Privacy Policy

1. Information We Collect

Account Information

When you register for an account, we collect your name, email address, organization name, and password. If you sign up through a third-party authentication provider, we receive your profile information from that provider.

Uploaded Employee Data

To provide the Service, you may upload employee-related data including:

• Documents from shared drives (Google Drive, OneDrive, SharePoint)
• Chat exports (Slack, Microsoft Teams)
• Calendar exports (Google Calendar, Outlook)
• Email archives
• Code repository history and content (GitHub, GitLab, Bitbucket)
• Wiki exports (Confluence, Notion)

This data may contain personally identifiable information (PII) of the departing employee and other individuals mentioned in the artifacts. Our PII detection module automatically scans content and flags sensitive data for your review.

Usage Data

We automatically collect certain information when you access or use the Service, including your IP address, browser type, operating system, referring URLs, pages viewed, access times, and interactions with the Service. This data helps us improve performance and user experience.

2. How We Use Information

We use the information we collect to:

• Provide the Service: Process uploaded data through our AI analysis pipeline, generate knowledge transfer documents, and deliver reports to your account.
• Identify Sensitive Data: Flag PII and credentials found in artifacts via the Security Review document so you can handle them appropriately.
• Communicate: Send you account-related notifications, security alerts, report completion updates, and (with your consent) product updates.
• Ensure Security: Detect and prevent fraud, abuse, and unauthorized access to the Service.
• Comply with Legal Obligations: Respond to legal requests, enforce our Terms of Service, and protect our rights.

We do NOT use your artifact data to:

• Train AI models or machine learning systems
• Build profiles of individuals
• Share with third parties for marketing or any other purpose
• Aggregate with data from other clients

3. Data Processing

When you initiate an offboarding report, uploaded content is processed through our AI analysis pipeline. This includes extraction of key knowledge, relationship mapping, risk assessment, and generation of transfer documents. AI processing is performed on a temporary basis; raw uploaded content is not retained beyond the processing window except as described in Section 5 (Data Retention).

4. AI Provider Processing

Our analysis process uses AI language models to extract and synthesize knowledge from your artifacts. When AI services are used:

• Data sent to AI providers is covered by their enterprise data processing agreements which prohibit training on customer data.
• We select AI providers that do not retain input data beyond the processing session.
• We can disclose which AI providers are used upon request.
• If you use the self-hosted or CLI mode, all processing happens locally on your own infrastructure with your own API key — no data is sent to our servers.

5. Data Retention

We retain data according to a tiered purge schedule:

• Tier 1 — Raw Uploaded Data: Raw source files (email archives, chat logs, documents, etc.) are purged within 30 days of report completion. Once your report is generated and delivered, the original uploaded files are permanently deleted from our systems.
• Tier 2 — Processed Reports and Metadata: Generated reports, extracted knowledge documents, and associated metadata are retained for the duration of your active subscription plus 90 days. After account termination or subscription cancellation, Tier 2 data is purged within 90 days unless you request earlier deletion.

Account information (name, email, organization) is retained for as long as your account is active and for a reasonable period thereafter for legal and business purposes.

6. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
• Access Controls: Role-based access controls ensure that only authorized personnel within your organization can access your data. Internal access to customer data is restricted on a need-to-know basis.
• Audit Logging: All access to sensitive data is logged and monitored. Your organization can review audit logs through the Service.
• Secure Deletion: All artifacts and generated documents are securely deleted after the retention period. No client data is stored in public cloud storage or shared environments.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Third-Party Services

We use the following third-party services to operate the platform:

• Stripe: We use Stripe to process payments. When you provide payment information, it is transmitted directly to Stripe and is subject to Stripe's Privacy Policy. We do not store your full credit card number on our servers.
• Email Provider: We use a third-party service to send transactional emails such as account verification, password resets, and report completion notifications. Email addresses are shared with this provider solely for delivering these communications.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

8. Departing Employee Privacy

We recognize that the artifacts we analyze may contain personal information about the departing employee and others. Our Security Review document identifies PII found in artifacts so you can handle it appropriately. We recommend that clients:

• Ensure artifact export and sharing complies with your organization's employment policies and applicable laws.
• Consult legal counsel regarding employee notification requirements in your jurisdiction.
• Restrict access to confidential documents (Security Review, Integrity Report, Access Revocation) to authorized personnel.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you or your engagement.
• Correction: Request that we correct any inaccurate or incomplete personal information.
• Deletion: Request immediate deletion of all data related to your engagement at any time.
• Data Export: Export your reports and account data at any time through the Service, or request a machine-readable copy of your personal data.
• Objection: Object to any processing of your data beyond what is necessary to deliver the Service.

To exercise any of these rights, please contact us at privacy@exit-insights.com. We will respond to your request within 30 days.

10. International Data Transfers

Our services are operated from the United States. If you are located outside the United States, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer. For EU/EEA clients, we can provide a Data Processing Agreement (DPA) upon request.

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.

13. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@exit-insights.com.