Legal

Privacy Policy

📅 Effective May 4, 2026 🏢 ExanorOS LLC 📍 Lima, Ohio 📄 Version 1.1

01 Introduction

ExanorOS LLC ("ExanorOS," "Company," "we," "us," or "our") provides an AI-powered workspace and communication management platform that allows users to connect third-party services such as email, calendar, messaging, business, and financial platforms and interact with them through a conversational interface.

This Privacy Policy explains how we collect, use, process, store, disclose, and protect information when you access or use ExanorOS, including our website, platform, APIs, integrations, onboarding flows, automation tools, and related services.

By using ExanorOS, you acknowledge that your information will be handled as described in this Privacy Policy.

02 Important Notice About AI Processing

ExanorOS uses artificial intelligence systems to help read, summarize, classify, prioritize, draft, recommend, and — where authorized — perform actions across connected services. AI systems may make mistakes. ExanorOS does not guarantee that AI-generated summaries, classifications, recommendations, or actions will be accurate, complete, appropriate, or aligned with your expectations.

Because ExanorOS may process sensitive business communications, calendar data, messages, financial records, and user-defined preferences, you should not connect accounts or submit information unless you are authorized to do so and comfortable with the processing described in this Policy.

03 Information We Collect

3.1 Account Information

  • Name, email address, business name, role or title
  • Login credentials or authentication identifiers
  • Subscription status and billing-related account details
  • Customer support communications

3.2 Connected Account Data

When you connect third-party services, ExanorOS may access data from those services depending on the permissions you grant. This may include:

  • Email content, metadata, sender/recipient information, subject lines, attachments
  • Calendar events, titles, invitees, descriptions, and times
  • Messages and threads across connected platforms
  • Contact information, invoice and payment data, financial summaries
  • Other data made available through connected APIs

We only access connected data to provide, maintain, secure, improve, or support the Service, or as otherwise authorized by you.

3.3 User Configurations and Onboarding Preferences

During onboarding and ongoing use, you may provide preferences, rules, instructions, tone guidelines, escalation preferences, approval settings, and automation levels. ExanorOS uses these to guide AI behavior, but AI interpretation may be incomplete, inconsistent, or incorrect.

3.4 AI Interaction Data

We may collect prompts, commands, user messages, AI-generated responses, summaries, suggested and approved actions, feedback on AI outputs, and conversation history within the platform.

3.5 Automation and Audit Log Data

To operate and secure the Service, we may maintain logs of connected accounts, permissions, automation settings, AI outputs, actions taken, user approvals and rejections, system errors, API requests, timestamps, and security events.

3.6 Payment and Billing Information

Payment is processed by Stripe. We may receive subscription plan, billing status, payment confirmation, transaction identifiers, billing email, and last four digits of payment card. We do not store full credit card numbers on our own systems.

3.7 Website and Device Information

We may collect IP address, browser type, device type, operating system, referring URL, pages viewed, time on pages, cookies and similar identifiers, log files, approximate location from IP, and usage analytics.

04 How We Use Information

  • Provide the ExanorOS platform and authenticate users
  • Connect third-party accounts and perform user-authorized actions
  • Read, summarize, classify, and prioritize communications
  • Apply onboarding preferences and user configurations
  • Maintain audit logs and process subscriptions and payments
  • Provide customer support and debug errors
  • Improve reliability, performance, and develop new features
  • Detect fraud, abuse, spam, security threats, and unauthorized access
  • Comply with legal obligations and enforce our Terms of Agreement
  • Monitor system health and communicate service updates

05 Legal Bases for Processing

Where applicable under GDPR or similar laws, we process personal data based on:

Performance of a contract
To provide the Service you requested.
Consent
Where you authorize integrations, cookies, or specific uses.
Legitimate interests
To secure, improve, maintain, and operate the Service.
Legal obligations
To comply with applicable laws, tax rules, subpoenas, or regulatory requirements.
User direction
Where you instruct ExanorOS to process or act on data from connected accounts.

06 Third-Party Integrations

When you connect a third-party account, you authorize ExanorOS to access and process data from that account within the permissions granted. Currently active integrations include:

  • Google Workspace — Gmail, Google Calendar, Google Meet
  • Microsoft — Outlook, Teams, Exchange
  • Slack
  • Telegram
  • QuickBooks
  • HubSpot
  • Stripe
  • Calendly

Additional integrations may be added over time and will be reflected in an updated version of this Policy. Your use of third-party services remains subject to those services' own terms and privacy policies. ExanorOS is not responsible for the privacy, security, or processing practices of third-party platforms.

07 Google API Data

ExanorOS's use and transfer of information received from Google APIs adheres to applicable Google API Services User Data Policy requirements, including Limited Use requirements.

Google user data accessed by ExanorOS is used only to provide or improve user-facing features prominent in the Service, such as email summarization, calendar management, workflow automation, and user-authorized actions.

  • We do not sell Google user data
  • We do not use Google user data for advertising
  • We do not allow humans to read Google user data except where necessary for security, support, legal compliance, debugging, or with your explicit consent

08 AI Providers and Subprocessors

To provide AI-powered features, ExanorOS may transmit relevant user data, prompts, and connected account context to third-party providers. Current subprocessors include:

  • Anthropic — AI processing via Claude
  • Vercel — Hosting and infrastructure
  • Airtable — Customer data storage
  • Stripe — Payment processing

Subprocessors may process personal data only as necessary to provide their services to ExanorOS. Where commercially reasonable, we use providers with appropriate contractual, technical, and organizational safeguards.

09 How We Share Information

9.1 With Your Connected Services

We may send data back to connected platforms when you instruct ExanorOS to perform actions such as sending an email, creating a calendar event, posting a message, or updating a record.

9.2 With Service Providers

We may share information with vendors that help us operate the Service — hosting, storage, AI processing, payment processing, analytics, monitoring, and security providers.

9.3 For Legal Reasons

We may disclose information to comply with law, respond to subpoenas or court orders, protect rights or safety, investigate fraud or abuse, enforce our Terms, or defend legal claims.

9.4 Business Transfers

If ExanorOS is involved in a merger, acquisition, asset sale, bankruptcy, or similar transaction, information may be transferred as part of that transaction.

9.5 With Your Consent

We may share information where you direct us or provide consent.

10 We Do Not Sell Personal Information

ExanorOS does not sell personal information. We do not sell connected account data, email content, calendar data, message content, financial records, prompts, or AI interaction data. We do not use customer data for third-party advertising.

11 Data Retention

We retain information as long as reasonably necessary to provide the Service, maintain your account, operate integrations, preserve audit logs, resolve disputes, comply with legal obligations, and maintain security. Retention examples:

  • Account data: retained while account is active
  • Billing records: minimum 7 years for tax and accounting compliance
  • Audit logs: up to 2 years for operational, legal, and security purposes
  • Connected account tokens: retained only while integration remains active
  • Deleted account data: deleted or de-identified within 90 days of verified request

12 Data Deletion and Account Closure

You may request deletion of your account or personal information by contacting privacy@exanoros.com. Upon verified request, we will delete or de-identify personal information unless retention is necessary for legal compliance, fraud prevention, security, tax obligations, dispute resolution, or legitimate business operations permitted by law.

Disconnecting a third-party integration may stop future access but may not automatically delete previously processed data, summaries, logs, or records.

13 Security

We use reasonable administrative, technical, and organizational safeguards to protect information, including:

  • AES-256-GCM encryption of OAuth tokens and credentials at rest
  • TLS 1.3 encryption in transit for all data transmission
  • OAuth-based permissions — we do not store third-party passwords
  • Per-customer credential isolation — no shared access between accounts
  • Rate limiting by subscription plan to prevent abuse
  • Audit logging of all automated actions
  • Access controls and least-privilege principles

However, no system is completely secure. We cannot guarantee absolute security. You are responsible for maintaining secure credentials, protecting your devices, reviewing connected account permissions, and promptly reporting suspected unauthorized access.

14 OAuth Tokens and Connected Account Credentials

ExanorOS stores encrypted tokens necessary to maintain authorized integrations with third-party services. We do not ask for your third-party account passwords where OAuth is available. You may revoke access through ExanorOS or directly through the relevant third-party platform at any time. Revoking access may disable features that depend on that integration.

15 Sensitive Information

Because ExanorOS may process email, calendar, messaging, and financial data, sensitive information may be included in connected account data. You should not connect or process information unless you are authorized to do so, such use complies with applicable law, you understand the risks of AI-assisted processing, and you have obtained required consents from employees, contractors, or customers where applicable.

16 Healthcare and HIPAA Notice

⚠ Important: ExanorOS is not intended for use with protected health information (PHI) unless ExanorOS has entered into a separate written Business Associate Agreement and confirmed HIPAA-supported workflows. Do not use ExanorOS to process PHI, patient communications, clinical records, or other HIPAA-regulated data without a separate HIPAA-compliant arrangement.

17 Financial Information Notice

ExanorOS may connect to financial or accounting systems where authorized. ExanorOS does not provide financial, tax, investment, accounting, or legal advice. Any AI-generated financial summaries, categorizations, reminders, or recommendations are informational only and must be independently verified. You remain responsible for all financial decisions, filings, payments, invoices, tax obligations, and business records.

18 Children's Privacy

ExanorOS is not intended for children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will take reasonable steps to delete it.

19 Cookies and Tracking Technologies

We may use cookies, local storage, and similar technologies to authenticate users, maintain sessions, remember preferences, understand website traffic, improve performance, detect abuse, and analyze product usage. You may control cookies through your browser settings. Some features may not work properly if cookies are disabled.

20 AI Usage Tiers and Human Review

ExanorOS classifies automation by risk level. The following table describes default behavior by tier:

Risk Tier Examples Default Behavior
Low Risk Summarizing emails, searching calendar, categorizing messages Autonomous; logged for review
Medium Risk Sending routine follow-ups, scheduling standard meetings Configurable; human approval available
High Risk Legal, medical, financial, or employment-related communications Never autonomous. Requires human review and manual trigger

AI systems can produce inaccuracies. Users are responsible for verifying the accuracy of AI-generated drafts before they are sent. All sensitive matters must be reviewed by a qualified human.

21 Automated Decision-Making

ExanorOS may use AI to classify, prioritize, summarize, recommend, or automate actions. ExanorOS is not intended to make legally significant decisions about individuals without appropriate human oversight. You should not use ExanorOS to make automated decisions that produce legal or similarly significant effects concerning individuals unless you have independently confirmed that such use complies with applicable law.

22 International Data Transfers

If you access ExanorOS from outside the United States, your information may be processed in the United States or other jurisdictions where we or our service providers operate. Data protection laws in those jurisdictions may differ from those in your location. Where required, we will use appropriate safeguards for international data transfers.

23 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have the right to know what personal information we collect, the categories of sources, the purposes for collection, and the categories of third parties to whom information is disclosed. You may also request deletion, correction, or access to your data, and opt out of sale or sharing if applicable.

ExanorOS does not sell personal information. To exercise rights, contact privacy@exanoros.com.

24 European, UK, and Similar Privacy Rights (GDPR)

If you are located in the EEA, UK, Switzerland, or another jurisdiction with similar privacy laws, you may have rights to access personal data, correct inaccurate data, delete data, restrict or object to processing, request portability, withdraw consent, and lodge a complaint with a supervisory authority.

Where ExanorOS processes personal data on behalf of a business customer, that customer may be the data controller and ExanorOS may be the processor. Contact privacy@exanoros.com to initiate any rights request.

25 Business Customer Data

If you use ExanorOS on behalf of a company, organization, or client, you represent that you have authority to connect accounts and submit data to ExanorOS. Business customers are responsible for providing required notices to employees, contractors, customers, and users; obtaining required consents; ensuring lawful use; configuring access controls; and responding to data subject requests where applicable.

26 Employee, Contractor, and Third-Party Communications

Connected accounts may contain personal information about individuals who are not direct users of ExanorOS, including employees, contractors, customers, vendors, or business contacts. You are responsible for ensuring that your use of ExanorOS to process such information complies with applicable laws, contracts, employment policies, confidentiality duties, and professional obligations.

27 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the website, platform, email, or other reasonable means. Continued use of ExanorOS after changes become effective means you acknowledge the updated Policy.

28 Contact Us

For privacy questions, requests, or concerns:

CompanyExanorOS LLC
Privacyprivacy@exanoros.com
Operationsops@exanoros.com
Address556 Honeysuckle Bend, Lima, OH 45807
Websiteexanoros.com

Appendix A — OAuth Connection Disclosure

Display near OAuth connection screens:

By connecting your account, you authorize ExanorOS to access and process data from that service to provide AI-powered summaries, recommendations, automations, and user-authorized actions. AI systems may make mistakes. You remain responsible for reviewing outputs, configuring automation settings, and verifying important information.

Appendix B — Onboarding Checkbox Language

Display during onboarding flow:

I understand that ExanorOS uses AI to interpret my preferences, summarize connected account data, and perform actions within the permissions I grant. I understand AI may be inaccurate or incomplete, and I remain responsible for reviewing important outputs and configuring automation appropriately.