Privacy Policy

How we handle your data. We try to keep this readable. If you spot anything unclear, write to us.

Last updated: 11 May 2026

1. Who we are

EXERAX LTD (“EXERAX”, “we”, “us”) is a private limited company registered in England & Wales. We are the data controller for personal data processed via this website and the EXERAX platform.

Our registered address and ICO registration number are available on request from [email protected].

2. What we collect

We collect only what we need to run the service. That includes:

  • Account information — name, email address, password hash (bcrypt, never the plain password), 2FA secret if enabled, optional Google or GitHub identifiers if you sign in via OAuth.
  • Organisation data — company name, plan, members, content you upload, integration API keys (encrypted at rest with AES-256).
  • Operational data — IP address, user agent, session timestamps, and audit log entries for security and abuse prevention.
  • Billing data — processed by Stripe. We see the last four digits of your card and your invoice history; the full card details never touch our servers.

3. Why we collect it

We use your data to:

  • provide and maintain the EXERAX service;
  • authenticate you and protect your account;
  • send transactional emails (verification, password reset, billing);
  • investigate abuse, fraud, or security incidents;
  • improve the product based on aggregate usage patterns;
  • send marketing emails — only if you have opted in. You can opt out at any time.

Under UK GDPR (and EU GDPR for EU customers), we rely on:

  • Contract — to deliver the service you signed up for;
  • Legitimate interest — for security, fraud prevention, and product analytics;
  • Consent — for marketing emails and non-essential cookies;
  • Legal obligation — for tax records and lawful disclosure requests.

5. Who we share it with

We share data only with the sub-processors required to run the service:

  • DigitalOcean — managed Postgres, App Platform hosting (UK/EU region).
  • Cloudflare — WAF, DDoS protection, R2 object storage, Pages hosting, Turnstile.
  • SendGrid (Twilio) — transactional email.
  • Stripe — payments.
  • Mailchimp — marketing emails, only if you opted in.
  • Grafana Cloud — observability metrics (no personal data).

We never sell your personal data. We never share it for advertising. We disclose data to law enforcement only when compelled by a valid UK legal process.

6. How long we keep it

  • Account data: while your account is active, plus 90 days after closure for billing reconciliation.
  • Audit logs: 12 months.
  • Invoices: 7 years (UK statutory).
  • Marketing opt-in records: until you opt out, plus 24 months for evidence of consent.

7. International transfers

Your data is stored in the UK and EU only. Some of our sub-processors (e.g. Stripe, SendGrid) may transfer data outside the UK/EU under approved Standard Contractual Clauses or equivalent safeguards.

8. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request erasure (subject to legal retention requirements);
  • object to or restrict processing;
  • port your data to another provider;
  • withdraw consent at any time for processing based on consent;
  • lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email [email protected]. We respond within 30 days.

9. Cookies

We use a minimal set of strictly necessary cookies for authentication and security. Analytics and marketing cookies are off by default and only activate after explicit consent. Full details in our Cookie Policy.

10. Children

EXERAX is not intended for users under 16. We do not knowingly collect personal data from anyone under 16; if you believe we have, contact us and we'll delete it.

11. Changes to this policy

We'll post the updated date at the top of this page whenever we make changes. For material changes, we'll email account holders at least 14 days before they take effect.

12. Contact us

Email [email protected] or write to us via the address listed on our contact page.