Privacy Policy

Last updated: February 16, 2025

1. Introduction

Exoa ("we", "us", "our") provides a document intelligence API that transforms files into LLM-ready structured data. This Privacy Policy explains how we collect, use, and protect your information when you use our website and API services at exoa.ai.

2. Information We Collect

Account Information

When you create an account, we collect your email address and name. If you sign up via Google or GitHub OAuth, we receive your name and email from those providers. Passwords are securely hashed and never stored in plain text.

Uploaded Files

When you use our conversion service, you upload files for processing. Files are processed in memory and stored temporarily to deliver extraction results. We do not retain your files permanently — they are deleted after processing completes unless you choose to keep them in your document library.

Usage Data

We record page counts per conversion for billing purposes. We also log API call metadata (endpoint, method, status code, response time, IP address) for service monitoring and rate limiting.

API Keys

API keys are cryptographically hashed before storage. We never store your raw API key after initial generation.

3. How We Use Your Information

  • To provide, operate, and improve the Exoa service
  • To authenticate your identity and manage your account
  • To track usage for billing (page counts per conversion)
  • To send transactional emails (verification, password resets)
  • To enforce rate limits and prevent abuse
  • To respond to support requests

4. Data Storage & Security

Your data is stored in encrypted PostgreSQL databases. All communication with our API is encrypted via TLS. Session tokens are stored as httpOnly cookies, which client-side scripts cannot read, to limit session token theft through cross-site scripting attacks.

We implement industry-standard security measures including password hashing, API key hashing, rate limiting, security headers, and request timeouts to protect your data.

5. Third-Party Services

We use Stripe to process payments. When you upgrade to a paid plan, your payment information is handled directly by Stripe. We do not store your credit card details on our servers. Stripe's use of your data is governed by their Privacy Policy.

If you sign up via Google or GitHub OAuth, those providers may share your name and email with us in accordance with their own privacy policies.

6. Data Sharing

We do not sell, rent, or share your personal data or uploaded files with third parties. Your uploaded content and extracted output belong to you. We will only disclose information if required by law or to protect our legal rights.

7. Cookies

We use session cookies solely for authentication. These are httpOnly cookies that keep you logged in and are not used for advertising or tracking purposes.

8. Data Retention

Uploaded files are deleted after processing unless you retain them in your document library. Account data is retained for the lifetime of your account. If you delete your account, we will delete your personal data and associated documents within 30 days.

9. Your Rights

  • Access and download your personal data
  • Correct inaccurate information
  • Delete your account and associated data
  • Object to data processing
  • Export your documents

To exercise any of these rights, contact us at the address below.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date.

11. Contact

If you have questions about this Privacy Policy, please contact us at [email protected].