GDPR Compliance & Data Protection - How Exodus Enterprises complies with the GDPR/UK GDPR and protects your personal data across our sites, storefronts, and services.

September 30, 2025

Compliance

GDPR Compliance & Data Protection


Exodus Enterprises (“Exodus”, “we”, “us”, “our”) is committed to rigorous privacy and data protection under the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR. This page explains in detail how we collect, use, share, store, secure, and transfer your personal data when you interact with exoclub.com, our ecommerce storefronts, and our support and marketing channels. It also explains your rights and how to exercise them.

GDPR Compliance Snapshot

  • DSR acknowledgment: < 24 hours
  • DPIA coverage: 100%
  • Encryption standard: TLS / AES-256
  • Security audits: annual

What is GDPR?

GDPR and the UK GDPR grant strong rights to individuals and impose strict obligations on organizations. Core principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. For independent guidance, see the EU GDPR portal, the European Data Protection Board, and the UK Information Commissioner’s Office.


1. Who we are and how to contact us

Headquarters (Mailing)
1712 Pioneer Ave, Ste 105
Cheyenne, WY 82001, USA

California Office (No in-person retail)
7535 Irvine Center Dr, Suite 200
Irvine, CA 92618, USA

Controller: Exodus Enterprises

If you are in the EEA or UK, you can reach us at support@exoclub.com for GDPR-related matters.


2. Scope and audience

This notice applies to personal data we process via exoclub.com and related subdomains (including help.exoclub.com), our ecommerce and fulfillment flows, customer support, and our marketing properties. It primarily addresses individuals in the EEA and UK whose data is processed under GDPR/UK-GDPR. If local law requires additional disclosures, we will publish region-specific addenda and link them here.

Regulated products: We sell recreational/alternative products (for example, nicotine vapes, CBD/THC, kratom) where lawful. We implement age/eligibility checks and apply jurisdiction-specific compliance controls.


3. Definitions we rely on

  • Personal data: any information relating to an identified or identifiable person.
  • Controller: determines purposes/means of processing.
  • Processor: processes personal data on the controller’s documented instructions.
  • Joint controllers: jointly determine purposes/means for a defined initiative (Art. 26 GDPR).
  • International transfer: moving personal data outside the EEA/UK.
  • SCCs: Standard Contractual Clauses (EU mechanism for international transfers).
  • IDTA: UK International Data Transfer Agreement (or UK Addendum to SCCs).
  • PIPL/CAC: China’s Personal Information Protection Law and Cyberspace Administration of China transfer mechanisms.

4. Principles we follow

We process personal data in accordance with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. These guide concrete design decisions, vendor vetting, minimization of fields, role-based access controls, and deletion routines.


5. What personal data we collect

We practice data minimization and collect only what is necessary for specified purposes:

  • Identity & contact: name, billing/shipping address, email, phone.
  • Account & preferences: account credentials (hashed), saved addresses, communication choices, consent flags.
  • Orders & fulfillment: items purchased, order timestamps, delivery instructions, returns; where supported and lawful, proof-of-delivery artifacts (timestamp/geo and, if enabled, photo designed to avoid faces/interiors).
  • Payment metadata: tokenized payment identifiers, authorization results, refund/chargeback metadata. We do not store full card numbers.
  • Compliance & eligibility: date of birth and verification outcomes for regulated products, sanctions screening status, fraud-prevention signals.
  • Business customer verification (B2B nicotine or wholesale): business name (“shop info”), trading name, business address, industry classification, EIN or local tax ID numbers, reseller permits where applicable, authorized buyer identity (name, role, work email/phone), and government ID images/verification results when required to confirm legal purchasing eligibility.
  • Marketing & engagement: subscription status, open/click events, campaign attribution, referral data.
  • Technical & usage: IP address, device/browser type, OS, cookie/SDK identifiers, pages viewed, session logs, coarse location inferred from IP, error telemetry.

We do not intentionally solicit special-category data (e.g., health, religion). If you include such details in free-text fields, we minimize or delete them unless a clear legal ground applies.


6. How we obtain data

  • Directly from you: checkout, account creation, support channels, forms, events, email/SMS opt-ins.
  • Automatically: cookies/SDKs and similar technologies on our sites and in emails (see Section 13).
  • From processors/partners: payment processors, carriers/3PLs, address validation, fraud/age verification services.
  • Lawful third-party sources: address databases, sanctions lists, and other compliance resources, where permitted.

7. Our lawful bases for processing

  • Contract (Art. 6(1)(b)) — taking steps at your request and performing orders: checkout, payments, delivery, customer support.
  • Legal obligation (Art. 6(1)(c)) — tax/accounting retention, consumer protection, age/eligibility checks for restricted products, sanctions compliance, and business identity verification obligations where applicable.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, service protection and security monitoring, product improvement, internal analytics/reporting; implemented with balancing tests and controls. You can object (see Section 17).
  • Consent (Art. 6(1)(a)) — email/SMS marketing, non-essential cookies/SDKs, and any disclosure of your data to independent third parties for their own marketing or independent purposes. Consent is granular, informed, and revocable at any time without affecting your purchases.

Automated checks and profiling

We use automated signals (for example, fraud and age/business gating). These do not produce legal or similarly significant effects without human review. You may request human intervention and contest a decision.


8. What we do with your data

  • Commerce & fulfillment: order processing, payment authorization, shipping, delivery confirmation, returns/exchanges, chargebacks.
  • Customer care: responding to inquiries, account administration, service notifications, warranty/recall communications.
  • Compliance & risk: age/eligibility checks, business customer verification (EIN/tax ID, reseller permits, government ID where required), product safety monitoring, sanctions screening, regulatory reporting, fraud prevention.
  • Marketing (with consent): newsletters, offers, product updates, personalized recommendations, audience measurement.
  • Product quality & site improvement: analytics, A/B testing, error debugging, performance monitoring, security telemetry.

9. Our processors and core platforms

We engage processors under Data Processing Agreements (DPAs) requiring confidentiality, security, purpose limitation, and return/deletion at end of service.

9.1 WordPress & WooCommerce (CMS & ecommerce)

Storefront content, cart/checkout, extensions for taxes, shipping, and fraud-prevention where applicable.
Policies: automattic.com/privacy, woocommerce.com/document/woocommerce-and-gdpr

9.2 Vercel (hosting/CDN/edge)

Build/host pipeline and edge delivery for parts of our web infrastructure.
Policy: vercel.com/legal/privacy-policy

9.3 Salesforce Sales Cloud & Pardot/Account Engagement (CRM & B2B MA)

Lead, account, opportunity management; B2B marketing flows.
DPA: salesforce.com/data-processing-addendum.pdf

9.4 Klaviyo (email/SMS orchestration)

Consent capture, subscriptions, segmentation, campaign and transactional messaging (where permitted).
Policy: klaviyo.com/privacy

9.5 Authorize.net & Chargent (payments orchestration)

  • Authorize.net: gateway tokenization, authorization, capture, settlement; dispute/chargeback metadata. Overview: authorize.net
  • Chargent (Salesforce managed package): orchestration/routing to supported gateways (including Authorize.net), token vaulting in the Salesforce context, and recurring charges where configured. Vendor: appfrontier.com (where AppFrontier’s Chargent is used)

Exodus does not store full PANs. Payment data flows follow the PCI-DSS responsibilities defined by the PSP/gateway and our DPA arrangements.

9.6 AWS (infrastructure/processing for analytics & internal ops)

We use Amazon Web Services for secure infrastructure supporting analytics processing, internal batch jobs, and resilient storage for certain logs or datasets with strict access controls and encryption at rest/in transit.
Policies & compliance center: aws.amazon.com/compliance/programs/

9.7 Hetzner (infrastructure for analytics & internal ops)

We use Hetzner for secure infrastructure supporting analytics or internal workloads, with encryption and minimized data scopes.
Policy: hetzner.com/legal/privacy-policy

9.8 DocuSign (electronic signatures)

We use DocuSign for secure electronic signature workflows on contracts, agreements, and authorized documents. DocuSign processes signer information (name, email, signature data) and maintains audit trails.
Policy: docusign.com/company/privacy-policy
DPA: docusign.com/trust/data-processing-addendum

9.9 Fulfillment & carriers

Carriers, courier networks, label/track platforms, and 3PLs (with minimized delivery data and lawful proof-of-delivery).

9.10 Security & support

Helpdesk/ticketing, WAF/CDN, bot mitigation, error logging, and operational monitoring.


10. Analytics and insights platforms

We use analytics only with your consent via our cookie banner or preference tools.

10.1 Google Analytics

Used to understand site usage and improve services.
How Google uses personal information: google.com/intl/en/policies/privacy/
Opt-out browser add-on: tools.google.com/dlpage/gaoptout
We configure GA with privacy controls such as limited retention and IP controls where available.

10.2 PostHog

Product analytics and event insights to improve user experience.
Privacy policy: posthog.com/privacy
We prefer privacy-enhancing settings (for example, masking, minimized event properties, shorter retention) and may deploy regional hosting options where appropriate.

Important: Analytics and marketing cookies/SDKs are not set unless you consent. You can withdraw consent at any time via our cookie banner/preferences or your browser settings.


11. Telephony & messaging channels

We communicate with clients through several channels. By default we minimize the personal data processed via each channel and apply role-based access, logging, and retention consistent with this notice.

11.1 Nextiva (telephony)

We use Nextiva for phone systems (contact center/VoIP). See our separate Phone Policy for call recording/configuration details, if applicable.
Nextiva information: nextiva.com

11.2 WhatsApp (optional client messaging)

If a client requests or agrees, select communications may occur via WhatsApp. End-to-end encryption applies to message content between endpoints; however, metadata may be processed by WhatsApp/Meta per their policies.
WhatsApp privacy: whatsapp.com/legal/privacy-policy

11.3 iMessage (optional client messaging)

If a client requests or agrees, select communications may occur via iMessage. Apple’s end-to-end encryption applies to message content between endpoints; service metadata may be processed per Apple’s policies.
Apple privacy: apple.com/legal/privacy/

Channel choice: You can choose not to use WhatsApp or iMessage and may request email or phone only. Core order communications do not require these optional channels.


12. Third-party marketing and data exchange

We will only share your personal data with independent third parties (including partners) for those parties’ own marketing or independent purposes if you have explicitly opted in.

  • Consent is granular (per partner/purpose/channel), informed, and revocable at any time via our preferences or by contacting us.
  • Your ability to purchase from us is not conditioned on providing this consent.
  • We propagate unsubscribes/suppressions downstream to processors involved in messaging, where technically feasible.

Carrier notifications: We may share your contact details with carriers solely to complete delivery and related notifications (processor role). This is not “third-party marketing.”


13. Cookies, SDKs, and similar technologies

We use the following categories:

  • Strictly necessary: essential for checkout, authentication, availability, and fraud prevention.
  • Performance/analytics: to understand site use and make improvements — only with consent.
  • Marketing/advertising: to measure campaigns and personalize messaging — only with consent.

Manage preferences through our cookie banner and your browser settings. Guidance from regulators:


14. International transfers and safeguards

Where personal data is transferred outside the EEA or UK — including to the United States, China, and other countries without an adequacy decision — we implement appropriate safeguards:

  • EU: European Commission Standard Contractual Clauses (SCCs) 2021/914 with required modules and annexes.
  • UK: International Data Transfer Agreement (IDTA) or UK Addendum to SCCs.
  • Supplementary measures: encryption in transit and at rest, strict access controls, data minimization/pseudonymization, purpose limitation, vendor due diligence, and Transfer Impact Assessments (TIAs) aligned with EDPB Recommendations 01/2020.

China-specific note: For partners/processors in China subject to the Personal Information Protection Law (PIPL), we expect use of appropriate CAC cross-border transfer mechanisms (for example, CAC standard contract filings or security assessments) where required. These obligations are in addition to EU/UK safeguards when EEA/UK data is involved.


15. Security controls

We maintain layered technical and organizational measures appropriate to risk:

  • Technical: TLS for data in transit; AES-256 (or equivalent) at rest where applicable; hardened key management; MFA for privileged access; network segmentation; least-privilege IAM; rate limiting; secure SDLC; backups and DR; vulnerability scanning; periodic penetration testing.
  • Organizational: trained personnel; confidentiality undertakings; access reviews; change-management; vendor security reviews; incident response with 72-hour supervisory authority notification where required (Arts. 33–34 GDPR).
  • Data minimization: minimizing fields shared with carriers and partners, hashing emails for certain analytics/attribution contexts (with consent), and strict retention schedules.

16. Data retention and deletion

We keep personal data only as long as necessary for the stated purpose or as required by law. We periodically review stores and securely delete or anonymize data that is no longer needed.

Core retention periods (additional internal schedules apply). We retain only what is necessary and required by applicable law.
Data Type | Retention Period | Legal Basis
Account Information | Active account + 2 years | Contract
Order/Invoice Records | 7–10 years (jurisdiction dependent) | Legal obligation
Age/Eligibility Verification | Required statutory period only | Legal obligation
Business Customer Verification (IDs/EIN/Permits) | Statutory period for regulated-product purchasing + limitation period for legal claims (typically 5–10 years after last transaction, depending on jurisdiction) | Legal obligation / Legitimate interests
Proof-of-Delivery Artifacts | Until disputes/claims windows close, then minimized | Legitimate interests / Legal obligation
Marketing Subscriptions & Logs | Until consent withdrawn or inactivity threshold | Consent
Support Tickets | 3 years | Legitimate interests
Security Logs | 1 year | Legitimate interests

Why we retain business verification longer: Regulated/nicotine wholesale transactions may require us to evidence eligibility, tax status, and due diligence for authorities or legal claims. We therefore keep limited verification records for the statutory period plus relevant limitation periods, then minimize or delete.


17. Your privacy rights (EEA/UK)

Subject to conditions and legal exemptions, you may exercise:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion when conditions apply.
  • Restriction — limit processing in specific scenarios.
  • Portability — receive data in a structured, commonly used, machine-readable format.
  • Object — to processing based on legitimate interests and to direct marketing at any time.
  • Withdraw consent — for processing based on consent; withdrawal does not affect prior lawful processing.
  • Automated decisions — request human review, express your view, and contest outcomes.

Important limitations

The right to erasure is not absolute. We may retain certain records to comply with legal obligations (for example, tax and accounting; regulated-product purchasing evidence), resolve disputes, or enforce agreements.


18. How to exercise your rights

We acknowledge requests within 24 hours and respond within one month of receipt. For complex requests, we may extend by up to two additional months and will notify you. We may request reasonable information to verify your identity.

Exercising your GDPR/UK GDPR rights
Request Type | Standard Response Time | What we may need from you
Access | 1 month | Identity verification
Rectification | 72 hours | Details showing what to correct
Erasure | 1 month | Legal basis review
Portability | 1 month | Target controller details
Restriction | 72 hours | Context of dispute/verification
Objection (Legitimate Interests/Marketing) | 1 month (marketing: immediate) | Your specific grounds or opt-out

Speed up verification

Include the email used on your account, recent order number(s), approximate order dates, and—if requested for age/ID or business verification—limited proof solely for verification.


19. Records of processing, DPIAs, and TIAs

  • Records of Processing Activities (ROPA): We maintain Art. 30 GDPR-compliant records describing categories of data subjects, personal data, purposes, recipients, transfers, safeguards, and retention.
  • DPIAs: We assess high-risk processing (for example, regulated product flows, age/business verification, fraud controls) following guidance from the EDPB and ICO.
  • TIAs: For international transfers, we perform Transfer Impact Assessments and implement technical/contractual/organizational measures in line with risk.

20. Transparency about vendors and roles

We keep an up-to-date vendor and partner inventory and role mapping. A current list is available on request.

High-level vendor/partner roles and safeguards
Category | Examples | Role under GDPR | Key Safeguards
CMS & Ecommerce | WordPress, WooCommerce | Processor | DPA; SCCs/IDTA + TOMs; Automattic Privacy
Hosting/CDN/Edge | Vercel | Processor | DPA; SCCs/IDTA + TOMs; Vercel Privacy
Cloud IaaS / Analytics Jobs | AWS, Hetzner | Processor | DPA; SCCs/IDTA; encryption; access restriction
CRM & Marketing Automation | Salesforce, Pardot/Account Engagement, Klaviyo | Processor | DPA; SCCs/IDTA + TOMs
Analytics/Insights | Google Analytics, PostHog | Processor | Consent only; DPA; SCCs/IDTA; GA opt-out add-on
Payments & Orchestration | Authorize.net, Chargent | Processor | PCI alignment via PSP; tokenization; DPA; SCCs/IDTA
Fulfillment & Carriers | Carriers, 3PLs, label/track platforms | Processor | Minimized delivery data; PoD controls; DPA
Telephony | Nextiva | Processor | DPA; SCCs/IDTA; see Phone Policy
Electronic Signatures | DocuSign | Processor | DPA; SCCs/IDTA; audit trails; encryption
Messaging (optional) | WhatsApp, iMessage | Independent Platforms | E2EE for content; platform policies apply; metadata may be processed
Security & Support | Helpdesk, WAF/CDN, bot mitigation, error logging | Processor | DPA; SCCs/IDTA; strict access control
Manufacturing/Co-Marketing Partners | Select partners incl. China | Independent or Joint Controller | SCCs/IDTA + PIPL/CAC where applicable; opt-in for independent marketing

Analytics disclosure: “We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.”
For PostHog, see: posthog.com/privacy.


21. Disclosures required by law

We may disclose personal data where required by law, regulation, or legal process, including to competent authorities, courts, and regulators, or to protect our legal rights, users, and the public. We narrowly tailor such disclosures and record them where appropriate.


22. Complaints and supervisory authorities

We aim to resolve concerns promptly. You also have the right to lodge a complaint with your local Data Protection Authority in the EEA/UK (for example, the ICO in the UK: ico.org.uk/make-a-complaint). See the European Data Protection Board members directory: edpb.europa.eu.


Our properties may link to third-party sites with their own privacy practices. Review those policies; this notice does not cover their processing. For additional platform privacy resources, see CNIL: cnil.fr/en.


24. Changes to this notice

We update this notice when our practices or laws change. We will communicate material changes through our usual channels and reflect the new effective date below.

Effective date: September 30, 2025
Version: 1.0

Topics

  • GDPR
  • UK GDPR
  • Privacy
  • Data Protection
  • International Transfers
  • Security

Author

Legal Team