Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy describes how Expe AI, Inc. ("Expe AI," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our website, platform, and related services (collectively, the "Service"). Expe AI is an AI-powered feedback collection and conversation tracking platform that processes messages received through WhatsApp.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Roles and Responsibilities

Expe AI operates in two capacities:

  • Data Processor: When organizations use Expe AI to collect and analyze feedback from their end users via WhatsApp, we act as a data processor on behalf of the organization (the data controller). The organization determines the purposes and means of processing end-user data.
  • Data Controller: For information we collect directly from our platform users (account holders, organization members), we act as the data controller.

If you are an end user communicating with an organization via WhatsApp, that organization's privacy policy governs how your data is used. This Privacy Policy applies to our platform users and describes how we process data on behalf of organizations.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name and email address
  • Password (hashed and salted, never stored in plain text)
  • Profile information
  • Organization membership details and role assignments
  • Two-factor authentication credentials (if enabled)
  • Google OAuth tokens (if you sign in with Google)

2.2 WhatsApp Message Data (Processed on Behalf of Organizations)

When end users send messages to an organization's WhatsApp number, we receive and process:

  • Phone numbers of message senders
  • Text messages including their content
  • Voice notes (audio files)
  • Images and their metadata
  • Message timestamps and delivery status
  • WhatsApp profile names (when available)

2.3 AI-Generated Data

Our Service uses artificial intelligence to process messages and generate:

  • Transcriptions of voice notes
  • Image descriptions and extracted text
  • Sentiment analysis scores and classifications
  • Category assignments for feedback
  • Topic clusters grouping related submissions
  • Summaries of conversations and feedback

2.4 Geolocation Data

We may collect approximate geographic location data based on:

  • Information provided in messages
  • Phone number country codes and area codes
  • Location data shared by end users via WhatsApp

2.5 Payment Information

When you subscribe to a paid plan, we collect:

  • Billing name and address
  • Payment method details (processed and stored by Stripe — we do not store full card numbers)
  • Transaction history and subscription status

2.6 Automatically Collected Information

When you use our platform, we automatically collect:

  • Browser and device information: browser type, operating system, screen resolution, device identifiers
  • Usage data: pages visited, features used, clicks, navigation patterns
  • Log data: IP address, access times, referring URLs, error logs
  • Cookies and similar technologies: see our Cookie Policy for details

3. How We Use Your Information

3.1 To Provide and Operate the Service

  • Process and deliver WhatsApp messages between organizations and their contacts
  • Run AI analysis on messages (transcription, categorization, sentiment analysis, summarization)
  • Generate topic clusters and dashboard analytics
  • Maintain contact records and conversation histories
  • Process payments and manage subscriptions

3.2 To Improve the Service

  • Monitor platform performance and reliability
  • Analyze usage patterns to improve features
  • Debug and fix technical issues
  • Develop new features based on aggregated usage insights

3.3 To Communicate with You

  • Send transactional emails (account verification, password resets, billing receipts)
  • Provide customer support
  • Send service updates and security alerts
  • Share product announcements (with your consent)

3.4 To Ensure Security and Compliance

  • Detect and prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect the rights and safety of our users

4. AI Processing and Third-Party AI Providers

Our Service relies on third-party AI providers to process message data. This is a core function of the Service and is necessary to deliver the features described above.

4.1 AI Providers We Use

| Provider | Purpose | Data Shared |
|----------|---------|-------------|
| OpenAI (GPT-5 Mini) | Text analysis, categorization, sentiment analysis, summarization, image understanding | Message text, image content |
| ElevenLabs (Scribe V2) | Voice note transcription | Audio files from voice messages |

4.2 How AI Processing Works

  1. When an end user sends a WhatsApp message, it is received via the WhatsApp Cloud API.
  2. Text messages are sent to OpenAI for analysis (categorization, sentiment, summary).
  3. Voice notes are sent to ElevenLabs for transcription, then the transcript is analyzed by OpenAI.
  4. Images are sent to OpenAI's vision model for understanding and description.
  5. AI-generated results are stored in our database and displayed on organization dashboards.

4.3 AI Provider Data Practices

  • OpenAI and ElevenLabs process data according to their respective privacy policies and data processing agreements.
  • We use API-based access, which means these providers do not use your data to train their models (per their API terms of service).
  • Data sent to AI providers is transmitted over encrypted connections (TLS).

5. Third-Party Services

In addition to AI providers, we use the following third-party services:

| Service | Purpose | Data Shared |
|---------|---------|-------------|
| WhatsApp Cloud API (Meta) | Sending and receiving WhatsApp messages | Message content, phone numbers, media files |
| Stripe | Payment processing and subscription management | Billing information, transaction details |
| Resend | Transactional email delivery | Email addresses, email content |
| Vercel | Platform hosting and deployment | Server logs, request data |
| PostgreSQL provider | Database hosting | All stored platform data (encrypted at rest) |

Each third-party service processes data in accordance with their own privacy policies and our data processing agreements with them.

6. Data Sharing and Disclosure

We do not sell your personal information. We share data only in the following circumstances:

  • With AI and infrastructure providers: as described in Sections 4 and 5, to operate the Service
  • Within organizations: organization members can access data belonging to their organization based on their assigned role (owner, admin, or member)
  • With your consent: when you explicitly authorize sharing
  • For legal compliance: when required by law, regulation, legal process, or enforceable governmental request
  • To protect rights: when necessary to enforce our Terms of Service, protect our rights, or ensure the safety of our users
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with notice to affected users

7. Data Retention

  • Account data: retained for as long as your account is active, plus 30 days after deletion to allow for recovery
  • WhatsApp message data: retained according to the organization's configured retention policy. Organizations can delete data at any time through the platform.
  • AI-generated analysis: retained for as long as the associated message data exists
  • Payment records: retained for 7 years to comply with tax and accounting obligations
  • Server logs: retained for 90 days for security and debugging purposes

8. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: all data transmitted between your browser, our servers, and third-party providers uses TLS 1.2 or higher
  • Encryption at rest: database contents are encrypted at rest
  • Authentication: passwords are hashed using bcrypt; two-factor authentication is available
  • Access control: role-based permissions ensure users only access data within their organization
  • Multi-tenant isolation: organization data is logically separated to prevent cross-tenant access
  • Regular security audits: we regularly review our security practices and infrastructure

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

9.1 General Rights (All Users)

  • Access: request a copy of your personal data
  • Correction: request correction of inaccurate data
  • Deletion: request deletion of your account and associated data
  • Data portability: receive your data in a structured, machine-readable format
  • Objection: object to specific types of data processing

9.2 European Economic Area (GDPR)

If you are in the EEA, you have additional rights under the General Data Protection Regulation:

  • Legal basis: we process your data based on contract performance (to deliver the Service), legitimate interests (to improve and secure the Service), and consent (for optional communications)
  • Data transfers: data may be transferred to and processed in countries outside the EEA. We rely on Standard Contractual Clauses and adequacy decisions to ensure appropriate safeguards.
  • Supervisory authority: you have the right to lodge a complaint with your local data protection authority

9.3 California (CCPA/CPRA)

If you are a California resident:

  • You have the right to know what personal information we collect, use, and disclose
  • You have the right to request deletion of your personal information
  • You have the right to opt out of the sale of personal information (we do not sell personal information)
  • You have the right to non-discrimination for exercising your privacy rights
  • Categories of information collected: identifiers, commercial information, internet activity, geolocation data, professional information
  • Categories of sources: directly from you, automatically through the Service, from WhatsApp Cloud API

9.4 Brazil (LGPD)

If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados, including confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing.

To exercise any of these rights, contact us at privacy@expe.city.

10. International Data Transfers

Expe AI operates globally. Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with all third-party providers
  • Compliance with applicable data transfer frameworks

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify active users via email
  • Display a prominent notice on our platform

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: contact@expe.ai