Privacy Policy — Exagon Global

1. Introduction

Exagon B.V. ("Exagon Global", "we", "us", or "our") — trading as Exagon Global — respects your privacy and is committed to protecting personal data in accordance with applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and where relevant the California Consumer Privacy Act (CCPA/CPRA).

Exagon Global is the brand under which we deliver our services worldwide. Our Netherlands headquarters operates through Exagon B.V.. Our United Kingdom operations are conducted by Exagon Global Ltd. For the purposes of this Privacy Policy, Exagon B.V. is the data controller unless otherwise stated.

This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal information when you visit https://exagonglobal.com, use https://app.exagonglobal.com (our "Platform"), interact with our AI assistants, submit enquiry forms, subscribe to communications, or otherwise engage with our enterprise technology, AI, CRM, and digital services.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of our Services.

2. Data Controller

The data controller responsible for your personal data is:

Exagon B.V.

Registered office: Dordrecht, Netherlands

Email: privacy@exagonglobal.com

General enquiries: info@exagonglobal.com

For EU/EEA data subjects, you may contact us at privacy@exagonglobal.com regarding any privacy matter, including exercising your rights under GDPR.

3. Scope of This Policy

This policy applies to personal data processed through:

The Exagon Global marketing website at https://exagonglobal.com
The Exagon client platform and Social Media AI application at https://app.exagonglobal.com
Demo environments, contact forms, booking flows, and live-chat or AI assistant interactions
Email, SMS, WhatsApp, and other messaging channels operated on behalf of clients through our automation stack
Enterprise consulting, implementation, and support engagements
Events, webinars, and partner programmes

Client data (Processor role)

When we provide CRM, marketing automation, AI agent, or communication services to business clients, we often process personal data on behalf of those clients as a data processor. In those cases, the client's privacy policy governs the relationship with their end users, and our processing is governed by a Data Processing Agreement (DPA). This Privacy Policy primarily addresses situations where Exagon Global acts as the data controller.

4. Information We Collect

4.1 Information you provide directly

Identity data: name, job title, company name
Contact data: email address, telephone number, postal address
Account credentials: username, encrypted password, authentication tokens
Commercial data: service interests, project requirements, billing details
Communications: messages sent via contact forms, support tickets, chat, or AI assistants
Marketing preferences: newsletter opt-ins, SMS opt-ins, channel preferences
Content you upload: documents, knowledge-base files, social content, CRM records (for platform users)

4.2 Information collected automatically

Device and browser data: IP address, user agent, operating system, device identifiers
Usage data: pages viewed, features used, click paths, session duration, referral URLs
Log data: timestamps, error reports, API calls, authentication events
Cookie and similar technologies data as described in our Cookie Policy
AI interaction metadata: conversation timestamps, channel type, resolution status (not used to train public models without consent)

4.3 Information from third-party sources

We may receive information from integration partners, social platforms (when you connect accounts), payment processors, analytics providers, and publicly available business directories — always subject to your authorisation or the partner's lawful basis.

4.4 Mobile and SMS-specific data

If you opt in to SMS or mobile messaging programmes operated by Exagon Global, we collect your mobile telephone number, opt-in timestamp, consent method, message delivery status, and your responses (including STOP/HELP keywords).

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

5. How We Use Your Information

We process personal data for the following purposes:

Providing, operating, and improving our website, Platform, and AI services
Creating and managing user accounts and client sub-accounts
Delivering CRM, marketing automation, social media management, and communication workflows
Responding to enquiries, support requests, and demo bookings
Sending service-related notifications, security alerts, and administrative messages
Sending marketing communications where you have opted in (you may withdraw consent at any time)
Operating SMS and email programmes you have explicitly subscribed to
Training, tuning, and quality-assuring AI models within your tenancy or with your consent
Analytics, product development, and performance monitoring
Fraud prevention, security monitoring, and abuse detection
Compliance with legal obligations, court orders, and regulatory requests
Establishing, exercising, or defending legal claims

6. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

Contract performance — processing necessary to deliver services you or your organisation have requested
Legitimate interests — improving our services, securing our systems, B2B marketing to corporate contacts, and preventing fraud, balanced against your rights
Consent — marketing emails, SMS programmes, non-essential cookies, and certain AI features
Legal obligation — tax, accounting, regulatory, and law-enforcement requirements
Vital interests — rarely, to protect an individual's life or physical safety

7. How We Disclose Information

We do not sell personal data. We do not rent or trade contact lists. We disclose personal data only as described below.

All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.

7.1 Service providers and subprocessors

We engage trusted infrastructure and software providers to deliver our Services. These providers process data only on our instructions and under contractual data-protection obligations. Key categories include:

Cloud hosting and content delivery (e.g. VPS, CDN providers)
Platform infrastructure — Exagon Social Media AI (CRM, marketing automation, funnel, calendar, SMS, email) and associated messaging providers
Payment processors and billing platforms
Email and transactional messaging providers
SMS aggregators and telecommunications carriers (solely to deliver messages you have opted into)
AI and machine-learning API providers (where features require external inference, subject to DPA and data-minimisation)
Analytics, monitoring, and error-tracking tools
Customer support and ticketing systems
Professional advisers (lawyers, accountants, auditors) under confidentiality

7.2 Business clients

If you are an end customer of one of our business clients (e.g. you interact with a clinic, agency, or enterprise using Exagon-powered automation), your data is primarily controlled by that client. We process it as their processor.

7.3 Legal and safety

We may disclose information when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect rights, safety, and security.

7.4 Business transfers

In connection with a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred subject to confidentiality and continued protection consistent with this policy.

8. International Data Transfers

Exagon Global operates globally. Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our subprocessors maintain infrastructure.

When transferring data outside the EEA, we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, or adequacy decisions, supplemented by transfer impact assessments where required.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law.

Account and Platform data: for the duration of your subscription plus up to 90 days after termination (unless earlier deletion is requested)
Contact and enquiry records: up to 3 years from last interaction
Marketing consent records: for the duration of consent plus 3 years for audit purposes
SMS opt-in/opt-out logs: minimum 4 years for regulatory compliance
Server logs and security records: typically 12–24 months
Contract and billing records: 7 years (statutory accounting requirements in the Netherlands)

10. Your Privacy Rights

Depending on your location, you may have the following rights:

Access — request a copy of personal data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — request deletion ("right to be forgotten") where applicable
Restriction — limit processing in certain circumstances
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interests or direct marketing
Withdraw consent — where processing is consent-based, without affecting prior lawful processing
Automated decision-making — not be subject to solely automated decisions with legal effects, where applicable

How to exercise your rights

Submit requests to privacy@exagonglobal.com. We respond within 30 days (extendable by 60 days for complex requests). We may verify your identity before processing requests.

You have the right to lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP) — https://autoriteitpersoonsgegevens.nl.

11. Cookies & Tracking

We use cookies and similar technologies as described in our Cookie Policy at /legal/cookie-policy. You can manage preferences through your browser settings and, where available, our cookie consent banner.

12. Security Measures

We implement technical and organisational measures including encryption in transit (TLS), access controls, role-based permissions, audit logging, vulnerability management, and staff security training. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

See our Security page at /legal/security for further detail on our security programme.

13. Children's Privacy

Our Services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided us data, contact privacy@exagonglobal.com and we will delete it promptly.

14. AI & Automated Processing

Our Platform includes AI-powered features such as autonomous agents, content generation, lead scoring, and conversation routing. These systems assist human decision-making and customer interactions; they do not make solely automated decisions producing legal or similarly significant effects without human oversight unless explicitly configured and disclosed by your organisation.

AI outputs may be inaccurate. Users should review AI-generated content before relying on it for regulated, financial, medical, or legal purposes.

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated "Last Updated" date. Continued use after changes constitutes acceptance where permitted by law. For material changes affecting SMS programmes, we will provide notice as required by carriers and applicable regulations.

16. Contact Us

For privacy questions, data subject requests, or DPA enquiries:

Exagon B.V. — Privacy Office

Email: privacy@exagonglobal.com

Postal: Dordrecht, Netherlands

Website: https://exagonglobal.com