Privacy Policy
Effective Date: April 11, 2026
Last Updated: June 14, 2026
1. Introduction
Three Grey Hairs LLC ("Company," "we," "us," or "our") operates the Exodus Cleric mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this policy, please contact us at chris@exoduscleric.com.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Who We Are
Three Grey Hairs LLC is the data controller responsible for your personal data collected through the Exodus Cleric Service. Our principal place of business is in the State of Nevada, United States.
- Email: chris@exoduscleric.com
- Website: www.exoduscleric.com
3. Information We Collect
3.1 Information You Provide Directly
- Account credentials: email address and password (passwords are encrypted and never stored in plain text)
- Profile information: name (optional), home state, exit state, transition date
- Location data by date: US state or foreign country for each day you log
- Notes: optional text notes associated with day entries
- Home and prior addresses: street address, city, state, and ZIP code (used to detect when GPS pings are near these locations)
- Apple Calendar event titles, locations, dates, and notes: read from your device when you choose to import calendar events. Parsing runs entirely on your device; only the state you confirm becomes part of your record, not the event content itself. Professional- and Executive-tier users have an optional per-event prompt to send a single ambiguous event to our AI assistant (Anthropic Claude) for state identification — this is a separate, explicit user action initiated only when an on-device parse fails.
- Photos and documents: receipts, utility bills, IDs, and similar files you upload as supporting evidence for day entries. Stored encrypted at rest; visible only to you and any advisor you grant access via a share link.
- Location pin drops: GPS coordinates and the short note you write describing why the location matters (e.g., a doctor visit). Stored with timestamps as part of your record.
- Two-factor authentication setup: if you enable 2FA, a TOTP secret and one-time backup codes are stored encrypted on our servers and on your device.
- Chat messages with our AI assistant: the text of any conversation you have with Claude inside the app. Messages are encrypted at rest in our database and sent to Anthropic to generate responses.
- Feedback messages: any feedback you submit via the in-app feedback form, along with device model, operating system, and app version metadata captured automatically to help us reproduce issues.
3.2 Information Collected Automatically
- Device information: device type, operating system version, unique device identifiers
- Usage data: features accessed, screens viewed, actions taken within the app
- Log data: IP address, browser type, pages visited (website only), date and time of access
- Crash reports and performance data: technical information to help us identify and fix issues
- Background GPS location captures: when you grant "Always" location permission and enable GPS polling, the app records approximate latitude and longitude at 8:00 AM, 6:00 PM, and 11:55 PM in your local time, along with reverse-geocoded state and address. These captures are used to suggest day entries you must still manually confirm.
- Anonymous aggregate analytics: if you opt in via Settings → Anonymous Insights, banded category-level events (no personally identifiable information) are recorded in a separate analytics database to help us understand product usage at the cohort level. You can opt out at any time.
3.3 Information from Third Parties
We receive information from the following third-party services:
- Apple: crash reports, App Store analytics, and performance metrics through Apple's standard developer tools. Users may opt out through iOS Settings.
- Stripe: payment confirmation and subscription status. We do not receive or store your full payment card numbers.
- RevenueCat: in-app purchase receipt validation and subscription lifecycle events for iOS purchases.
- Anthropic (Claude AI): receives the content of any messages you send our AI assistant. Professional- and Executive-tier users may also explicitly send a single calendar event (one at a time, per user opt-in) when on-device parsing cannot identify the state. Used only to generate responses or inferences returned to you; does not train Anthropic's models on your data under our service terms.
- Resend: handles transactional email delivery (welcome, password reset, onboarding drip). Email addresses are processed to deliver the message.
- Sentry: receives error and crash event metadata to help us debug issues. Personally identifying fields are scrubbed before transmission.
3.4 Future Data Collection (Not Currently Active)
The following capabilities are planned for future versions. We will update this Privacy Policy and obtain appropriate consents before activating these features:
- Voice data for voice-based entry features
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process and fulfill subscription payments
- Calculate and display your state residency analysis
- Generate alerts and notifications about your residency status
- Send transactional emails (account creation, password reset, subscription receipts)
- Respond to customer support inquiries
- Improve and develop new features of the Service
- Monitor and analyze usage patterns to improve user experience
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
We do not use your residency data, location history, or personal information for advertising purposes. We do not sell your personal information to third parties.
5. Legal Basis for Processing (California Residents)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information. We process your personal information under the following legal bases:
- Performance of a contract: Processing necessary to provide the Service you have subscribed to
- Legitimate interests: Improving our Service, preventing fraud, and ensuring security
- Compliance with legal obligations: Meeting our legal and regulatory requirements
- Consent: Where you have explicitly consented to specific processing activities
6. How We Share Your Information
6.1 Service Providers
We share your information with trusted third-party service providers who assist us in operating the Service:
- Supabase (Supabase Inc.): Database hosting and authentication services. Your data is stored on AWS infrastructure in the United States.
- Stripe (Stripe, Inc.): Payment processing. Stripe is PCI-DSS compliant and processes payment information directly.
- Vercel (Vercel Inc.): Website and API hosting. Vercel may log request metadata including IP addresses.
- Expo (Expo Technology Inc.): Mobile application build and distribution services.
- Anthropic (Anthropic, PBC): AI-powered document analysis (future feature). We will provide additional disclosure and obtain consent before activating this feature.
6.2 Professional Sharing
If you choose to use the advisor sharing feature, you may generate a secure link to share your residency data with a tax professional or attorney. This sharing is entirely voluntary, limited to read-only access, and revocable by you at any time. We do not share your data with professionals without your explicit action.
6.3 Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities. We will notify you of such disclosure to the extent permitted by law.
6.4 What We Do Not Do
- Sell your personal information to third parties
- Share your residency data or location history with data brokers
- Use your data for targeted advertising
- Share your information with your former state of residence or any tax authority
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service:
- Account data: Retained for the duration of your account plus 30 days after account deletion
- Day entry and residency data: Retained for the duration of your account, then permanently deleted 30 days after account deletion
- Payment records: Retained for 7 years as required by applicable tax and accounting laws
- Log data: Retained for 90 days for security and debugging purposes
You may request deletion of your data at any time. Note that we may be required to retain certain information for legal compliance purposes.
8. Data Security
We implement industry-standard security measures to protect your personal information:
- All data transmitted between the app and our servers is encrypted using TLS/SSL
- Passwords are hashed using industry-standard algorithms and never stored in plain text
- Authentication tokens are stored using iOS Secure Enclave via expo-secure-store
- Database access is protected by Row Level Security ensuring users can only access their own data
- Payment processing is handled entirely by Stripe, which maintains PCI-DSS Level 1 compliance
- Access to production systems is restricted to authorized personnel only
While we implement these safeguards, no method of transmission over the Internet is 100% secure. In the event of a data breach, we will notify you as required by applicable law including California Civil Code Section 1798.82.
9. Your Rights
9.1 Rights of California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request information about the personal information we have collected about you and how it is used
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to what is necessary to provide the Service
9.2 How to Exercise Your Rights
To exercise your rights, contact us at chris@exoduscleric.com with the subject line "Privacy Rights Request." We will respond within 45 days. We may need to verify your identity before processing your request.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us at chris@exoduscleric.com.
11. Third-Party Links and Services
The Service may contain links to third-party websites or services not owned or controlled by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.
12. International Data Transfers
Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction. We transfer data to the United States and process it there. By using the Service, you consent to this transfer. We take all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy.
13. Beta Program
If you are participating in our beta program, you have agreed to our Beta Participation Agreement in addition to this Privacy Policy. Beta users should be aware that:
- Beta versions of the Service may contain bugs or errors
- Beta data may be reset or deleted during the testing period
- We may collect additional diagnostic information during beta to improve the Service
- Feedback you provide during beta testing may be used to improve the Service
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of changes by posting the new policy on this page, updating the "Last Updated" date, and sending in-app notification or email for material changes. Your continued use of the Service after changes are posted constitutes your acknowledgment of those changes.
15. Contact Us
If you have any questions about this Privacy Policy, please contact us:
- Email: chris@exoduscleric.com
- Website: www.exoduscleric.com
- Mail: Three Grey Hairs LLC, 1580 Grand Point Way, #33932, Reno, NV 89533
For California residents exercising CCPA/CPRA rights, please include "Privacy Rights Request" in the subject line.