This Privacy Policy describes how EXVIL LTD, a private limited company incorporated in England and Wales under company number 17141823, with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX (“Company”, “we”, “us”, “our”), collects, uses, discloses and protects personal data in connection with:
- the websites at exort.io and exort.io/en/account (the “Website”);
- our self-hosted advertising-tracking software product Exort (the “Tracker”), including data transmitted to our License Server when the Tracker validates a License or, where you have explicitly enabled it, transmits optional product telemetry;
- our customer support and billing operations.
This Policy should be read together with our Terms of Service.
For any questions about this Policy or to exercise the rights described in Section 4, contact us at [email protected].
1. Self-Hosted Disclaimer
The Tracker is designed to be installed and operated on your own server (or a third-party server you control). Accordingly, we do not have access to, and we do not collect, store or process:
- the traffic, click, conversion or attribution data you process through the Tracker;
- the personal data of your end users (the visitors of your landing pages, the recipients of your campaigns, etc.);
- your advertising creatives, landing-page content or campaign metadata.
All of that data remains on your server, exclusively under your control. You are the data controller for that data and are solely responsible for compliance with applicable data-protection laws (UK GDPR, EU GDPR, ePrivacy and others) in respect of it.
This Policy covers only the limited categories of personal data we receive in connection with our Website, your Account, the issuance and validation of your License, our billing operations and your support communications, as set out in the rest of this document.
2. Our Role
We act as a data controller for all processing activities described in this Policy. The lawful bases on which we rely are listed in Section 6 and against each entry of the Processing Activities table in Section 7.
For payment processing, the Company uses an external Payment Provider acting as our authorised reseller and Merchant of Record. The Payment Provider is Lemon Squeezy, LLC and its affiliates (privacy policy: https://www.lemonsqueezy.com/privacy). When you make a payment, the Payment Provider is the seller of record for the transaction and acts as an independent controller of the payment data it processes. The Payment Provider’s own privacy policy applies to that processing in addition to this Policy.
3. Modifications to this Policy
We may update this Policy from time to time. The updated version will be published on the Website with a new “Effective date”.
For material changes — including any change in the categories of personal data we collect, the purposes for which we use them, the third parties with whom we share them, the retention periods, or the safeguards for international transfers — we will notify you by email to the address associated with your Account or by notice in your Account at least thirty (30) days before the change takes effect. For minor or clarifying updates, the updated Policy is effective when posted.
4. Your Rights
Subject to applicable law (in particular, UK GDPR and EU GDPR), you have the right to:
a) request information about, and access to, the personal data we hold about you;
b) rectify any incorrect, inaccurate or incomplete personal data;
c) request erasure of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent on which the processing is based, or when the processing is unlawful;
d) request restriction of processing in specific circumstances;
e) receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (data portability);
f) object to processing of your personal data based on legitimate interests, or for direct marketing;
g) not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not currently use such automated decision-making — see Section 13);
h) withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of processing carried out before withdrawal); and
i) lodge a complaint with a supervisory authority — for the United Kingdom, the Information Commissioner’s Office (ICO) at https://ico.org.uk; for residents of an EU/EEA member state, the supervisory authority of your country of habitual residence, place of work or place of the alleged infringement.
To exercise these rights, contact us at [email protected]. We will respond to your request without undue delay and in any event within one (1) month of receipt, with the option to extend this period by a further two months for complex requests, in which case we will inform you of the extension and the reasons for the delay.
5. Personal Data We Collect
5.1 Data you provide directly
- Account registration: name, email address, country, company name (if applicable), VAT/tax identifier (if applicable), language preference.
- Authentication: password (stored as a salted hash; we never have access to the plaintext).
- Billing information: name, billing address, country and tax identifier — passed to the Payment Provider to issue an invoice and remit applicable taxes. We do not store full payment-card data; that is handled by the Payment Provider (see Section 8).
- Customer support: any information you choose to include in a support request (your message, screenshots, log excerpts, configuration details).
- Marketing preferences: whether you have opted out of marketing communications.
5.2 Data collected automatically when you use the Website
- Strictly necessary cookies: session identifier, language preference, IP address, region, security tokens.
- Analytics: if you have given consent, a third-party web-analytics service collects information about your visits (pages viewed, navigation paths, device type, region, IP address — typically truncated or anonymised). We use this only to understand site usage and improve the Website.
- Server logs: standard request logs (IP address, user-agent, timestamp, requested URL, response status) used for security and debugging.
5.3 Data transmitted by the Tracker to the License Server
When the Tracker validates a License (see Terms of Service §10), it transmits to the License Server:
- the License Key;
- the machine identifier of the server on which the Tracker is installed (a hash of stable hardware/software properties);
- the public IP address of that server;
- the Tracker version and operating system / runtime version;
- basic operational counters required to enforce plan limits (such as the number of active campaigns and the aggregated traffic volume against the applicable plan limit).
The Tracker does not transmit any of the data listed in Section 1.
5.4 Optional product telemetry (opt-in)
Where you have explicitly enabled product telemetry in the Tracker’s settings (it is disabled by default), the Tracker may also transmit:
- anonymised information about which features and screens of the Tracker are used and how frequently;
- error and crash reports, including stack traces, the Tracker version, the operating system and the runtime configuration of the server;
- basic performance metrics (request latency, database size, throughput, resource utilisation).
This data is associated with your License Key and the machine identifier, but is not linked to your name, business identity, end-user identifiers, or any of the data listed in Section 1. You may disable product telemetry at any time in the Tracker’s settings; previously transmitted data will continue to be retained as set out in Section 7.
5.5 Fraud and Trial-abuse-prevention data
To detect Trial abuse and fraud (multiple Trials per entity, fraudulent payments, unauthorised License Key reuse), we process:
- machine identifiers, IP addresses and registration metadata;
- payment-method fingerprints provided by the Payment Provider (for example, hashed card identifiers), but not full payment-card data;
- correlation flags between Accounts.
6. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 of the UK GDPR / EU GDPR:
- Contract (Art. 6(1)(b)) — processing necessary to perform the contract you enter into when you create an Account, purchase a License, or use the Tracker (for example: account maintenance, License issuance and validation, billing, providing support).
- Legal obligation (Art. 6(1)(c)) — processing required by law, in particular UK accounting and tax legislation that requires us to retain billing records for a defined period.
- Legitimate interests (Art. 6(1)(f)) — processing necessary for our legitimate business interests, where these are not overridden by your rights and freedoms (for example: securing the Website and License Server, fraud and Trial-abuse prevention, basic Website functionality, soft-opt-in marketing of similar products to existing customers as permitted by applicable law).
- Consent (Art. 6(1)(a)) — for processing that requires your explicit, informed and freely given consent (for example: non-essential cookies and Website analytics, optional product telemetry, marketing communications where consent is required).
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
7. Processing Activities
| # | Purpose | Categories of data | Lawful basis | Retention |
|---|---|---|---|---|
| 1 | Website functionality | Session ID, language, region, IP address, security tokens | Legitimate interest (Art. 6(1)(f)) — making the Website available and secure | Up to 31 days |
| 2 | Website analytics | Session ID, IP address (truncated), region, device type, page actions | Consent (Art. 6(1)(a)) | Up to 12 months |
| 3 | Account maintenance | Name, email, country, company, VAT/tax ID, preferences | Contract (Art. 6(1)(b)) | While the Account is active and 1 year after deletion |
| 4 | License issuance and validation | License Key, machine identifier, server IP, Tracker version, plan-limit counters | Contract (Art. 6(1)(b)) | While the License is active and 2 years after termination |
| 5 | Billing and invoicing | Name, country, tax ID, invoice amount, Payment Provider reference | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) — UK accounting / tax records | 6 years (UK accounting requirement) |
| 6 | Payment processing and method storage | Payment-method token from the Payment Provider, masked PAN (last 4 digits, brand, expiry, issuing country) | Contract (Art. 6(1)(b)) and Legitimate interest (fraud prevention, Art. 6(1)(f)); explicit Consent (Art. 6(1)(a)) for storing payment method for future use | Until you delete the saved payment method, or up to 3 years after Account deactivation |
| 7 | Customer support | Name, email, Account ID, message content and attachments | Contract (Art. 6(1)(b)) | 2 years after the ticket is closed |
| 8 | Fraud and Trial-abuse prevention | Machine identifier, IP address, payment-method fingerprint, suspicious-activity flags | Legitimate interest (Art. 6(1)(f)) — protecting our business from fraud and abuse | 3 years after the suspicious activity is detected |
| 9 | Optional product telemetry | Feature usage, crash reports, performance metrics — only when enabled by you | Consent (Art. 6(1)(a)) | Until you disable telemetry, plus 1 year for retention of derived analyses |
8. Sharing with Third Parties
We share personal data only as necessary for the purposes described in this Policy, and only with the following categories of recipients:
a) Payment Provider — our authorised reseller and Merchant of Record for all paid transactions (see Section 2 for the current Payment Provider). We share with the Payment Provider the data necessary to issue an invoice and process payment (name, email, billing address, country, tax identifier, IP address at checkout). The Payment Provider handles full payment-card data on its own infrastructure, certified to PCI-DSS, and acts as an independent controller for the payment transaction.
b) Hosting infrastructure — our Website, Account, and License Server are hosted on third-party infrastructure. The hosting provider has the technical access required to operate the infrastructure but does not have independent rights to use your personal data.
c) Web analytics provider — a third-party analytics provider receives the data described in Section 5.2 if you have given consent through our cookie banner.
d) Transactional email and customer-support providers — third-party providers used to deliver service-related and (where applicable) marketing email, and to handle support communications. Access is limited to what is necessary for these services.
e) Professional advisers and authorities — our auditors, legal advisers and accountants on a need-to-know basis; competent governmental, regulatory or law-enforcement authorities where disclosure is required by law.
f) Successors in interest — see Section 14 (Change of Ownership).
We do not sell, rent or trade your personal data, and we do not use it for advertising purposes.
9. International Transfers
Our infrastructure is located within the United Kingdom and the European Economic Area (EEA). For most users, no transfer outside these regions takes place.
Where personal data is transferred to a country outside the UK or the EEA — for example, when you make a payment to the Payment Provider, which operates internationally, or when a third-party provider processes data in the United States — such transfer is protected by appropriate safeguards under Article 46 of the UK GDPR / EU GDPR, which include:
- the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses; and/or
- the European Commission’s Standard Contractual Clauses (SCCs);
- and any additional supplementary measures required to ensure an essentially equivalent level of protection.
You may request a copy of the safeguards applicable to a specific transfer by contacting [email protected].
10. Cookies
We use cookies and similar technologies on the Website. The cookies fall into two categories:
a) Strictly necessary cookies — essential for the Website to function (for example, to keep you logged in, to store your language preference, or to protect against cross-site request forgery). These cannot be disabled and are set without consent because the Website cannot operate without them.
b) Analytics cookies — used by our web-analytics provider to help us understand how the Website is used. These are set only after you have given consent through our cookie banner. You may withdraw consent at any time by changing your preferences in the cookie banner or by clearing cookies in your browser.
You can also configure your browser to block or alert you about cookies. If you reject non-essential cookies, the Website will continue to function, but some non-essential features may be unavailable.
11. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including for the purposes of satisfying legal, accounting or reporting obligations. Specific retention periods are listed in the table in Section 7.
After the applicable retention period expires, personal data is either securely deleted or anonymised so that it can no longer be linked to you.
12. Security
We take reasonable technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. These measures include encryption of data in transit (TLS) and at rest where appropriate, role-based access controls, authentication safeguards (including hashed passwords), regular security reviews, and least-privilege access for our personnel and providers.
You are responsible for safeguarding the credentials of your Account and for the security of the server on which you install the Tracker. We strongly recommend using a unique, strong password and enabling multi-factor authentication where available.
13. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Where automated signals (such as fraud or Trial-abuse indicators) are used, the final decision to suspend or terminate a License or Account is reviewed and made by a human.
14. Data Breach Notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the UK ICO, where the UK is the lead authority) without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR / EU GDPR.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34).
15. Children’s Data
The Tracker is a B2B product intended exclusively for adult professionals. We do not knowingly provide our Website, Account or Tracker to, and do not knowingly collect personal data from, anyone under the age of 16. If you become aware that a person under 16 has provided personal data to us, please contact [email protected] and we will delete that information.
16. Marketing Communications
If you are an existing customer, we may send you marketing emails about our own similar products and services, on the basis of our legitimate interests and in accordance with applicable law (including the UK Privacy and Electronic Communications Regulations — UK PECR). Every marketing email contains a clearly visible unsubscribe link, and you may also opt out at any time by emailing [email protected] or by changing your preferences in your Account.
You will continue to receive transactional and service-related communications (security alerts, account notices, billing receipts, material changes to this Policy or to the Terms of Service) regardless of your marketing preferences, because they are necessary to perform the contract with you.
17. Change of Ownership / Business Transition
In the event of a merger, acquisition, reorganisation, sale of assets, insolvency or similar transaction, personal data may be transferred to the successor or acquirer as part of the transaction, in accordance with applicable data-protection law. We will give you notice of any such transfer and of any material change to this Policy that results from it.
18. Contact
EXVIL LTD Company number: 17141823 Registered office: 128 City Road, London, United Kingdom, EC1V 2NX Privacy contact: [email protected]
For complaints, you may also contact the UK Information Commissioner’s Office at https://ico.org.uk, or, if you reside in the EU/EEA, the supervisory authority of your country of residence.