Privacy Policy

Effective: April 30, 2026

This policy explains what Exum collects, why, and what we do with it. We tried to write it in plain English. If anything is unclear, email support@pyxl.ai.

01

Who we are

Exum is a crypto market intelligence platform. The service is operated by the team behind Exum ("we", "our", "us"). For the purposes of GDPR, we act as the data controller for the personal data described below.

02

What we collect

We only collect what we actually need to run the product:

  • Account data — email address, display name (if you set one), and a hashed password (bcrypt) when you sign up with credentials. If you sign in with Google, we also receive your Google profile picture and the OAuth identifier.
  • Billing data — when paid plans launch, Stripe processes your card and stores the customer ID we hold against your account. We never store full card numbers.
  • Usage data — your tier, your alert subscriptions, your watchlist, and which charts you look at. Used to make the product work and to improve it.
  • Technical data — IP address and approximate geo (country / region / city, derived from headers) at the moment of sign-up, captured for fraud prevention and abuse triage. We do not run cross-site tracking.
  • Cookies / local storage — a NextAuth session cookie (signed JWT, not readable by JavaScript) plus small preferences in localStorage (theme, sidebar widths, layout). No third-party tracking cookies.

03

Why we use it

  • To authenticate you and keep your session secure.
  • To serve features that match your billing tier (free / pro / alpha).
  • To process subscription payments and prevent fraud.
  • To send you transactional email — alert triggers you subscribed to, security notices, billing receipts. We do not send marketing email without explicit consent.
  • To debug crashes and improve product quality.

04

Sub-processors

We use a small set of vendors. Each has a privacy posture you can read directly:

  • Supabase (PostgreSQL hosting) — stores your profile, alerts, and snapshot cache. EU/US regions.
  • Vercel (application hosting + cron) — runs the web app and scheduled jobs. Receives request logs.
  • Google — only if you sign in with Google. We receive only the fields described above.
  • Stripe — payments processor for paid plans (when launched). Stripe receives your card data directly; we never see it.
  • OpenRouter — routing layer to large language models that power AI features (Screener, Layout Composer, Insights). We send the asset snapshot and your free-text query; we do not send your email or any other identifier.
  • PostHog — product analytics (event-level, not session replay). Used to understand which features land. We honour Do-Not-Track and the "Reject all" consent choice.
  • Public market data sources (CoinGecko, Binance, DefiLlama, Santiment, Snapshot, Reddit, news RSS) — fetched server-side. Your queries are not forwarded to them.

05

AI features and your prompts

When you use AI Screener, AI Layout, or AI Insights, the request is forwarded through OpenRouter to a large language model. The payload includes the structured asset snapshot and the text you typed (if any). We do not include your email, name, or account ID in that payload. We keep an in-memory result cache keyed by the input hash to share answers across users when conditions are identical, which also reduces our own API spend.

Models accessed via OpenRouter are subject to their own retention policies; we ask for "no training" routes where the provider supports it.

06

How long we keep it

  • Account data: until you delete the account.
  • Alert triggers: 90 days, then aggregated and the per-user link is removed.
  • Snapshot cache: 1–24 hours per timeframe, never tied to your account ID.
  • Server logs: 14 days at Vercel, then rotated out automatically.
  • Billing records: 7 years to comply with tax law in most jurisdictions where we operate.

07

Your rights

Wherever you are, you can ask us to access, export, correct, or delete your personal data. Email support@pyxl.ai from the address on your account. We respond within 30 days.

You can sign out and delete your account directly from /account at any time. Deletion is irreversible — your alerts, watchlist, and history are removed within 24 hours.

08

Security

Passwords are stored only as bcrypt hashes (cost factor 12). Sessions are signed JWTs stored in an HttpOnly cookie. All traffic is TLS-only. Database access is restricted to the server-side service-role key — there is no public REST surface on Supabase.

We will notify affected users within 72 hours of confirming a breach that involves their personal data.

09

Children

Exum is not directed at children under 16, and we do not knowingly collect data from them. If you are a parent and believe we have collected data about your child, email support@pyxl.ai and we will delete it.

10

Changes to this policy

When we change this policy materially, we update the Effective date at the top and notify active users by email at least 14 days before the change takes effect.

11

Contact

Privacy questions: support@pyxl.ai.
Anything else: support@pyxl.ai.