What we collect,
and what we never will.

This policy applies to people who create an Exodocs account, members invited into an organisation, and visitors to our website. Where your organisation administers an Exodocs account on your behalf, that organisation is the controller of the workspace data, and Exodocs processes it as a service provider under their instructions.

Account & profile

• Identity: your name and email address.
• Authentication: a salted bcrypt hash of your password (never the password itself) and, if you enable two-factor authentication, an encrypted TOTP secret and backup codes.
• Organisation: the organisation you belong to, your role (owner, admin, or member), and invitation status.

Integration & workspace data

• Integration credentials you provide (Notion or Confluence tokens, GitHub access tokens, and Slack webhook URLs), stored encrypted at rest and isolated per organisation.
• Documentation metadata: page titles, last-edited timestamps, and freshness scores of the pages you connect.
• Code metadata: commit SHAs, messages, authors, and the file paths that changed. We persist file paths only. Diffs and sampled source files used for AI analysis are deleted on completion and never retained as a persistent store.
• Cached content with a 24-hour expiry: documentation page text and repository file trees, used to compute scores and power AI features.

Billing

• Subscription data: your plan, billing interval, and subscription status. Payment card details are handled directly by Stripe. Exodocs never sees or stores card numbers.

Usage & technical

• Operational logs: request metadata and error diagnostics needed to run and secure the service.
• Audit records: a log of meaningful actions taken within your organisation (who connected what, invited whom, and when).

• To provide the core service: matching commits to documentation pages, scoring freshness, and sending alerts.
• To power AI features you enable: mapping suggestions, drift summaries, and documentation generation.
• To authenticate you, secure your account, and prevent abuse.
• To bill your subscription and provide support.
• To communicate service notices and, only if you opt in, product updates.

We do not sell your data, use it for advertising, or use your private workspace content to train our own models.

Where the GDPR or similar laws apply, we process your data on the basis of contract (to deliver the service you signed up for), legitimate interests (to secure and improve the service), consent (for optional communications and AI features you switch on), and legal obligation (for tax and accounting records).

We share data only with the sub-processors that make Exodocs work: hosting and database, caching, AI processing, payments, and the integrations you connect (GitHub, Notion, Confluence, Slack). The full list, with what each one processes and where, is maintained on our Security page.

We may also disclose information if required by law, or to protect the rights, safety, and security of Exodocs and its users. If Exodocs is ever involved in a merger or acquisition, we will notify you before your data becomes subject to a different privacy policy.

When you use AI features, relevant context is sent to our AI provider, Anthropic, for processing. That context includes commit messages, file paths, documentation page text, and, for documentation generation, sampled source files. Untrusted content is sanitised against prompt-injection patterns before it reaches the model.

We keep data only as long as it is needed. When you remove a documentation page or repository, we deactivate it and stop tracking it immediately. When you disconnect an integration, its stored credentials are removed from our database right away. Cached page content and file trees expire automatically within 24 hours.

When a subscription lapses or you close your account, your organisation enters a 90-day suspension grace period, after which all of its data, including deactivated pages and repositories, is permanently purged. You can request earlier deletion at any time.

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. Most of this is self-service inside the app; for anything else, email us and we will action verified requests within 30 days.

• Access & correction: view and edit your profile and organisation data in settings.
• Deletion: remove pages, repositories, or your whole organisation from settings, or ask us to.
• Portability: request an export of your organisation's data.

Exodocs uses a single, essential session cookie to keep you signed in and to protect against cross-site request forgery. We do not use third-party advertising or cross-site tracking cookies. Because our cookies are strictly necessary to operate the service, no consent banner is required to set them.

We may update this policy as the product evolves. Material changes will be announced in-app or by email, and the "last updated" date above will change. Continued use after an update means you accept the revised policy.