Privacy Policy

We collect what we need to run Exocorp for you. We don’t sell your data. We don’t train AI models on it. Our business model is Credits, not your information.

For the AI part of your exocorp specifically: we use a BYOK (bring-your-own-key) model. Your agents call language-model providers through your own provider accounts. The token traffic doesn’t pass through us. The model provider’s privacy practices apply to that traffic, not ours.

The rest of this page goes into specifics.

Account information. When you sign up, we collect your name, email, and any organization details you provide.

Usage information. How you interact with the platform — what exocorps you provision, configuration changes, lifecycle actions you take, approvals you grant, comments you write, audit events.

Exocorp data. The data your exocorp generates and stores in its runtime — teams, mandates, work items, runs, knowledgebase entries, workspace files. We host this so the exocorp can use it. It belongs to you.

Payment information. Card details and billing addresses are collected and processed by our third-party payment provider. We don’t store full card numbers on our servers; we store a payment-method token and the billing metadata needed for invoicing and refunds.

Technical information. IP address, browser type, device information, and access timestamps when you use the service. Used for security, debugging, and basic operational analytics.

Some things would be useful to us but we’ve chosen not to collect them. So you know:

• Model API token traffic. Your exocorp’s prompts, model responses, and the agent-to-model chatter go through your own provider account. We route the calls but don’t inspect or store the payloads.
• Cross-exocorp data. Each exocorp runs in an isolated runtime. We don’t aggregate data across customers’ exocorps for any purpose.
• Third-party advertising trackers. We don’t use ad networks or behavioral profiling.
• Training data. We don’t use your exocorp’s data, your configurations, or your usage patterns to train AI models. Period.

We use your information to:

• Provide, operate, and improve Exocorp
• Process Credit top-ups, run auto-refill, and handle refunds
• Send transactional communications — billing receipts, security notices, service alerts
• Detect, prevent, and respond to fraud, abuse, and security incidents
• Comply with legal obligations

We don’t send marketing email unless you opt in. If you do and change your mind, every email has an unsubscribe link.

Exocorp orchestrates AI agents that act on behalf of your exocorp. Here’s where the data actually flows:

• Inside your runtime: the agent’s working state, memory, and the work it does live in your exocorp’s isolated runtime. We host the runtime but the data belongs to you.
• To your model provider: when an agent calls a language model, the call goes from your runtime directly to the model provider you configured (using your API keys). The provider sees those prompts and responses; we don’t.
• To auxiliary services: if your exocorp uses plugins or other third-party services (Twilio, Postmark, etc.), those services see the data your exocorp sends them. Their privacy practices apply.

We don’t use your inputs, outputs, or any of your exocorp’s activity to train models — ours or anyone else’s.

We share information only when one of these applies:

• Service providers we use to run Exocorp. Payment processing, infrastructure hosting, error monitoring, email delivery. These providers see only the data they need to do their job, and they’re contractually required to handle it confidentially.
• Legal compliance. If we’re required to disclose information by law, regulation, court order, or government request, we’ll do so — and we’ll notify you when we’re legally permitted to.
• Business transfers. If Exocorp is acquired or merges with another company, your information may transfer to the new entity, subject to this policy or one with at least equivalent protections.

We don’t sell personal information. We don’t share it with advertisers or data brokers.

We use industry-standard measures to protect your information — encryption in transit and at rest, access controls, audit logging, regular security review.

No system is perfectly secure. We’ll notify you promptly if a security incident affects your data. If you spot a vulnerability, please report it to support@exocorp.ai with [Security] in the subject.

While your account is active, we keep your information for as long as needed to run the service.

When you close your account:

• Your exocorp’s runtime data is retained for up to 90 days so you can recover the account if you change your mind or export data after the fact
• After 90 days, runtime data is deleted. Backups are purged within 30 days of that
• Some records (billing, tax, audit logs needed for compliance) are retained longer where law requires — typically 7 years for tax records

We use essential cookies to keep you signed in and to remember basic preferences. We don’t use cookies for advertising or for tracking you across other sites.

We use a basic, privacy-respecting analytics tool to understand aggregate platform usage — how many people visit a docs page, where they navigate from. The data is aggregate and doesn’t identify you individually.

If you’re in the EU, EEA, or UK, you have rights under the GDPR. If you’re in California, you have rights under the CCPA. Most other jurisdictions have similar laws. The rights enumerated below apply regardless of where you are.

Your data may be transferred to and processed in jurisdictions where we or our service providers operate. Where the law requires, we use standard contractual clauses or equivalent mechanisms to keep your data protected during transfer.

You have the right to:

• Access the personal information we hold about you
• Correct information that’s inaccurate or incomplete
• Delete your information (subject to legal retention requirements)
• Export your information in a portable format
• Restrict or object to certain kinds of processing
• Withdraw consent for processing based on consent (where applicable)

To exercise any of these, email support@exocorp.ai from the account’s email address. We’ll verify your identity and respond within 30 days — usually faster.

Exocorp isn’t directed at children under 18 and isn’t suitable for minors’ use. We don’t knowingly collect personal information from anyone under 18. If we discover we have, we’ll delete it.

We may update this policy as the service evolves or as legal requirements change. When we make material changes, we’ll notify you by email or through the service. The version at the top of this page is the current one.

Questions about this policy or your data? Email support@exocorp.ai or use the contact page.