Your privacy is important to us. This policy explains how we collect, use, and protect your information.
Effective Date: February 17, 2026
Last Updated: February 18, 2026
This Privacy Policy describes how Exordia Cloud LLC ("Exordia," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our B2B SaaS platform for consulting discovery workshops (the "Service").
This policy is provided in accordance with the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), the Colorado Privacy Act ("CPA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Connecticut Data Privacy Act ("CTDPA"), and other applicable US state privacy laws (collectively, "US Privacy Laws").
Exordia Cloud LLC
Email: admin@exordiacloud.com
We collect information that you provide directly to us, information collected automatically when you use the Service, and information from third-party sources. The categories of personal information we have collected in the preceding 12 months include:
When you create an account, we collect:
Exordia Cloud authenticates users through supported identity providers, including Google OAuth and Microsoft Entra ID. We access identity-provider profile information (such as name, email address, and profile image) solely for account creation and authentication purposes.
Google API Limited Use Disclosure
Exordia Cloud's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, sell it to third parties, or use it to determine creditworthiness.
When you use the Service, you may submit:
Note: This content may contain personal data of third parties (e.g., your clients' stakeholders). You are responsible for ensuring you have appropriate consent or legal basis to share such information.
When business customers submit Customer Data through the Service, Exordia generally processes that Customer Data as a processor or service provider on behalf of the customer organization (the controller or business). If you are a data subject included in a customer's data, privacy requests relating to that data may need to be directed to the relevant customer organization first.
We automatically collect:
When you use AI features, we process:
When you subscribe to a paid plan, payment is processed by our third-party payment processor, Stripe. We collect:
We do not store credit card numbers, bank account details, or other sensitive payment credentials. All payment data is handled directly by Stripe in accordance with Stripe's Privacy Policy.
We collect information when you:
We process your personal data based on the following legal grounds:
To provide and maintain the Service, process your transactions, and fulfill our contractual obligations to you.
Examples: Account management, service delivery, customer support
For our legitimate business interests, provided these do not override your fundamental rights.
Examples: Product improvement, security monitoring, fraud prevention, analytics
To comply with applicable laws, regulations, and legal processes.
Examples: Tax compliance, responding to lawful requests, audit requirements
Where you have given specific consent for particular processing activities. AI-assisted content generation requires explicit opt-in consent and is blocked without it. Other consent preferences (analytics, marketing communications, and third-party sharing) are recorded for compliance and applied as described in this Policy and product settings; some processing necessary to provide, secure, and operate the Service may continue regardless of those preferences.
Examples: AI content generation (required opt-in), marketing communications, optional analytics
We use the information we collect to:
The Service uses artificial intelligence and automated processing to enhance your experience. In accordance with applicable privacy laws, we provide the following disclosures:
Our AI features include:
We use the following AI service providers:
Anthropic (Claude)
Purpose: Natural language processing for requirements generation and content analysis
Data Processed: Text content from workshops submitted by users
Location: United States
Google Cloud Vertex AI
Purpose: Machine learning models for content processing and analysis
Data Processed: Text content from workshops submitted by users
Location: United States
AI processing is currently performed in United States regions. EU data residency for AI processing is not currently available.
Important Notice
Under applicable privacy laws, you have the right to:
We share your information only as described in this policy. We do not sell your personal information to third parties.
We engage third-party service providers to perform functions on our behalf. These providers have access to personal information only to perform their functions and are obligated to maintain confidentiality.
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, hosting, database | United States |
| Anthropic | AI processing (Claude) | United States |
| Google Vertex AI | AI processing | United States |
| Google OAuth | Authentication | Global |
| Microsoft Entra ID | Authentication | Global |
| Stripe | Payment processing | United States |
| Postmark | Transactional email delivery | United States |
| Upstash Redis | Rate limiting and application caching | United States |
If you use the Service as part of an Organization, other members of your Organization (particularly administrators) may access certain information about your account and activities.
We may disclose your information if required to do so by law or in response to:
If Exordia is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.
Core application data is stored and processed in the United States. Our primary infrastructure and databases are hosted in US data centers.
By using the Service, you acknowledge that your information will be stored and processed in the United States. Some authentication-related processing by third-party identity providers may occur globally, subject to those providers' own infrastructure and policies.
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account; deleted upon eligible request, subject to platform integrity constraints | Service provision |
| Workshop content | Duration of account; deleted upon eligible request, subject to platform integrity constraints | Service provision |
| Usage logs | Automatically purged (default 90 days, configurable per deployment) | Security, debugging |
| AI usage records | Automatically purged (default 12 months, configurable per deployment) | Billing, compliance |
| Audit logs | Automatically purged (default 90 days, configurable per deployment); may be archived per legal requirements | Security, legal compliance |
| Backup data | Up to 30 days after source deletion | Disaster recovery |
Upon account deletion request, we will delete or anonymize your personal information within a commercially reasonable timeframe (typically within 30 days), subject to eligibility requirements (e.g., sole organization administrators must first transfer administrative rights), legal obligations, and platform integrity constraints. Automated log cleanup runs on a scheduled basis for usage logs, AI usage records, and audit logs.
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data. This section provides additional information required under Articles 13 and 14.
Processing necessary to provide the Service you have subscribed to.
Examples: Account creation, workshop functionality, AI processing of your content, customer support
Processing necessary for our legitimate business interests, balanced against your rights.
Examples: Product improvement, security monitoring, fraud prevention, aggregated analytics
Processing necessary to comply with applicable laws and regulations.
Examples: Tax compliance, responding to lawful requests, audit log retention
Where you have given explicit consent for specific processing activities. You may withdraw consent at any time.
Examples: Marketing communications, optional analytics, feedback surveys
For GDPR-related inquiries, you may contact our data protection point of contact:
Data Protection Contact
Exordia Cloud LLC
Email: admin@exordiacloud.com
In addition to the rights listed in Section 10, EEA/UK residents have the right to:
Right of Access
Art. 15: Obtain confirmation of whether we process your data and receive a copy of it.
Right to Rectification
Art. 16: Have inaccurate personal data corrected and incomplete data completed.
Right to Erasure
Art. 17: Request deletion of your personal data, subject to legal retention obligations.
Right to Restriction
Art. 18: Request restriction of processing in certain circumstances.
Right to Data Portability
Art. 20: Receive your data in a structured, machine-readable format.
Right to Object
Art. 21: Object to processing based on legitimate interests or for direct marketing.
You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of EU Data Protection Authorities can be found on the European Data Protection Board website.
Your personal data may be transferred to and processed in the United States. For transfers of personal data from the EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the data processing terms of our infrastructure and AI service providers.
Enterprise customers requiring dedicated data processing terms may review and request execution of our Data Processing Addendum (DPA), which includes Standard Contractual Clauses and UK transfer terms. Contact us at the address above to initiate a DPA.
In accordance with GDPR Article 22, we inform you that the Service uses AI-assisted processing to generate requirements and map workshop notes. These outputs are recommendations only and are not used to make decisions that produce legal effects or similarly significantly affect you. All AI outputs require human review before use. You may opt out of AI features at any time.
We retain personal data only for as long as necessary for the purposes set out in this policy and as required by applicable law. When the lawful basis for processing is consent, we will delete or anonymize the data promptly upon withdrawal of consent, unless another lawful basis applies. See Section 8 for specific retention periods.
You have the following rights regarding your personal information:
Right to Know
Request disclosure of personal information collected, used, disclosed, or sold.
Right to Delete
Request deletion of personal information, subject to certain exceptions.
Right to Correct
Request correction of inaccurate personal information.
Right to Opt-Out
Opt out of the sale or sharing of personal information. Note: We do not sell personal information.
Right to Non-Discrimination
Not be discriminated against for exercising your privacy rights.
Right to Limit Use of Sensitive Personal Information
Limit use and disclosure of sensitive personal information.
Sensitive Personal Information Disclosure
The Service collects account credentials (via OAuth — we do not store passwords) and email addresses. We do not collect or process other categories of sensitive personal information as defined under the CPRA (e.g., Social Security numbers, financial account details, precise geolocation, racial/ethnic origin, biometric data, health information, or contents of private communications). Any sensitive personal information incidentally present in user-submitted workshop content is processed solely for purposes of providing the Service and is not used for profiling, advertising, or purposes beyond those permitted under Cal. Civ. Code § 1798.121.
California "Shine the Light" Law: California residents may request information regarding disclosure of personal information to third parties for direct marketing purposes.
To exercise any of these rights, please:
We will respond to your request within 45 days. We may need to verify your identity before processing your request. If we require additional time, we will notify you of the extension and the reason within the initial 45-day period. For access and data portability requests specifically, you may make up to two requests per 12-month period. Deletion, correction, and opt-out requests are not subject to this limit.
Operational note: At present, withdrawal of AI processing consent immediately disables AI features. Other preference withdrawals are honored where applicable to optional processing activities and communications, but do not disable processing that is strictly necessary for service delivery, security, legal compliance, or core business operations.
You may designate an authorized agent to submit privacy requests on your behalf. To do so, you must provide the agent with written permission signed by you and submit proof of the authorization when making the request. We may still require you to verify your own identity directly with us. Authorized agent requests should be sent to admin@exordiacloud.com with the subject line "Authorized Agent Request."
If we decline to take action on a privacy request, you may appeal that decision by emailing admin@exordiacloud.com with the subject line "Privacy Appeal." We will respond to appeals within 60 days. If we deny your appeal, we will provide information on how to contact the relevant state attorney general if you wish to submit a complaint.
In the preceding 12 months, we have disclosed the following categories of personal information for business purposes (e.g., to service providers and sub-processors):
| Category | Disclosed To | Purpose |
|---|---|---|
| Identifiers (name, email) | Auth providers, email provider | Authentication, transactional email |
| Commercial information (subscription data) | Payment processor (Stripe) | Billing and subscription management |
| Internet activity (usage logs) | Infrastructure provider (GCP) | Service delivery, security monitoring |
| Professional information (workshop content) | AI providers (Google Vertex AI, Anthropic) | AI-assisted content processing |
We have not sold or shared (as defined by CPRA) personal information in the preceding 12 months. We do not sell personal information or share it for cross-context behavioral advertising.
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Encryption
Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls
Role-based access control and principle of least privilege
Infrastructure
Hosted on Google Cloud Platform with enterprise-grade security controls
Monitoring
Continuous security monitoring and incident response
While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure. For more information, please visit our Trust & Security page.
Authorized Exordia personnel may access your data as necessary to provide the Service, investigate support requests, and ensure platform security. Such access is logged, time-limited, and subject to confidentiality obligations.
If we determine that an unauthorized breach of security has resulted in unauthorized access to your personal data, we will notify you without unreasonable delay and within 72 hours of determination where feasible. Notification will describe the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach. We will also notify relevant supervisory authorities as required by applicable law.
We use only strictly necessary cookies for authentication and security. We do not use advertising, marketing, or third-party tracking cookies. For full details, see our Cookie Policy.
Our essential authentication cookies include:
__Host-authjs.session-token (production) / authjs.session-token (development) — Maintains your authenticated session (7-day duration, Secure, HttpOnly)
__Host-authjs.callback-url (production) / authjs.callback-url (development) — Stores the redirect URL during OAuth sign-in (session duration, Secure, HttpOnly)
__Host-authjs.csrf-token (production) / authjs.csrf-token (development) — Protects against cross-site request forgery (session duration, Secure, HttpOnly)
You can control cookies through your browser settings. Blocking essential cookies will prevent you from logging in. See our Cookie Policy for details.
Since we do not use tracking or advertising cookies, Do Not Track (DNT) browser signals do not change your experience on our platform. We recognize Global Privacy Control (GPC) browser signals as a valid expression of your privacy preferences. Because we do not sell personal information or share it for cross-context behavioral advertising, the activities that GPC is designed to restrict do not occur on our platform. For additional privacy rights requests, see Section 10.
The Service is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at admin@exordiacloud.com, and we will take steps to delete such information.
The Service is not designed for use with data regulated under HIPAA, FERPA, GLBA, or similar sector-specific regulations unless a separate written agreement is in place. If you believe your use case involves regulated data categories, please contact us at admin@exordiacloud.com before submitting such data.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. If we make material changes, we will:
We encourage you to review this Privacy Policy periodically for any changes.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will respond to your inquiry within a reasonable timeframe and in accordance with applicable law.