Data Security + Management Policy
At EXPOSE Ai Pty Ltd (ABN 57 677 465 057) (“EXPOSE Ai”, “we”, “us”), we take data privacy, security and transparency seriously. This policy explains how we protect data, how long we keep it, and exactly how you can delete it. It complements our Privacy Policy, which covers collection, legal bases, vendor list, cookies and international transfers.
1) Scope & Alignment
- Scope: Website, apps and connected services operated by EXPOSE Ai.
- Frameworks: Privacy Act 1988 (Cth) incl. NDB, and where applicable GDPR/UK GDPR and CCPA/CPRA.
- Contact: info@exposeai.com.au
2) Security Controls (Summary)
- Access control: Least-privilege roles, MFA for admins, periodic access reviews.
- Encryption: TLS/HTTPS in transit; encryption at rest where supported by providers.
- Secrets & tokens: Stored server-side; rotation on role/incident triggers.
- Monitoring: Security/event logs with time-bound retention; alerting for anomalies.
- Vulnerability management: Regular patching and risk-based remediation.
- Backups & continuity: Versioned backups, restricted access, DR runbooks.
- Supplier due diligence: Contracts and reviews of key processors (see vendors in Privacy Policy).
3) Data Categories & Retention (High-level)
We keep personal information only as long as needed for the purposes described in our Privacy Policy or as required by law, then delete or de-identify it.
| Data category | Purpose | Typical retention | Disposition |
|---|---|---|---|
| Account/contact data | Provide service; support | 24 months from last interaction (unless legal hold) | Deletion from DB/mailboxes; backups expire per cycle |
| Marketing contact (email only) | News & offers (consented) | While subscribed; 24–36 months inactivity; suppression list kept to honour opt-outs | Remove from lists; retain opt-out flag only |
| Transactions & invoices | Accounting & tax | Up to 7 years (records requirements) | Secure archive then deletion |
| Security/server logs | Fraud/abuse detection; reliability | ~12 months (shorter if feasible) | Log rotation & deletion |
| Analytics (aggregated) | Performance & usage | Provider default (e.g., GA4 14 months typical) | Automatic expiry per provider settings |
4) Data Deletion Instructions
You can request deletion at any time. Some data must be retained for legal compliance (e.g., tax records) or security. We separate what we delete immediately vs. what we retain narrowly and for how long.
4.1 In-App / Website Deletion (Self-Service)
- Log in to your account (app or website).
- Go to Account Settings → Privacy.
- Select Delete My Data and follow the prompts.
- Verify your request (password or 2FA).
- You’ll receive a confirmation email with a tracking reference.
- We remove personal data from active systems (see exclusions below).
- Final confirmation is sent upon completion.
Backups: Related data in backups is not accessed and is purged automatically at the end of the backup lifecycle.
4.2 Email Deletion Request (Manual)
Email info@exposeai.com.au with the subject “Data Deletion Request”, and include your account email plus any connected business handles (e.g., Page or IG username). We may request reasonable verification to protect your account.
4.3 Platform-Specific (Connected Accounts)
- Meta (Facebook/Instagram): Revoke our app in your Facebook/Instagram Settings → Business Integrations / Apps and Websites to stop further access. Then email us to delete any stored data linked to your Page/IG handle. We remove stored tokens and cached content/insights collected by features you enabled.
- Google OAuth integrations (if used): Remove our app under myaccount.google.com → Security → Third-party access, then email us for deletion of any related stored data.
- Email marketing: Use the unsubscribe link to stop marketing. To delete your marketing profile, email us—note we keep a suppression flag to ensure you aren’t re-added.
4.4 What We Delete vs. What We May Retain
- Deleted immediately: Profile/contact fields in active systems; user preferences; stored OAuth tokens; cached media/insights collected for enabled features; support tickets (barring legal holds).
- Retained narrowly (legal/legitimate reasons): Transaction records and tax invoices; minimal security logs; and an unsubscribe/suppression flag to honour your opt-out. These are kept only as long as required and then securely deleted.
4.5 Timelines
- Self-service deletion: Usually near-real-time for active systems; confirmation email on completion.
- Manual/email requests: Acknowledgement within 5 business days; completion within 30 days unless complexity or legal retention applies (we’ll notify you).
- Backups: Purged automatically at end of the defined backup cycle.
5) Incident Response & Notifications
- Detection & triage: Security alerts are triaged by severity; containment steps executed promptly.
- Forensics & remediation: Root-cause analysis, patching, key/token rotation and additional hardening where required.
- Notification: If legally required, affected users and the OAIC/regulators are notified with guidance on mitigating steps.
6) Exercising Your Rights & Contact
For access/correction and other rights, see our Privacy Policy or contact us at info@exposeai.com.au.