Privacy Policy

Last updated: 2026-05-21

EXO is an AI-powered marketing operations platform built for performance marketing agencies and the brands they work with. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights you have over it. We wrote this to be readable — if anything is unclear, email us at hello@exo-ai.ai.

1. Who we are

EXO is operated by EXO AI Ltd, a company registered in England & Wales (incorporated 2026-05-06). EXO AI Ltd is the data controller responsible for the personal data described in this policy.

Contact for any data-protection questions: hello@exo-ai.ai.

2. The data we collect

Account data

When you or a teammate creates an EXO account, we collect: name, email address, role within your organisation, password (hashed; we never see plaintext), authentication tokens, and basic usage logs (which features you use, when, from what device).

Tenant data

Inside your EXO workspace ("tenant"), you create records about your business and your clients — briefs, voice cards, strategic context, agent conversations, and notes. This data belongs to your organisation. We process it to provide EXO's services to you.

Integration data

When you connect an external platform (Meta Ads, Google Ads, Shopify, Klaviyo, Google Analytics), EXO pulls the data needed to produce intelligence on your behalf:

  • Meta Ads: ad account metadata, campaign and ad performance metrics, creative assets, audience definitions. We do not read your messages, contacts, or personal Facebook profile data.
  • Google Ads: account metadata, campaign performance, keyword performance, conversion data.
  • Shopify: orders, customers, products, inventory, reports. See the dedicated Shopify subsection below for scope-by-scope detail, retention, and deletion behaviour.
  • Klaviyo: account metadata, campaign and flow performance, segment metadata, profile counts. We do not export individual subscriber profiles.
  • Google Analytics 4: property metadata and aggregated event metrics.

Shopify — scopes, use, retention, and deletion

Where you connect a Shopify store to EXO, the following scopes are requested under your authorisation and used as described. Every scope is read-only; EXO does not modify your store, orders, customers, products, or inventory.

  • read_orders — order metadata (date, value, line-item summary, fulfillment + financial status) used by the Piper agent to compute true return-on-ad-spend across Meta, Google, TikTok, Snapchat, and Pinterest, and by the Ellis agent to map customer lifecycle (time-to-second-order, repeat-purchase rate, segment LTV). We do not contact customers and do not export order line-items beyond aggregate counts.
  • read_customers — customer counts, repeat-purchase rate, and aggregate segment membership used for retention strategy and lifecycle segment analysis. We do not export individual customer profiles, do not store customer PII content (names, addresses, phone numbers, order-line PII), and do not contact customers.
  • read_products — product catalog (title, description, images, variants, sales velocity) used by the Cleo agent to surface top-converting concepts and recommend ad creative tied to your catalog, and by the Marcus agent for promotion strategy.
  • read_inventory — inventory levels used as a safety check to suppress agent recommendations that would push out-of-stock SKUs. Inventory is queried on demand at recommendation time and is not persisted long-term.
  • read_reports — Shopify Analytics Reports used for cross-channel attribution triangulation against Meta-pixel-attributed conversions and direct order data. Results are stored in aggregate; no per-customer report rows are persisted.

Shopify data is fetched via the Shopify Admin GraphQL API, encrypted at rest in our Postgres database (Supabase, EU/UK region) under per-tenant Row Level Security, and never shared with third parties beyond the sub-processors listed in §4. Sub-processors receive only the data needed to deliver EXO's service to you — typically aggregate metrics or anonymised prompts to the language-model API.

EXO implements all four Shopify mandatory webhooks. Each is HMAC-verified against the Shopify client secret using a timing-safe comparison, idempotent (replay-protected via the X-Shopify-Webhook-Id header), audit-logged, and returns HTTP 200 within Shopify's 5-second window:

  • app/uninstalled — marks your Shopify integration as revoked and triggers cascade deletion of all Shopify-derived data within 48 hours.
  • customers/data_request — logs the request and confirms what data we hold (none of the requested PII content; only aggregate metrics).
  • customers/redact — logs the request; because we do not hold customer PII content, there is nothing to delete beyond the audit log.
  • shop/redact — hard-deletes every database row tied to the shop domain, including snapshots, audits, and integration metadata.

Site usage data

We collect minimal product analytics (which pages you visit inside EXO, how long you stay, which features you click) to improve the product. We do not run third- party advertising trackers on the EXO platform.

3. How we use your data

  • To provide EXO's intelligence and recommendations to you and your team
  • To produce per-tenant analyses, audits, briefs, and chat responses
  • To compute aggregate, fully-anonymised benchmarks across our customer base (a tenant is never identifiable in benchmark data)
  • To bill you for your subscription
  • To investigate security incidents and prevent abuse
  • To comply with legal obligations

We do not sell your data. We do not use your tenant data or integration data to train third-party models. AI providers we use (Anthropic) operate under zero-retention API contracts where applicable, meaning prompts and completions are not used to train their models.

4. Sub-processors

We use carefully selected sub-processors to deliver EXO. Each is bound by data processing agreements and is GDPR-compliant where required:

  • Anthropic — large-language-model API (data passes through but is not retained for training)
  • Supabase — database, authentication, file storage (EU/UK region)
  • Vercel — application hosting and edge delivery
  • Stripe — payment processing
  • Resend or equivalent — transactional email
  • Sentry — error monitoring

A current sub-processor list is maintained and we will give reasonable advance notice of any change. Email us for the up-to-date list.

5. International transfers

Where data leaves the UK or EEA (e.g. when transferred to Anthropic in the United States), we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR and EU GDPR.

6. How long we keep data

  • Account data: for the lifetime of your account, deleted within 30 days of account closure
  • Tenant data: for the lifetime of your subscription; deleted within 30 days of subscription termination unless you request earlier deletion
  • Integration data: refreshed on schedule; older than 24 months is automatically pruned unless required for active analysis
  • Shopify data: cascade-deleted within 48 hours of app/uninstalled webhook receipt and immediately on shop/redact webhook receipt; you can also disconnect a Shopify store from the EXO integrations panel at any time to trigger the same deletion
  • Billing records: retained 7 years to satisfy UK tax law
  • Backups: encrypted and rotated; deleted on a 30-day cycle

7. Your rights

Under UK GDPR and EU GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to certain processing
  • Receive your data in a portable, machine-readable format
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority

To exercise any of these rights, email hello@exo-ai.ai. We respond within 30 days.

8. Security

We protect data with: encryption in transit (TLS) and at rest, role-based access within EXO, row-level security on every database table, OAuth state validation, secret rotation, audit logs of admin access, and regular vulnerability monitoring. No system is perfectly secure, but we treat security as a first-order concern.

9. Cookies

We use essential cookies for authentication and session management. We use minimal first-party analytics cookies to understand product usage. We do not use third-party advertising or cross-site tracking cookies on the EXO platform.

10. Changes to this policy

We may update this policy. Material changes will be communicated by email to account admins at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change.

11. Contact

EXO AI Ltd (operating EXO)
Registered in England & Wales
Email: hello@exo-ai.ai