Legal
Privacy Policy
Last updated: June 7, 2026
This Privacy Policy explains how ExitPage.one ("ExitPage", "we", "us", or "our") processes personal data when you use ExitPage.one, the dashboard, published exit pages, and related services (the "Service").
For account, billing, security, support, and product analytics data, ExitPage is the controller. For personal data that you choose to place into an exit page about your own users, customers, team, or business, you are responsible for having a lawful basis to publish that content and ExitPage hosts it as part of providing the Service.
1. Controller and contact
The controller for the Service is ExitPage, the operator of ExitPage.one. You can contact us about privacy matters at [email protected].
We have not appointed a Data Protection Officer because we do not currently believe one is required for our processing. If that changes, we will update this Policy.
2. Personal data we process
Account data
We process your name, email address, password hash, OAuth profile data if you sign in through an OAuth provider, plan, account settings, and authentication/session data.
Exit page content
We process the content you create: product names, logos, page text, shutdown information, contact emails, social links, recommended alternatives, custom domains, styling choices, SEO metadata, and published HTML.
Billing data
Payments are processed by Creem as Merchant of Record. We receive limited billing status information such as your plan, payment confirmation, product purchased, customer email, and transaction metadata. We do not store full card numbers or payment method details.
Usage, security, and log data
When you use the Service, we may process IP address, browser and device information, request URLs, timestamps, referrer, error logs, rate-limit events, and actions taken in the dashboard. We use this for security, troubleshooting, abuse prevention, and improving the Service.
Published page analytics
When someone views a published exit page, we record page view counts, timestamp, referrer, user agent, country when available, and a hashed IP-derived value. Published exit pages do not use analytics cookies.
3. Purposes and legal bases
- Provide the Service: account creation, login, page editing, hosting, publishing, custom domains, previews, and exports. Legal basis: contract.
- Payments and plan access: checkout, payment confirmation, invoicing support, tax and accounting records, and fraud prevention. Legal bases: contract, legal obligation, and legitimate interests.
- Transactional communication: password resets, account notices, payment confirmations, support replies, and important service notices. Legal bases: contract and legitimate interests.
- Security and abuse prevention: authentication, rate limiting, logging, investigating misuse, preventing spam, phishing, malware, and unauthorized access. Legal basis: legitimate interests.
- Published page analytics: showing page owners basic analytics about their published pages without cookies. Legal basis: legitimate interests.
- Legal compliance: tax, accounting, law enforcement requests, dispute handling, and enforcing our rights. Legal basis: legal obligation and legitimate interests.
- Optional communications: product updates or marketing, if we offer them. Legal basis: consent or legitimate interests where permitted by law. You can opt out at any time.
We do not sell personal data. We do not use personal data for third-party advertising.
4. Sharing and processors
We share personal data only where needed to run the Service, comply with law, or protect rights. Categories of recipients include:
- Infrastructure and storage providers for hosting, databases, uploaded files, backups, and delivery of published pages.
- Email providers for transactional emails and support communications.
- Payment provider: Creem, which acts as Merchant of Record for paid purchases and may process data as an independent controller for payment, tax, fraud, compliance, and customer support purposes.
- OAuth providers if you choose to sign in through them.
- Professional advisers and authorities where required for accounting, legal compliance, disputes, or lawful requests.
- Public visitors when you publish an exit page. Published content is public by design.
5. International transfers
Some providers may process personal data outside your country, including outside the European Economic Area or the United Kingdom. Where required, we rely on adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards. Payment-related data may also be processed by Creem according to its own privacy and compliance terms.
6. Retention
- Account data: kept while your account is active, then deleted or anonymized within a reasonable period after account deletion unless we must keep it longer.
- Exit page content: kept while your account or published page remains active. If you unpublish or delete content, it is removed from active service areas, subject to backup cycles and legal holds.
- Published page analytics: kept while the related page exists, unless you delete the page or account.
- Security logs: kept only as long as reasonably needed for security, troubleshooting, and abuse prevention.
- Billing and tax records: kept for the period required by applicable tax, accounting, chargeback, and audit rules. This may be up to 7 years or longer where legally required.
- Backups: removed on a rolling schedule. Deleted data may remain in encrypted backups until those backups expire.
7. Your rights
Depending on where you live, and especially if GDPR or UK GDPR applies, you may have the right to request access, correction, deletion, restriction, portability, and objection to certain processing. Where processing is based on consent, you may withdraw consent at any time without affecting processing that already happened lawfully.
You also have the right to lodge a complaint with your local data protection supervisory authority. If you are in the EEA, you can contact the authority in your country of residence, workplace, or where you believe an issue occurred.
To exercise privacy rights, email [email protected]. We may need to verify your identity. We aim to respond within one month, unless the request is complex or numerous, in which case applicable law may allow an extension.
8. Cookies and similar technologies
The dashboard uses only cookies or similar storage that are necessary for login, authentication, security, and preferences. These are required to provide the Service and do not require opt-in consent under EU cookie rules.
We do not currently use advertising cookies or third-party analytics cookies. If we add non-essential cookies or tracking technologies, we will request consent before setting them where required by law and provide a way to withdraw that consent.
Published exit pages, including subdomains like yourproduct.exitpage.one, do not use analytics cookies. Some templates may use local storage only to remember a visitor's display preference, such as light or dark mode. We also collect basic server-side page view analytics as described above.
9. Security
We use technical and organizational measures such as HTTPS, hashed passwords, access controls, rate limiting, and limited access to production systems. No service can be guaranteed completely secure, so please use a strong unique password and contact us immediately if you suspect unauthorized access.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate action.
11. Changes
We may update this Privacy Policy as the Service, providers, or law changes. If changes are material, we will provide reasonable notice through the Service or by email. The date at the top shows the latest revision.
12. Contact
For privacy questions or requests, contact:
ExitPage
[email protected]