ExoBench Privacy Policy
Effective Date: May 5, 2026
Table of Contents
- New Policy Changes
- Overview
- Policy Scope
- Our Data Processing Activities
- Your Privacy Rights
- How to Submit a Privacy Request
- Data Retention
- Data Security
- Changes to Our Policy
- Cookie Addendum
New Policy Changes
No changes made since the Effective Date listed above.
Overview
ExoQuery LLC ("ExoQuery," "us," "we," or "our") owns and operates ExoBench (also referred to as "ExoQuery Benchmarker," which is a synonym of ExoBench, and collectively, the "Services"), made available through the websites at www.exobench.ai and connect.exobench.ai (together, the "Site"). To provide the Services, we collect "personal information" through our Site. "Personal information" generally means information that can directly or indirectly identify an individual or, in some cases, an individual's household. It does not include data that is anonymized, de-identified, or publicly available. This Privacy Policy ("Policy") describes how we collect, use, share, retain, and otherwise process your personal information.
If you have any questions about this Policy or wish to submit a privacy request or complaint, please contact us at:
- Email: info@exobench.ai
- Mail: 502 W 7th St, Ste 100, Erie, PA 16502-1333
- Attention: ExoQuery LLC
This Policy is incorporated into and governed by our Terms of Use.
IF YOU DO NOT AGREE WITH ANY ASPECT OF THIS POLICY, PLEASE DO NOT ACCESS OR USE THE SERVICES OR OTHERWISE PROVIDE US WITH YOUR PERSONAL INFORMATION. YOUR CONTINUED USE OF THE SERVICES SIGNIFIES YOUR ACCEPTANCE OF THIS POLICY. IF YOU LEARN OF A POTENTIAL VIOLATION OF THIS POLICY BY US OR AN OUTSIDE PARTY, PLEASE CONTACT US.
Policy Scope
The Services and this Policy apply to individuals who are 18 years of age or older. If you are not 18 years of age or older, you are NOT permitted to access or use the Services. If you learn that anyone younger than 18 has unlawfully provided us with personal information, please contact us, and we will take steps to delete such information. This Policy only applies to personal information that we, or our service providers, collect from you through the Services.
The Services are operated from the United States and are intended for users located in the United States. We do not target or actively market the Services to individuals in the European Economic Area, the United Kingdom, or Switzerland, and the Services are not designed to comply with the General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection. If you access the Services from outside the United States, you do so on your own initiative and are responsible for compliance with applicable local laws.
We may link to third-party services and external websites ("Third Parties") on our Site. We do not own or control these Third Parties and are not responsible for their content or privacy practices. Such Third Parties may have their own privacy policies, and you should consult those policies before visiting their websites or apps.
Our Data Processing Activities
For information on the personal information we collect, use, and share, please see the tables below. For information on our online tracking activities, please see the Cookie Addendum.
Personal Information We Collect About You
Table 1: Personal information collected and purposes of collection
| Information Type | Source | Purpose |
|---|---|---|
| Name and contact information (e.g., email address, name) | From you directly | To respond to your inquiries; to provide the Services to you |
| Your communications with us | From you directly | To respond to your inquiries; to provide customer support |
| Stripe customer ID, billing email, billing name, and subscription status | Returned to us by Stripe after you complete a transaction on Stripe's hosted checkout | To associate your account with your subscription; to provision and meter Service access; to send billing receipts and account notifications; to support billing inquiries |
| Authentication identifiers (GitHub, Google, or Microsoft account ID, email, and display name) | From your chosen OAuth provider when you sign in | To create and maintain your account; to associate Service activity with you |
| SQL queries and benchmark inputs (queries you submit to the benchmarker, including any literals or comments embedded in them) | From you directly via the Services or via MCP clients connected to the Services | To execute and benchmark your queries; to return execution plans, EXPLAIN ANALYZE output, and timing data; to debug Service errors |
| Database schema definitions and structural metadata (DDL, schema templates, and structural metadata) | From you directly via the Services | To provision benchmark databases against which to run your queries; to provide analysis of your schema structure |
| Service usage data (which tools you invoke, benchmark execution timing, error logs, system events) | Generated by your interactions with the Services | To operate, debug, and improve the Services; to enforce usage limits; to detect abuse |
| Device and Site activity information | Indirectly from your interactions with our Site | Please see our Cookie Addendum |
Note on SQL content. The Services exist to execute and benchmark SQL queries you submit. Those queries, and any schema definitions you submit alongside them, are processed and stored by us as necessary to operate the Services. You should not submit SQL containing personal information of third parties, production secrets, or other sensitive content.
General Purposes
Any personal information described in Table 1 above may also be processed for the following "General Purposes":
- To provide customer and IT support;
- To maintain the Site and Services;
- To comply with legal, law enforcement, and government requirements or requests;
- To monitor for fraud or illegal activity;
- To exercise our legal rights;
- To run our day-to-day business and facilitate corporate or other business transactions;
- For document retention and data storage purposes.
Sensitive Personal Information
We do not knowingly collect sensitive personal information. If you choose to provide sensitive personal information to us, you consent to us processing it in accordance with this Policy.
Personal Information Recipients
To provide the Services, we may share your personal information with the categories of third parties described below.
Table 2: Categories of third parties who may receive your personal information
| Recipient Type | Personal Information Type | Purpose |
|---|---|---|
| Cloud infrastructure providers (e.g., AWS) | All personal information described in Table 1, as necessary to operate the Services | To host the Services, store account information, and run data benchmarks |
| Payment Processor (Stripe) | Card number, expiration, CVC, and billing address — collected directly by Stripe through its hosted checkout. ExoQuery LLC does not receive or store full card numbers, CVC codes, or billing addresses. | To process payments for the Services. Stripe processes this data as an independent controller under its own privacy policy: https://stripe.com/privacy |
| OAuth identity providers (GitHub, Google, Microsoft) | Authentication request and response data | To authenticate your sign-in to the Services |
| Analytics providers (Google Analytics) | Site activity information | Please see our Cookie Addendum |
| Error monitoring providers (e.g., Sentry) | Service error logs and associated metadata | To detect, diagnose, and resolve Service errors |
General Recipients
The following third parties may receive any or all personal information listed in Table 1 in certain instances:
- Data storage providers, for document retention and data storage services;
- IT software, platform, and support service providers, for IT software, maintenance, and support;
- Auditors and legal advisors;
- Law enforcement, government authorities, and judicial bodies, in the event of a legal requirement, inquiry, or investigation;
- Potential purchasers of ExoQuery LLC, in the event of a change in ownership.
Your Privacy Rights
Depending on where you reside, you may have rights or choices that allow you to make requests with respect to your personal information (subject to applicable legal exceptions), including rights or choices to:
- Obtain confirmation that we accessed and processed your personal information;
- Obtain details about how we collect, use, and share your personal information;
- Access a copy of your personal information in a portable format;
- Delete your personal information (unless an exception under law applies);
- Correct your personal information;
- Opt out of the sale of your personal information or targeted advertising based on your browsing behavior (if applicable);
- Submit an appeal to us if we initially reject your privacy request;
- Submit a complaint to your applicable State Attorney General or regulatory authority;
- Not have discriminatory action taken against you for exercising your rights.
How to Submit a Privacy Request
If you would like to exercise any of the above rights ("Privacy Request"), please contact us at info@exobench.ai. We will not discriminate against you for exercising your rights under privacy laws.
Step 1: Verifying Your Request
Before we can fulfill your Privacy Request, we need to (i) verify your identity or your authority to make the request and (ii) confirm that the personal information you are requesting belongs to you.
For most requests, we will ask you to provide information that matches at least two pieces of personal information we store about you. If you would like to request specific pieces of personal information, you will need to match at least three pieces of information we store about you, and you must provide a signed declaration under penalty of perjury that you are the consumer whose personal information you are requesting. If you have a password-protected account with us, we may use our existing authentication procedures to verify your identity.
We may refuse any request if we are unable to verify the identity of the person making the request using commercially reasonable efforts. We will only use personal information provided in a Privacy Request to verify the requester's identity or authority to make the request.
Authorized Agents
You may grant an authorized agent written permission to submit Privacy Requests, but we may deny requests from an authorized agent if we are unable to verify your identity directly as the subject of the personal information at issue. We may require proof that you gave the authorized agent signed permission to submit the Privacy Request.
Step 2: Responding to Your Privacy Request
After verifying your identity, we will respond to your request by either fulfilling it or explaining why we are denying it. The timeframe for our response will vary based on the applicable law where you reside. If we deny your Privacy Request, you may have the option under applicable law to appeal by contacting us.
Deletion Requests
For deletion requests, removal of content by us does not guarantee complete removal in all places. The content may have been shared by other parties who act outside of any business relationship with us, or federal or state law may require us to retain it. We will do our best to accommodate your Privacy Request, but we cannot guarantee we can remove all personal information from the specified uses. If the Privacy Request relates to information we need to provide Services to you, you may not be able to use the Services properly moving forward. We reserve the right to maintain proper business records as required by law, or for legitimate business purposes to the extent permitted by law, even if such records contain your personal information.
Data Retention
We retain personal information as needed to operate the Services and for legitimate purposes such as ensuring the security of our data and systems, complying with our legal obligations, complying with tax and audit requirements, resolving disputes, conducting internal investigations, and enforcing our agreements or other legal rights. Actual retention timeframes vary depending on the type of personal information and the purposes for which we use it. If we determine that your personal information is no longer needed for the purposes described above, it will be deleted or anonymized so that it can no longer be attributed to you. Residual copies of your personal information may be removed from backup systems subject to our backup data retention schedule.
Data Security
We have implemented technical and organizational measures to address the risk of loss, misuse, alteration, or unauthorized disclosure of personal information under our control. We limit access to your personal information to those employees, agents, contractors, and other third parties who have a need to know such information to provide the Services or in instances where disclosure is necessary in special cases, such as a physical threat to you or others, as permitted by applicable law. We require that third parties only process your personal information to provide services to us or to implement security measures to keep your information confidential and secure.
Payment card data is collected and processed exclusively by our PCI-DSS compliant payment processor, Stripe. We receive only a Stripe customer identifier, billing email, billing name, and subscription status from Stripe; we do not receive, store, or have access to full card numbers, CVC codes, or billing addresses.
While we have employed security technologies and procedures to safeguard your personal information, no system or network can be guaranteed to be 100% secure, and we cannot guarantee that the information you send over the internet is fully secure. You should exercise discretion in what information you disclose or transmit through our Site. Email communications are typically not encrypted and should not be considered secure. If you have an account with us, you are responsible for maintaining the secrecy of your login credentials and for controlling access to your account.
Changes to Our Policy
We reserve the right to change this Policy at any time. Any substantive changes will be described in the New Policy Changes section of this Policy for a period of thirty (30) days. The Policy's effective date will always be listed at the top of the Policy. Changes will be prospective only, unless legally required otherwise. Your continued use of the Services after any changes constitutes your acceptance of the changes. If any changes are unacceptable to you, you should cease all use of the Services. We will not collect new types of personal information beyond what is disclosed in this Policy without providing you with notice prior to the collection of that personal information.
Cookie Addendum
This Cookie Addendum describes the cookies and online tracking technology that ExoQuery LLC uses on its Site. For general information on the personal information we collect, please see the main Policy.
Cookies
Cookies are small text files containing data that can identify your device. When you visit a website, a cookie is filed in your browser so that, on future visits, the website can recognize your device. Cookies can be developed by the website owner ("first-party cookies") or another external party ("third-party cookies"). Cookies serve different purposes including: (i) maintaining the general functioning of a website ("Essential Cookies"), (ii) personalizing a user's experience ("Personalization Cookies"), (iii) analyzing user interactions for performance and product analytics ("Analytical Cookies"), and (iv) using information for marketing purposes ("Marketing Cookies"). Cookies typically collect information about your device such as IP address, unique ID, browser, and information about how you interact with our Site.
We currently use Essential, Personalization, and Analytical cookies on our Site. The table below lists the third-party providers whose cookies may be set on our Site.
| Provider | Type | Purpose |
|---|---|---|
| AWS | Essential | Web hosting |
| AWS CloudWatch | Essential | Data logging (data security) |
| Vercel | Essential | Front-end hosting |
| Cloudflare | Essential | CDN and data security protection |
| Sentry | Essential | Error tracking |
| Stripe | Essential | Facilitate payments |
| GitHub OAuth | Personalization | Account authentication / session cookies |
| Google OAuth | Personalization | Account authentication / session cookies |
| Microsoft OAuth | Personalization | Account authentication / session cookies |
| Google Analytics 4 | Analytics | Site analytics — see below |
Google Analytics
Our Site uses Google Analytics, a web analytics service provided by Google Inc. ("Google"), that uses tracking technologies to analyze your use of and interaction with our Site. Information that Google may collect for this purpose may include page views, scrolls, videos or links that were clicked, a unique client ID attributable to your device, browser information, your approximate age, gender, interests, language settings, and approximate location metadata derived from your IP address (city, state, and country) (collectively, "Google Analytics Data"). Google Analytics Data is transmitted to and stored on a Google server in the United States, where it is analyzed for purposes of generating reports on web traffic patterns ("Google Analytics Reports"). Google may transfer Google Analytics Data and Reports to third parties if required by law or if third parties process such information on behalf of Google. A general overview of Google's data privacy practices for Google Analytics is available at https://support.google.com/analytics/answer/6004245. For more information, please review Google's privacy policy. To opt out of being tracked by Google Analytics, you may download and install the Google Analytics Opt-out Browser Add-on.
Opt Out of Cookies
You can opt out of cookies on our Site through your browser by changing your browser cookie settings to block or delete cookies (see Chrome, Safari, Firefox). If you are using any other web browser, please consult that browser's official support documents. To learn more about opting out of certain kinds of tracking that occur when you browse the internet, visit the Network Advertising Initiative website and the Digital Advertising Alliance website.
To exercise the rights described in this Policy, please see the Your Privacy Rights and How to Submit a Privacy Request sections of the main Policy.
Global Privacy Control Signals
Some browsers offer a Global Privacy Control ("GPC") signal that allows you to opt out of certain processing of your personal information. We honor GPC signals to the extent required by applicable law.