Legal
Privacy Policy
Last updated 8 July 2026
1. Who this policy covers
This policy applies to the Wexl AI platform, dashboard, and related services operated by WEXL.ai (“Wexl AI”, “we”, “us”). It covers the account holders and team members who sign in to use our products. Where we process personal data on behalf of a business customer (for example, the content you publish or the enquiries your assistant handles), that business is the data controller and we act as its processor under our customer agreement.
2. Information we collect
We collect only the information needed to provide the products you switch on:
- Account details — your name, work email, and authentication data used to create and secure your login.
- Business content — the profiles, prompts, drafts, and posts you create in our products, and the material you upload to generate content.
- Connected accounts — when you connect a social or business account (Facebook, Instagram, LinkedIn, Google Business), the access token and the destination identifier (Page, business account, or author) needed to publish on your behalf. See section 5.
- Usage & diagnostics — logs, timestamps, and error data that keep the service reliable and secure. We do not use these to build advertising profiles.
- Billing — if you purchase a paid subscription, our payments processor collects the payment details; we retain only the subscription status and invoices, never your full card number.
3. How we use your information
We use your information to:
- provide, operate, and secure the products you have enabled;
- generate, schedule, and — only with your explicit approval — publish content;
- authenticate you and prevent fraud or abuse;
- provide support and respond to your requests;
- meet legal, tax, and accounting obligations.
We do not sell your personal data, and we do not use the content of your connected accounts for advertising or to train third-party advertising models.
4. AI processing of your content
Our products use AI models to draft and refine content and to handle enquiries. To do this, the relevant content (for example, a prompt or a draft) is sent to our AI model provider for processing. This processing runs through an EU/UK endpoint configured for zero data retention — your content is used to produce the response and is not retained by the provider to train its models. We never send connected-account access tokens to the AI provider.
5. Connected social & business accounts
Connecting an account is optional and always initiated by you. When you connect Facebook, Instagram, LinkedIn, or Google Business, we request only the permissions required to identify the destination and to publish the posts you approve:
- Facebook & Instagram (Meta) — to list the Pages you manage, read the minimal Page / Instagram business-account details needed to target the right destination, and publish the posts you approve to them.
- LinkedIn — to identify you as the author and share posts you approve.
- Google Business — to manage and publish posts to the business locations you choose.
We handle the resulting access as follows:
- the access token is encrypted at rest (AES-GCM) and is write-only from your dashboard — it is never exposed to your browser, shown back to you, or shared;
- we use it solely to publish content you have explicitly approved and to resolve the correct destination — we do not read your private messages, browse your timeline, or post anything without your approval;
- we refresh the token automatically when a platform allows it, so publishing keeps working without you re-entering anything; and
- you can disconnect any account at any time, which immediately and permanently deletes the stored token and connection (see Deleting your data).
Our use of information received from Meta, LinkedIn, and Google APIs adheres to each platform’s developer and platform terms, including their limited-use requirements.
7. Where your data is stored
Your data is hosted in the European Union (Frankfurt, Germany). Where a sub-processor necessarily processes data outside this region, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) to protect it.
8. How we protect your data
We apply layered technical and organisational safeguards: encryption in transit, encryption at rest for sensitive credentials, strict per-account access controls at the database level, short-lived internal service tokens, and audit logging of sensitive actions. No system can be guaranteed perfectly secure, but we work to protect your data and to respond quickly if an issue arises.
9. How long we keep it
We keep personal data only for as long as your account is active or as needed to provide the service, then delete or anonymise it. Connected-account tokens are deleted the moment you disconnect. Some records (for example, invoices) are kept longer where the law requires it.
10. Your rights and choices
Subject to applicable law (including the GDPR for individuals in the EU/UK), you have the right to access, correct, export, or delete your personal data, to restrict or object to certain processing, and to withdraw consent. To exercise any of these, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority.
11. Deleting your data
You can remove a single connected account yourself in seconds, or ask us to delete your whole account and all associated data. Full, step-by-step instructions are on our Data Deletion page.
13. Children's privacy
Our products are for businesses and are not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
14. Changes to this policy
We may update this policy as our products evolve. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you in the product. Continuing to use Wexl AI after an update means you accept the revised policy.
15. Contact us
Questions about this policy or your data? Contact WEXL.ai at [email protected].