Privacy Policy

Effective date: March 1, 2026

1. Who We Are

Expunct (“Expunct,” “we,” “us,” or “our”) operates the API and dashboard at expunct.ai. We provide PII detection and redaction infrastructure for developers and enterprises. This policy explains what data we collect, why, and your rights over it.

Questions or data requests: privacy@expunct.ai

2. Data We Collect

Account data

When you create an account: name, email address, organization name, and authentication information (managed by Clerk). If you subscribe to a paid plan, payment details are handled directly by Stripe — Expunct never stores raw card numbers.

Usage data

We log API requests, including timestamp, endpoint, HTTP status code, job ID, tenant ID, token count, and IP address. This data powers billing, analytics, and fraud detection.

Content you submit for processing

Files and text you upload for redaction are stored temporarily on our servers (in encrypted storage) to process your job. Input files and output results are retained for the duration specified by your plan (7 days for free, 30–365 days for paid tiers) and then automatically deleted. We do not use your content to train models or share it with third parties.

Cookies and browser data

Our dashboard uses session cookies for authentication. We use PostHog for product analytics (page views, feature usage — no content). You can opt out of analytics via your browser's Do Not Track setting or by contacting us.

3. How We Use Your Data

  • Provide, operate, and improve the Expunct service
  • Process billing and manage your subscription
  • Send transactional emails (receipts, quota warnings, security alerts)
  • Detect and prevent abuse or unauthorized access
  • Comply with legal obligations
  • Respond to support requests

We do not sell your personal data. We do not use submitted content for advertising or model training.

4. Data Sharing

We share data only with the following categories of service providers, under contractual obligations to protect it:

  • Clerk — user authentication and organization management
  • Stripe — payment processing and subscription management
  • Railway — cloud infrastructure hosting (US-based)
  • Sentry — error monitoring (anonymized stack traces, no content)
  • Grafana Labs — infrastructure metrics and logs (no content)

We may disclose data if required by law, court order, or to protect the rights and safety of Expunct and its users.

5. Data Retention

  • Processed content — deleted automatically per your plan's retention period (7–365 days)
  • Account data — retained while your account is active; deleted within 30 days of account closure
  • Billing records — retained for 7 years as required by financial regulations
  • Audit logs — retained per your plan tier; enterprise logs retained for 1 year

6. Your Rights

Depending on your location (EEA, UK, California, etc.), you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and associated data
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent for analytics

To exercise any of these rights, email privacy@expunct.ai. We will respond within 30 days. For account deletion, you can also use the Settings page in your dashboard.

7. Security

We use industry-standard security practices: TLS in transit, encryption at rest for stored files, hashed API keys (never stored in plaintext), and access controls that limit access to team members who need it. We regularly review our security posture.

If you discover a security vulnerability, please report it to security@expunct.ai.

8. International Transfers

Expunct operates from the United States. If you are located in the EEA or UK, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for such transfers. Contact us if you require a Data Processing Agreement (DPA) for GDPR compliance.

9. Children

Expunct is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy. For material changes, we will notify you by email or an in-dashboard notice at least 30 days before the changes take effect. Continued use after that date constitutes acceptance.

11. Contact

Expunct
privacy@expunct.ai