Privacy Policy
Last updated: April 23, 2026
1. Who we are
cxoctl (“cxoctl,” “we,” “us”) operates the cxoctl platform — a software service that runs AI “executive” agents (CMO, CFO, and related) to help founders analyze their business. This policy explains what personal data we collect, how we use it, and the choices you have. It applies to cxoctl.ai and any subdomain we operate (including app.cxoctl.ai, cmoctl.com, cfoctl.com).
For questions about this policy, contact hello@cxoctl.ai.
2. Information we collect
We collect the following categories of information:
- Account data. Your name, email address, and authentication credentials when you create an account.
- Workspace data. The workspace name, website URL, company description, and business context you provide during onboarding.
- Connector credentials. OAuth tokens or API keys you grant cxoctl to access third-party services (Google Analytics, Google Search Console, Stripe, GitHub, etc.). All credentials are encrypted at rest using AES-256-GCM.
- Third-party service data. Metrics, analytics, repository metadata, financial records, and related content that cxoctl pulls from connected services on your behalf.
- Conversation data. The messages you exchange with the AI agents, the documents the agents produce, and the history of actions you approve.
- Billing data. When you subscribe to a paid plan, Stripe collects payment information on our behalf. cxoctl stores only a Stripe customer identifier and subscription status — we do not store card numbers.
- Usage and technical data. Log files, IP addresses, browser type, and timestamps necessary for security, debugging, and service operation.
3. Google user data
When you connect Google Analytics or Google Search Console to cxoctl via Google OAuth, we request the following scopes:
- https://www.googleapis.com/auth/analytics.readonly — read-only access to your Google Analytics 4 properties
- https://www.googleapis.com/auth/webmasters.readonly — read-only access to your Google Search Console sites
We use this data only to:
- Display metrics, charts, and reports inside your cxoctl workspace
- Provide the AI CMO agent with context so it can produce analyses and recommendations you have asked for
- Generate strategy documents and notifications based on observed trends in your data
Limited Use compliance. cxoctl’s use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google user data to serve advertisements, and we do not sell this data.
- We do not use Google user data to train generalized machine learning models. Data is only passed through AI models (Anthropic Claude) at inference time to generate responses to your requests, and those requests are not used to train the underlying model.
- Humans do not read Google user data except (a) with your explicit consent for troubleshooting; (b) where required by law; or (c) where the data has been aggregated and anonymized.
- Google user data is encrypted in transit (TLS) and at rest (AES-256-GCM for credentials; encrypted database storage for derived metrics).
You can revoke cxoctl’s access to your Google account at any time by visiting Google Account Permissions or by disconnecting the connector inside your cxoctl workspace under Settings → Connectors. When you disconnect, cxoctl immediately deletes the OAuth tokens and stops further data pulls.
4. How we use your information
- To provide and operate the cxoctl service
- To run the AI agents that analyze your data and produce the insights, documents, and recommendations you request
- To process payments and manage subscriptions (via Stripe)
- To communicate with you about account changes, product updates, and support requests
- To detect, prevent, and investigate fraud and abuse
- To comply with legal obligations
We do not sell your personal data. We do not share your workspace data or third-party connector data with other cxoctl customers.
5. Service providers we use
We share data with the following categories of sub-processors:
- Anthropic — to run the AI models that power the agents. Your messages, connector data, and document content are sent to Anthropic’s API at inference time. Anthropic does not train on this data per their zero data retention commitments.
- Vercel — hosting, serverless compute, and edge delivery
- Stripe — payment processing
- Inngest — durable background job execution (connector syncs, document generation)
- Postgres hosting — managed database provider for workspace data storage
Each sub-processor is bound by contract to handle data only for the purposes of providing their service to cxoctl.
6. Data retention
We retain your account and workspace data for as long as your account is active. Connector data and generated documents are retained according to your subscription tier (see the Pricing page). When you delete your account, we delete your personal data within 30 days, except where we are required to retain certain records for legal, tax, or fraud-prevention purposes. Derived aggregates that cannot be linked back to you may be retained.
7. Security
We use industry-standard security measures to protect your data, including TLS for data in transit, AES-256-GCM for encrypting connector credentials at rest, scoped database access, and least-privilege service-account keys. No method of transmission or storage is 100% secure, and we encourage you to use a strong password and enable two-factor authentication where available.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent for processing based on consent
To exercise any of these rights, email hello@cxoctl.ai. We will respond within 30 days.
9. International transfers
cxoctl is operated from the United States. If you access the service from outside the US, you consent to the transfer and processing of your information in the United States. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) when transferring data from the European Economic Area or United Kingdom.
10. Children
cxoctl is not directed to children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-product notification before taking effect. The “Last updated” date at the top reflects the latest revision.
12. Contact
For privacy questions, data requests, or concerns about how cxoctl handles your information, email hello@cxoctl.ai.