Who we are
exAI, Inc. is a Delaware C-corporation registered at 251 Little Falls Drive, Wilmington, DE 19808, United States. Our operating offices are in Athens (Marousi, 15125), Berlin (Mitte, 10117), and San Francisco (Mission, 94110). When this policy says "we", "us", or "exAI", it means exAI, Inc. and its wholly-owned operating subsidiaries — exAI GmbH (Germany) and exAI Hellas IKE (Greece). The legal entity that controls your data depends on where your account was created; the section below lists the contact points for each.
For all privacy correspondence, write to privacy@exai.cloud. For postal mail, address the Data Protection Officer at our Athens office (Agiou Konstantinou 40, 15124 Marousi, Greece). We answer inside ten business days. For an EEA representative under GDPR Art. 27 and a UK representative under UK-GDPR, see § 11.
What we collect
We organize what we hold about you into three categories. The boundaries are real: each category is governed by a different legal basis, retained for a different period, and accessible to a different set of internal roles. The categories are listed below, with the specific elements inside each.
What is needed to give you an account, bill it, and support it.
- Name, work email, company
- Hashed password (Argon2id)
- IdP claims (SAML / OIDC sub, groups)
- Billing address, last-4 PAN, VAT ID
- Support tickets and their attachments
Whatever you put into a workspace. Yours under the contract; we are a processor.
- Source code, files, secrets you mount
- Prompts, tool inputs, model completions
- Diffs, branches, commit metadata
- Workspace logs and stdout / stderr
- Files generated by Builder and Composer
Aggregate operational signals from the runtime — never the contents of your code.
- API latency p50 / p95 / p99
- Error rates and stack frame hashes
- Workspace boot, snapshot, idle counts
- Feature usage at the action level
- User-agent, IP (truncated), region
Why we use it
Three reasons, no fourth. We do not sell personal data. We do not rent it. We do not train models on your workspace data — not on inputs, not on outputs, not on byproducts. The processing purposes that do exist break down into three columns.
- Authenticate sessions and authorize calls
- Boot, snapshot, and bill workspaces
- Route prompts to the model you selected
- Diagnose errors using opt-in stack-frame hashes
- Capacity-plan from aggregate workspace counts
- Measure feature adoption at the action level
- Retain audit logs for SOC 2 and ISO 27001
- Respond to lawful disclosure requests
- Honor sanctions and export-control screening
Legal bases
For users in the EEA, the UK, and Switzerland, processing happens under one of the five GDPR Article 6 legal bases below. CCPA, LGPD, and PIPEDA equivalents are mapped onto these in the underlying records of processing activities (RoPA), available to your DPO under NDA.
- (a) Performance of contract — Art. 6(1)(b): Processing required to deliver the workspace, the IDE, the agent runtime, the orchestrator, and the support service you signed an order form for. Without this, there is no service.
- (b) Legitimate interests — Art. 6(1)(f): Limited operational uses balanced against your rights — fraud and abuse detection, runtime telemetry, security monitoring, internal analytics. We document each balancing test on file (LIA), available to your DPO under NDA.
- (c) Consent — Art. 6(1)(a): Used only where the law requires opt-in. Examples: marketing email to free-tier users, optional research-program participation, non-essential cookies. Consent is granular, recorded with a timestamp, and withdrawable in one click.
- (d) Legal obligation — Art. 6(1)(c): Tax records, sanctions screening, retention of audit logs to meet SOC 2 and ISO 27001 control objectives, and compliance with binding regulatory orders. We narrowly scope these processes and review them annually.
- (e) Vital interests — Art. 6(1)(d): Used only in the rare case where life or physical integrity is at risk — a credible safety threat surfaced through a workspace, for example. Has never been invoked in production; documented for completeness.
Sharing
We share personal data with three kinds of third parties: sub-processors who help us run the service, professional advisers under confidentiality, and authorities where the law compels us. We do not sell personal data, and we do not share it with advertisers — there is no advertising stack on this product.
The full, current list of sub-processors with entity name, region, purpose, and DPA links is published on the Trust Center — /trust — and updated within 30 days of any material change. The categories below summarize the live list.
Retention
Retention is set by category, not by mood. The defaults below are aligned to GDPR storage-limitation, HIPAA recordkeeping, and the control objectives of SOC 2 and ISO 27001. Where a category can be shortened by a tenant administrator, the "control" column says so.
- Workspace artifacts (code, files, diffs) | Your control · default for life of workspace | Delete via UI or API · purged within 24h
- Prompts and completions | 0-day default · configurable up to 30 days | Tenant-level retention setting
- Audit logs | 7 years · configurable upward to 10 | Immutable · WORM storage · hash-chained
- Account data | Life of account + 30 days | Deletion request honored within 30 days
- Billing records | 10 years · tax-law obligation | Cannot be deleted before period
- Telemetry (aggregate) | 13 months | Rolled up to monthly aggregates after 90 days
Your rights
The rights below are guaranteed under GDPR (EEA, UK), CCPA / CPRA (California), LGPD (Brazil), PIPEDA (Canada), and parallel regimes where applicable. They are honored regardless of where you live — we apply the strictest standard globally.
- 01 Access: Get a copy of the personal data we hold about you, in machine-readable form.
- 02 Rectification: Correct inaccurate or incomplete data — directly in-product or via a request.
- 03 Erasure: Have your personal data deleted, subject to legal-retention floors (audit, billing).
- 04 Restriction: Pause our processing while a complaint or correction is being resolved.
- 05 Portability: Export your account and workspace data as JSON or tar.zst at any time.
- 06 Objection: Object to processing on legitimate-interests grounds; we honor unless overridden.
- 07 Automated-decision opt-out: We do not run solely-automated decisions with legal effect; you can confirm in writing.
Children
The exAI service is not directed at users under 16, and we do not knowingly collect personal data from minors. Our customer is, in all cases, a working engineering team or an enrolled enterprise — not a consumer audience. Account creation requires confirmation that the registrant is at least 16 (or 18 in jurisdictions where that is the local age of digital consent).
If you are a parent or guardian and you believe a minor has created an account or that we hold data about a minor, write to privacy@exai.cloud and we will delete the account and all associated data within ten business days. We do not market to children, do not profile them, and do not run age-gated experiments on the service.
Cookies & similar tech
We use three categories of browser-side storage. There are no advertising trackers, no third-party retargeting, and no cross-site identifiers anywhere on this product. The cookie banner exposes per-category controls that take effect immediately.
Required to keep you signed in, route traffic to the right region, and stop CSRF and session-fixation attacks.
Anonymous timing for page loads, action latency, and error rates. Used to tune the runtime, never to identify you.
Remember your theme, your language, your sidebar layout, and which model you last selected in Composer.
Updates
We notify you by email and in-product banner at least 30 days before any material change to this policy takes effect. "Material" means a change to who controls the data, what we collect, why we use it, who we share it with, or how long we keep it. Editorial fixes (typos, link rot, clearer wording) are listed in the changelog without notice.
The current version is shown at the top of this page. Each prior version remains accessible at /privacy?v=YYYY-MM-DD for at least 36 months after supersession.
- 2026-04-01: Added LGPD mapping in § 07. Cut prompts/completions retention default from 24h to 0d. Added EU-representative and UK-representative blocks in § 11.
- 2025-10-15: Restructured into 11 numbered sections with per-section anchor IDs. Published machine-readable sub-processor list at /trust. Documented vital-interests basis for completeness.
- 2025-04-01: First public version of this policy. Established 0-day prompt retention as a contractual default. SOC 2 Type II reissued with privacy as an in-scope criterion.
Contact
For privacy questions, rights requests, or breach notifications, please reach out via the channel that matches your jurisdiction. We acknowledge inside 72 hours and respond substantively inside 30 days — usually inside ten business days.