Privacy Policy

1. Introduction

Exodia, Inc. (“Exodia,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information when you visit our website at exodia.co, use our platform, applications, and services (collectively, the “Service”), or otherwise interact with us.

This Privacy Policy applies to all users of the Service, including individual users, municipal employees, government officials, partner program participants, and visitors to our website. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our privacy practices, please do not use the Service.

We may update this Privacy Policy from time to time. We encourage you to review this page periodically to stay informed about our privacy practices.

2. Information We Collect

We collect several categories of information depending on how you interact with the Service:

2.1 Information You Provide Directly

• — Account Information: When you create an account, we collect your name, email address, password, organization or municipal affiliation, job title, and contact information.
• — Waitlist and Partner Program Data: When you join our waitlist or apply to our Partner Program, we collect your name, email address, role or occupation, geographic area or town of interest, and any additional information you provide in your application.
• — Municipal and Government Data: If you use the Service in connection with a municipal or government entity, we may collect data related to public records, meeting agendas, minutes, permits, ordinances, budgets, and other government documents that you upload or process through the Service.
• — User Content: Any content, data, files, documents, or other materials you submit, upload, or transmit through the Service.
• — Communications: When you contact us via email, support requests, feedback forms, or other channels, we collect the content of your communications along with any metadata (such as timestamps and email addresses).
• — Payment Information: If you make a purchase or subscribe to a paid plan, we collect billing information such as your payment card number, billing address, and transaction history. Payment card data is processed by our third-party payment processor and is not stored on our servers.
• — Survey and Research Data: If you participate in surveys, interviews, or user research, we collect your responses and any information you voluntarily provide.

2.2 Information Collected Automatically

• — Device and Browser Information: We collect information about the device and browser you use to access the Service, including device type, operating system, browser type and version, screen resolution, and device identifiers.
• — Log Data: Our servers automatically record information when you access the Service, including your IP address, access times, pages viewed, links clicked, referring URL, and the page you visited before navigating to our Service.
• — Usage Data: We collect information about how you use the Service, including features accessed, actions taken, frequency and duration of activities, search queries, and interaction patterns.
• — Location Data: We may collect approximate location information based on your IP address. We do not collect precise geolocation data unless you explicitly grant permission.
• — Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies to collect information about your browsing behavior and preferences. See Section 9 (Cookies and Tracking Technologies) for more details.

2.3 Information from Third Parties

• — Authentication Providers: If you sign in using a third-party authentication service (such as Google or Microsoft), we receive your name, email address, and profile information from that provider.
• — Public Sources: We may collect information from publicly available sources, including government websites and public records, to enhance the Service.
• — Partners and Integrations: If your organization integrates the Service with third-party tools or platforms, we may receive data from those integrations as necessary to provide the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

• — Create and manage your account
• — Process and fulfill your requests, including document processing, agenda generation, and other Service features
• — Provide customer support and respond to inquiries
• — Process payments and manage subscriptions
• — Facilitate Partner Program activities, including matching partners with municipalities

3.2 Improving and Developing the Service

• — Analyze usage patterns and trends to improve functionality and user experience
• — Conduct research and development to build new features and products
• — Test and troubleshoot new features before release
• — Train and improve our machine learning models and AI capabilities, subject to applicable data processing agreements

3.3 Communications

• — Send you transactional messages, such as account confirmations, security alerts, and support responses
• — Send you product updates, newsletters, and marketing communications (with your consent where required by law)
• — Notify you of changes to our policies or the Service

3.4 Safety and Security

• — Detect, investigate, and prevent fraud, abuse, and unauthorized access
• — Monitor for security threats and vulnerabilities
• — Enforce our Terms of Service and other policies
• — Protect the rights, property, and safety of Exodia, our users, and the public

3.5 Legal Compliance

• — Comply with applicable laws, regulations, and legal processes
• — Respond to lawful requests from public authorities, including national security or law enforcement requirements
• — Establish, exercise, or defend legal claims

4. Legal Bases for Processing

If you are located in the European Economic Area (EEA), United Kingdom (UK), or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases:

• — Contractual Necessity: Processing necessary to perform our contract with you, including providing the Service and managing your account.
• — Legitimate Interests: Processing necessary for our legitimate interests, including improving the Service, ensuring security, and marketing our products, provided these interests are not overridden by your rights.
• — Consent: Processing based on your explicit consent, such as receiving marketing communications or enabling optional cookies. You may withdraw consent at any time.
• — Legal Obligation: Processing necessary to comply with applicable laws and regulations.
• — Public Interest: Where applicable, processing necessary for the performance of a task carried out in the public interest, particularly in the context of municipal and government services.

5. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including cloud hosting and infrastructure, payment processing, email delivery, analytics, customer support tools, and security monitoring. These providers are contractually obligated to use your information only as necessary to provide services to us and are required to maintain appropriate security measures.

5.2 Municipal and Government Entities

If you use the Service on behalf of a municipal or government entity, we may share relevant information with authorized personnel within that entity as necessary to provide the Service. Data processed on behalf of government entities is handled in accordance with applicable public records laws and data processing agreements.

5.3 Partner Program Participants

If you participate in our Partner Program, limited information (such as your name, role, and area of interest) may be shared with municipalities or other partners to facilitate program activities. We will notify you before sharing any such information.

5.4 Business Transfers

In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal information.

5.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements. We will attempt to notify you of such requests unless prohibited by law or court order.

5.6 Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

5.7 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6. Municipal and Government Data

We recognize the sensitive nature of municipal and government data processed through the Service. The following additional protections apply:

• — Government data is processed solely for the purpose of providing the Service as specified in applicable data processing agreements
• — We maintain physical, technical, and administrative safeguards designed to meet or exceed applicable government data security standards
• — Government data is logically separated from other customer data
• — Access to government data is restricted to authorized personnel on a need-to-know basis
• — We comply with applicable public records laws and Freedom of Information Act (FOIA) requirements
• — Upon termination of a government contract, data is returned or securely deleted in accordance with the applicable agreement and records retention requirements
• — Government data is not used for training machine learning models without explicit authorization from the government entity

7. Data Security

We implement and maintain comprehensive security measures designed to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:

• — Encryption: Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption
• — Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles for all systems
• — Infrastructure Security: Our infrastructure is hosted on SOC 2 Type II certified cloud providers with regular security audits and penetration testing
• — Monitoring: Continuous monitoring for security threats, anomalous activity, and unauthorized access attempts
• — Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with applicable laws
• — Employee Training: All employees with access to personal data receive regular security and privacy training

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

• — Account Data: Retained for the duration of your account and for up to 30 days after account deletion to allow for account recovery
• — Transaction Records: Retained for up to 7 years as required for tax and financial reporting purposes
• — Usage and Log Data: Retained for up to 12 months for analytics and security purposes, then aggregated or deleted
• — Communications: Support communications are retained for up to 3 years after resolution
• — Municipal Data: Retained in accordance with the applicable data processing agreement and government records retention schedules
• — Marketing Data: Retained until you unsubscribe or withdraw consent, plus a suppression record to honor your opt-out

When personal information is no longer needed, we securely delete or anonymize it. Anonymized data that cannot reasonably be used to identify you may be retained indefinitely for research and analytical purposes.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with the Service. The types of cookies we use include:

• — Strictly Necessary Cookies: Required for the Service to function properly, including authentication, security, and session management. These cookies cannot be disabled.
• — Functional Cookies: Enable enhanced features and personalization, such as remembering your preferences and settings.
• — Analytics Cookies: Help us understand how the Service is used, which pages are most popular, and how users navigate. We use this data to improve the Service.
• — Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness. These cookies may be set by third-party advertising partners.

You can control cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, but doing so may affect the functionality of the Service. You may also opt out of interest-based advertising through industry opt-out mechanisms such as the Digital Advertising Alliance (DAA) or the Network Advertising Initiative (NAI).

We also use web beacons (clear GIFs or pixel tags) in emails and on our website to track open rates, click-through rates, and browsing behavior for analytics and marketing purposes.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

• — Right to Access: Request a copy of the personal information we hold about you, including the categories of data collected, the purposes of processing, and the categories of third parties with whom data has been shared.
• — Right to Rectification: Request correction of inaccurate or incomplete personal information.
• — Right to Deletion: Request deletion of your personal information, subject to certain exceptions (such as legal obligations or legitimate interests).
• — Right to Restrict Processing: Request that we limit the processing of your personal information in certain circumstances.
• — Right to Data Portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format, and request that we transfer it to another controller.
• — Right to Object: Object to the processing of your personal information based on legitimate interests or for direct marketing purposes.
• — Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
• — Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at privacy@exodia.co. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may ask you to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• — Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share personal information.
• — Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• — Right to Correct: You have the right to request correction of inaccurate personal information.
• — Right to Opt Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• — Right to Limit Use of Sensitive Information: If we collect sensitive personal information, you have the right to limit our use and disclosure of such information.

You may exercise these rights by contacting us at privacy@exodia.co or through an authorized agent. We will not discriminate against you for exercising your CCPA/CPRA rights.

12. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from the laws of your country.

If you are located in the EEA, UK, or Switzerland, we ensure that transfers of personal data to countries outside these regions are protected by appropriate safeguards, including:

• — Standard Contractual Clauses (SCCs) approved by the European Commission
• — Adequacy decisions by the European Commission for certain countries
• — The EU-U.S. Data Privacy Framework, where applicable
• — Binding Corporate Rules, where applicable
• — Your explicit consent, where appropriate and permitted by law

13. Third-Party Services and Links

The Service may contain links to or integrations with third-party websites, services, or applications that are not operated or controlled by Exodia. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices, content, or data collection of any third party.

Third-party services we may integrate with or link to include:

• — Cloud storage and document management providers
• — Authentication and single sign-on providers
• — Analytics and monitoring tools
• — Payment processors
• — Communication platforms

We encourage you to review the privacy policies of any third-party services before providing them with your personal information or allowing them to collect data about you.

14. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@exodia.co.

If we become aware that we have collected personal information from a child under the applicable age threshold without parental consent, we will take steps to promptly delete that information from our systems.

15. Do Not Track Signals

Some browsers offer a “Do Not Track” (DNT) setting that sends a signal to websites you visit indicating that you do not want to be tracked. There is currently no universally accepted standard for how to respond to DNT signals. At this time, we do not respond to DNT signals, but we respect your privacy choices through the cookie preferences and opt-out mechanisms described in this policy. We will continue to monitor developments around DNT technology and update our practices accordingly.

16. Automated Decision-Making

The Service may use automated processing, including artificial intelligence and machine learning, to assist with document analysis, data extraction, agenda preparation, and other features. These automated processes are designed to support and augment human decision-making, not replace it.

If automated processing results in a decision that significantly affects you, you have the right to request human review of that decision, express your point of view, and contest the decision. To exercise this right, contact us at privacy@exodia.co.

17. Data Protection Officer

If you have questions or concerns about our privacy practices or wish to exercise your privacy rights, you may contact our Data Protection Officer at dpo@exodia.co. Our Data Protection Officer is responsible for overseeing our compliance with applicable data protection laws and ensuring that your privacy rights are respected.

18. State-Specific Privacy Rights

In addition to California, residents of certain other U.S. states may have additional privacy rights under state law, including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states that have enacted comprehensive privacy legislation.

These rights may include the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise these rights, please contact us at privacy@exodia.co. If your request is denied, you may have the right to appeal our decision by contacting us at the same address.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• — Post the updated Privacy Policy on this page with a revised “Last updated” date
• — Notify you via email or through a prominent notice on the Service prior to the changes taking effect
• — Where required by law, obtain your consent before applying material changes to the processing of your personal information

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

We will make every effort to resolve your concerns in a timely and satisfactory manner. If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.