Privacy Policy
Exponential · exponential.at · last updated 2026-07-09
This privacy policy describes what data the Exponential service and its apps (web, Android, iOS, and desktop — together “Exponential”, “the service”) collect, how it is used, stored, shared, and deleted. Exponential is operated by Dennis Strähhuber, Germany (“we”). It applies to the hosted cloud service at app.exponential.at. If you connect the apps to a self-hosted Exponential instance instead, the operator of that instance is responsible for the data it stores; this policy then applies only to what the apps themselves do on your device.
1. Data we collect
- Account data. When you sign in with Google we receive your name, email address, and profile picture URL via Google’s OAuth flow (scopes
openid, profile, email). We request no other Google scopes and never access your contacts, mail, files, calendar, or location. - Content you create. Workspaces, projects, issues, comments, labels, and file attachments (including screenshots submitted through the feedback widget) are stored so the service can function. Issue and comment text may contain whatever you choose to write.
- Feedback widget and public-board submissions. If a site operator embeds our feedback widget and you submit feedback through it, we store what you send — your message and optional screenshot — plus the page URL you were on, your browser’s user-agent and viewport/screen size, and any email, name, or custom data the host site chooses to pass along with your submission. The same applies when you report an issue through the form on a public feedback board, where you can optionally leave your email address. This lets the site operator triage and follow up on your report — the members of the operator’s workspace who handle feedback can see your email and message. Your email is never exposed to anonymous or public-board viewers.
- Push notification tokens. If you enable push notifications on Android or iOS, a Firebase Cloud Messaging device token is stored to deliver them. The token identifies the app install, not your physical device identity.
- GitHub integration data. If you connect the Exponential GitHub App, we store the installation reference and repository names you connect. Repository access tokens are short-lived and minted on demand; we do not store your GitHub password or personal access tokens.
- Billing data. Paid subscriptions are processed by Creem (merchant of record). We store your subscription state and a customer reference; payment card details never touch our servers.
- Technical logs. Standard server logs (IP address, request path, timestamps) are kept short-term for security and operations. We run no third-party analytics, no ad networks, and no tracking pixels.
2. How data is used
Data is used solely to provide the service: authenticating you, syncing your boards in real time across your devices, sending the notifications you enabled, operating the GitHub and billing integrations you chose, and answering support requests. We do not use your data for advertising or profiling, we do not sell it, and we do not use it to train machine-learning models.
3. Sharing and processors
We share data only with the processors required to run the service:
- Hetzner Online GmbH (Germany) — servers and object storage for attachments.
- Google Firebase Cloud Messaging — delivery of push notifications (receives the device token and the notification payload).
- Resend — transactional email (receives your email address and the message content, e.g. notification, account-verification, and password-reset emails).
- Creem — subscription billing (merchant of record; receives the billing details you enter with them).
- GitHub — only if you connect the GitHub App; repository operations happen through GitHub’s API on your behalf.
There are no data brokers, ad networks, or analytics providers. Content you place on a public feedback board is visible to that board’s members; member identities on public boards are shown anonymized.
4. Storage and protection
- All traffic between your devices and the service uses TLS (HTTPS).
- Data is stored in a PostgreSQL database and S3-compatible object storage on servers in Germany (Hetzner), reachable only from the application servers.
- Access is session-authenticated; workspace data is only synced to members of that workspace. Server-side authorization enforces the same rules for every API call.
5. Retention and deletion
Your data is retained while your account is active. You can delete issues, comments, attachments, projects, and workspaces yourself inside the app — deletions are immediate and propagate to all synced devices. You can also delete your entire account and all associated data directly in the product: on the web under Account → Notifications → Danger Zone, and in the mobile apps under Settings → your server → “Delete account”. Deletion is immediate and removes your personal workspaces and everything you created. Alternatively, email dennis@straehhuber.com from the address tied to your account; requests are honoured within 30 days. Revoking Google access is possible anytime at Google Account → Third-party access.
Limited Use disclosure
Exponential’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Children
The service is a professional productivity tool and is not directed at children under 16. We do not knowingly collect data from children.
Changes to this policy
If this policy changes, the “last updated” date at the top of the page will be revised. Material changes that reduce user protections will be communicated to registered users by email before they take effect.
Contact
Data controller: Dennis Strähhuber, Germany (see the Imprint for the full postal address). Questions about this policy and all data-deletion requests: dennis@straehhuber.com.