Privacy Policy
ExChek, Inc. ("ExChek," "we," "us") is a Delaware corporation with a principal place of business in Dover, DE. This Privacy Policy describes how we handle information in connection with the ExChek skill, API, documentation, and websites (the "Service").
1. Information We Collect
Our Service is designed to minimize data collection. We do not require an account to use the free ExChek skill or to read our documentation. When you use our public API (e.g., health or eCFR snapshot endpoints), we may receive and temporarily log technical data such as IP address, request path, and timestamp for operational and security purposes. We do not sell this data.
2. Done-with-you Engagement Data
If you contact us by email about a Done-with-you engagement, we collect only the information you voluntarily provide (typically: company name, contact name, email, title, and a description of your needs). We use this solely to scope and deliver the engagement and to provide support. We do not sell, share, or use this data for any other purpose.
For enterprise customers using the paid exchek-engine plugin: CRM and ERP API credentials you supply are stored only in your own private repository or local ${CLAUDE_PLUGIN_DATA} directory. ExChek does not access, store, or transmit your CRM or ERP credentials on our servers.
3. Telemetry
ExChek skills include optional telemetry to help us understand usage patterns and improve the product. Telemetry is disabled by default and must be explicitly opted into by the user.
What is tracked (when opted in): skill name, execution duration, success or failure status, skill version, operating system, agent platform, and engine version.
What is never tracked: code, file paths, repository names, prompts, user input, AI output, company names, item descriptions, ECCN results, screening results, classification data, CRM data, API keys, credentials, or any personally identifiable information (PII).
Local telemetry data is stored on your machine at ~/.exchek/analytics/events.jsonl and is always available to you regardless of cloud opt-in. Cloud telemetry (when opted in) transmits anonymous events to our database with strict access controls and is retained for 90 days before aggregation. You can disable all telemetry at any time by setting the EXCHEK_TELEMETRY environment variable to off or updating .exchek/telemetry.json.
4. Payments
Enterprise payments are processed by Stripe. We store Stripe session IDs and customer IDs for reference and support purposes. We never store, access, or process payment card numbers. For optional donations via blockchain or payment gateway, transactions are processed by third parties; we may receive wallet addresses or transaction identifiers only as provided by those third parties or by you.
5. GitHub Repository Access
Enterprise clients receive a private GitHub repository containing their customized ExChek Engine. ExChek retains admin access to the repository for the purpose of delivering updates. Client configuration data in .exchek/ remains in the client's repository and is not transmitted to ExChek servers. Updates are delivered via automated pull requests that preserve client customizations.
6. Cookies and Similar Technologies
Our documentation and marketing sites may use cookies or similar technologies for essential functionality (e.g., preferences, security). We use Vercel Analytics for basic site analytics (page views, web vitals). We do not use third-party advertising cookies.
7. Third-Party Services
Our Service may link to or rely on third-party services (e.g., eCFR.gov, Trade.gov, GitHub, Stripe, Resend, Supabase, Vercel, Cal.com). Their privacy practices govern data they collect. We encourage you to review their policies.
8. Data Retention and Security
We retain operational and security logs only as long as necessary. Enterprise client records are retained for the duration of the subscription plus one year. Telemetry data (when opted in) is retained for 90 days before aggregation. We take reasonable steps to protect data we hold, but we cannot guarantee absolute security.
9. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, or delete personal data we hold. To exercise these rights or ask questions, contact us at matt@exchek.us.
10. Changes
We may update this Privacy Policy from time to time. The current version will be posted in our documentation. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
ExChek, Inc., Dover, DE. Privacy inquiries: matt@exchek.us.