Xponent21 Privacy Policy

1. Introduction

Xponent21, LLC (“Xponent21,” “we,” “us,” or “our”) is a digital marketing and AI optimization agency headquartered in Richmond, Virginia. This Privacy Policy explains how we collect, use, store, and share information—including Google user data—across the suite of applications and services we operate.

This policy applies to all Xponent21-owned applications and platforms that access Google APIs or collect user data, including:

  • CARL AIO — AI SEO retainer management and internal operations platform
  • CARL Writes — content workflow engine for AI search optimization
  • Discover AIO — AI search visibility discovery and community lead generation platform
  • CARL Intelligence — prompt intelligence and brand visibility tracking tool
  • Liberating Facilitator — free meeting facilitation tool covering all 33 Liberating Structures

By using any Xponent21 application or service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services.

 

2. Google API Services — User Data Policy

Xponent21’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only the minimum Google data necessary to deliver the features of each application, and we do not use Google user data for advertising or AI model training.

2.1 Data Accessed

Depending on the application you use and the integrations you authorize, Xponent21 may access the following types of Google user data:

Identity & Profile Data

  • Name and email address — used for authentication and account identification across all Xponent21 applications
  • Google profile picture — used for display within application interfaces
  • Google account user ID — used for secure session management

Google Workspace Data (where explicitly authorized)

  • Gmail message metadata and content — accessed only when you connect Gmail to enable workflow automation in CARL AIO
  • Google Calendar events and availability — accessed only when you connect Calendar for scheduling and content planning features
  • Google Drive files and folders — accessed only when you authorize Drive integration for content storage and reporting
  • Google Sheets data — accessed for reporting, analytics dashboards, and content performance tracking where you enable this integration

Search & Analytics Data (where explicitly authorized)

  • Google Search Console property data — accessed in Discover AIO and CARL AIO to support AI search visibility analysis
  • Google Analytics data — accessed where you connect a Google Analytics property to support performance reporting and optimization recommendations

2.2 Data Usage

Xponent21 uses Google user data solely to deliver the features you have authorized. We do not use Google user data for advertising targeting, third-party profiling, or any purpose unrelated to the specific application features described in this policy.

Authentication & Access

  • Google Sign-In is used to authenticate users and maintain secure sessions across Xponent21 applications
  • Your Google account identity is used to associate your account with your organization’s Xponent21 workspace

Application Features

  • CARL AIO uses Google Workspace data (Gmail, Calendar, Drive where authorized) to power AI SEO retainer management workflows and internal operations
  • CARL Writes uses Google data to support content workflow automation, including scheduling, drafting pipelines, and performance tracking for AI search optimization
  • Discover AIO uses Google Search Console and Analytics data to generate AI search visibility reports and surface optimization recommendations
  • CARL Intelligence uses profile and authentication data to track brand visibility across AI platforms including ChatGPT, Claude, Gemini, and Perplexity
  • Liberating Facilitator uses profile data only for authentication; it does not access Google Workspace, Search Console, or Analytics data

Service Improvement

  • Aggregated, de-identified usage data may be used to improve the functionality and reliability of our applications
  • We do not use individual Google user data to train AI or machine learning models without your explicit, separate consent

2.3 Data Sharing

Xponent21 does not sell, rent, or trade Google user data to third parties. We share data only in the following limited circumstances:

Service Providers

  • Trusted third-party service providers (cloud hosting, database, and analytics infrastructure) process data on our behalf under strict confidentiality agreements and are prohibited from using it for any independent purpose

Platform Integrations

  • Where you authorize integrations with third-party platforms (e.g., HubSpot, Supabase, Slack, Notion), data required to enable those integrations is shared with those platforms subject to their own privacy policies
  • You control which integrations are active and may revoke access at any time

Legal Requirements

  • We may disclose data if required by law, regulation, legal process, or enforceable governmental request, and will notify affected users where legally permitted

Business Transfers

  • In the event of a merger, acquisition, or asset sale, user data may transfer to the successor entity under the same privacy commitments described in this policy

2.4 Data Storage & Protection

Xponent21 takes appropriate technical and organizational measures to protect Google user data against unauthorized access, disclosure, alteration, or destruction.

Storage Infrastructure

  • User data is stored in secure, access-controlled cloud environments (primarily Supabase-backed infrastructure)
  • Data in transit is protected using industry-standard TLS encryption
  • Data at rest is encrypted using AES-256 or equivalent standards

Access Controls

  • Access to Google user data is restricted to Xponent21 personnel and contractors who require it to perform their role
  • All personnel with data access are subject to confidentiality agreements and data handling standards
  • We implement role-based access controls within our applications and infrastructure

Security Practices

  • OAuth tokens and credentials are stored securely and never transmitted in plaintext
  • We follow Google’s OAuth 2.0 security best practices, including token refresh, scope minimization, and explicit consent
  • We conduct periodic security reviews of our applications and infrastructure

2.5 Data Retention & Deletion

Retention Periods

  • Google OAuth tokens are retained only as long as necessary to maintain your active session or authorized integration, and are revoked upon account disconnection
  • User profile data (name, email) is retained for the duration of your account and deleted within 30 days of account closure
  • Application data associated with your Google account is retained for as long as your account is active or as required to deliver contracted services

Data Deletion Requests

You have the right to request deletion of your data at any time. To submit a request:

  • Email privacy@xponent21.com with the subject line “Data Deletion Request”
  • Include your name, email address, and the specific applications or data types you want deleted
  • We will confirm receipt within 5 business days and complete deletion within 30 days

Revoking Google Access

  • You may revoke Xponent21’s access to your Google account at any time via myaccount.google.com/permissions
  • Revocation immediately terminates our ability to access your Google data; previously collected data will be deleted per our standard retention schedule

 

3. Application-Specific Data Practices

The following disclosures describe data practices specific to each Xponent21 application and supplement the general Google API practices in Section 2.

3.1 CARL AIO

CARL AIO is Xponent21’s AI SEO retainer management and internal operations platform. It is used by the Xponent21 AI SEO team to manage client retainer accounts, coordinate work, and replace legacy tools such as Asana for the strategist team.

  • Google Scopes used: profile, email, Gmail (read, where authorized), Google Calendar (read/write, where authorized), Google Drive (read/write, where authorized), Google Search Console (read, where authorized), Google Analytics (read, where authorized)
  • Google Workspace data is used only to power operational workflows and client coordination features that you explicitly enable
  • Search Console and Analytics data is used to generate AI search visibility reports and optimization recommendations for client accounts
  • Access is restricted to authenticated Xponent21 personnel and authorized client contacts

3.2 CARL Writes

CARL Writes is Xponent21’s content workflow engine, built to support AI search optimization content production. It replaces AirOps for the strategist team and manages content pipelines from brief to publication.

  • Google Scopes used: profile, email, Google Drive (read/write, where authorized), Google Docs (read/write, where authorized), Google Sheets (read, where authorized)
  • Google Drive and Docs data is accessed only to support content drafting, storage, and delivery workflows that you explicitly enable
  • Google Sheets data is accessed to support content performance tracking and reporting where authorized
  • Content data is not shared across client accounts or used for any purpose beyond delivering the content workflow features you have authorized

3.3 Discover AIO

Discover AIO is a live community platform that builds AI search credibility and feeds leads into Xponent21’s AI SEO practice. It provides users with tools to discover their AI search visibility and understand how to improve it.

  • Google Scopes used: profile, email, Google Search Console (read, where authorized), Google Analytics (read, where authorized)
  • Search Console and Analytics data is used only to generate visibility reports and recommendations for the authenticated user’s connected properties
  • Data is not shared across user accounts or used to benchmark against other Discover AIO users without explicit consent
  • An agency-facing version of Discover AIO is in development; this policy will be updated to reflect its specific data practices upon launch

3.4 CARL Intelligence

CARL Intelligence is a prompt intelligence and brand visibility tracking tool that monitors how brands appear in AI-generated responses across ChatGPT, Claude, Gemini, and Perplexity. It is available as a free tier tool that drives leads into the CARL AIO AI SEO team.

  • Google Scopes used: profile, email
  • CARL Intelligence does not access Google Search Console, Gmail, Google Drive, Google Calendar, or Google Analytics data
  • Google credentials are used exclusively for authentication and account identification
  • Prompt tracking data and brand visibility results are stored securely and associated only with your account

3.5 Liberating Facilitator

Liberating Facilitator is a free meeting facilitation tool covering all 33 Liberating Structures. It is offered as a public resource and lead generation tool for Xponent21’s Development practice.

  • Google Scopes used: profile, email (where Google Sign-In is used)
  • Liberating Facilitator does not access Google Workspace, Search Console, Analytics, or any Google data beyond basic profile information for authentication
  • No facilitation session data is associated with or shared via your Google account

 

4. General Privacy Practices 

4.1 Information We Collect

In addition to Google user data, Xponent21 may collect:

  • Account registration information (name, email, organization, role)
  • Usage data (features used, session duration) to support product improvement
  • Communications you send to us (support requests, feedback)
  • Billing information for paid services, processed through secure third-party payment processors; Xponent21 does not store payment card data

4.2 Cookies & Tracking

Our applications use cookies and similar technologies for authentication, session management, and analytics. You may control cookie settings through your browser; disabling certain cookies may limit application functionality. 

4.3 Children’s Privacy

Xponent21’s applications are not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us at privacy@xponent21.com. 

4.4 Your Rights

Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, or restrict processing of your information. To exercise any of these rights, contact us at privacy@xponent21.com.

4.5 Third-Party Links

Our applications may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we encourage you to review their own privacy practices.

 

5. Contact Information

For questions, concerns, or data requests related to this Privacy Policy, please contact: 

Xponent21, LLC
Attn: Privacy Officer
Richmond, Virginia
Email: privacy@xponent21.com
Web: xponent21.com/privacy-policy

 

6. Updates to This Policy

This Privacy Policy was last updated on April 1, 2026. We may update this policy periodically to reflect changes in our applications, data practices, or legal requirements. Material changes will be communicated to users via email or in-application notice at least 30 days before taking effect.

Continued use of our applications after the effective date of any update constitutes acceptance of the revised policy.