EXUM · Legal

Privacy Policy

Effective: June 9, 2026

This policy explains what Exum collects, why, and what we do with it. It covers the Exum website, sign-in, paid plans, and the Exum ChatGPT app (and other clients that connect via the Model Context Protocol, "MCP"). Third-party products you use to reach us — for example OpenAI's ChatGPT or Google sign-in — have their own privacy notices; this policy covers Exum's practices only. If anything is unclear, email support@pyxl.ai.

01

Who we are

Exum is a crypto market intelligence platform. The service is operated by the team behind Exum ("we", "our", "us"). For the purposes of GDPR, we act as the data controller for the personal data described below.

02

What we collect

We only collect what we actually need to run the product:

  • Account data — email address, display name (if you set one), and a hashed password (bcrypt) when you sign up with credentials. If you sign in with Google, we also receive your Google profile picture and the OAuth identifier.
  • Billing data — when paid plans launch, Stripe processes your card and stores the customer ID we hold against your account. We never store full card numbers.
  • Usage data — your tier, your alert subscriptions, your watchlist, and which charts you look at. Used to make the product work and to improve it.
  • ChatGPT / MCP usage — when you connect the Exum app inside ChatGPT or another MCP client, we process OAuth authorization, tool calls (for example opening a chart or markets list), and limited account fields needed to answer those tools (email, display name, tier). We log tool metadata and widget interactions (such as symbol picks and "Open on Exum" clicks) for product analytics — not the full text of your ChatGPT conversation.
  • Technical data — IP address and approximate geo (country / region / city, derived from headers) at the moment of sign-up, captured for fraud prevention and abuse triage. We do not run cross-site tracking.
  • Cookies / local storage — a NextAuth session cookie (signed JWT, not readable by JavaScript) plus small preferences in localStorage (theme, sidebar widths, layout). No third-party tracking cookies.
03

Why we use it

  • To authenticate you and keep your session secure.
  • To serve features that match your billing tier (free / pro / alpha).
  • To process subscription payments and prevent fraud.
  • To send you transactional email — alert triggers you subscribed to, security notices, billing receipts. We do not send marketing email without explicit consent.
  • To debug crashes and improve product quality.
  • To operate the Exum ChatGPT app: authenticate you via OAuth, run MCP tools, render in-chat widgets, and measure which features drive visits to the full Exum desk.
04

ChatGPT app, OAuth, MCP, and widgets

When you connect Exum inside ChatGPT or another MCP client, you authorize access through OAuth. We process each tool call to fulfill your request and return structured results to the host application.

  • Host environment — the client that runs the conversation (for example OpenAI's ChatGPT) receives tool inputs and outputs as part of your session. Their privacy policy and terms also apply to how they handle that data.
  • Typical tool response data — we aim to return only what the feature needs: a limited account summary (user id, email, display name, tier), chart/market payload (symbol, interval, prices from public feeds, recent events), and links to open the full Exum desk. We do not intentionally expose payment card numbers, password secrets, or unrelated profile fields in MCP tool responses.
  • Widgets — some tools load UI from our domains inside the host environment (embedded chart and markets views). Those views fetch public market data from our APIs and may record product analytics events (for example tool opens and CTA clicks) as described below.
  • What we do not do via MCP — our tools do not post to social networks, send email or SMS, execute trades, or publish to third-party websites on your behalf. Data flows to the host application, to our APIs and storage, and — when you choose — to the Exum website when you follow an "Open on Exum" link.
05

Sub-processors

We use a small set of vendors. Each has a privacy posture you can read directly:

  • Supabase (PostgreSQL hosting) — stores your profile, alerts, and snapshot cache. EU/US regions.
  • Vercel (application hosting + cron) — runs the web app and scheduled jobs. Receives request logs.
  • Google — only if you sign in with Google. We receive only the fields described above.
  • Stripe — payments processor for paid plans (when launched). Stripe receives your card data directly; we never see it.
  • OpenRouter — routing layer to large language models that power AI features (Screener, Layout Composer, Insights). We send the asset snapshot and your free-text query; we do not send your email or any other identifier.
  • PostHog — product analytics (event-level, not session replay). Used on the website and for the ChatGPT app (MCP tool calls, widget funnel events, AI feature usage). We honour Do-Not-Track and the "Reject all" consent choice where applicable on the web app.
  • OpenAI — only as the host when you use Exum inside ChatGPT. OpenAI processes your conversation, tool inputs, and tool outputs under their own policies; we do not control their retention.
  • Public market data sources (CoinGecko, Binance, DefiLlama, Santiment, Snapshot, Reddit, news RSS) — fetched server-side. Your queries are not forwarded to them.
06

AI features and your prompts

When you use AI Screener, AI Layout, or AI Insights, the request is forwarded through OpenRouter to a large language model. The payload includes the structured asset snapshot and the text you typed (if any). We do not include your email, name, or account ID in that payload. We keep an in-memory result cache keyed by the input hash to share answers across users when conditions are identical, which also reduces our own API spend.

Models accessed via OpenRouter are subject to their own retention policies; we ask for "no training" routes where the provider supports it.

07

How long we keep it

  • Account data: until you delete the account.
  • Alert triggers: 90 days, then aggregated and the per-user link is removed.
  • Snapshot cache: 1–24 hours per timeframe, never tied to your account ID.
  • Server logs: 14 days at Vercel, then rotated out automatically.
  • Billing records: 7 years to comply with tax law in most jurisdictions where we operate.
  • MCP OAuth tokens: until you revoke access in ChatGPT, disconnect the app, or we invalidate the token for security reasons.
  • Product analytics (PostHog): per PostHog's project retention settings (typically up to 1 year for event data).
08

Your rights

Wherever you are, you can ask us to access, export, correct, or delete your personal data. Email support@pyxl.ai from the address on your account. We respond within 30 days.

You can sign out and delete your account directly from /account at any time. Deletion is irreversible — your alerts, watchlist, and history are removed within 24 hours.

09

Security

Passwords are stored only as bcrypt hashes (cost factor 12). Sessions are signed JWTs stored in a HttpOnly cookie. All traffic is TLS-only. Database access is restricted to the server-side service-role key — there is no public REST surface on Supabase.

We will notify affected users within 72 hours of confirming a breach that involves their personal data.

10

Children

Exum is not directed at children under 16, and we do not knowingly collect data from them. If you are a parent and believe we have collected data about your child, email support@pyxl.ai and we will delete it.

11

Changes to this policy

When we change this policy materially, we update the Effective date at the top and notify active users by email at least 14 days before the change takes effect.

12

Contact

Privacy questions: support@pyxl.ai.
Anything else: support@pyxl.ai.