exponential.im logo exponential.imSign in

Privacy Policy

Effective Date: January 14th, 2026

Introduction

Welcome to Exponential. We value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our service.

Information We Collect

We collect the following types of information when you use Exponential:

Account Information

  • Name and Email: Provided when you sign up or sign in via an authentication provider (Google, Discord, Notion).
  • Profile Picture: Retrieved from your authentication provider if available.
  • Authentication Provider: Which service you use to sign in (Google, Discord, or Notion).

Content You Create

  • Projects: Project names, descriptions, statuses, and priority levels you create.
  • Goals and Outcomes: Strategic goals and measurable outcomes you define.
  • Actions: Tasks and action items you create and track.
  • Journal Entries: Daily reflections and planning notes you write.
  • Workspace Data: Workspace names, settings, and organizational structure.

Usage Data

  • Device Information: Browser type, operating system, and device type.
  • Log Data: Pages visited, features used, and timestamps of your activity.
  • Session Information: Login times and session duration.

Third-Party Integration Data

  • Google: Calendar events, contacts, and profile information (see detailed Google section below).
  • Fireflies.ai: Meeting transcripts and notes if you connect this integration.

Cookies and Similar Technologies

  • Session Cookies: Essential cookies to maintain your login session and preferences.
  • Authentication Tokens: Secure tokens to verify your identity across requests.

We do not use third-party advertising or tracking cookies.

Google User Data

When you connect your Google account to Exponential, we access specific Google user data to provide our CRM and productivity features. This section describes exactly what data we access, how we use it, and how we protect it.

Data We Access

Depending on the features you enable, we may request access to the following Google data:

  • Basic Profile Information: Your name, email address, and profile picture for account identification.
  • Google Calendar Events: Event titles, descriptions, times, locations, attendee names and email addresses, and conference/meeting links. This allows us to display your schedule and identify contacts you interact with.
  • Google Contacts: Names, email addresses, phone numbers, organization names, job titles, and profile URLs (including LinkedIn). This enables our CRM features to help you manage your professional relationships.

How We Use Google Data

  • Calendar Display: We display your calendar events within the app to help you plan your day and track meetings.
  • Event Creation: With your permission, we can create calendar events on your behalf (e.g., scheduling tasks).
  • Contact Relationship Management: We import your contacts into our CRM to help you track professional relationships, meeting history, and interaction frequency.
  • Interaction Tracking: We analyze calendar attendees to identify contacts you frequently meet with and calculate relationship strength scores.

Data Sharing

We do not sell, rent, or share your Google user data with third parties except in the following limited circumstances:

  • Service Providers: We use secure cloud infrastructure (Vercel, Railway) to host our application. These providers do not have access to your decrypted data.
  • Legal Requirements: We may disclose data if required by law, court order, or government request.

We do not use Google user data for advertising purposes. We do not allow humans to read your data except where necessary to provide support at your request, or for security purposes.

Data Storage & Protection

  • Encryption at Rest: Sensitive contact information (email addresses, phone numbers, social media handles) is encrypted using AES-256-GCM encryption before storage in our database.
  • Encryption in Transit: All data transmitted between your browser, our servers, and Google is encrypted using TLS/HTTPS.
  • Calendar Event Caching: Calendar events are cached temporarily (up to 15 minutes) in memory to improve performance. Events are not permanently stored in our database.
  • OAuth Token Security: Your Google authentication tokens are stored securely and used only to access Google APIs on your behalf. We use short-lived access tokens with automatic refresh.
  • Access Controls: Your data is isolated to your workspace and can only be accessed by authenticated users within that workspace.

Data Retention & Deletion

  • Contact Data: Imported contacts are retained in your workspace until you delete them or delete your account. You can delete individual contacts at any time from the CRM.
  • Calendar Data: Calendar events are cached for up to 15 minutes and are not permanently stored.
  • Account Deletion: You can request complete deletion of your account and all associated data by contacting us at privacy@exponential.im. We will process deletion requests within 30 days.
  • Disconnecting Google: You can disconnect your Google account at any time from your account settings. This immediately revokes our access to your Google data. Previously imported contacts will remain in your CRM unless you explicitly delete them.

Revoking Access

You can revoke Exponential's access to your Google account at any time by:

  1. Disconnecting Google from your Exponential account settings, or
  2. Visiting your Google Account permissions page and removing Exponential from the list of connected apps.

Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements.

How We Store Your Data

We take the security of your data seriously. Here is how we store and protect your information:

Infrastructure

  • Application Hosting: Our application is hosted on Vercel, a secure cloud platform with SOC 2 Type 2 compliance.
  • Database: Your data is stored in a PostgreSQL database hosted on Railway with automated backups.
  • Data Location: Our primary infrastructure is located in the United States and European Union regions.

Security Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
  • Encryption at Rest: Sensitive data such as contact information and integration tokens is encrypted using AES-256-GCM before storage.
  • Access Controls: Your data is isolated to your account and workspace. Only authenticated users can access their own data.
  • Authentication Security: We use industry-standard OAuth 2.0 for authentication and store only secure session tokens.

Backups

Our database is automatically backed up daily. Backups are encrypted and retained for disaster recovery purposes.

How We Use Your Information

We use the information we collect for the following specific purposes:

Service Delivery

  • Display your projects, goals, outcomes, and actions in the application
  • Sync and display your calendar events from connected integrations
  • Store and retrieve your journal entries and daily planning notes
  • Manage your workspaces and organizational structure

Personalization

  • Remember your preferences and workspace settings
  • Provide personalized views based on your usage patterns
  • Maintain your session across visits

Communication

  • Send account-related notifications (password resets, security alerts)
  • Notify you of important service updates or changes
  • Respond to your support requests and inquiries

Security and Compliance

  • Detect and prevent fraudulent activity or abuse
  • Ensure compliance with applicable laws and regulations
  • Enforce our Terms of Service

Data Retention

We retain your data for as long as necessary to provide our services and fulfill the purposes described in this policy:

  • Account Data: Retained until you delete your account or request deletion.
  • Content You Create: Projects, goals, actions, and journal entries are retained until you delete them or delete your account.
  • Usage Logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
  • Integration Data: Google Calendar events are cached for up to 15 minutes. Imported contacts are retained until you delete them.
  • Backups: Database backups containing your data are retained for up to 30 days.

When you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention).

Data Sharing

We do not sell, rent, or trade your personal data. We only share your information in the following limited circumstances:

  • Service Providers: We use trusted third-party services (Vercel for hosting, Railway for database) to operate our platform. These providers only have access to data necessary to perform their services and are bound by data protection agreements.
  • Legal Requirements: We may disclose data if required by law, court order, or government request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.
  • With Your Consent: We may share data with third parties when you explicitly authorize us to do so.

We use industry-standard security measures including encryption at rest and in transit to safeguard your information.

Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data and account.
  • Data Portability: Request your data in a portable format.
  • Withdraw Consent: Disconnect third-party integrations at any time.

To exercise any of these rights, please contact us at privacy@exponential.im.

Contact

If you have any questions or concerns regarding this Privacy Policy, please contact us at privacy@exponential.im