Privacy Policy

Last updated: February 17, 2026

Exvora ("we", "us", "our") operates the Exvora platform and website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

1. Information We Collect

Account Information: When you register or join our waitlist, we collect your name, email address, organization name, role, sector, and any motivation text you provide.

Usage Data: We automatically collect information about how you interact with the platform, including pages visited, features used, timestamps, browser type, and IP address.

Waitlist Anti-Abuse Data: When you submit the early-access form, we store a coarse (truncated) network address and your browser user-agent string alongside your submission to prevent spam and abuse. We use Cloudflare Turnstile to verify the request is human; Turnstile may set a challenge token processed by Cloudflare.

Threat Intelligence Data: Data ingested from your configured feeds and sources is processed within your workspace. This includes intelligence feeds, API connections, and any manually submitted intelligence.

Cookies & Similar Technologies: We use essential cookies for authentication and session management. We do not use third-party advertising cookies. See our Cookie Policy for details.

2. How We Use Your Information

  • To provide, operate, and maintain the Exvora platform
  • To process and analyze threat intelligence within your workspace
  • To manage your account and provide customer support
  • To send service-related communications (security alerts, product updates)
  • To improve our platform, including AI model performance
  • To comply with legal obligations and enforce our terms
  • To detect and prevent fraud, abuse, and security incidents

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the services you requested
  • Legitimate Interest: Platform security, fraud prevention, and service improvement
  • Consent: Marketing communications (you may withdraw consent at any time)
  • Legal Obligation: Compliance with applicable laws and regulations

4. Data Sharing & Third Parties

We do not sell your personal data. We may share information with:

  • Infrastructure Providers: Cloudflare (website hosting via Workers, waitlist storage via D1, and bot protection via Turnstile) and email delivery services
  • AI Processing: Anonymized content may be processed by AI providers for entity extraction and analysis. No personal data is sent to AI providers.
  • Payment Processors: Stripe processes billing information directly; we do not store payment card details
  • Legal Requirements: When required by law, court order, or to protect our rights

5. Data Retention

We retain your account data for the duration of your subscription. Threat intelligence data is retained according to your workspace settings. Upon account deletion, personal data is removed within 30 days. Anonymized analytics data may be retained indefinitely. Waitlist submissions are retained until launch (or until you request removal) and then deleted. To request deletion of your waitlist entry, email privacy@exvora.ai.

6. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Workspace isolation with row-level security policies
  • Multi-factor authentication (TOTP)
  • Regular security audits and vulnerability assessments
  • Role-based access control (admin, analyst, viewer)

7. Your Rights

Under GDPR, NIS2, and applicable data protection laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Where processing is based on consent

To exercise any of these rights, contact us at support@exvora.ai. We will respond within 30 days.

8. International Data Transfers

Your data may be processed in the European Union. Where transfers occur outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Children's Privacy

Exvora is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the platform. Continued use of Exvora after changes constitutes acceptance of the updated policy.

11. Contact Us

For questions about this Privacy Policy or your personal data:

Exvora
Email: support@exvora.ai

12. Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.