Exacta

Privacy Policy

Effective date: June 11, 2026

1. Introduction and Scope

Exacta, Inc. ("Exacta," "we," "us," or "our") is a Utah corporation providing business intelligence and analytics software for pest control companies. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit exacta.ai or useexacta.com (the "Sites") or use the Exacta platform (the "Service").

Two roles, two kinds of data. We handle data in two distinct capacities:

  • Account & Site Data — Exacta as controller. Information about you (our user) and visitors to our Sites: account details, usage data, communications with us. We decide how and why this data is processed, and this Policy governs it directly.
  • Customer Business Data — Exacta as processor/service provider. Operational data that our customers (pest control companies) upload to or sync with the Service. This data frequently contains personal information about the customer's own clients — homeowners' and property managers' names, service addresses, phone numbers, email addresses, payment records, and similar information ("End Customer Data"). For Customer Business Data, our customer is the controller (or "business" under U.S. state privacy laws) and Exacta processes it only on the customer's behalf and instructions, under our agreement with that customer (including a Data Processing Addendum where executed).

If you are an end customer of a pest control company that uses Exacta: your service provider — not Exacta — decides how your information is used. Please direct privacy questions and requests to them; Section 9 explains how we support those requests.

2. Information We Collect

Account information. Name, email address, company name, role, and password (stored hashed) when you create an account; billing details if you purchase a subscription.

Customer Business Data. Whatever form your use of Exacta takes — a free audit, ongoing monitoring, or a platform subscription — providing the Service requires us to pull a copy of your records onto our systems and process it there — "read-only" describes our access to your systems (we never write to or change anything in them), not what happens to the data, which is collected, stored, and processed as this Policy describes. The Service is built to ingest whatever operational data your business keeps, in whatever form it exists. Depending on what you upload or connect, this may include: customer and property records; job, appointment, and service records; technician service notes; treatment and chemical-application records; invoices, payments, and collections records; service agreements; expense and budget data; payroll and labor-cost data; fleet, GPS, and telematics data; customer reviews; and any other files you choose to upload (CSV, Excel, PDF, images, or exports from any system). Because uploads are open-ended, Customer Business Data may include any category of personal information that appears in your records. We process it to provide the Service, as described in Sections 3 and 5.

Integration credentials. API keys, OAuth tokens, and connection credentials for third-party services you choose to connect (e.g., Fieldwork, FieldRoutes, PestPac, GorillaDesk, QuickBooks Online, Samsara). Credentials are stored with field-level AES-256-GCM encryption and are never exposed to the browser.

Usage and device data. Pages visited, features used, log data, IP address, browser type, and performance metrics, collected automatically when you use the Sites or Service.

Cookies. Essential cookies for authentication and session management, and first-party analytics. We do not use third-party advertising cookies or cross-site tracking. See Section 10.

3. How We Use Information

We use information to:

  • Provide, maintain, secure, and improve the Service;
  • Ingest, normalize, structure, and de-duplicate your uploaded and synced business data;
  • Compute KPIs, analytics, dashboards, and business intelligence outputs;
  • Derive estimated values where your records have gaps (derived values are labeled as such in the Service);
  • Sync data between your connected third-party services at your direction;
  • Send service-related communications (account alerts, sync status, security notices);
  • Respond to support requests;
  • Detect, investigate, and prevent security incidents and abuse;
  • Comply with legal obligations.

We do not use Customer Business Data to train AI models, and we contractually prohibit our AI subprocessors from doing so (Section 5). We may use aggregated, de-identified data to operate, benchmark, and improve the Service — and if we ever publish industry figures, they are anonymized and drawn only from pools large enough that no company (and no individual) could be identified.

4. Connected Third-Party Services

When you connect a third-party service, we access data on that platform only to the extent authorized by your OAuth consent or the API credentials you provide, and only to provide the Service to you — on a read-only basis: we never write to or change anything in your connected systems. Disconnecting an integration immediately revokes our access, and deletion of the data we already pulled follows the timeline in Section 8. We do not sell, share, or use your third-party data for any other purpose.

Specifically for QuickBooks Online: we access your accounting records — which may include customers, invoices and line items, payments, credit memos, accounts-receivable aging, chart of accounts, expenses, purchase transactions, and vendor and employee records — to reconcile your field-service data against your books (for example, surfacing invoiced-but-uncollected revenue) and to compute financial KPIs within your Exacta dashboard. We do not modify your QuickBooks data.

Your use of each connected service remains governed by that provider's own terms and privacy policy.

5. AI-Assisted Data Processing

Exacta uses large language models from Anthropic, PBC (the Claude API) to power core features of the Service. Depending on which features you use, the following processing occurs:

| Feature | What is sent to Anthropic |
| --- | --- |
| Data ingestion — structure discovery & schema mapping | Column headers and sample rows from files you upload, so the model can determine each file's structure and map it into your Exacta database. Because this operates on raw uploads, samples may contain any data present in the file — including client names, contact details, addresses, and financial figures. |
| Service note & treatment parsing | Text of technician service notes, which may include property addresses, unit numbers, client names, and service descriptions. |
| Route & technician analysis | Job, schedule, and route data used to produce route-efficiency insights. |
| Review analysis | Text of customer reviews, which routinely includes reviewer names. |
| Entity resolution (duplicate detection) | Client name strings, compared to link records referring to the same person or business. |

In plain terms: if it's in your data, it may transit Anthropic's API — including personal information about your clients where it appears in your records.

What Anthropic may do with it: process it to return results to Exacta — nothing else. Under Anthropic's commercial API terms, data submitted via the API is not used to train models and is not retained beyond limited operational windows. See Anthropic's usage policies.

We also use Google Maps Platform (Geocoding and Distance Matrix APIs) to compute property coordinates and drive times between service stops. Property addresses are sent to Google for this purpose, governed by the Google Maps Platform Terms of Service.

We maintain a current list of subprocessors (including all AI providers) and update it before adding any new one. We do not use your data to train our own or any third party's AI models.

6. How We Disclose Information

Your data is never sold and never shared. Concretely: no third party ever receives your data for its own purposes — not advertisers, not data brokers, not other companies, not "partners." The only parties who touch your data are service providers acting strictly on our instructions to run the Service for you (listed below), which is how every cloud service operates. We disclose information only:

  • To subprocessors that help us operate the Service — hosting and database infrastructure (Vercel, Supabase), AI processing (Anthropic), geocoding (Google), and similar providers — each bound by contractual confidentiality and data-protection obligations;
  • At your direction, including through integrations you connect;
  • Within your company, to users authorized under your account;
  • For legal reasons, where required by law, subpoena, or to protect rights, safety, or the integrity of the Service;
  • In a business transfer (merger, acquisition, financing, or sale of assets), in which case this Policy continues to apply until you are notified otherwise.

7. Security

Customer data is stored in Supabase (PostgreSQL) with row-level security enforcing tenant isolation — every record is scoped to your company and inaccessible to other customers. Integration credentials use field-level AES-256-GCM encryption and are never sent to the browser. All data is transmitted over HTTPS/TLS. No system is perfectly secure; we encourage strong, unique passwords and prompt reporting of any suspected unauthorized access to support@useexacta.com.

8. Data Retention and Deletion

We retain your data while your account is active. Deletion of the copy of your records we hold is triggered by any of the following, whichever happens first:

  • You revoke access (one click, any time): our access to your systems ends immediately, and we delete the pulled copy of your records within 90 days;
  • Your free audit doesn't convert to a subscription: we delete the pulled copy within 90 days of the readout;
  • Your subscription terminates: you have a 30-day window to export your data, and we delete Customer Business Data within 90 days;
  • You ask us to: you may request deletion of your account and associated data at any time.

Deletion excludes only what law requires us to keep and backup copies that age out on a fixed schedule.

-day window across all triggers is a PROPOSAL pending your review — Will has deliberately not finalized it. Confirm it is operationally accurate (backup cycles) and consistent with the landing page's "revoke in one click" promise, which the page scopes to access, not deletion.]

9. Your Privacy Rights

All users. You may access, correct, export, or delete your personal information, and disconnect any integration, at any time — through the Service or by contacting support@useexacta.com. We respond to verifiable requests within the timeframes required by applicable law.

U.S. state privacy rights. Several states — including California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia — have privacy laws granting residents rights such as knowing what personal information is collected, accessing and obtaining a copy, correcting, deleting, and opting out of sale or targeted advertising. These laws apply to companies above certain size and data-volume thresholds. To the extent any of these laws applies to Exacta, we will honor the rights it provides — and regardless of legal obligation, the access, correction, export, and deletion capabilities described above are available to all users. We do not sell personal information and do not engage in targeted advertising. We will not discriminate against you for exercising a privacy right, and where applicable law provides an appeal process for declined requests, we follow it.

End Customer Data. If a pest control company processes your information through Exacta, that company is responsible for honoring your privacy rights. Submit requests to that company directly; Exacta supports its customers in fulfilling verified requests (access, deletion, correction) as their processor.

10. Cookies, Analytics, and Do Not Track

We use essential cookies (authentication, session management, security) and first-party product analytics. We do not use third-party advertising cookies, cross-site tracking, or social-media pixels on the Service. Because we do not track users across third-party sites, there is no behavior to change in response to browser "Do Not Track" signals; we treat universal opt-out signals (e.g., Global Privacy Control) as a valid opt-out of any applicable sharing, of which there currently is none.

11. Children's Privacy

The Service is a business tool for companies, not directed to children under 13 (or the age required by local law), and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact support@useexacta.com and we will delete it.

12. Where Data Is Processed

Exacta is operated from the United States, and data is stored and processed in the United States. If you access the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S.

13. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes by email or in-app notice and update the effective date above. Changes apply prospectively from their effective date.

14. Contact

Exacta, Inc.

223 Cougar Blvd #557, Provo, UT 84604

support@useexacta.com


© 2026 Exacta Inc.