Privacy Policy
Last updated: June 2026
1. Introduction
Excede, Inc. ("we," "our," or "us") operates www.excede.ai and the excede platform and related services (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information in accordance with applicable U.S. federal and state laws, the General Data Protection Regulation (GDPR) and equivalent laws in the EEA, UK, and Switzerland, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws. We are committed to protecting your privacy and handling your data in a transparent, secure manner consistent with standard security and privacy frameworks.
2. Information We Collect
We collect information that you provide directly (e.g., account registration, profile, communications) and information we obtain automatically (e.g., usage data, device and log information). Categories of personal information we may collect include:
- Identifiers (e.g., name, email address, phone number, IP address, unique identifiers)
- Account and authentication data (e.g., credentials, OAuth tokens)
- Commercial information (e.g., subscription and billing information, credit card details processed by our payment provider)
- Internet or network activity (e.g., usage of the Service, API usage data, logs, browser type)
- Professional or employment-related information (e.g., company name, job title, organization, role)
- Integration data (e.g., data synced from third-party services you choose to connect, such as accounting, HR, time-tracking, or email/calendar systems)
- Communication data (e.g., emails you send or receive through the Service, support tickets, feedback you provide)
- Inferences drawn from the above (e.g., preferences, analytics)
We do not sell personal information. We may share personal information with service providers and as described in this policy. We collect and use this information for business and operational purposes, including providing the Service, security, compliance, and improving our offerings.
2.1. Data We Process on Behalf of Our Customers ("Customer Data")
In providing the Service, you and your users will submit or upload data into our platform ("Customer Data"). This Customer Data is processed by us on your behalf, and you are the "business" or "data controller" with respect to this data. We act as a "service provider" or "data processor."
Our processing of Customer Data is governed by the agreement between us and the customer organization you represent. We will only process Customer Data to provide, secure, and monitor the Service as instructed by you and will not use, disclose, sell, or retain Customer Data for any other commercial purpose.
2.2. Legal Basis for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases for each category of data we collect:
| Data Category | Legal Basis |
|---|---|
| Account information (name, email, phone, company, job title) | Contract — necessary to provide the Service to you |
| Payment and billing information | Contract + Legal Obligation — to process payments and maintain tax/accounting records |
| Usage data and analytics (IP, pages visited, API usage, browser info) | Legitimate Interest — to improve the Service, maintain security, and understand usage patterns |
| Integration data (data from connected third-party services) | Contract — necessary to deliver the integration features you requested |
| Cookies and similar technologies (non-essential) | Consent — you must opt in before non-essential cookies are set |
| AI-assisted email personalization data | Consent — per-user opt-in required; revocable at any time |
| Security and fraud prevention data | Legitimate Interest — to protect the Service and users from threats |
| Mobile push notification data (device tokens, preferences, delivery timestamps) | Contract — required to deliver the core service features requested by the user; delivered via Supabase and Apple Push Notification service (APNs) |
Where we rely on legitimate interest, we have assessed that our interest does not override your rights and freedoms. You may object to processing based on legitimate interest at any time by contacting privacy@excede.ai.
3. How We Use Your Information
This section describes how we use information collected about our users for our own business purposes. For information on how we process data you submit into the Service, see Section 2.1 above.
We use the information we collect to:
- Provide, operate, maintain, and improve the Service
- Authenticate users and manage accounts and organizations
- Process payments and manage subscriptions
- Communicate with you about the Service and support
- Detect, prevent, and address security incidents and fraud
- Comply with legal obligations and enforce our terms
- Conduct analytics and improve user experience (consistent with your choices)
Data Retention Schedule
We retain personal information according to the following schedule. When your organization account is closed, all organization-scoped data is permanently deleted unless a specific legal hold or regulatory obligation requires longer retention.
| Data Category | Retention Period |
|---|---|
| Account and identity information (name, email, phone, role) | Retained while your organization account is active; deleted when the account is closed |
| Billing and financial records | Retained for 7 years from the date your organization account is closed, per tax and accounting requirements, then deleted |
| Automated lead-scoring data | Retained while your organization account is active; deleted upon verified request or when the account is closed |
| Data used for AI-assisted email personalization (opt-in only) | Retained while your organization account is active; deleted when you or your admin withdraw consent, or when the account is closed |
| Platform audit logs | Retained while your organization account is active; deleted when the account is closed |
| Technical and infrastructure logs (vendor-hosted) | Retained per hosting and monitoring provider retention policies, typically 30–90 days; not scoped to individual customer accounts |
| Session and cache data | Ephemeral; automatically expires within 1–30 minutes based on platform cache policies (rate-limit counters, API response caches). No session or cache data is retained beyond 1 hour. |
| Usage analytics | Retained while your organization account is active; aggregated, de-identified analytics may be retained indefinitely |
| Mobile push notification data (device tokens, preferences, delivery timestamps) | Retained while the mobile application is installed and the organization account remains active; permanently purged upon account closure or when a user deauthorizes notifications/removes the device. Apple APNs acts as a transient transport layer and does not retain notification content after delivery. |
| Records of your consent choices (cookies, AI features) | 3 years from the date consent was given, as required by GDPR to demonstrate that valid consent existed |
| Data subject access and deletion requests | 24 months after request closure, per CCPA record-keeping requirements |
3a. Automated Heuristic Scoring
The Service generates contact engagement scores using rule-based heuristics (not machine learning or large language models). These scores help customer organizations prioritize business outreach. Scoring factors include email engagement signals (send volume, response rates), proposal history and value, RFP participation, recency of interaction, and organization member engagement count. No personal characteristics such as age, gender, or ethnicity are used as scoring inputs.
Scored contacts (data subjects) have the right to object to automated scoring, request human review of a scoring decision, and request deletion of their scoring data under applicable data protection laws (including GDPR Article 22 and CCPA/CPRA). To exercise these rights, contact privacy@excede.ai. Requests are reviewed and resolved within 30 days.
AI-assisted draft generation uses large language models (Google Vertex AI) with organization-provided training instructions. Per-user email training requires individual opt-in consent, separate from organizational acceptance of the AI Features Addendum. Users may revoke training consent at any time through their account preferences.
3b. Mobile Application
Push Notifications. If you use our iOS application, we may request your permission to send you push notifications about account activity, project updates, and platform alerts. To deliver these notifications, your device's push token is shared with Apple Inc. solely for the purpose of message routing through Apple's Push Notification service (APNs). Apple does not have access to the content of your data through this process. You can disable push notifications at any time in your device's Settings app.
4. Security and Confidentiality
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Key measures include:
- Encryption: AES-256 encryption at rest for sensitive data; TLS 1.2 or higher for all data in transit
- Access controls: Role-based access control (RBAC) with the principle of least privilege; multi-factor authentication (MFA) required for all accounts
- Monitoring: Continuous security monitoring for unauthorized access and suspicious activity
- Backups: Daily encrypted backups with a minimum 30-day retention period, stored securely and tested quarterly
- Network security: Firewalls, DDoS protection, and regular security patching
- Vendor security: All service providers are required to protect personal information under contractual data processing agreements
Our practices are aligned with commonly recognized frameworks for security and confidentiality, including principles consistent with SOC 2 and ISO 27001. We are pursuing SOC 2 Type II certification with a target of Q4 2027, and ISO 27001 certification within 24 months of commercial availability. Pending certification, we conduct annual independent security assessments whose results are available to customers upon request.
In the event of a data incident that affects your personal information, we will notify affected customers within 24 hours of discovery, and notify regulators within 72 hours as required by GDPR and applicable state breach notification laws. For full breach notification procedures, see our Data Security Addendum.
5. Sharing and Disclosure
We may share personal information with: (a) service providers that assist in operating the Service (e.g., hosting, analytics, payment processing, identity providers), under contracts that limit use to our instructions and confidentiality; (b) professional advisors and as required by law or to protect rights and safety; (c) affiliates and in connection with a merger, sale, or other transfer of assets, with notice as required by law. We do not sell or share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
A complete list of third-party sub-processors engaged to process personal data on our behalf, including their purposes and DPA status, is maintained on our Sub-Processor List.
6. Your Rights
6.1. Rights Under GDPR (EU/EEA/UK/Swiss Residents)
If you are located in the EU, EEA, UK, or Switzerland, you have the right to:
- Access: Request a copy of your personal data in a machine-readable format
- Rectification: Request correction of inaccurate or incomplete personal data
- Erasure: Request deletion of your personal data (subject to legal obligations)
- Restrict processing: Request that we limit how we use your data
- Data portability: Receive your data in a structured, commonly used format (CSV, JSON) or request transfer to another provider
- Object: Object to processing based on legitimate interest or for direct marketing
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Automated decision-making: Request human review of automated decisions that significantly affect you (see Section 3a)
To exercise any of these rights, contact privacy@excede.ai. We will respond within 30 days (or 10 business days for certain requests as required by GDPR).
Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
6.2. Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to:
- Know: Know what personal information we collect, how it is used, and with whom it is shared
- Access: Request a copy of your personal information
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt-out: Opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising)
- Limit use: Limit use and disclosure of sensitive personal information
- Non-discrimination: Not receive discriminatory treatment for exercising these rights
To submit a request, contact privacy@excede.ai. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent; we may require proof of authorization. California residents may also use the link "Do Not Sell or Share My Personal Information" if we offer it on our website or in the Service.
CCPA 12-Month Disclosure
In the preceding 12 months, we have collected the following categories of personal information:
- Contact information: name, email, phone number, company name, job title
- Financial information: payment method and billing address (processed by Stripe)
- Usage data: IP address, browser type, pages viewed, features used, API usage
- Integration data: data synced from third-party services you connect (e.g., accounting, HR, time-tracking)
- Communication data: emails through the Service, support tickets, feedback
- Inferences: subscription tier, engagement scoring, usage analytics
Sources: Directly from you (account registration, Service usage), automatically (device/browser data, logs), and from third-party services you connect.
Business purposes: Providing and improving the Service, processing payments, security, compliance, and analytics.
Shared with: Service providers (see our Sub-Processor List) who are bound by contractual data processing agreements. We have not sold or shared personal information for cross-context behavioral advertising.
7. Cookies and Similar Technologies
We use the following categories of cookies and similar technologies:
- Essential cookies: Session cookies to keep you logged in and maintain security. These are strictly necessary for the Service to function and do not require consent.
- Analytics cookies: Vercel Analytics to understand how users interact with the Service and to improve performance. These are non-essential and require your consent before being set.
- Payment cookies: Stripe session cookies for secure payment processing. These are set only when you interact with payment features.
We do not use third-party advertising cookies, tracking pixels (such as Facebook Pixel), or any cookies that track you across other websites. We do not sell data to advertisers.
Consent: Non-essential cookies (analytics) require your consent before being activated. You can manage your cookie preferences through your browser settings or by adjusting your preferences when prompted. You can also disable analytics cookies at any time by clearing your browser cookies.
We honor Global Privacy Control (GPC) signals. When your browser sends a GPC signal, we automatically treat it as a request to opt out of non-essential cookies and tracking. You can learn more about GPC at globalprivacycontrol.org.
8. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us so we can delete it.
9. International Data Transfers
Excede is a US company. The Service is hosted and operated in the United States. If you are located in the EU, EEA, UK, Switzerland, or any other jurisdiction outside the United States, your personal information will be transferred to, stored, and processed in the United States.
For transfers of personal data from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to provide adequate safeguards. For UK transfers, we implement the UK International Data Transfer Addendum (UK IDTA). For Swiss transfers, we comply with the Swiss Federal Data Protection Act (FADP). Our SCCs are available at excede.ai/dsa/sccs.
You should be aware that US authorities may request data from US companies under certain laws, and such requests may not always require a court order. We will notify you of any government data access requests to the extent permitted by law. For details on supplementary safeguards (encryption, access controls, contractual restrictions, data minimization), see our Data Security Addendum.
10. Changes
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will provide additional notice as required by law (e.g., by email or a prominent notice in the Service). Your continued use of the Service after the effective date constitutes acceptance of the updated policy to the extent permitted by law.
11. Contact Us
For privacy-related questions, requests, or complaints, contact us at: privacy@excede.ai or call (201) 824-2307.
You may also write to us at:
Excede, Inc.
1654 Calle Tulipan Suite 100
San Juan, Puerto Rico 00927-6242
Phone: (201) 824-2307
California residents may contact us regarding CCPA/CPRA rights and can request a list of categories of personal information we have disclosed to third parties for a business purpose in the preceding 12 months.
Data Protection Officer
We have not appointed a Data Protection Officer, as we do not meet the criteria requiring one under GDPR Article 37 (we do not engage in large-scale systematic monitoring or large-scale processing of special category data as a core activity). For any data protection inquiries, please contact dpo@excede.ai or use the contact details above.