Strictly necessary cookies (set without consent under most
privacy frameworks, including the ePrivacy Directive):

  • __cf_bm (Cloudflare bot management) — HttpOnly,
    SameSite=None, Secure. Expires 30 minutes after the last visit. Used by
    Cloudflare to distinguish humans from bots.
  • WordPress authentication cookies (e.g., wordpress_logged_in_*)
    — set only when you sign in to the WordPress admin area; not present
    for normal visitors.

Analytics cookies (set by Google through the gtag.js
snippet installed by Google Site Kit; identifier
GT-WFMD2MXW):

  • _ga, _ga_* — first-party analytics
    cookies used to distinguish unique visitors and to throttle request rate.
    Retention is the Google Analytics 4 default (2 months for
    _ga).

Embedded third-party content (loads cookies / sends data
to the embedded service when the relevant block is rendered):

  • GoHighLevel booking widget at
    api.leadconnectorhq.com/widget/booking/... and GoHighLevel
    contact form at
    api.leadconnectorhq.com/widget/form/... — these set
    session and load-balancer cookies necessary to render the appointment
    calendar and form.
  • GoHighLevel email-form embed at
    link.msgsndr.com/js/form_embed.js — loaded only when an
    inline email-capture form is present.

Our site does not currently deploy Facebook / Meta, LinkedIn Insight Tag,
TikTok Pixel, Microsoft Clarity, or Hotjar. The Organization JSON-LD on
our homepage links to our public X, Facebook, Instagram, and LinkedIn
profiles; visiting those profiles is governed by the privacy policy of
the relevant platform, not this one.

Your choices: you can block or delete cookies in your
browser at any time. Most modern browsers also offer a
“Do Not Track” or “Global Privacy Control” setting; we honour browser
opt-out signals for advertising sale / sharing where technically feasible.
If you are a California resident, you can use the
Do Not Sell or Share form to opt out of
analytics sharing.

Cookie consent banner: we are in the process of deploying a
cookie-consent management platform that will block non-essential cookies
until you grant consent, in line with TDPSA, CCPA, and (where applicable)
GDPR requirements. Until that banner is live, the strictly-necessary
cookies above are set on every page; analytics cookies are set by default
but can be blocked at the browser level.

8. Third-party processors and service providers

We share personal information with a small set of service providers who
help us operate our business. Each provider is contractually required to
protect the data on our behalf:

  • Cloudflare, Inc. — content-delivery network, DNS,
    and bot management. Processes IP address, user agent, and request
    metadata. Privacy policy.
  • GoHighLevel (LeadConnector HQ, Inc.) — booking
    calendar, contact form, email and SMS automations, and CRM. Processes
    contact identifiers, appointment details, and the contents of any
    messages you send us. Privacy policy.
  • Automattic / WordPress.com (hosting stack) — the
    website is built on WordPress; some media and assets are served from
    storage.googleapis.com (Google Cloud Storage bucket
    content-assistant-images-persistent) used to host images
    generated for the site.
    Automattic privacy policy.
  • Google LLC — Google Analytics 4 and Google Tag
    (gtag.js), both configured through the Google Site Kit plugin. Google
    acts as a processor for analytics.
    Google privacy policy.
  • MetaSync — a WordPress plugin installed on the
    site to assist with content optimisation; sets a first-party analytics
    identifier in the browser.
  • Twilio / MessageBird (sub-processors of GoHighLevel)
    — used to deliver SMS notifications you have explicitly requested.
  • Professional advisors — attorneys, accountants,
    and underwriters we engage on a need-to-know basis, each bound by
    professional confidentiality duties.
  • Authorities — law enforcement, regulators, and
    courts, when we are legally required to disclose information.

We do not sell personal information to data brokers, and we do not allow
third-party processors to use the data we share for their own purposes
beyond operating the service on our behalf.

9. How long we keep your information (retention)

We retain personal information only for as long as needed to provide our
services and to satisfy the legal, accounting, and reporting obligations
that apply to a US business:

  • Inquiry and lead records (name, email, phone,
    notes from initial contact): up to 24 months from the
    date of last contact, unless a longer retention is required by law.
  • Underwriter reviews (the documents, calculations, and
    report you receive): up to 7 years from the date of the
    review, to support any subsequent transaction and to satisfy IRS
    record-keeping guidance for US trade-or-business records.
  • Transaction records (any royalty or interest sale
    paperwork, KYC, payment instructions): up to 7 years
    from the close of the tax year in which the transaction occurred.
  • Call recordings: up to 12 months, unless
    a recording is part of a dispute or formal review, in which case it is
    retained until the matter is closed.
  • Server logs (IP, user agent, request URL): up to
    90 days, after which they are aggregated or deleted by
    our hosting provider.
  • Analytics data (Google Analytics 4): the default GA4
    retention of 2 months for event data, which may be
    extended to 14 months for new users if you do not opt out.

When the retention period ends, we securely delete or de-identify the
information, unless a legal hold or ongoing dispute requires us to
preserve it for longer.

10. Your privacy rights and how to exercise them

Depending on where you live, you may have some or all of the following
rights. We extend the substantive rights below to all visitors,
not just residents of the named jurisdictions:

  • Access / right to know — request a copy of the
    personal information we hold about you.
  • Deletion / erasure — ask us to delete personal
    information, subject to the exceptions in the relevant law (e.g., active
    transactions, legal-hold records).
  • Correction / rectification — ask us to correct
    inaccurate information.
  • Opt out of sale or sharing — for California,
    Colorado, Connecticut, Virginia, Utah, Texas, and other US states that
    grant this right. Use the
    Do Not Sell or Share form.
  • Limit use of sensitive data (CCPA, TDPSA).
  • Data portability (GDPR Art. 20) — receive a
    machine-readable copy of the data you provided to us.
  • Non-discrimination — we will not penalise you
    for exercising any privacy right.

To exercise any of these rights, email
underwriter@mineralrightsxchange.com
with the subject line “Privacy Request”. We will respond within
45 days (CCPA / CPRA) or 30 days (TDPSA / GDPR),
with a one-time extension of up to 45 additional days where the request
is complex. We may need to verify your identity before fulfilling the
request, which may require matching at least two data points you have
previously provided to us (for example, email and phone).

TDPSA appeal right: if we decline your Texas request, you
have the right to appeal that decision within 60 days. Send your appeal
to the same address with the subject line “Privacy Request — Appeal”,
and we will respond in writing.

11. Security measures

We use administrative, technical, and physical safeguards designed to
protect personal information against unauthorised access, disclosure,
alteration, and destruction. These include:

  • HTTPS / TLS encryption for all traffic between your browser and
    mineralrightsxchange.com (terminated at the Cloudflare edge).
  • Cloudflare bot-management and rate-limiting to mitigate credential
    stuffing and scraping.
  • Least-privilege access controls on WordPress admin and GoHighLevel;
    only the founders and one contracted underwriter have access to
    identifiable lead records.
  • Two-factor authentication on every administrative account that can
    reach personal data.
  • Quarterly review of user accounts and access logs.
  • Encrypted backups of the website database, stored in
    storage.googleapis.com with bucket-level access controls.

No system is perfectly secure. If you have reason to believe your
interaction with us is no longer secure (for example, you believe an
account credential has been compromised), please contact us immediately
using the details in Section 14.

12. Breach notification

In the event of a data breach affecting your personal information, we
will:

  1. Investigate and contain the incident without unreasonable delay.
  2. Notify the affected individuals without unreasonable delay and, where
    required by state law (including Tex. Bus. & Com. Code
    § 521.053 for Texas residents), within 60 days of
    becoming aware that the breach occurred.
  3. Provide the information required by the applicable statute: a
    description of the breach, the type of data involved, steps you should
    take to protect yourself, and the steps we are taking to address it.
  4. Notify the Texas Attorney General and any other applicable state
    attorney general or regulator when the breach triggers a statutory
    notification threshold.

13. Children’s privacy

Our services are not directed to children under 18, and we do not
knowingly collect personal information from children. Mineral rights are
a legal interest that can be held by a minor, but in those cases the
parent, guardian, or court-appointed representative is the party
communicating with us on the minor’s behalf. If you believe we have
collected information from a child in error, please contact us so we can
delete it.

14. Changes to this policy — version history

We will post any material changes to this policy on this page, update
the “Last Updated” date, and where the changes are significant, notify
you by email (if we have an active relationship with you) or by a
prominent banner on the homepage.

Version history:

  • v2.0 — June 12, 2026. Comprehensive rewrite.
    Added effective / last-updated dates, cookie inventory, CCPA / CPRA
    opt-out link, TDPSA-sensitive-data disclosures, GDPR section, third-party
    processor list, retention table, security measures, breach-notification
    commitments, children’s-privacy statement, and version history.
    Pending US privacy-attorney review.
  • v1.0 — June 9, 2026. Initial short-form policy
    published in conjunction with site launch.

15. How to contact us

If you have any questions about this policy, our privacy practices, or
your rights, please contact us:

© 2026 Mineral Rights Xchange. All rights reserved.