Privacy Policy

Effective: January 1, 2024 · Last updated: March 15, 2026

Overview

EXFIRA Inc. ("Exfira," "we," "our," or "us") operates the Exfira AI governance platform. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services, website, and related products.

By using Exfira, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.

Data We Collect

We collect information in the following categories:

  • Account Information — Name, email address, company name, and billing details when you create an account or subscribe to a plan.
  • Usage Data — API request metadata (timestamps, latency, token counts, model identifiers, workspace IDs). We do not store the content of prompts or model responses by default.
  • Technical Data — IP addresses, browser type, operating system, and referring URLs collected via access logs and analytics.
  • Communications — Messages you send us via email or support channels.
  • Payment Data — Processed by our payment processor (Stripe). We do not store full card numbers on our systems.

How We Use Data

We use collected information to:

  • Provide, maintain, and improve the Exfira platform and services.
  • Process payments and manage subscriptions.
  • Send transactional communications (receipts, alerts, security notices).
  • Respond to support requests and troubleshoot issues.
  • Detect and prevent fraud, abuse, and security threats.
  • Comply with legal obligations.
  • Send product updates and marketing communications (you may opt out at any time).

We will never sell your personal data to third parties.

Data Sharing

We may share data with:

  • Service Providers — Third-party vendors who assist in operating our platform (cloud hosting, payment processing, email delivery). These parties are contractually bound to keep data confidential.
  • Legal Authorities — When required by law, court order, or governmental authority.
  • Business Transfers — In connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.

Retention

We retain account data for the duration of your subscription plus 90 days after termination to allow for reactivation or export. Audit log metadata is retained for up to 24 months unless a longer retention period is configured by your organization. You may request deletion of your data at any time.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data ("right to be forgotten").
  • Object to or restrict processing of your data.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time where processing is consent-based.

To exercise these rights, contact us at privacy@exfira.io. We will respond within 30 days.

Security

We implement industry-standard technical and organizational measures to protect your data — including AES-256 encryption at rest, TLS 1.3 in transit, access controls, and regular third-party security audits. No system is impenetrable; if you believe your account has been compromised, contact us immediately at security@exfira.io.

Cookies

We use strictly necessary cookies for session management and authentication. We use analytics cookies (with your consent) to understand usage patterns and improve our services. You may decline non-essential cookies via your browser settings or our cookie consent banner.

Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or a prominent notice in the dashboard at least 30 days before changes take effect. Continued use of the services after that date constitutes acceptance of the updated policy.

Contact

For privacy-related inquiries: