Privacy Policy

Effective Date: 12/04/2026
Last Updated: 12/04/2026

1. Introduction

Exclu respects the confidentiality, integrity, and sovereignty of user data. This Privacy Policy explains how Exclu collects, uses, protects, stores, and discloses personal data when you access our website, apply for access, create or use an account, communicate through the Exclu application, or interact with our support and security teams.

Exclu is built as a privacy-first communications platform. Our technical architecture is designed to reduce unnecessary collection, minimize metadata exposure, and avoid using public identifiers such as phone numbers or email addresses as the default identity layer for onboarding or in-app use.

This Privacy Policy applies to:

  • the Exclu website
  • the Exclu mobile and desktop applications
  • access review and onboarding workflows
  • support, abuse, and security operations
  • communications between you and Exclu

2. Data Controller

For the purposes of applicable data protection law, including the General Data Protection Regulation (GDPR), the data controller is:

Exclu, France.

If we appoint a Data Protection Officer, their contact details will be published here.

3. Our Privacy Architecture

Exclu is designed around data minimization and controlled exposure. In practical terms, this means:

  • no phone number or email is required for onboarding or in-app identity
  • end-to-end encryption is used for supported message content
  • private keys are intended to remain under device-side control
  • unnecessary persistent identifiers are avoided where possible
  • operational metadata is limited to what is necessary for service delivery, security, abuse prevention, and legal compliance
  • access to the platform is controlled through a reviewed onboarding model rather than open public signup

End-to-end encryption protects message content in transit and at rest within the cryptographic design of the service. However, no service can guarantee absolute confidentiality in every circumstance, including where a user device is compromised, a recipient exports content, or local screenshots or recordings are made.

4. Categories of Personal Data We Process

Depending on how you interact with Exclu, we may process the following categories of data.

4.1 Identity and access data

  • username or internal account identifier
  • invitation or approval reference
  • onboarding application details
  • account status and verification state
  • device registration data
  • authentication and session data

4.2 Contact and support data

  • information you provide when contacting support
  • support ticket contents
  • abuse or security report contents
  • optional business contact details if you choose to provide them

4.3 Technical and security data

  • IP address
  • device type, operating system, and app version
  • security event logs
  • login attempts and session timestamps
  • linked device records
  • anti-abuse and anti-fraud signals
  • integrity or risk indicators such as suspected rooted or jailbroken device state where supported

4.4 Communication-related metadata

Exclu is engineered to reduce communication metadata where possible. We may still process limited service metadata required to:

  • route messages
  • maintain delivery queues
  • synchronize linked devices
  • enforce abuse controls
  • investigate service integrity incidents

We do not describe encrypted message content here because supported message content is intended to remain inaccessible to us in ordinary operation.

4.5 Website and application usage data

If you use our website, we may process:

  • browser type and version
  • referral source
  • pages visited
  • approximate time and date of access
  • security and performance diagnostics

If analytics or cookies are used, they will be described in a separate Cookies Notice or in a dedicated section of this Privacy Policy.

5. Why We Process Personal Data

We process personal data for the following purposes:

5.1 To provide the service

We use personal data to create and administer accounts, approve access, authenticate users, maintain sessions, support linked devices, and deliver core platform functionality.

5.2 To protect platform security

We process technical and security data to detect unauthorized access, enforce access controls, investigate abuse, protect users, prevent fraud, and maintain the confidentiality and resilience of the platform.

5.3 To manage onboarding and access review

Exclu uses a controlled access model. We process onboarding and approval data to evaluate access requests, verify eligibility, and preserve the trust and security posture of the service.

5.4 To provide support

We use support data to respond to user requests, troubleshoot technical problems, and improve service reliability.

5.5 To comply with legal obligations

We may process data where necessary to comply with legal, regulatory, judicial, or law-enforcement obligations applicable to us.

5.6 To improve the platform

We may use limited technical and operational data to debug issues, improve performance, strengthen reliability, and refine security controls.

6. Legal Bases for Processing

Under GDPR, we rely on one or more of the following legal bases, depending on the context:

  • Performance of a contract where processing is necessary to provide the Exclu service to you
  • Legitimate interests where processing is necessary for platform security, fraud prevention, abuse mitigation, service improvement, and operational integrity, provided those interests are not overridden by your rights
  • Legal obligation where processing is required by applicable law
  • Consent where consent is required, such as for certain cookies, optional communications, or optional data fields

7. Message Content and Encryption

Exclu is designed so that supported private message content is protected using end-to-end encryption. In ordinary operation, we do not require access to plaintext message content in order to provide the core service.

This does not mean that all surrounding data is eliminated. Limited service data may still be processed for routing, delivery, abuse prevention, linked-device functionality, and security monitoring. Encryption protects message content, but it does not eliminate every possible privacy risk, including risks originating from endpoint compromise, malicious recipients, or insecure local backups outside our control.

8. Data Sharing and Recipients

We do not sell personal data.

We may disclose personal data only to the following categories of recipients where necessary:

  • infrastructure, hosting, and security service providers acting on our instructions
  • customer support providers, if used
  • legal, regulatory, or judicial authorities where disclosure is legally required
  • professional advisers such as lawyers, auditors, or insurers where necessary
  • acquirers or successors in connection with a merger, acquisition, or restructuring, subject to appropriate safeguards

Where third-party processors are used, we require them to process personal data under appropriate contractual and security obligations.

9. International Data Transfers

Exclu is based in France and aims to maintain strong data sovereignty controls. Where personal data is transferred outside the European Economic Area, we will use a lawful transfer mechanism recognized under applicable data protection law, such as adequacy decisions or appropriate contractual safeguards.

If your architecture is truly EU-only, you may tighten this section to say that user personal data is hosted and processed within the European Union, subject only to narrow exceptions required for security, legal compliance, or support tooling.

10. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including security, legal, operational, and dispute-resolution needs.

Retention periods may vary by data type:

  • onboarding and account records for the duration of the account and a limited period afterward
  • security logs for a limited and proportionate period based on risk and incident response needs
  • support records for as long as needed to resolve the issue and maintain support history
  • legal compliance records for as long as required by applicable law

Where possible, data is deleted, anonymized, or irreversibly de-identified when no longer needed.

11. Security Measures

Exclu uses technical and organizational measures designed to protect personal data, including measures such as:

  • access controls and role-based restrictions
  • encrypted transport
  • hardened key management where supported
  • secure storage controls
  • audit logging for privileged actions
  • environment segregation
  • incident detection and response procedures
  • application and infrastructure hardening
  • controlled access review procedures

No security measure is perfect, and no system can guarantee absolute security.

12. Your Rights

Subject to applicable law, you may have the right to:

  • access your personal data
  • rectify inaccurate data
  • erase data in certain circumstances
  • restrict processing in certain circumstances
  • object to certain processing based on legitimate interests
  • withdraw consent where processing is based on consent
  • receive your data in a portable format where applicable
  • lodge a complaint with a supervisory authority

If you are in France, you may contact the CNIL as the competent supervisory authority. CNIL is France’s data protection authority, and GDPR gives individuals rights to be informed and to exercise control over personal data processing.

To exercise your rights, contact us.

13. Children’s Privacy

Exclu is not intended for children under the age at which personal data processing would require parental authorization under applicable law, unless expressly stated otherwise. We do not knowingly allow unauthorized child access to the service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our service, security model, legal obligations, or operational practices. When we do, we will update the “Last Updated” date above and, where required, provide additional notice.

15. Contact

If you have questions about this Privacy Policy or our data practices, contact:

Exclu Privacy Team
France
Email: Contact Us