Thursday, July 2, 2026

Legal · Route /privacy

Privacy Policy.

This policy explains what personal data we handle, why, who else receives it, how long we keep it, and the rights you have.

Last updated 2 July 2026

In plain terms

ExcBrand runs a reputation cockpit for executives. To do that, we look at how the major AI engines and Google describe you, by your name and by a small number of topics you choose, and we help correct what is wrong and strengthen what is true. This policy explains what personal data we handle, why, who else receives it, how long we keep it, and the rights you have. We never invent facts about you, and we never publish anything without your approval.

1. Who is responsible for your data

The controller of your personal data is Athirium OÜ, registered in Estonia (the “Provider,” “we,” “us”).

The company that arranged your seat may also act as a joint or co-controller for the decision to enrol you. The split of responsibilities between the Provider and that company is set out in the data processing terms between them.

For any data-protection question, contact hello@excbrand.ai.

2. What we collect

We process your professional public record. We do not seek personal, biometric, or voice data. If the engines themselves surface special-category data about you, see Section 8.

3. Where the data comes from

4. Why we use it

5. Lawful basis

Our lawful basis is being finalized with counsel. Pending that, the processing relies on a combination of the following:

Where we rely on legitimate interests, you have the right to object, as described in Section 10.

6. Who receives your data

To deliver the service we send your name and chosen topics to the AI engines and search, and we use infrastructure and delivery providers. Our current sub-processors and recipients are:

AI engines and search (queried with your name and topics):

Measurement, infrastructure, and delivery:

When we submit an executive’s profile to a curated third-party destination such as The Crest (thecrest.ai), only professional information is shared, and only after approval. Some of these recipients act as independent controllers for the content once it is published or submitted to them.

International-transfer safeguards are described in Section 7. Where the executed data-processing agreement or transfer terms for any recipient are still being confirmed, that recipient is used only for consented internal testing until confirmation is complete.

7. International transfers

Your data is stored in the EU (Supabase, Frankfurt). Some recipients listed in Section 6 are outside the EU and EEA, notably US-based AI and infrastructure providers. Where data leaves the EEA, we rely on the European Commission’s Standard Contractual Clauses or an applicable adequacy decision, depending on the recipient. The transfer mechanism for each recipient is recorded in our internal sub-processor register.

8. Special-category data

We do not ask for special-category data. Because the service queries AI engines about a named person, an engine’s answer could surface sensitive information, such as inferred political opinions or health. Our safeguards are a truth-only rule enforced by our Compliance and Voice function, and the fact that nothing is published without your explicit approval. Where special-category data is processed, we rely on an additional lawful condition, which is expected to be your explicit consent.

9. How long we keep it

10. Your rights

Subject to the conditions in data-protection law, you can ask us to:

Your right to object to legitimate-interest monitoring is genuine and consequence-free. To exercise any right, contact hello@excbrand.ai. We respond within 30 calendar days; for complex requests we may extend by up to two further months and will tell you within the first 30 days if we do.

You also have the right to lodge a complaint with a supervisory authority, in particular the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), or your local authority.

11. Security

We host in the EU (Frankfurt) and apply row-level security on the database, least-scope access to third-party accounts, an append-only audit trail, and a practice of keeping personal data out of application logs. If a breach affects your data, we follow a defined process to assess it, notify the relevant authority where required within 72 hours, and notify you without undue delay where the risk to you is high.

12. Local-law notes

For executives in Ukraine, Azerbaijan, or other jurisdictions with their own data-protection rules, additional local notice, consent, registration, or cross-border requirements may apply. Where they do, we follow them in addition to this policy.

13. Cookies

Our use of cookies and similar technologies is described in the Cookie Notice at /cookies.

14. Changes to this policy

We may update this policy from time to time. When we make material changes we will update the “Last updated” date and, where a change affects how we process your data, we will inform affected data subjects. Where our sub-processors change, we update our register and re-issue notice to data subjects as required.

15. Contact

For privacy questions or to exercise your rights: hello@excbrand.ai.

Athirium OÜ, registered in Estonia.

ExcBrand.AI

AI Reputation Management for executives.

Invite only. Set up for executives by their organization.

© 2026 ExcBrand.AI. Set in Fraunces, Inter Tight, and JetBrains Mono.