Privacy Policy

Version 2025-07-14 · Last updated

1. Introduction

ExportKit ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our data export infrastructure service ("the Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, do not use the Service.

2. Data We Collect

We collect the following categories of information:

2.1 Account Information

  • Email address
  • Password (stored as a cryptographic hash)
  • Company name (if provided)
  • Billing information (processed by Stripe, not stored by us)

2.2 Usage Data

  • API requests and responses
  • Export job metadata (row counts, file types, timestamps)
  • IP addresses and request headers
  • Browser type and device information

2.3 Customer Data

Data you submit through the Service for export processing ("Customer Data"). We process this data solely to provide the Service and do not use it for any other purpose. You retain all rights to your Customer Data.

3. How We Use Your Data

We use the collected data for the following purposes:

  • Service Delivery: To provide, maintain, and improve the export infrastructure service
  • Authentication: To verify your identity and manage your account
  • Billing: To process payments and manage subscriptions
  • Communication: To send service notifications, export completion emails, and usage alerts
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Analytics: To understand usage patterns and improve the Service (using anonymized, aggregated data only)
  • Legal Compliance: To comply with applicable laws and regulations

4. Data Retention

We retain your data for the following periods:

  • Account Data: Retained while your account is active and for 30 days after account deletion
  • Export Files: Retained for 7 days by default (configurable up to 90 days for paid plans)
  • Usage Records: Retained for the current billing period plus 12 months for billing reconciliation
  • Audit Logs: Retained for a minimum of 90 days for security and compliance purposes
  • Customer Data: Deleted immediately after export file generation or when the export file expires

5. Third-Party Processors

We use the following third-party service providers to process your data:

  • Stripe (United States) — Payment processing and subscription management
  • Resend (United States) — Email delivery for notifications and alerts
  • Cloudflare R2 (Global) — Temporary storage of export files
  • Neon (United States) — Database hosting with encryption at rest
  • Sentry (United States) — Error tracking and monitoring (anonymized data only)

A complete list of sub-processors is available at /sub-processors.

6. Your Rights

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws, you have the following rights:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at privacy@exportkit.com or use the data export and account deletion features in your Dashboard settings.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in Transit: All data transmitted to and from the Service is encrypted using TLS 1.2 or higher
  • Encryption at Rest: All data stored in our database is encrypted at rest
  • Access Controls: API key authentication, IP allowlisting, and role-based access controls
  • Audit Logging: All security-relevant actions are logged immutably for 90+ days
  • Vulnerability Management: Regular dependency scanning and security updates

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. We ensure that such transfers comply with applicable data protection laws through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Adequate security measures as described in this Privacy Policy

9. Cookies and Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication and session management (cannot be disabled)
  • Analytics Cookies: Used to understand usage patterns (optional, requires consent)

You can manage your cookie preferences through the cookie consent banner displayed on your first visit.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Dashboard at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

12. Contact Information

For questions about this Privacy Policy, to exercise your data subject rights, or to contact our Data Protection Officer (DPO), please reach out to:

Email: privacy@exportkit.com

Data Protection Officer: dpo@exportkit.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.