Section 01
Who We Are
Exobase ("we," "our," or "us") operates an AI-powered operating system for founders accessible at exobase.ai. For GDPR purposes, Exobase acts as the data controller for personal data you provide directly to us. Where we process data on your behalf (e.g., data in your workspace), we act as a data processor.
Privacy contact: privacy@exobase.ai
ℹ️
Controller vs. Processor
Controller = we decide what data to collect and why (account info, billing).
Processor = we process data you send through the platform on your instruction (your customers' data, project files).
Section 02
AI Disclosure (EU AI Act)
Exobase OS is an AI-powered platform. When you use our service, you interact with autonomous AI agents. In compliance with the EU AI Act (Regulation 2024/1689), effective August 2025, we disclose:
🤖
You are interacting with AI
All agents within Exobase OS are artificial intelligence systems — not human workers. Every automated decision with material effect on you is subject to your review in the Approval Inbox before it takes effect. You retain full human oversight and the right to override any AI-generated output.
AI-Generated Content
Code, marketing copy, financial forecasts, and other outputs generated by our AI agents may not be independently verified for accuracy. You are responsible for reviewing AI outputs before using them in production.
AI Content Labelling
Where content or decisions have been generated or significantly influenced by AI, Exobase labels them as such within the platform interface (e.g., "Agent Output," "AI Draft"). Do not rely on AI outputs without human review in regulated industries (healthcare, legal, financial advice).
Section 03
What We Collect
We collect only what we need to operate the platform:
| Category | Examples | Why |
| Account data | Name, email, password hash | Create and manage your account |
| Billing data | Payment method, subscription tier | Process payments via Stripe (we never see raw card numbers) |
| Usage data | Agent runs, credit consumption, feature usage | Provide the service, prevent abuse, generate billing summary |
| Project data | Prompts, code, outputs, agent logs | Execute your instructions; stored per your retention settings |
| Technical data | IP address, browser type, crash logs | Security, debugging, platform stability |
| Communications | Support emails, feedback submissions | Respond to your enquiries |
✅
We do NOT sell your data
Exobase has never sold personal data to third parties and will never do so. We do not use your data to train AI models without your explicit opt-in consent.
Section 04
How We Use Your Data
Service Delivery
Running AI agents, processing builds, storing outputs, managing credits, and providing the dashboard and all features described on our website.
Security & Fraud Prevention
Detecting and preventing unauthorised access, abuse of the credit system, or use of the platform for prohibited purposes (see Section 11).
Platform Improvement
Aggregated, anonymised usage analytics to understand which features are used most and where errors occur. This data cannot identify you.
Communications
Transactional emails (billing, security alerts, service updates) and, with your consent, product announcements. You can unsubscribe from marketing emails at any time.
Legal Compliance
Retaining records as required by applicable law, and responding to lawful requests from government authorities.
Section 05
Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we process your data under the following legal bases:
| Processing Activity | Legal Basis |
| Account creation and service delivery | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Aggregated analytics | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Legal obligations (e.g., tax records) | Legal obligation (Art. 6(1)(c)) |
Section 06
Your Rights
Depending on your location, you have the following rights over your personal data. To exercise any right, email privacy@exobase.ai. We respond within 30 days.
👁️
Access
Request a copy of all data we hold about you (GDPR Art. 15, CCPA)
✏️
Rectification
Correct inaccurate or incomplete personal data (GDPR Art. 16)
🗑️
Erasure
Request deletion of your personal data ("right to be forgotten") (GDPR Art. 17, CCPA)
🚫
Restriction
Restrict how we process your data in certain circumstances (GDPR Art. 18)
📦
Portability
Receive your data in a machine-readable format (GDPR Art. 20)
🛑
Opt-Out (CCPA)
California residents: opt out of data sharing and automated profiling
Section 07
Data Retention
We keep your data only as long as necessary for its purpose:
| Data Type | Retention Period | Reason |
| Account data | Duration of account + 30 days after deletion | Allow account recovery window |
| Billing records | 7 years | Tax and accounting legal obligations |
| Agent run logs | 90 days (configurable in settings) | Debugging and audit trail |
| Project data (code, outputs) | Until you delete the project or close your account | Service functionality |
| Security / access logs | 12 months | Security incident investigation |
| Support correspondence | 3 years | Dispute resolution |
| Marketing consent records | Until consent withdrawn + 3 years | Proof of consent (GDPR) |
When you delete your account, we permanently delete all project data and personal data within 30 days, except where legal retention obligations apply.
Section 08
Subprocessors
We use the following third-party services to operate the platform. All are bound by data processing agreements (DPAs) and Standard Contractual Clauses (SCCs) where required.
Anthropic
AI model inference (Claude). Anthropic does not use API data to train models by default.
🇺🇸 USA
OpenAI
AI model inference (GPT). Subject to OpenAI API data usage policies.
🇺🇸 USA
Railway
Cloud infrastructure and deployment hosting.
🇺🇸 USA
Stripe
Payment processing. PCI-DSS compliant. We never store raw card data.
🇺🇸 USA / 🇮🇪 EU
PostgreSQL
Primary database for account, project, and agent data (self-hosted on Railway).
🇺🇸 USA
SendGrid / Resend
Transactional email delivery (account verification, alerts).
🇺🇸 USA
We will notify you of any new subprocessors at least 30 days before they are added.
Section 09
Cookies & Tracking
We use a minimal set of cookies:
| Cookie | Purpose | Duration | Consent? |
| exo_session | Authentication session token | 7 days | No (strictly necessary) |
| exo_csrf | CSRF security token | Session | No (strictly necessary) |
| exo_prefs | UI preferences (theme, layout) | 1 year | No (functional) |
| Analytics cookies | Aggregated, anonymous usage stats (no cross-site tracking) | 90 days | Yes (you can decline) |
We do not use third-party advertising cookies, Facebook Pixel, Google Ads tracking, or any cross-site behavioural tracking.
Section 10
Copyright & Intellectual Property
Your Content
You retain full ownership of all content you upload or create within Exobase — including prompts, code, business documents, and data. You grant Exobase a limited, non-exclusive licence solely to process that content to deliver the service.
AI-Generated Outputs
Code, copy, plans, and other outputs generated by our AI agents on your instruction are assigned to you to the maximum extent permitted by law.
⚖️
Important: AI Copyright Uncertainty
In most jurisdictions (US, UK, EU), purely AI-generated content without sufficient human creative input may not qualify for copyright protection. We recommend reviewing any AI-generated work and adding meaningful human authorship before asserting copyright claims. This area of law is evolving rapidly.
Can I Sell What I Build with Exobase?
Yes — in most cases you can commercialise products and services built using Exobase immediately. The table below summarises what is and isn't permitted:
| What You Build | Can You Sell It? | Conditions |
| An app or SaaS product built using AI-generated code | ✓ Yes | No restrictions — the product is yours to sell, license, or transfer. |
| Marketing copy, blog posts, or written content | ✓ Yes | Recommend adding human authorship. Copyright protection may be limited for purely AI-generated text. |
| A product that re-packages raw AI outputs as an AI API | ✗ No | You may not resell or sublicense raw model outputs as a standalone AI API service. This violates Anthropic and OpenAI upstream terms. |
| AI-generated outputs used to train a competing AI model | ✗ No | Prohibited under Anthropic and OpenAI usage policies without explicit written permission. |
| Products in regulated industries (healthcare, legal, financial advice) | ⚠ Conditional | See "High-Risk & Regulated Industries" below. Human review and compliance obligations apply. |
High-Risk & Regulated Industries (EU AI Act)
Under the EU AI Act, certain AI applications are classified as high-risk and carry additional legal obligations before they can be sold or deployed. If your product falls into any of the following categories, you must ensure compliance before commercialising:
- Healthcare & medical devices — AI-assisted diagnosis, treatment recommendations, or patient triage must comply with MDR/IVDR and cannot be sold as a final clinical decision tool without CE marking or equivalent approval.
- Legal & financial advice — AI outputs must not be presented as qualified legal, tax, or investment advice. A licensed professional must review and sign off before the advice is delivered to end clients.
- Hiring & HR systems — AI tools used in recruitment, performance evaluation, or employment decisions are high-risk under EU AI Act Annex III. Transparency, human oversight, and bias auditing are required.
- Credit scoring & insurance underwriting — AI-based creditworthiness assessments are high-risk. Explainability and human review rights are mandatory under GDPR Art. 22 and EU AI Act.
- Critical infrastructure — AI used to manage energy, water, transport, or public safety systems requires conformity assessments before deployment.
⚠️
Regulated industry? Get legal advice first.
Exobase does not provide legal or regulatory compliance advice. If you are building a product for a regulated sector, consult a qualified lawyer in your jurisdiction before selling or deploying it. Non-compliance can result in fines, injunctions, or criminal liability — none of which Exobase can be held responsible for.
Disclaimer of Warranty for AI Outputs
Exobase provides AI-generated outputs (code, copy, plans, forecasts) "as is" without warranty of any kind — express or implied — including warranties of merchantability, fitness for a particular purpose, accuracy, or non-infringement.
Specifically:
- No guarantee of correctness — AI-generated code may contain bugs, security vulnerabilities, or logic errors. Always review and test before deploying to production.
- No legal compliance guarantee — AI-generated contracts, privacy policies, or compliance documents may not reflect current law in your jurisdiction. Always have a qualified lawyer review before relying on them.
- No financial accuracy guarantee — Forecasts, financial models, and cost estimates produced by AI agents are illustrative only and not investment or accounting advice.
- Exobase's liability is limited — To the maximum extent permitted by law, Exobase's total liability for losses arising from your use or commercialisation of AI-generated outputs is limited to the fees you paid in the 3 months preceding the claim.
Upstream AI Licence Restrictions
Exobase uses Anthropic Claude and OpenAI GPT APIs. AI-generated outputs are additionally subject to the upstream providers' usage policies:
- You may not use AI outputs to train competing AI models without explicit permission from Anthropic or OpenAI.
- You may not sublicense, resell, or redistribute raw AI model outputs as a standalone AI API service.
- Applications you build using AI-generated code may be commercialised freely, subject to the conditions above.
Exobase Platform IP
The Exobase brand, logo, platform software, agent architecture, and documentation are proprietary to Exobase. You may not copy, reverse-engineer, or create derivative works of the Exobase platform itself.
Section 11
Prohibited Use
Exobase may not be used for any of the following purposes. Violations result in immediate account termination and may be reported to law enforcement:
- ✕ Developing, designing, or supporting weapons of mass destruction (biological, chemical, nuclear, radiological)
- ✕ Generating child sexual abuse material (CSAM) or any sexual content involving minors
- ✕ Facilitating human trafficking, forced labour, or exploitation
- ✕ Creating malware, ransomware, exploits, or cyberweapons
- ✕ Large-scale disinformation, deepfake creation, or coordinated inauthentic behaviour
- ✕ Financial fraud, identity theft, or impersonation of individuals or organisations
- ✕ Unlicensed medical, legal, or financial advice intended for public reliance
- ✕ Automated spam campaigns or unsolicited bulk communications
- ✕ Surveillance, stalking, or non-consensual tracking of individuals
- ✕ Circumventing Anthropic or OpenAI usage policies on a commercial basis
- ✕ Any activity that violates applicable local, national, or international law
🚨
Report Abuse
If you believe Exobase is being used for prohibited purposes, report it immediately to abuse@exobase.ai. We investigate all reports within 24 hours.
Section 12
International Data Transfers
Exobase and several subprocessors are based in the United States. If you are in the EU/EEA or UK, your personal data will be transferred to and processed in the US. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) — EU-approved transfer mechanism with all US-based subprocessors
- EU–US Data Privacy Framework — where subprocessors are certified
- UK Adequacy Regulations — for transfers to/from the United Kingdom
You can request a copy of our transfer mechanisms by contacting privacy@exobase.ai.
Section 13
Children's Privacy
Exobase is not directed at or designed for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. If you believe a child has created an account, contact us at privacy@exobase.ai.
Section 14
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will:
- Email registered users at least 14 days before the change takes effect
- Display a notice in the Exobase dashboard
- Update the "Last updated" date at the top of this page
Continued use of the platform after the effective date constitutes acceptance of the updated policy.
Section 15
Contact Us
If you have questions about this policy, want to exercise your data rights, or need to report a concern:
Supervisory Authority: If you are in the EU and believe we have violated your data rights, you have the right to lodge a complaint with your local data protection authority (e.g., the Irish DPC, German BfDI, or French CNIL).
California Residents: For CCPA/CPRA requests, email privacy@exobase.ai with "CCPA Request" in the subject line.