Legal · Route /privacy
Privacy Policy.
This policy explains what personal data we handle, why, who else receives it, how long we keep it, and the rights you have.
Last updated 2 July 2026
In plain terms
ExcBrand runs a reputation cockpit for executives. To do that, we look at how the major AI engines and Google describe you, by your name and by a small number of topics you choose, and we help correct what is wrong and strengthen what is true. This policy explains what personal data we handle, why, who else receives it, how long we keep it, and the rights you have. We never invent facts about you, and we never publish anything without your approval.
1. Who is responsible for your data
The controller of your personal data is Athirium OÜ, registered in Estonia (the “Provider,” “we,” “us”).
The company that arranged your seat may also act as a joint or co-controller for the decision to enrol you. The split of responsibilities between the Provider and that company is set out in the data processing terms between them.
For any data-protection question, contact hello@excbrand.ai.
2. What we collect
- Identity and professional record: your name (and at most one tracked name variant), title, employer, and your public professional record, such as your published profile, biography, press coverage, and professional appearances.
- Your chosen topics: up to three aspirational terms that you, or the operator on your behalf and with your approval, select.
- Reputation and measurement data: what the AI engines and Google return when asked about your name and topics, including the tone of the answers (sentiment), how often you appear (visibility), whether the claims are accurate (accuracy), and which sources cite you (authority). Together these make up your Standing score.
- Approvals and interactions: the decisions you approve or adjust, and your messages to your AI Reputation Manager.
We process your professional public record. We do not seek personal, biometric, or voice data. If the engines themselves surface special-category data about you, see Section 8.
3. Where the data comes from
- You, or the operator acting on your behalf with your approval.
- Public sources, meaning your public professional profiles and published material.
- The AI engines and search, queried with your name and topics. The answers they return are themselves a source of the measurement data.
- Ahrefs Brand Radar, which provides sentiment, share-of-voice, and cited-page data about you.
4. Why we use it
- To measure how the AI engines and Google represent you (your Standing and its four parts).
- To prepare truthful corrections and content for your approval.
- To distribute approved material and confirm the engines pick it up.
- To report progress to you and to run the service.
5. Lawful basis
Our lawful basis is being finalized with counsel. Pending that, the processing relies on a combination of the following:
- Performance of a contract, to run your seat and report to you.
- Legitimate interests of the Provider and the company that enrolled you, in measuring and improving how you are represented across AI engines and search, balanced against your rights and freedoms.
- Consent, where it is required instead of legitimate interest for monitoring a named individual, and where special-category data is involved.
Where we rely on legitimate interests, you have the right to object, as described in Section 10.
6. Who receives your data
To deliver the service we send your name and chosen topics to the AI engines and search, and we use infrastructure and delivery providers. Our current sub-processors and recipients are:
AI engines and search (queried with your name and topics):
- Anthropic (Claude), United States
- OpenAI (ChatGPT), United States
- Perplexity, United States
- Google (Gemini and Google Search), United States / global
- SerpAPI (Google Search results retrieval), United States
Measurement, infrastructure, and delivery:
- Ahrefs Brand Radar (sentiment, share-of-voice, cited pages), EU / United States
- Supabase (database hosting), EU, Frankfurt
- Vercel (application hosting), United States / global edge
- SendGrid (email delivery), United States
- LinkedIn and X (distribution of approved content), United States / global
When we submit an executive’s profile to a curated third-party destination such as The Crest (thecrest.ai), only professional information is shared, and only after approval. Some of these recipients act as independent controllers for the content once it is published or submitted to them.
International-transfer safeguards are described in Section 7. Where the executed data-processing agreement or transfer terms for any recipient are still being confirmed, that recipient is used only for consented internal testing until confirmation is complete.
7. International transfers
Your data is stored in the EU (Supabase, Frankfurt). Some recipients listed in Section 6 are outside the EU and EEA, notably US-based AI and infrastructure providers. Where data leaves the EEA, we rely on the European Commission’s Standard Contractual Clauses or an applicable adequacy decision, depending on the recipient. The transfer mechanism for each recipient is recorded in our internal sub-processor register.
8. Special-category data
We do not ask for special-category data. Because the service queries AI engines about a named person, an engine’s answer could surface sensitive information, such as inferred political opinions or health. Our safeguards are a truth-only rule enforced by our Compliance and Voice function, and the fact that nothing is published without your explicit approval. Where special-category data is processed, we rely on an additional lawful condition, which is expected to be your explicit consent.
9. How long we keep it
- Active record (identity, topics, Standing history, approvals): for the life of your seat.
- After your seat ends: retained only for as long as necessary, then deleted or anonymized, except where the law requires a longer period.
- Measurement records are append-only by design. We do not rewrite historical measurements; a correction is reflected by a new measurement. Erasure of measurement data follows a defined deletion procedure described in our internal runbook.
10. Your rights
Subject to the conditions in data-protection law, you can ask us to:
- Access the personal data we hold about you.
- Correct anything inaccurate. You may edit your name to one variant, but the name itself is always tracked and cannot be removed, because it is essential to the service.
- Erase your data (“right to be forgotten”).
- Object to or restrict processing, including the legitimate-interest monitoring.
- Port your data to another provider.
- Withdraw consent where we rely on consent.
Your right to object to legitimate-interest monitoring is genuine and consequence-free. To exercise any right, contact hello@excbrand.ai. We respond within 30 calendar days; for complex requests we may extend by up to two further months and will tell you within the first 30 days if we do.
You also have the right to lodge a complaint with a supervisory authority, in particular the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), or your local authority.
11. Security
We host in the EU (Frankfurt) and apply row-level security on the database, least-scope access to third-party accounts, an append-only audit trail, and a practice of keeping personal data out of application logs. If a breach affects your data, we follow a defined process to assess it, notify the relevant authority where required within 72 hours, and notify you without undue delay where the risk to you is high.
12. Local-law notes
For executives in Ukraine, Azerbaijan, or other jurisdictions with their own data-protection rules, additional local notice, consent, registration, or cross-border requirements may apply. Where they do, we follow them in addition to this policy.
13. Cookies
Our use of cookies and similar technologies is described in the Cookie Notice at /cookies.
14. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the “Last updated” date and, where a change affects how we process your data, we will inform affected data subjects. Where our sub-processors change, we update our register and re-issue notice to data subjects as required.
15. Contact
For privacy questions or to exercise your rights: hello@excbrand.ai.
Athirium OÜ, registered in Estonia.