Privacy Policy

Effective date: 16 June 2026 · Operator: Vortix Pty Ltd (ABN 60 634 548 888) · Contact: hello@exodek.app

ExodeK is currently in controlled alpha. This Privacy Policy describes how the product works today. It will be updated as new features, integrations, or subprocessors are introduced. This document is a practical draft pending independent legal review before public commercial launch.

1. Who we are

ExodeK is operated by Vortix Pty Ltd, an Australian company. In this policy, “we”, “us”, “our” and “ExodeK” refer to Vortix Pty Ltd. “You” means the person using ExodeK at https://exodek.app.

2. What this policy covers

This policy explains what information ExodeK collects, why we collect it, how we use it, how we store it, who we share it with, and how you can control it. It applies to the ExodeK web application and the supporting services we operate.

3. Information we collect from you directly

When you create and use an ExodeK account, we collect:

Account information — your email address and password. Passwords are stored as one-way salted hashes; we do not retain your plain-text password.
Authentication tokens — short-lived access tokens and longer-lived refresh tokens used to keep you signed in.
Operational information — server logs (timestamps, request paths, response codes, IP addresses) used for security, debugging, and abuse prevention.

4. Google user data we access

When you choose to connect a Gmail account, ExodeK uses Google OAuth 2.0 to request the following permissions (“scopes”):

openid, email, profile — to identify the Google Account you connected.
https://www.googleapis.com/auth/gmail.readonly — read-only access to your Gmail messages, threads, labels, and settings.

ExodeK does not request permission to send, modify, or delete email on your behalf. ExodeK does not request access to your Drive, Calendar, Contacts, or any other Google product.

5. Why we access Gmail data

ExodeK accesses your Gmail data solely to provide the user-facing features visible to you in the application:

Display your email messages in the ExodeK inbox view.
Classify each message by urgency, category, and recommended disposition using AI.
Identify specific actions in messages (requests, deadlines, follow-ups) and surface them in the Action Centre.
Let you mark detected actions as in-progress, completed, or dismissed.

6. Limited Use of Google user data

ExodeK's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

We use your Gmail data only to provide the user-facing features described in Section 5.
We do not sell your Gmail data.
We do not use your Gmail data for advertising.
We do not allow humans to read your Gmail data, except: (a) where you give specific consent for ExodeK staff to assist with a support request; (b) for security purposes such as investigating abuse; (c) to comply with applicable laws; or (d) where the data has been aggregated and anonymised and is used only for internal operations.
We do not transfer your Gmail data, except to AI subprocessors strictly required to provide the user-facing features above, as set out in Section 7.

7. AI processing and subprocessors

To classify messages and detect actions, ExodeK sends parts of each email (sender, subject, and message body excerpts) to an AI model. The current AI provider is:

Google Gemini 2.5 Flash, operated by Google LLC. Email content is sent to the Gemini API for the sole purpose of generating classifications and detected actions. The output is stored in ExodeK's database and shown to you in the application.

Google's use of data sent to Gemini is governed by Google's own privacy and API terms. ExodeK does not authorise any subprocessor to use your Gmail data for any purpose other than providing classifications and actions back to ExodeK.

If ExodeK changes AI providers or adds new subprocessors, this Privacy Policy will be updated to reflect the change before the new provider receives your data.

8. How we store your data

OAuth tokens for your connected Gmail account are encrypted at rest using AES-256-GCM before being written to our database. Encryption keys are stored separately from the database.
Email message content (sender, subject, body text, body HTML, attachments metadata) is synced to ExodeK's database so the application can display and classify it without re-querying Gmail on every request.
Classification and action records derived from your email are stored alongside the message they relate to.
Data is stored on managed cloud infrastructure located outside Australia. We use HTTPS for all data in transit.

9. Retention

We retain Gmail data, classifications, and actions for as long as you keep your Gmail account connected to ExodeK and your ExodeK account is active. When you disconnect Gmail or delete your account (see Section 11), we remove the associated stored Gmail data within 30 days. Some operational logs (without message content) may be retained longer for security and compliance purposes.

10. Sharing

We do not sell your personal information or your Gmail data. We share your data only with:

Infrastructure providers who host ExodeK's servers and database, under contracts that require them to process data only on our instructions.
AI subprocessors as described in Section 7.
Authorities, where required to comply with applicable law, court orders, or government requests.

11. Your controls

You can:

Disconnect Gmail at any time from inside ExodeK. This revokes ExodeK's access to your Gmail and schedules the deletion of associated stored data within 30 days.
Revoke ExodeK's Google permission directly at myaccount.google.com/permissions.
Request account deletion by emailing hello@exodek.app. We will confirm and complete deletion within 30 days.
Request a copy of the personal information we hold about you by emailing the same address.

See Support for step-by-step instructions.

12. Security

ExodeK applies industry-standard security controls including HTTPS-only transport, AES-256-GCM encryption of OAuth tokens at rest, scoped database access, network isolation of backend services, and short-lived authentication tokens with rotation. No system is perfectly secure; we cannot guarantee absolute protection against unauthorised access. If you believe a vulnerability or incident affects ExodeK, please contact us at hello@exodek.app.

13. Children

ExodeK is not directed at children under 16 and we do not knowingly collect data from them. If you believe a minor has provided personal information to ExodeK, contact us at hello@exodek.app and we will delete it.

14. Changes to this policy

We will update this policy when ExodeK's features, integrations, or subprocessors change. The current version is always available at https://exodek.app/privacy. If we make material changes, we will notify connected users before the changes take effect.

15. Contact

Privacy questions, deletion requests, and security reports: hello@exodek.app.

This policy is a practical draft and has not yet been independently reviewed by external legal counsel.