Privacy Policy
Last updated: March 25, 2026
1. What we collect
When you use expacti, we collect:
- Account information: email address, hashed password, organization name.
- Command data: commands submitted for approval, reviewer decisions, timestamps. This is the core of the product.
- Session data: PTY recordings (if session recording is enabled), session metadata.
- Usage data: API call counts and feature usage, used for billing and product improvement.
2. How we use it
- To provide the service (command approval queue, reviewer notifications, audit log)
- To calculate billing and enforce plan limits
- To send transactional emails (approval notifications, account alerts)
- To improve the product
We do not sell your data. We do not use your command content for training AI models.
3. Data retention
Command history and audit logs are retained according to your plan:
- Free: 30 days
- Pro: 1 year
- Enterprise: configurable
You can export your data at any time from the dashboard. On account deletion, data is removed within 30 days.
4. Self-hosted deployments
If you run expacti on your own infrastructure, your data never leaves your servers. We have no access to command content, audit logs, or user data in self-hosted deployments.
5. Third-party services
We use:
- Cloudflare: TLS termination and DDoS protection
- Stripe: payment processing (we never see raw card numbers)
- Hetzner/DigitalOcean: infrastructure hosting (EU region)
6. Your rights (GDPR)
If you are in the EU/EEA, you have the right to access, correct, export, and delete your personal data. Contact us at [email protected].
7. Contact
Questions about this policy: [email protected]