Privacy Policy

Last updated: January 2026

1. Information We Collect

When you use Exceptio, we collect and process the following categories of personal data:

1.1 Account Information

We collect your email address and name when you create an account. This data is processed and stored through Supabase, our authentication and database provider.

1.2 Case Documents

You may upload case documents (primarily PDFs) for analysis. These documents can be up to 100MB in size and may contain sensitive legal information including criminal case materials.

1.3 Processed Data

When documents are processed, we create and store:

  • Document chunks (sections of your documents for analysis)
  • Vector embeddings (3072-dimensional mathematical representations used for semantic search)
  • Chat history with AI assistants
  • AI agent analysis results
  • Research notes you create

1.4 Transaction Data

We maintain a complete audit log of all credit transactions, including purchases and usage. This data is retained indefinitely for accounting and compliance purposes.

2. How We Use Your Information

We use your personal data for the following purposes:

  • Document Analysis: Processing your uploaded documents through our AI systems to provide legal research insights and analysis.
  • Semantic Search: Creating and querying vector embeddings to enable intelligent search across your case materials.
  • AI Assistance: Providing chat-based AI assistants and specialized analysis agents for criminal defense work.
  • Credit Management: Tracking credit purchases, usage, and maintaining billing records.
  • Service Improvement: When monitoring is enabled, analyzing usage patterns to improve our AI models and user experience.

3. Third-Party Services

To provide our service, we transmit your data to the following third-party providers. Each provider processes data according to their own privacy policies:

Service       | Data Transmitted       | Purpose
--------------|------------------------|------------------------------------------
Supabase      | All user data          | Database storage and authentication
OpenAI        | Document chunks        | Text embeddings (text-embedding-3-large)
OpenRouter    | Document text, queries | LLM inference (GPT-5.2, Gemini)
Cohere        | Search results         | Search result reranking (rerank-v3.5)
Google Gemini | Case summaries         | Text-to-speech audio generation
Stripe        | Payment information    | Credit purchases (Card, iDEAL)
Langfuse      | Full LLM traces        | Performance monitoring (if enabled)

4. Data Retention

We retain your data according to the following policies:

  • User Data: Retained indefinitely until you delete your account or request data deletion.
  • Credit Transactions: Retained indefinitely as part of our audit log for accounting and compliance purposes.
  • AI Provider Retention: Third-party AI providers may retain data transmitted to them according to their own policies. OpenAI and other providers typically retain data for up to 30 days for abuse monitoring.

5. Critical Disclosures

Important information about how your data is processed:

5.1 Document Transmission

When you upload and analyze documents, including criminal case materials, these documents are transmitted to multiple AI providers for processing. This includes the text content of your documents being sent to OpenAI, OpenRouter, Cohere, and potentially Google for various analysis functions.

5.2 Embedding Limitations

Vector embeddings (the mathematical representations of your document content) cannot be encrypted at rest in a way that preserves their functionality. Encryption would break the vector search capability that enables semantic search across your documents. While embeddings alone cannot be directly converted back to original text, they do represent the semantic content of your documents.

5.3 AI Training

We do not use your data to train our AI models. However, third-party AI providers may have their own policies regarding data usage. We select providers that offer API agreements where data is not used for training, but you should review each provider's current data usage policies.

6. Your GDPR Rights

Under the General Data Protection Regulation (GDPR) and the Dutch implementation (AVG), you have the following rights:

6.1 Right of Access

You have the right to request a copy of all personal data we hold about you. Contact us to request an export of your data.

6.2 Right to Erasure

You have the right to request deletion of your personal data. When you delete your account or request data deletion, we perform a cascading delete that removes all associated data including documents, embeddings, chat history, and analysis results.

6.3 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

6.4 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.5 Right to Lodge a Complaint

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been violated.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party providers, is encrypted using TLS.
  • EU Data Residency: Our primary database is hosted in the European Union through Supabase's EU region, ensuring your data remains within EU jurisdiction.
  • Access Controls: Access to production data is strictly limited to authorized personnel on a need-to-know basis.
  • Regular Audits: We conduct regular security reviews of our systems and third-party integrations.

8. Contact Information

For questions about this Privacy Policy or to exercise your data protection rights, please contact us:

Exceptio

Data Protection Inquiries

Email: privacy@exceptio.ai

We will respond to your request within 30 days as required by GDPR.