Privacy Policy for ExpressAI

Powered by ExpressVPN

Your privacy is important to us. This Privacy Statement (the "Statement") describes how ExpressAI, an artificial intelligence chat service operated by ExpressVPN ("ExpressAI," "ExpressVPN," the "Company," "we," "us," or "our"), collects, uses, discloses, and otherwise processes personal data and personal information when you access or use the ExpressAI service, website, or related features, materials, and services (collectively, the "Services"). This Statement also describes the rights and choices available to you under applicable data protection and privacy laws.

By accessing, using, or otherwise interacting with ExpressAI (the "Services"), you acknowledge and understand that any data processed in connection with your use of the Services is handled in accordance with this Privacy Policy (the "Privacy Policy"). This Privacy Policy describes the limited categories of data processed through the Services, the purposes for which such data is processed, and the safeguards implemented to protect user privacy. This Privacy Policy is intended to be read in conjunction with, and as a supplement to, the applicable terms of service governing ExpressAI.

1. Legal Framework and Operator

The Services are operated by ExpressVPN ("ExpressVPN," "ExpressAI," "we," "us," or "the Company"). For the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), ExpressVPN acts as the data controller. For the purposes of applicable United States privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), ExpressVPN acts as a business.

ExpressAI is designed and operated with privacy as a core principle. Our overriding policy is to process as little user data as technically and legally possible in order to provide a functional, secure, and privacy-preserving AI chat service.

2. Data That May Be Processed and How It Is Used

ExpressAI does not operate as a data-harvesting platform and does not process user data for advertising, profiling, or behavioral analysis. Data processing is limited to what is strictly necessary to provide, secure, and maintain the Services.

2.1 Core ExpressAI Processing Activities

In order to provide the Services, ExpressAI may process the following limited categories of data.

Account and Access Data. Where access to the Services requires authentication, the Company processes minimal account-level identifiers, such as an email address or subscription status, solely for the purpose of verifying access rights and maintaining session integrity. The legal basis for this processing under the GDPR and UK GDPR is the performance of a contract.

Chat Inputs and Outputs. User inputs are processed transiently for the sole purpose of generating responses. ExpressAI does not use user prompts or outputs for advertising, profiling, or marketing purposes. Chat content is not reviewed by humans as a matter of course. Where chat history is saved at the user's direction, it is stored in a manner designed to prevent unauthorized access. The legal basis for this processing is the performance of a contract and, where applicable, the user's explicit request.

Payment Information. If a paid subscription is purchased, payment processing is handled by third-party payment providers. ExpressAI does not store full payment card details. Any retained payment-related metadata is limited to what is necessary for billing, fraud prevention, and compliance purposes. The legal basis for this processing is the performance of a contract and compliance with legal obligations.

Security and Abuse Prevention Data. Limited technical data may be processed to detect, prevent, and mitigate abuse, fraud, or attempts to compromise the integrity or availability of the Services. The legal basis for this processing is ExpressVPN's legitimate interest in protecting the Services and users.

2.2 Data Minimisation and Non-Use Commitments

ExpressAI does not intentionally collect precise geolocation data, advertising identifiers, or cross-service tracking data. ExpressAI does not sell personal data, does not share personal data for cross-context behavioral advertising, and does not use personal data to train advertising profiles.

3. Third-Party Processing

To operate the Services, ExpressVPN relies on a limited number of service providers acting as data processors. Such processors are contractually bound to process data solely on ExpressVPN's instructions, to maintain confidentiality, and to implement appropriate security measures. Processors do not retain or use ExpressAI chat content for their own purposes.

Payment processing and customer support services may involve processing in jurisdictions outside the European Union or the United Kingdom. Where such transfers occur, they are governed by appropriate safeguards, including standard contractual clauses or equivalent lawful transfer mechanisms.

4. Data Disclosure

ExpressVPN does not voluntarily disclose user data to third parties. Any disclosure of personal data will occur only where ExpressVPN is legally required to do so pursuant to a binding and valid legal obligation, such as a court order or other lawful request issued by a competent authority. Disclosures are limited to the minimum data required by law.

5. User Rights and Control

Users may access, correct, delete, or export personal data associated with their ExpressAI account through the account interface or by contacting ExpressVPN support. Where accounts are suspended due to violations of applicable terms, users may still submit requests relating to their personal data, subject to legal limitations.

Under the GDPR and UK GDPR, users have the right to access, rectify, erase, restrict, or object to the processing of their personal data, as well as the right to data portability, subject to applicable conditions and exceptions. Users also have the right to lodge a complaint with a competent supervisory authority.

6. California Privacy Rights (CCPA/CPRA)

This section applies solely to residents of the State of California.

Under the CCPA/CPRA, California residents have the right to know what categories of personal information are collected and for what purposes, the right to request access to or deletion of personal information, the right to correct inaccurate personal information, and the right to limit the use or disclosure of sensitive personal information, where applicable.

ExpressAI collects only limited personal information necessary to provide and secure the Services, such as account identifiers, session data, and content voluntarily submitted by users. ExpressVPN does not sell personal information and does not share personal information for cross-context behavioral advertising. ExpressAI does not use or disclose sensitive personal information for purposes other than those expressly permitted by law.

California residents will not be discriminated against for exercising their privacy rights. Requests may be submitted using the contact details provided below and will be processed in accordance with applicable law, subject to identity verification.

7. Data Security

ExpressVPN implements technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, secure infrastructure design, and regular security assessments. While no system can be guaranteed to be completely secure, ExpressVPN is committed to maintaining a high standard of data protection consistent with the privacy-focused nature of the Services.

8. Data Retention

Personal data is retained only for as long as necessary to provide the Services, comply with legal obligations, and enforce applicable terms. When personal data is no longer required, it is deleted or irreversibly anonymized in accordance with internal retention policies.

9. Children

The Services are not directed to children and are not intended for use by individuals under the age of sixteen, or such higher age as may be required under applicable law. ExpressVPN does not knowingly collect personal data from children.

10. Modifications to This Privacy Policy

Within the limits of applicable law, ExpressVPN reserves the right to modify this Privacy Policy at any time. Users are responsible for reviewing the Privacy Policy periodically. Continued use of the Services following the effective date of any modification constitutes acceptance of the revised Privacy Policy.

11. Contact

Questions, concerns, or requests relating to this Privacy Policy or the processing of personal data may be directed to:

Data Protection Officer
ExpressVPN
Email: dpo@expressvpn.com

Where required by law, users may also lodge a complaint with the competent supervisory authority.

Cookie Policy for ExpressAI

Last Updated: January 28, 2026

1. Purpose and Scope

This Cookie Policy ("Policy") describes the use of cookies and browser-based storage technologies by ExpressAI, an artificial intelligence chat service operated by ExpressVPN ("ExpressAI," "we," "us," or "our"), in connection with users' access to and use of the service.

This Policy is intended to satisfy applicable transparency obligations under Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), Directive 2002/58/EC as amended (the "ePrivacy Directive" or "Cookie Law"), and all other applicable data protection and privacy laws.

ExpressAI deploys exclusively first-party cookies and storage mechanisms that are strictly necessary for the provision, security, and integrity of the service. ExpressAI does not employ analytics cookies, advertising cookies, tracking pixels, fingerprinting technologies, or third-party tracking mechanisms of any kind.

2. Definition of Cookies and Storage Technologies

"Cookies" are small text files placed on a user's device by a website or application for the purpose of enabling core technical functionality. Browser storage technologies, including localStorage and sessionStorage, serve analogous functional purposes, either persistently or for the duration of a browser session.

3. Cookies and Storage Technologies in Use

All cookies and storage items described below are first-party, strictly necessary for the operation of ExpressAI, and exempt from consent requirements pursuant to GDPR Recital 32 and Article 5(3) of the ePrivacy Directive, as they are essential to the provision of the service expressly requested by the user.

Type | Name / Key | Purpose | Retention
Session Cookie | Session ID | Authenticates user sessions and maintains a secure login state | 24 hours
localStorage | master_password_created | Records primary password setup status to prevent repeated prompts | Persistent
localStorage | master_password_created_{krn} | Tracks primary password status on a per-subscription basis | Persistent
sessionStorage | processed_code | Prevents duplicate OAuth token exchanges during authentication | Tab closure

Clarification on KRN: "KRN" refers to a subscription identifier processed using a one-way cryptographic hash function. The original identifier cannot be reconstructed from the stored value.

4. Legal Basis for Processing

The processing of cookies and storage data described in this Policy is conducted pursuant to the following legal bases under Article 6 GDPR:

  • Session ID cookie: Article 6(1)(b) (processing necessary for the performance of a contract, namely the provision of an authenticated service) and Article 6(1)(f) (legitimate interests in ensuring service security and preventing unauthorized access).
  • localStorage and sessionStorage items: Article 6(1)(b), as such processing is strictly necessary to deliver the functionality explicitly requested by the user, including authentication integrity and password persistence.

No processing is carried out for profiling, marketing, behavioral analysis, or other non-essential purposes.

5. User Rights and Control

Although the cookies and storage mechanisms described herein are essential to the operation of ExpressAI, users retain the following controls and rights:

  • Browser-level controls: Users may configure their browser settings to block or delete cookies and local storage (e.g., via Chrome, Firefox, Safari, or Edge). Please note: Disabling session cookies will terminate authenticated sessions, and clearing local storage will reset password-related prompts.
  • Data subject rights: To the extent that personal data is processed, users retain all rights afforded under the GDPR, including the rights of access, rectification, erasure, and restriction of processing. Requests may be directed to ExpressVPN's Data Protection Officer.
  • Consent exemption: As ExpressAI uses only strictly necessary technologies, no cookie consent banner is displayed, in accordance with EDPB Guidelines 04/2020.

6. Security Measures

ExpressAI and ExpressVPN implement appropriate technical and organizational measures, including:

  • Cryptographically secure random generation of session identifiers;
  • Enforcement of Secure (HTTPS-only) and httpOnly attributes on session cookies;
  • Use of industry-standard cryptographic hashing algorithms (including SHA-256 or stronger) for hashed identifiers;
  • Regular independent third-party security audits conducted by ExpressVPN.

7. Amendments to This Policy

Material changes to this Policy will be communicated by:

  • Updating this Policy with a revised "Last Updated" date; and
  • Providing an in-service notification upon the user's next login where changes materially affect functionality.

8. Contact Information

For inquiries, data subject requests, or privacy-related concerns, please contact:

Data Protection Officer
Email: dpo@expressvpn.com