This Privacy Policy describes how ExoChat ("ExoChat", "Company", "we", "us", or "our") collects, uses, processes, stores, and protects information in connection with our websites, applications, AI orchestration platform, APIs, and related services ("Services").
We are committed to ensuring the highest standards of privacy, data protection, transparency, and security, in line with global regulations including GDPR (EU), UK GDPR, CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and other applicable data protection laws.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable individual (also "Personal Information" under CCPA).
- "Processing" — any operation performed on Personal Data, whether automated or manual.
- "Customer" — entity or individual using ExoChat Services that determines purposes and means of processing.
- "End Users" — individuals who interact with Customer's AI flows built on ExoChat.
- "Controller" — entity determining purpose and means of processing. Customer acts as Controller for Customer Data.
- "Processor" — entity processing on behalf of Controller. ExoChat acts as Processor for Customer Data.
- "LLM Providers" — third-party AI model vendors (OpenAI, Anthropic, Google, Azure OpenAI).
- "AI Interaction Data" — prompts, messages, outputs, logs, state transitions, metadata processed through ExoChat.
- "Sub-Processors" — third-party service providers engaged by ExoChat.
- "Data Subject" — individual whose Personal Data is processed.
2. Roles & Responsibilities
2.1. ExoChat as Data Processor
For Customer Data, ExoChat acts as Processor. We process only on documented instructions, do not use data for our own purposes, implement security measures, assist with data protection obligations, and delete or return data upon request.
2.2. ExoChat as Data Controller
For website visitors, marketing, account management, and billing, ExoChat acts as Controller. We determine what data to collect and how to process it.
2.3. Customer Responsibilities
Customers as Controllers must ensure lawfulness, obtain consents, provide privacy notices, handle Data Subject requests, minimize data, define retention, and secure credentials. A Data Processing Agreement (DPA) is mandatory for Customers processing Personal Data.
3. Data We Collect
3.1. Information Provided by Customers (Controller)
Account information (name, email, password, company, phone, profile), billing & payment information, service configuration (FSM flows, prompts, API keys), support & communications.
3.2. AI Interaction Data (Processor)
When Customers use Services: input data (prompts, context, files), output data (AI responses, structured data), metadata (timestamps, transitions, token usage). Customers control logging, anonymization, retention (1–90 days), and data locality.
3.3. Automatically Collected Data (Controller)
Technical information (IP, browser, OS, device), usage analytics, security & diagnostic data.
3.4. Cookies & Tracking
Strictly necessary cookies (no consent required), functional cookies (consent-based), analytics cookies (opt-in). We do NOT use third-party advertising cookies, cross-site tracking, or social media pixels. Manage preferences via cookie settings.
4. How We Use Collected Information
Service delivery (platform operation, authentication, billing, support), legal & compliance, marketing (with consent). We do NOT: train on Customer Data, sell Personal Data, use data for advertising, share with data brokers, or use one Customer's data for others.
5. AI Model Providers & Data Flow
AI Interaction Data may be transmitted to OpenAI, Anthropic, Google, Azure OpenAI, or self-hosted LLMs per Customer configuration. We do not store prompt/output data unless logging is enabled. Major LLM providers (Enterprise) do not train on API data. Data may be processed in US, EU, or Customer-specified regions. Customers control provider selection, geographic restrictions, and can use self-hosted models.
6. Lawful Basis for Processing (GDPR)
Contract (Art. 6(1)(b)): Account management, service delivery, billing. Legitimate interests (Art. 6(1)(f)): Security, anonymized analytics, business operations. Consent (Art. 6(1)(a)): Optional cookies, marketing. Legal obligation (Art. 6(1)(c)): Tax, regulatory, court orders. We generally do not process special categories unless authorized by Customer with appropriate legal basis.
7. Sub-Processors
We engage Sub-Processors (AWS, Azure, GCP, Stripe, SendGrid, Sentry, Plausible, Cloudflare) under DPAs. We notify 30 days in advance of changes; Customers may object within 15 days.
8. International Data Transfers
We use Standard Contractual Clauses (SCCs), adequacy decisions, and BCRs. Additional safeguards: TLS 1.3, AES-256, access controls, data minimization. We conduct Transfer Impact Assessments. Enterprise customers can request EU-only hosting.
9. Data Retention & Deletion
Retention: Account data until deletion; AI logs 1–90 days (configurable); billing 7 years; backups 30–90 days; security logs 1–3 years. Deletion: Access disabled immediately; production deleted within 7 days; full deletion within 30 days; purged from backups within 60 days. Right to erasure: we comply within 30 days unless legal obligations apply. Export via dashboard or API.
10. Security Practices
Aligned with ISO 27001, SOC 2. Technical: AES-256 at rest, TLS 1.3 in transit, RBAC, MFA, zero-trust, firewalls, WAF, IDS, secure SDLC, penetration testing. Organizational: background checks, security training, access reviews, vendor due diligence, incident response plan, disaster recovery. Customers must protect credentials, enable MFA, and report incidents to info@exo-chat.com.
11. Incident Response
In case of breach: notify affected Customers within 72 hours (GDPR), provide breach details, comply with CCPA and other jurisdictions. Response: containment, investigation, risk assessment, notification, remediation, documentation. We assist Customers with their breach notification obligations.
12. Your Rights
GDPR: Access, rectification, erasure, restriction, portability, object, withdraw consent, lodge complaint. CCPA: Right to know, delete, correct, opt-out of sale (we do not sell), limit sensitive data use, non-discrimination. We honor rights under LGPD, PIPEDA, POPIA, etc. To exercise: email info@exo-chat.com, dashboard Account Settings, or mail to Keemia tn 4, 10616 Tallinn, Estonia. End Users: contact the Customer (Controller). Response: GDPR 1 month, CCPA 45 days.
13. Customer Responsibilities
Ensure lawful collection, privacy notices, consent management, data subject rights handling, data minimization, credential protection, MFA, incident reporting, export controls, DPA compliance.
14. Children's Privacy
We do not knowingly collect from children under 16 (or 13 in US). Services are not directed to children. Customers building child-accessible services must obtain parental consent, implement age verification, and comply with COPPA/GDPR Art. 8. Inadvertent collection: we delete and notify. Contact info@exo-chat.com.
15. Automated Decision-Making
ExoChat provides tools; Customers are responsible for compliance. We do not make automated decisions with legal effects in our operations. Customers using automated decisions must inform Data Subjects, provide human intervention, and conduct DPIAs where required. AI limitations (bias, inaccuracy, hallucinations) mean human oversight is recommended for high-stakes decisions.
16. Business Transfers
Personal Data may transfer in merger, acquisition, or asset sale. We notify 30 days in advance; data remains protected; successor bound by this Policy. You may delete data before transfer.
17. Changes to This Policy
We may update this Policy to reflect changes in law, new features, or feedback. Material changes: 30 days notice by email and dashboard. You may terminate with pro-rata refund if you disagree. Non-material changes effective upon posting.
18. Contact Information
ExoChat / Stamina AI OÜ
Keemia tn 4, 10616 Tallinn, Estonia
Email: info@exo-chat.com
By using ExoChat Services, you acknowledge that you have read, understood, and agree to the data practices described in this Privacy Policy. Contact info@exo-chat.com for questions. Last updated November 18, 2025.
