Sticky Banner Visual Mobile 3

Spring deal: Get a free upgrade for 3 months on annual offers.

Spring deal: Free upgrade on annual offers. Claim now!

Claim Now!
  • Expressai-privacy-policy

Privacy Policy for ExpressAI

Powered by ExpressVPN

Your privacy is important to us. This Privacy Statement (the “Statement”) describes how ExpressAI, an artificial intelligence chat service operated by ExpressVPN (“ExpressAI,” “ExpressVPN,” the “Company,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal data and personal information when you access or use the ExpressAI service, website, or related features, materials, and services (collectively, the “Services”). This Statement also describes the rights and choices available to you under applicable data protection and privacy laws.

By accessing, using, or otherwise interacting with ExpressAI (the “Services”), you acknowledge and understand that any data processed in connection with your use of the Services is handled in accordance with this Privacy Policy (the “Privacy Policy”). This Privacy Policy describes the limited categories of data processed through the Services, the purposes for which such data is processed, and the safeguards implemented to protect user privacy. This Privacy Policy is intended to be read in conjunction with, and as a supplement to, the applicable terms of service governing ExpressAI.

1. Legal Framework and Operator

The Services are operated by ExpressVPN (“ExpressVPN,” “ExpressAI,” “we,” “us,” or “the Company”). For the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), ExpressVPN acts as the data controller. For the purposes of applicable United States privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), ExpressVPN acts as a business.

ExpressAI is designed and operated with privacy as a core principle. Our overriding policy is to process as little user data as technically and legally possible in order to provide a functional, secure, and privacy-preserving AI chat service.

2. Data That May Be Processed and How It Is Used

ExpressAI does not operate as a data-harvesting platform and does not process user data for advertising, profiling, or behavioral analysis. Data processing is limited to what is strictly necessary to provide, secure, and maintain the Services.

2.1 Core ExpressAI Processing Activities

In order to provide the Services, ExpressAI may process the following limited categories of data.

Account and Access Data. Where access to the Services requires authentication, the Company processes minimal account-level identifiers, such as an email address or subscription status, solely for the purpose of verifying access rights and maintaining session integrity. The legal basis for this processing under the GDPR and UK GDPR is the performance of a contract.

Chat Inputs and Outputs. User inputs are processed transiently for the sole purpose of generating responses. ExpressAI does not use user prompts or outputs for advertising, profiling, or marketing purposes. Chat content is not reviewed by humans as a matter of course. Where chat history is saved at the user’s direction, it is stored in a manner designed to prevent unauthorized access. The legal basis for this processing is the performance of a contract and, where applicable, the user’s explicit request.

Payment Information. If a paid subscription is purchased, payment processing is handled by third-party payment providers. ExpressAI does not store full payment card details. Any retained payment-related metadata is limited to what is necessary for billing, fraud prevention, and compliance purposes. The legal basis for this processing is the performance of a contract and compliance with legal obligations.

Security and Abuse Prevention Data. Limited technical data may be processed to detect, prevent, and mitigate abuse, fraud, or attempts to compromise the integrity or availability of the Services. The legal basis for this processing is ExpressVPN’s legitimate interest in protecting the Services and users.

2.2 Data Minimisation and Non-Use Commitments

ExpressAI does not intentionally collect precise geolocation data, advertising identifiers, or cross-service tracking data. ExpressAI does not sell personal data, does not share personal data for cross-context behavioral advertising, and does not use personal data to train advertising profiles.

3. Third-Party Processing

To operate the Services, ExpressVPN relies on a limited number of service providers acting as data processors. Such processors are contractually bound to process data solely on ExpressVPN’s instructions, to maintain confidentiality, and to implement appropriate security measures. Processors do not retain or use ExpressAI chat content for their own purposes.

Payment processing and customer support services may involve processing in jurisdictions outside the European Union or the United Kingdom. Where such transfers occur, they are governed by appropriate safeguards, including standard contractual clauses or equivalent lawful transfer mechanisms.

4. Data Disclosure

ExpressVPN does not voluntarily disclose user data to third parties. Any disclosure of personal data will occur only where ExpressVPN is legally required to do so pursuant to a binding and valid legal obligation, such as a court order or other lawful request issued by a competent authority. Disclosures are limited to the minimum data required by law.

5. User Rights and Control

Users may access, correct, delete, or export personal data associated with their ExpressAI account through the account interface or by contacting ExpressVPN support. Where accounts are suspended due to violations of applicable terms, users may still submit requests relating to their personal data, subject to legal limitations.

Under the GDPR and UK GDPR, users have the right to access, rectify, erase, restrict, or object to the processing of their personal data, as well as the right to data portability, subject to applicable conditions and exceptions. Users also have the right to lodge a complaint with a competent supervisory authority.

6. California Privacy Rights (CCPA/CPRA)

This section applies solely to residents of the State of California.

Under the CCPA/CPRA, California residents have the right to know what categories of personal information are collected and for what purposes, the right to request access to or deletion of personal information, the right to correct inaccurate personal information, and the right to limit the use or disclosure of sensitive personal information, where applicable.

ExpressAI collects only limited personal information necessary to provide and secure the Services, such as account identifiers, session data, and content voluntarily submitted by users. ExpressVPN does not sell personal information and does not share personal information for cross-context behavioral advertising. ExpressAI does not use or disclose sensitive personal information for purposes other than those expressly permitted by law.

California residents will not be discriminated against for exercising their privacy rights. Requests may be submitted using the contact details provided below and will be processed in accordance with applicable law, subject to identity verification.

7. Data Security

ExpressVPN implements technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, secure infrastructure design, and regular security assessments. While no system can be guaranteed to be completely secure, ExpressVPN is committed to maintaining a high standard of data protection consistent with the privacy-focused nature of the Services.

8. Data Retention

Personal data is retained only for as long as necessary to provide the Services, comply with legal obligations, and enforce applicable terms. When personal data is no longer required, it is deleted or irreversibly anonymized in accordance with internal retention policies.

9. Children

The Services are not directed to children and are not intended for use by individuals under the age of sixteen, or such higher age as may be required under applicable law. ExpressVPN does not knowingly collect personal data from children.

10. Modifications to This Privacy Policy

Within the limits of applicable law, ExpressVPN reserves the right to modify this Privacy Policy at any time. Users are responsible for reviewing the Privacy Policy periodically. Continued use of the Services following the effective date of any modification constitutes acceptance of the revised Privacy Policy.

11. Contact

Questions, concerns, or requests relating to this Privacy Policy or the processing of personal data may be directed to:

Data Protection Officer

ExpressVPN

Email: dpo@expressvpn.com

Where required by law, users may also lodge a complaint with the competent supervisory authority.

Get Started