Privacy Policy
Last updated: 2026-05-05
EXO is an AI-powered marketing operations platform built for performance marketing agencies and the brands they work with. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights you have over it. We wrote this to be readable — if anything is unclear, email us at jonny@realreturnmarketing.co.uk.
1. Who we are
EXO is currently operated by Real Return Marketing Ltd., a company registered in England & Wales. Real Return Marketing Ltd. is the data controller responsible for the personal data described in this policy. EXO is in the process of being incorporated as a separate legal entity (EXO Operations Ltd.); when that completes, this policy will be updated and controller responsibilities will transfer.
Contact for any data-protection questions: jonny@realreturnmarketing.co.uk.
2. The data we collect
Account data
When you or a teammate creates an EXO account, we collect: name, email address, role within your organisation, password (hashed; we never see plaintext), authentication tokens, and basic usage logs (which features you use, when, from what device).
Tenant data
Inside your EXO workspace ("tenant"), you create records about your business and your clients — briefs, voice cards, strategic context, agent conversations, and notes. This data belongs to your organisation. We process it to provide EXO's services to you.
Integration data
When you connect an external platform (Meta Ads, Google Ads, Shopify, Klaviyo, Google Analytics), EXO pulls the data needed to produce intelligence on your behalf:
- Meta Ads: ad account metadata, campaign and ad performance metrics, creative assets, audience definitions. We do not read your messages, contacts, or personal Facebook profile data.
- Google Ads: account metadata, campaign performance, keyword performance, conversion data.
- Shopify: orders, customers (email, name, address), products, inventory, reports. We do not access your storefront content beyond what is required for analytics.
- Klaviyo: account metadata, campaign and flow performance, segment metadata, profile counts. We do not export individual subscriber profiles.
- Google Analytics 4: property metadata and aggregated event metrics.
Site usage data
We collect minimal product analytics (which pages you visit inside EXO, how long you stay, which features you click) to improve the product. We do not run third-party advertising trackers on the EXO platform.
3. How we use your data
- To provide EXO's intelligence and recommendations to you and your team
- To produce per-tenant analyses, audits, briefs, and chat responses
- To compute aggregate, fully-anonymised benchmarks across our customer base (a tenant is never identifiable in benchmark data)
- To bill you for your subscription
- To investigate security incidents and prevent abuse
- To comply with legal obligations
We do not sell your data. We do not use your tenant data or integration data to train third-party models. AI providers we use (Anthropic) operate under zero-retention API contracts where applicable, meaning prompts and completions are not used to train their models.
4. Sub-processors
We use carefully selected sub-processors to deliver EXO. Each is bound by data processing agreements and is GDPR-compliant where required:
- Anthropic — large-language-model API (data passes through but is not retained for training)
- Supabase — database, authentication, file storage (EU/UK region)
- Vercel — application hosting and edge delivery
- Stripe — payment processing
- Resend or equivalent — transactional email
- Sentry — error monitoring
A current sub-processor list is maintained and we will give reasonable advance notice of any change. Email us for the up-to-date list.
5. International transfers
Where data leaves the UK or EEA (e.g. when transferred to Anthropic in the United States), we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR and EU GDPR.
6. How long we keep data
- Account data: for the lifetime of your account, deleted within 30 days of account closure
- Tenant data: for the lifetime of your subscription; deleted within 30 days of subscription termination unless you request earlier deletion
- Integration data: refreshed on schedule; data older than 24 months is automatically pruned unless required for active analysis
- Billing records: retained 7 years to satisfy UK tax law
- Backups: encrypted and rotated; deleted on a 30-day cycle
7. Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to certain processing
- Receive your data in a portable, machine-readable format
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority
To exercise any of these rights, email jonny@realreturnmarketing.co.uk. We respond within 30 days.
8. Security
We protect data with: encryption in transit (TLS) and at rest, role-based access within EXO, row-level security on every database table, OAuth state validation, secret rotation, audit logs of admin access, and regular vulnerability monitoring. No system is perfectly secure, but we treat security as a first-order concern.
9. Cookies
We use essential cookies for authentication and session management. We use minimal first-party analytics cookies to understand product usage. We do not use third-party advertising or cross-site tracking cookies on the EXO platform.
10. Changes to this policy
We may update this policy. Material changes will be communicated by email to account admins at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change.
11. Contact
Real Return Marketing Ltd. (operating EXO)
Email: jonny@realreturnmarketing.co.uk