Exit Evaluation System

Privacy Policy

Last updated: 2026-05-23

Beta notice. This document is a working draft pending legal review before the Service exits closed beta. For closed-beta participants, a manual engagement agreement supplements this policy. Material questions to privacy@exit-evaluation.com.

1. Who we are

Exit Evaluation System (the "Service") is operated by Exit Advisory Group Pty Ltd (ACN to be confirmed) ("we", "us", "our"). We are the data controller for personal information collected through the Service.

2. Information we collect

We collect the following categories of personal information:

  • Account details: name, email address, organisation name, role.
  • Authentication metadata: sign-in timestamps, IP address, user agent.
  • Deal-related data: seller names, ABNs, ACNs, industry, deal stage, intake responses, generated artefacts.
  • Financial data: data retrieved from your connected Xero file at your direction (Profit & Loss, Balance Sheet, transactions, payroll, etc.).
  • Communications: messages exchanged with the AI within the Service, support correspondence.
  • Technical data: error logs, performance metrics, audit events.

3. How we use information

  • To provide the Service: generating valuations, IMs, add-back schedules, and related artefacts.
  • To authenticate users and protect account security.
  • To improve the Service, with anonymised or aggregated data only.
  • To send transactional emails (sign-in links, invitations, share-link notifications).
  • To comply with legal obligations and respond to lawful requests.

4. AI processing

We use Anthropic's Claude API to generate artefacts from your data. Your data is sent to Anthropic via the API for the duration of the generation. Anthropic does not use our customers' API inputs or outputs to train their models (per Anthropic's commercial terms). Generated content is returned to us and stored against your deal.

5. Data sharing

We share personal information only with:

  • Sub-processors: Supabase (database + auth, AU Sydney region), Anthropic (AI inference, US), Vercel (hosting), Resend (transactional email), Inngest (background jobs), Upstash (rate limiting), Sentry (error monitoring), PostHog (product analytics). A full list is in our Data Processing Agreement.
  • Recipients you authorise: when you generate a share link or email an IM to a buyer.
  • Legal requirements: when compelled by law or to protect rights, property, or safety.

We do not sell personal information.

6. Where data is stored

Primary data is stored in Supabase in Sydney, Australia (ap-southeast-2). Backups are retained per Supabase's default policy. AI inference happens in Anthropic's US-region infrastructure. Email is dispatched via Resend.

7. Retention

We retain your data for as long as your organisation has an active subscription. On deletion request or subscription end, data is soft-deleted for 30 days then permanently deleted, except where we are required to retain it for legal, tax, or audit purposes.

8. Your rights

Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion (subject to legal retention requirements).
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Contact us at the email below to exercise any of these rights.

9. Security

Xero access and refresh tokens are encrypted at rest using AES-256-GCM. Tenant data is isolated via Postgres row-level security. Audit events are append-only. All connections use TLS. Despite these measures, no system is completely secure; we cannot guarantee absolute security.

10. Changes

We may update this policy. Material changes will be notified by email to active account holders at least 14 days before taking effect.

11. Contact

Privacy questions: privacy@exit-evaluation.com.