Privacy Policy - How Exodus Enterprises collects, uses, shares, secures, and retains personal data, with GDPR/UK GDPR and U.S. state privacy rights and controls.

September 30, 2025


Privacy Policy

At-a-Glance (Not a Substitute for the Full Policy)

  • DSR Acknowledgment: < 24 hours
  • Lawful Bases: Contract • Legal Duty • Legitimate Interests • Consent
  • Transfers: SCCs • IDTA • PIPL/CAC where applicable
  • Security: TLS • AES-256 • MFA • RBAC

How this Privacy Policy relates to other documents

This Privacy Policy complements our GDPR Compliance & Data Protection and Data Protection & Security pages and is incorporated by reference into our Terms of Service. In case of conflict for EEA/UK users, this Policy and the GDPR page control privacy matters.


Exodus Enterprises — Privacy Policy

Exodus Enterprises, LLC and our affiliates and subsidiaries ("Exodus," "we," "us," "our") are committed to privacy by design. This Policy explains what personal data we collect, how and why we use it, with whom we share it, how long we retain it, and what rights and controls you have.

Primary Contacts
• Website: exoclub.com
• Email: support@exoclub.com
• Phone: 1-833-271-2956
• Mailing: 1712 Pioneer Ave, Ste 105, Cheyenne, WY 82001, USA
• California Office (no in-person retail): 7535 Irvine Center Dr, Suite 200, Irvine, CA 92618, USA

GDPR Roles
• Controller: Exodus Enterprises, LLC

We sell regulated products (e.g., nicotine vapes, CBD/THC, kratom) only where lawful. Eligibility checks apply.


1) Scope

This Policy covers personal data processed via exoclub.com and related subdomains, ecommerce/wholesale flows, customer support, and marketing properties. Region-specific notices may supplement this Policy (see Section 13 for U.S. state privacy rights).


2) What we collect (data minimization)

We collect only what is necessary for specified purposes:

  • Identity & Contact: name, billing/shipping addresses, email, phone.
  • Account & Preferences: login credentials (password stored only as a hash), saved addresses, consent flags, communication choices.
  • Orders & Fulfillment: items purchased, timestamps, delivery notes; where supported and lawful, proof-of-delivery artifacts (timestamp/geotag and, if enabled, PoD photo designed to avoid faces/interiors).
  • Payment Metadata: tokenized identifiers, auth/capture results, refunds/chargebacks, risk signals. We do not store full card numbers.
  • Compliance & Eligibility: date of birth and verification outcomes; sanctions screening status; fraud-prevention signals.
  • Business Verification (Wholesale/regulated): legal entity (“Shop Information”), business address, industry classification, EIN/tax ID, reseller permits, authorized buyer identity, and government ID images/verification results when required by law or platform policy.
  • Marketing & Engagement (consent): subscriptions, open/click events, campaign attribution, referrals.
  • Technical & Usage: IP, device/browser, OS, cookie/SDK IDs, page interactions, error telemetry, coarse geolocation from IP.

We do not intentionally collect special-category data. If you include such data in free-text fields, we minimize or delete it unless a clear legal ground applies.


3) Sources of data

  • You (checkout, forms, support, events, opt-ins)
  • Automated means (cookies/SDKs; see Section 10)
  • Processors/partners (payments, carriers/3PLs, address validation, age/business verification)
  • Lawful third-party sources (sanctions lists, address databases) where permitted

4) Why we use data (purposes) & our lawful bases

  • Commerce & Fulfillment (contract): checkout, payments, shipping, returns, support.
  • Compliance & Risk (legal obligation/legitimate interests): age/eligibility checks; business verification (IDs/EIN/permits); sanctions screening; product safety; tax/accounting.
  • Security & Fraud Prevention (legitimate interests): abuse detection, service protection, rate-limiting, troubleshooting.
  • Product Improvement & Analytics (legitimate interests/consent): service quality, A/B tests, performance monitoring, with privacy controls and opt-outs.
  • Marketing/Ads & Personalization (consent): email/SMS, audience measurement, partner programs.
  • Disputes/Chargebacks (contract/legitimate interests): representment and evidence handling consistent with card/ACH rules.

Automated checks & profiling

We use automated signals for fraud and eligibility gating. These do not produce legal or similarly significant effects without human review. You may request human intervention and contest a decision.


5) Sharing & disclosure

We share personal data with:

  • Processors under DPAs and instructions:
    WordPress/WooCommerce (CMS/ecommerce), Vercel (hosting/CDN/edge), Salesforce & Pardot/Account Engagement (CRM/B2B MA), Klaviyo (email/SMS orchestration), Authorize.net and Chargent (payments orchestration), AWS and Hetzner (infrastructure/analytics jobs), carriers/3PLs/label & tracking platforms, security/support tools (WAF/CDN, bot mitigation, error logging, ticketing).
  • Affiliates/Subsidiaries/Manufacturing or Co-Marketing Partners:
    For products they manufacture or that we sell/fulfill on their behalf, we may process payments through their merchant accounts/gateways and share only the minimum data needed for verification, fulfillment, support, recalls/warranties, and compliance.
  • Independent third parties for their own marketing only if you opt in (granular, revocable).
  • Authorities/Legal: where required by law or to protect rights, users, and the public.
  • Corporate transactions: as part of a merger, acquisition, financing, or sale, subject to confidentiality and continued protections.

We do not sell your data in the conventional sense. Under U.S. state privacy laws, certain “sharing” for cross-context behavioral advertising may occur only with consent and can be opted out of at any time (see Section 13).


6) International transfers & safeguards

Where data is transferred outside the EEA/UK (including to the U.S. and China), we use appropriate safeguards:

  • EU SCCs (2021/914) with required modules and annexes;
  • UK IDTA or UK Addendum to SCCs;
  • Supplementary measures: encryption in transit/at rest, access controls, minimization/pseudonymization, TIAs aligned with EDPB guidance;
  • China (PIPL): where partners/processors are subject to PIPL, appropriate CAC cross-border mechanisms (e.g., standard contract filings/security assessments) are expected, in addition to EU/UK safeguards when EEA/UK data is involved.

7) Security

We maintain appropriate technical/organizational measures: TLS, AES-256 (or equivalent) at rest where applicable, MFA for privileged access, least-privilege IAM, network segmentation, RBAC, code reviews, vulnerability scanning, periodic pen-tests, incident response with 72-hour regulator notice when required (GDPR Arts. 33–34).


8) Retention

We keep data only as long as needed or required by law, then securely delete or anonymize it. A summary is below; additional internal schedules apply.

Core retention periods

Data Type | Retention Period | Legal Basis
Account Information | Active account + 2 years | Contract
Order/Invoice Records | 7–10 years (jurisdiction dependent) | Legal obligation
Age/Eligibility Verification | Statutory period only | Legal obligation
Business Verification (IDs/EIN/Permits) | Statutory + limitation period (typically 5–10 years after last transaction) | Legal obligation / Legitimate interests
Proof-of-Delivery Artifacts | Until dispute/claims windows close, then minimized | Legitimate interests / Legal obligation
Marketing Subscriptions & Logs | Until consent withdrawn or inactivity threshold | Consent
Support Tickets | 3 years | Legitimate interests
Security Logs | 1 year | Legitimate interests

9) Telephony, recordings, and optional channels

We use Nextiva for telephony. Where lawful, calls may be recorded for quality/compliance (see Phone Policy). With your request/consent, we may communicate via WhatsApp or iMessage; content uses end-to-end encryption but service metadata may be processed by those platforms. You can opt to use email/phone only.

Channel choice

Core order communications do not require WhatsApp or iMessage. Tell support if you prefer not to use them.


10) Cookies, SDKs, and analytics

We use:

  • Strictly Necessary (essential for checkout, authentication, availability, fraud).
  • Performance/Analytics (only with consent): Google Analytics, PostHog (deployed with privacy-enhancing settings).
  • Marketing/Advertising (only with consent): audience measurement and personalization.

Manage preferences via our cookie banner or your browser settings. You can withdraw consent at any time without affecting purchases.

Respect for signals

We honor browser-level opt-out signals where required (e.g., Global Privacy Control in California).


11) Children’s data

Our Services are not directed to children. We do not knowingly collect personal data from individuals under 16 (or higher local age as required). If you believe a minor provided data, contact us to delete it.


12) Your rights (EEA/UK)

Subject to conditions/exemptions, you may request: access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests and to direct marketing at any time). Where processing relies on consent, you may withdraw it at any time.

  • How to exercise: email support@exoclub.com or call 1-833-271-2956.
  • We acknowledge in < 24 hours and respond within one month; complex cases may be extended by up to two months with notice.
  • We may request reasonable information to verify your identity.

13) U.S. State Privacy Rights (including California CPRA)

If you reside in a state with a comprehensive privacy law (e.g., California, Colorado, Connecticut, Virginia, Utah), you may have some or all of the following rights: access/know, correct, delete, data portability, and the right to opt out of:

  • “Sale” of personal information (as defined by law),
  • “Sharing” for cross-context behavioral advertising (targeted ads), and
  • Profiling for decisions producing legal or similarly significant effects.

We do not sell personal information in the conventional sense. Some analytics/ads uses may be considered “sharing.” You can opt out via:

  • The cookie banner/preferences;
  • A “Do Not Sell or Share My Personal Information” link (where provided);
  • The Global Privacy Control (GPC) signal, which we honor for browser-level opt-outs in California.

Sensitive Personal Information (e.g., government ID images used for age/business verification) is used only for permitted purposes (security/eligibility/compliance) and not for additional purposes without consent. We do not use SPI to infer characteristics about you.

To exercise or appeal a decision, contact support@exoclub.com. You also may lodge a complaint with your state attorney general.


14) Payments & affiliate/partner merchants of record

Payments are processed by Authorize.net and/or via Chargent within Salesforce. Where a subsidiary/affiliate/partner fulfills your order, payment may be processed through that entity’s approved gateway/merchant account. We receive tokens and metadata, not full PANs. Card network/ACH rules apply to retries and representment (see Terms of Service §§ 5–7).


15) Proof of delivery; photos & geotags (minimization)

For certain deliveries or regulated goods, we may collect timestamp/geotag and a PoD photo that avoids faces/interiors where feasible. These artifacts are retained only through dispute/claims windows and then minimized or deleted per Section 8.


16) Changes to this Policy

We update this Policy when our practices or laws change. We will communicate material changes through reasonable means and update the effective date above.


17) How to contact us & complaints

Data Subject Requests / Privacy Questions
• Email: support@exoclub.com
• Phone: 1-833-271-2956

Supervisory Authorities
EEA/UK users may lodge complaints with a Data Protection Authority (e.g., the UK ICO). A list of EEA DPAs is available from the European Data Protection Board.




Author

Legal Team