Privacy Policy

Exostar Privacy Policy

For the convenience of Exostar subscribers and visitors to the Exostar site, we may provide translations of the following in languages other than English at a later time. In such case, we will use reasonable efforts to provide accurate translations; however, Exostar does not guarantee the accuracy of any translation from the English and under no circumstance should any translation be relied upon without independent verification. Only the English language version is binding.


Issued May 1, 2016; updated July 14, 2021.

Exostar LLC and its affiliated companies (“Exostar” or “we”) respect the privacy of personally-identifiable information (“Personal Information”) collected from users of our services.  This Privacy Policy (“Policy”) explains how Exostar collects, uses, shares and discloses Personal Information, including via our websites and online portals (the “Exostar Sites”).

This Policy does not apply to, and Exostar is not responsible for: (i) the practices of any other companies or individuals, or (ii) any third-party websites, platforms, devices, applications or services that you access via links from Exostar’s website or web applications (“Third Party Services”).  We encourage you to review the privacy policies of any Third Party Services that you access.


We collect and use Personal Information in various ways across Exostar’s suite of supply chain management, secure collaboration, and risk and identity management services.

A. Registration Information.
We collect information when users register on Exostar Sites, including name, telephone numbers, email addresses, business address, and other attributes for particular applications (e.g. user role for application, start date of application trial, etc.) (“Registration Information”). We may collect Registration Information directly from a user, or from the user’s company.

Exostar uses Registration Information for administrative, billing and recordkeeping purposes, and to communicate with users about service updates, service adoption by their community and service maintenance. In order to promote community membership and increased adoption of our services, Exostar may disclose the name of the user’s company (without identifying the user) to other users and to potential community members. Exostar may also include the Registration Information in a User Directory for distribution to other users (please see section 3 below for details on how to opt out of the User Directory). Except as provided in this Privacy Policy or with the consent of the applicable user, Exostar will not disclose Registration Information to third parties.

B. User Information.
Users communicate, collaborate and exchange information with Exostar and other users (“User Information”). User Information includes, among other things, information submitted to Exostar Sites, or to other companies via Exostar Sites.

Exostar uses User Information primarily to provide the services on Exostar Sites, by making the User Information available on Exostar Sites as specified by users. Certain Exostar employees may also have access to User Information for administrative or security purposes. Except as provided in this Privacy Policy or with the consent of the applicable user, Exostar will not disclose User Information to third parties or to Exostar users other than ones to which the User Information was communicated.

C. Tracking Information.
When a user accesses Exostar Sites, Exostar Sites record and retain general data about the user’s use of Exostar Sites including the user’s domain name, the web page(s) from which the user entered Exostar Sites, the web page(s) which the user visited on Exostar Sites, and the amount of time the user spent on each web page of Exostar Sites (“Tracking Information”). Exostar may use third-party analytics tools to generate Tracking Information; third parties providing such tools are permitted to transfer Tracking Information only to Exostar.

Exostar uses Tracking Information to determine the attributes of users, and statistics and general information about usage of Exostar Sites, for both internal and external use. Except as provided in this Privacy Policy, Exostar will not disclose Tracking Information to third parties in a manner that reasonably permits such information to be identified with an individual user or specific user transaction (see section 2.B below regarding disclosure of Aggregated Data).

D. Identity Information
For our services providing identity proofing (i.e. verification) and credentialing, we collect various information associated with the individuals whose identities are being checked (“Identity Information”). Identify Information differs depending upon the type and level of proofing, and may include Registration Information, Tracking Information, user ID numbers associated with proofing, government-issued ID documents (e.g. passport, driver’s license), other legal documents (e.g. birth certificate, marriage license), documents regarding employment, credit history, details of physical and electronic credentials and tokens, nationality, citizenship, physical location and time zone, proofing appointment information, and proofing outcome information. Identity Information is collected in person, over video interfaces and via other forms of electronic communication.

Exostar uses Identity Information solely to provide proofing, credentialing and access services, to confirm credentials that have been issued, and to maintain the integrity of the proofing and credentialing process. We do not share Identity Information with the third parties, except as specified in section 2.C of this Policy or with the consent of the user to which the Identify Information relates.

E. Cookies.
Exostar uses “cookies”—small files stored in user web browsers—to improve the functions of Exostar Sites, including optimizing presentation of information, streamlining the log-in process, and recording user preferences. Cookies may store Personal Information including browser information, IP address and username. Please see regarding how to disable cookies. However, if a user disables cookies, he/she may not be able to log into or use certain features of Exostar Sites.

F. Other Information.
A user may choose to send Exostar a question via e-mail, register for a special service or otherwise communicate with Exostar. Exostar uses such information to communicate with users and to enhance Exostar Sites to better meet the needs of users. Except as provided in this Privacy Policy, Exostar will not disclose such information in a manner that reasonably permits such information to be identified with an individual user or specific user transaction.


California law requires businesses to disclose information regarding the rights of California residents pursuant to the CCPA. Any terms defined in the CCPA (Cal. Civ. Code Section 1798.140) have the same meaning when used in this section.

You may request that we disclose to you the following information covering the preceding 12 months:

(1) The categories of personal information we have collected about you;

(2) The categories of sources from which the personal information was collected;

(3) The business or commercial purpose for collecting or selling personal information;

(4) The categories of third parties with which we share personal information;

(5) The categories of personal information about you that we have sold and the categories of third parties to which the personal information was sold;

(6) The categories of personal information about you that we have disclosed for a business purpose and the categories of third parties to which the personal information was disclosed;

(7) The specific pieces of personal information we have collected about you.

You may request the disclosure of the information listed above by calling 703-793-7800 or submitting a request at Such a request may be referred to as a right to know request. Pursuant to California law, we will verify your identity before complying with any such request.

You have the right to request that we delete any personal information about you that we have collected from you, and that we direct any service provider to delete such personal information from its records. Such a request may be referred to as a request to delete. However, pursuant to the CCPA, your information may not be deleted under certain circumstances, including where maintenance of your personal information is necessary to: complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, to provide a good or service that you requested or that is reasonably anticipated within the context of your ongoing business relationship with us, or to otherwise perform a contract between us and you; to detect security incidents, protect against or prosecute fraudulent or illegal activity; to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us; to comply with a legal obligation; or to otherwise use your information internally in a lawful manner that is compatible with the context in which you provided the information.  For more information about these and other situations in which we may not delete your information, please see Cal. Civ. Code Section 1798.105(d).

You may request the deletion of your information by calling 703-793-7800 or submitting a request at Before deleting your personal information, we will verify your identity, as required by the CCPA.

You may use an authorized agent to submit a right to know request or a request to delete. To use an authorized agent, you must provide the agent with written authorization. In addition, you may be required to verify your own identity with us. We may deny a request from an agent that does not submit proof that they have been authorized by you act on your behalf. Such requirements, however, will not apply where you have provided the agent with power of attorney pursuant to Cal. Prob. Code Sections 4000 to 4465.

You have the right, at any time, to direct  us not to sell your personal information.  This right may be referred to as the right to opt-out.  You may opt out of the sale of your personal information by calling 703-793-7800 or creating a case at If we have a good faith, reasonable, and documented belief that a request to opt-out is fraudulent, we may deny the request. You may use an authorized agent to submit a request to opt-out on your behalf. To do so, you must provide the agent with written authorization do so. We may deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.

In addition, we do not and will not sell the personal information of minors we have actual knowledge are under the age of 16 without affirmative authorization (known as “opt-in”).

In the preceding 12 months, we have collected the following categories of personal information about California residents from the following sources and for the following purposes. The CCPA requires that we refer to specific categories of personal information enumerated in the CCPA. We may collect only certain pieces of personal information described in a given category and may not collect certain pieces of personal information described in each category.

Category of Personal Information Collected Category of Source of Collection Business or Commercial Purpose of Collection
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.


Categories of personal information described in subdivision (e) of Section 1798.80 (any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.)


Characteristics of protected classifications under California or federal law.


Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.


Biometric information.


Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.


Geolocation data.


Audio, electronic, visual, thermal, olfactory, or similar information.


Professional or employment-related information.


Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).


Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


In the preceding 12 months, we have sold the following categories of personal information about California residents to the following categories of third parties.

Category of Personal Information Sold Category of Third Party to Which Personal Information Disclosed


In the preceding 12 months, we have disclosed for a business purpose the following categories of personal information about California residents to the following categories of third parties (to the extent the disclosure was made to a third party).

Category of Personal Information Disclosed for a Business Purpose Category of Third Party to Which Personal Information Disclosed, To The Extent Disclosed To a Third Party

We will not discriminate against you because you exercised any of your rights under this section, including, but not limited to, by:

(1) Denying goods or services to you;

(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

(3) Providing a different level or quality of goods or services to you;

(4) Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may charge you a different price or rate, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your data.  In addition, we may offer financial incentives, including payments to you as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. We may also offer a different price, rate, level, or quality of goods or services to you if that price or difference is directly related to the value provided to us by your data.  We will notify you of such financial incentives. We will enter you into a financial incentive program only if you give us prior opt in consent which clearly describes the material terms of the financial incentive program, and which may be revoked by you at any time.  We will not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

We currently offer the below financial incentives:

Financial Incentive Summary of Financial Incentive and Material Terms Categories of Personal Information Implicated Opting In to Financial Incentive Right to Withdraw From Financial Incentive




Exostar shares Personal Information with certain third parties as described below, and takes responsibility for such sharing as provided in this Policy and applicable law.

A. Exostar Services.
The Exostar Portal and Exostar collaboration services are designed to be used for sharing information (including Personal Information) with third parties. Exostar enables such sharing to the extent authorized by each user and/or their company.

B. Aggregated Data.
Exostar may process and disclose information in aggregated form (based on Personal Information held by Exostar) that does not reasonably identify, the Subscriber, an individual user, or specific user transaction on Exostar Sites (“Aggregated Data”), including: (i) providing information regarding trends, purchasing patterns and retail intelligence and research; (ii) performing its obligations under agreements with third party licensors or other users; (iii) internal record keeping and reporting by Exostar; (iv) measuring the performance of third-party licensors and service providers; and (v) reporting performance and other statistical information concerning Exostar Sites.

C. Subcontractors.
Exostar may disclose Personal Information to third parties who support Exostar services, with appropriate agreements to ensure the information is used only for such service support and in accordance with this Policy.

D. Disclosure Under Law.
Exostar may disclose Personal Information if Exostar is required to make such a disclosure under applicable laws, or to report a violation or suspected violation of applicable laws to appropriate governmental authorities.

E. Sale of Company.
In the unlikely event of a sale of Exostar or its assets, Exostar is likely to disclose Personal Information to the new owners, subject to a requirement that such information be used only in accordance with this Privacy Policy and other contractual commitments to users.


Participation in Exostar Sites is voluntary. To opt out of processing of personal data pursuant to this Privacy Policy, a user should notify Exostar through as follows:

  • To opt out of the User Directory, the case subject line should state “Opt Out Directory” and the message to support field shall include the Exostar-issued ID number;
  • To opt out of receiving marketing communications from Exostar, the case subject line should state “Opt Out Communications” and the message to support field shall include the Exostar-issued ID number (if applicable); and
  • To opt out of both of the above, the case subject line should state “Opt Out All” and the message to support field shall include the Exostar-issued ID number (if applicable).

Notwithstanding any such opt-out request, Exostar reserves the right to continue to process user data for purposes related to Aggregated Data as set out in section 2.B. If an opt out would impair the user’s ability to use Exostar services or the integrity of Exostar services, Exostar may contact the user or the user’s employer to discuss and possibly limit the scope of the opt out.


Exostar applies the following policies on retention of Personal Information:

  • Registration Information, User Information, Tracking Information and Other Information associated with a user account may be retained for up to 3 years from account deletion. Some such information (including payment information, recently accessed sites and certain access credentials) is deleted immediately upon account deletion. If Personal Information of one user is associated with or stored on the account of a second user, the retention periods will be those for the account of the second user.
  • Identity Information used for proofing is retained for 7.5 years after the credential to which the proofing relates is revoked or expires.
  • Cookies are stored on user computers, and may be deleted at any time by the user (see section 1.E above).
  • Digital certificates and any data that contains Personal Information that is not included in any other format listed in this Policy are retained for no longer than two years.

When data is deleted from Exostar operating systems, it may remain in our back-up storage for a period of 11 years.


Users may request access to, correction or deletion of your Personal Information held by Exostar. Exostar may choose not to delete Personal Information where the data is necessary to the integrity of Exostar services or to the operation of services provided by Exostar to other users. EU customers of Exostar have certain rights to restriction of data processing and data portability to other service providers. Users may exercise any of these rights by following the process set forth at


Exostar uses extensive technological and organizational measures to protect Personal Information and other data from unauthorized disclosure, alteration, or destruction. However, data security presents many risks, and Exostar cannot guarantee that information will be 100% secure. Exostar relies on customers to select secure passwords, to protect those passwords, and to use appropriate security software on their devices. Please contact Exostar with any information regarding unauthorized use of Exostar Sites or other Exostar services.


Exostar is based in the United States, and information collected by Exostar is usually transferred to, processed, and/or stored in the United States. These transfers are authorized as follows:

  • Business Customers. Our customer contracts include standard contractual clauses for controller-to-processor transfers approved by the European Commission, with the customer as controller and Exostar as processor. See for further information.
  • Individuals. For certain services that involve direct collection of Personal Information from individuals (e.g. identity proofing), we obtain explicit consent to transfer of Personal Information to Exostar in the United States.

Exostar complies with the EU General Data Protection Regulation with respect to our activities in the EU and European Economic Area.


From time to time, Exostar may update this Policy to reflect changes in the law, changes in Exostar’s services, or for other reasons. If Exostar makes material changes to the Policy, Exostar will notify its users of the updated Policy by posting it on and via Online Support.


If you have inquiries or complaints about this Policy or your Personal Information, you should first contact the office of the Exostar chief privacy officer. If Exostar receives a written complaint, we will contact the person who made the complaint to follow up. Further contact information for our US and UK offices is available at

Exostar works with the appropriate regulatory authorities to resolve any complaints regarding Personal Information that we cannot resolve with our customers and users directly. If you are a EU/EEA customer of Exostar, you may also have the right to complain to the data protection authorities in your country, and, under certain conditions, to invoke binding arbitration.