Last updated: November 16, 2025
This Privacy Policy describes how BFF Labs, Inc. (referred to here as "EXO", "we", "us", or "our"), collects, uses, and discloses information when you access or use our website and web application (the "Service"). By using the Service you consent to the practices described below.
We collect the information you provide when you create an account or otherwise interact with the Service. This includes identifiers such as email address and display name; user-entered fitness and wellness information such as workouts, exercise and fitness logs, nutrition entries, sleep notes, and lifestyle or well-being entries; any files you upload; the text of conversations you conduct with our AI; technical and usage logs recorded by our servers; and cookies or similar technologies that help manage sessions and analytics.
We use personal information to deliver, personalize, and improve the Service; to maintain security, prevent misuse, and debug or audit system performance; to analyze aggregated, de-identified trends that inform product development; and to comply with legal obligations.
Where the EU or UK GDPR applies, we rely on the following grounds: necessity for performance of a contract when providing the Service; our legitimate interests in maintaining and improving safety, reliability, and accuracy; your explicit consent for processing optional or sensitive health data; and compliance with legal requirements.
EXO is not a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act. Please do not upload protected health information that you are unwilling to share under this Policy.
We do not sell personal data. We disclose it only to service providers that process information on our behalf under confidentiality obligations or to law-enforcement or regulatory authorities when required by law. If we transfer personal data as part of a corporate restructuring, we will do so only to an entity that is bound by privacy terms at least as protective as these.
Data in transit is protected by TLS encryption; data at rest is encrypted by our infrastructure providers. Access to systems is controlled through role-based permissions and audited regularly. These controls dramatically reduce risk, yet no online service can be guaranteed 100 percent impervious to compromise. We continuously monitor for vulnerabilities and will notify you promptly if an incident affecting your data occurs.
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer period is required or allowed by law.
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data and to restrict or object to certain processing. California residents have additional rights under the CCPA, including rights to know, delete, and not be discriminated against for exercising privacy rights. To make a request please contact us at team@withexo.com.
The Service does not currently respond to browser "Do Not Track" signals.
The Service is not directed to children under 13 in the United States or under 16 in the European Economic Area or United Kingdom, and we do not knowingly collect personal data from individuals in these age groups.
We may transfer personal data to the United States or other jurisdictions where we or our subprocessors operate. Where required, we rely on standard contractual clauses or other approved safeguards to protect such transfers.
We may revise this Privacy Policy from time to time. If changes are material we will notify you by email, in-app notice, or both before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
For privacy questions or requests please email team@withexo.com.