Introduction
Exron AI ("we", "us", "our") operates the platform at exron.app and provides AI-powered productivity tools including chat, phone assistance, meeting intelligence, and research services.
This Privacy Policy explains how we collect, use, store, and protect your information when you use our services. By using Exron AI, you agree to this policy.
What We Collect
- Email address
- Full name
- Password (hashed with bcrypt)
- Profile preferences
- Chat conversations
- Agent interactions
- Feature usage patterns
- API request logs
- Google Workspace data (Gmail, Calendar, Drive) — only when you authorize
- Phone call recordings and transcripts
- Meeting transcripts (when agent joins)
- Your own API keys (encrypted with Fernet)
How We Use Your Data
We use your data to:
- Provide, maintain, and improve the service
- Personalize your AI experience and remember context
- Send verification, password reset, and service emails
- Detect abuse, spam, and security threats
- Generate billing records and track usage limits
We do not sell your data. Never have, never will.
Security & Storage
Data is stored in PostgreSQL on secure cloud infrastructure (Railway). All traffic is encrypted in transit. Authentication uses httpOnly, SameSite=None cookies — tokens are never exposed to JavaScript.
Tenant isolation: every per-user table has Postgres Row-Level Security policies enabled. Even if a future code change forgot a WHERE user_id = ? clause, the database itself blocks cross-tenant reads. We swap to a non-superuser role on every authenticated request to ensure RLS engages.
Data retention
We keep different categories of data for different durations, in line with GDPR Article 5(1)(e) (“storage limitation”):
- Active account data (threads, contacts, calendar, memories, documents) — kept while your account is active.
- Deleted accounts — purged within 24 hours of deletion. Cascade delete drops every per-user row + revokes external resources (Google OAuth, Stripe subscription, Twilio number).
- Backups — Railway snapshots roll off after 30 days. A deleted account is fully gone, including backups, by day 31.
- Voice recordings & transcripts — retained 90 days, then auto-deleted unless you explicitly star/save the call.
- Consent records (TCPA / GDPR audit trail) — kept for 7 years per legal-defence requirements. Cannot be deleted with the account.
- Billing records (invoices, payment events) — kept for 7 years per accounting / tax law (also stored at Stripe).
- Application logs (Railway) — rotated every 30 days. PII is scrubbed before logs leave the request handler.
Third-Party Services
We share minimal data with these trusted services to operate Exron AI. The full list — including the exact data each one receives, region, and their privacy policy — lives at /legal/sub-processors.
Your Rights
- Right to deletion (GDPR Art. 17 / CCPA §1798.105) — Permanently delete your account and ALL associated data from Settings → Danger Zone. We immediately cascade-delete every row tied to your user_id AND revoke external resources (Google OAuth, Stripe subscription, Twilio number). No 30-day grace period — delete means delete.
- Right to access (GDPR Art. 15) — Request a copy of all data we hold on you by emailing privacy@exron.app. We respond within 30 days as required.
- Right to rectification (GDPR Art. 16) — Update your profile, name, timezone, and preferences from Settings.
- Right to data portability (GDPR Art. 20) — Download a machine-readable JSON of every per-user record we hold (threads, messages, contacts, calendar, calls, memories, consent records, billing summary) from Settings → Privacy → Export my data. Limited to 3 exports per hour to prevent abuse. Vector embeddings are dropped (not portable to other vendors); everything else round-trips.
- Right to object — Disable any marketing email, disconnect any integration (Google, Discord), or opt out of product analytics from Settings at any time.
- Right to withdraw consent — Recording disclosure for voice calls is gathered live (see how); saying “no” immediately ends the call and prevents future calls to you for 30 days.
Children's Privacy
Exron AI is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has registered, contact us and we will delete the account immediately.
SMS & Voice Data Handling
- Program: Exron AI Notifications — transactional SMS only (verification codes, task reminders, post-call summaries, AI assistant updates).
- Opt-in: explicit toggle in Dashboard → Phone Assistant after email verification. Toggle is not pre-checked.
- Opt-out: Reply STOP anytime to unsubscribe.
- Help: Reply HELP for assistance, or email support@exron.app.
- Message frequency: varies based on user activity — typically 0–5 messages per day.
- Message and data rates may apply from your carrier.
- Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. The only third-party processor of phone numbers is Twilio, our carrier-facing SMS provider, used solely for delivering the messages you opted into. Mobile opt-in data and consent records are never sold.
- Carriers are not liable for delayed or undelivered messages.
Public proof of the opt-in flow (no login required): https://exron.app/sms-consent.
Voice calls made through Exron AI are recorded for transcription and intelligence features. Recordings are encrypted and accessible only to you. Delete them anytime from your phone history.
Policy Changes
We may update this policy as we improve the service. Material changes will be announced via email. Continued use after changes means you accept the updated policy.
Contact Us
Questions, concerns, or data requests?
support@exron.app