Legal

Privacy

Working version - last reviewed 2026-06-03

EXO stores tenant data in a multi-tenant Supabase project hosted in the EU region (Ireland). Every table that holds tenant data carries Row Level Security policies that restrict reads + writes to that tenant's authenticated users.

Data we collect: workspace settings, agent conversations, client briefs, audit outputs, integration tokens (encrypted at rest), telemetry events (page views + action types, no PII).

Data we DO NOT collect: third-party tracker advertising IDs. We do not sell personal data to any third party, and no training data is sent to model providers (Anthropic + OpenAI requests use zero-retention API paths).

Sub-processors: Supabase (data hosting), Vercel (web hosting), Anthropic (Claude model inference), OpenAI (model inference), Stripe (payments), Resend (transactional email), Sentry (error telemetry, scrubbed of PII), Slack (founder + ops notifications).

Data retention: workspace data is retained while the subscription is active plus 30 days after cancellation, then deleted on request or automatically after 90 days. Backups are retained for 30 days, encrypted.

Your rights: access, rectification, erasure, portability. Full data export available from any tenant's settings page or by request.

The full legal document lands when EXO Ltd incorporates. The summary above describes how we actually operate today.

Questions, data-subject requests, or enterprise-specific addendums: hello@exo-ai.ai