AI transparency
How coExploro uses AI, which data it touches, and who processes it.
Last updated: 2026-05-11
Introduction
coExploro provides automated product analysis of publicly accessible SaaS products for research and competitive benchmarking. A user pastes a URL; we produce a product teardown — a structured, scored summary drawn from AI vision extraction, four persona analyses, and a cross-persona synthesis.
This page documents which AI models we use, where your data lives, how human oversight works, and which sub-processors touch your analyses. It is a research-classification disclosure under EU AI Act Article 4. We do not make automated decisions about identified individuals, and we do not profile people.
Models used
Each analysis runs through a multi-stage pipeline. The table below lists the model in each role as of the last-updated date above. Provider-side routing may relocate requests to a region selected by the provider — we do not claim single-region routing for third-party model providers.
| Role | Provider | Model | Region |
|---|---|---|---|
| Extraction + personas | Google | Gemini 3 Flash (`gemini-3-flash-preview`) | Global (per provider) |
| Synthesis | Anthropic | Claude Sonnet 4.6 (`claude-sonnet-4-6`) | Global (per provider) |
| Fallback | OpenAI | GPT-5.4 mini | Global (per provider) |
Data sources
We analyse only the URLs you submit. For each URL, we visit the page(s) with a headless browser, capture screenshots, and extract observable facts with vision models. We do not crawl pages you did not request.
Submitted URLs must resolve to public HTTP/HTTPS hosts. We reject loopback, private network ranges, link-local addresses, credentialed URLs, and non-standard ports before any browser runs; the same check re-runs immediately before navigation to prevent DNS rebinding.
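A sketch of the kind of check described above, as an added example and not coExploro's own code. The function names, the injected `resolve` callable, and the sample addresses are assumptions constructed for illustration; the resolver is injected so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url: str, resolve) -> tuple:
    """Return (allowed, reason). `resolve(host)` yields a list of IP strings."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in DEFAULT_PORTS:
        return False, "scheme not http/https"
    if parts.username is not None or parts.password is not None:
        return False, "credentialed URL"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        return False, "non-standard port"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    # Every resolved address must be public, not just the first one.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"non-public address {addr}"
    return True, "ok"


def make_rebinding_resolver():
    """Constructed resolver: public answer first, loopback on the re-check."""
    answers = iter([["93.184.216.34"], ["127.0.0.1"]])
    return lambda host: next(answers)
```

Calling `check_url` once at submission and again immediately before navigation with the rebinding resolver passes the first time and fails the second, which is the case the re-check exists for. Pinning the browser's connection to the address that passed the check narrows the remaining window between validation and connect.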
coExploro is a research-classification tool under ADR-0031 — it exists to help people compare and understand product surfaces, not to target or profile individuals. We do not extract personal information by design; where a screenshot incidentally captures a visible name or email on a public page, it persists as an image artefact, not as a structured person record.
Training claims
We do not train AI models on your submissions, on the outputs we produce, or on any data captured during an analysis. We do not sell your analyses. Analyses are transmitted only to the active sub-processors disclosed below (infrastructure vendors and the AI model providers that run the pipeline); they are not shared with any other third parties for advertising, resale, or training.
The third-party model providers we use (Google, Anthropic, OpenAI) receive prompts and, at the extraction and grounding stages, screenshots. Each provider is bound by its own published terms of service, which we treat as the ceiling for provider-side behaviour, not as a substitute for our own commitment. We do not opt into provider-side programmes that would allow customer prompts or outputs to be used for improving shared models. Provider-side request retention is governed by provider terms; we do not control it directly.
Analysis methodology
The pipeline is deliberately two-tier so that observable facts and interpretative opinions stay separated:
- Extraction (Gemini 3 Flash) — reads the screenshots and returns observable facts only: components seen, layout, visible copy, calls-to-action, and a 7-dimension UX score.
- Persona evaluation (Gemini 3 Flash × 4, in parallel) — four AI analyst roles (Product Manager, Marketing, UX, Designer) evaluate the extracted facts. Personas never see the raw screenshots; they reason over the extraction output alone.
- Synthesis (Claude Sonnet 4.6) — merges the four persona outputs into the final teardown shown on screen.
Every finding carries a reference to the component that produced it, so an opinion can always be traced back to the specific part of the screenshot it is grounded in.
Human oversight
You retain full control of each output. A teardown is a draft for you to read, edit, share, or discard at your discretion; nothing is actioned on your behalf beyond producing the teardown itself.
coExploro makes no automated decisions about identified individuals within the meaning of GDPR Article 22. The pipeline does not profile, score, rank, or select people — it describes publicly visible product surfaces.
Limitations and known biases
- The UX score is heuristic. It is calibrated against the pattern of observable product surfaces; it is not an audited, certified, or industry-benchmarked metric.
- Persona coverage is limited to four roles. Real-world stakeholder diversity exceeds this; treat the outputs as starting points for team discussion, not as a replacement for it.
- English is the only supported interface language at launch. Non-English pages are still analysed, but the narrative outputs are English-only.
- We monitor upstream model drift via observability tooling, but drift detection is not automated. Outputs for the same URL may differ from run to run because the underlying models are stochastic.
Data handling and sub-processors
We process the URLs you submit and the analyses derived from them. We are the data controller for user-submitted analyses under the GDPR. The lists below distinguish vendors that currently process your data from vendors contracted for planned features that are not yet live.
Active AI model providers
Each pipeline stage has a primary provider and a fallback chain. If the primary call fails, the same stage is retried on the next provider in the chain, which receives the same payload the primary would have received (including screenshots on image-bearing stages).
- Google (Gemini 3 Flash) — primary provider for the extraction stage (receives screenshots and prompts) and the persona evaluation stage (text-only prompts). Secondary fallback for the synthesis stage (text-only). Region: global (per provider).
- Anthropic (Claude Sonnet 4.6) — primary provider for the synthesis stage (text-only prompts). Secondary fallback for the extraction stage (receives screenshots and prompts when invoked) and the persona evaluation stage (text-only). Region: global (per provider).
- OpenAI (GPT-5.4 mini) — first-line fallback for every stage. Receives screenshots and prompts when serving as the extraction fallback; receives text-only prompts at the persona and synthesis stages. Region: global (per provider).
Active infrastructure sub-processors
- Railway Pro — application hosting, PostgreSQL, Redis. Region: US Virginia (`us-east4-eqdc4a`).
- Cloudflare R2 — screenshot and document storage. Bucket location: ENAM (Eastern North America). No EU jurisdictional restriction is configured for the active bucket.
- Browserbase — headless Chromium sessions for URL capture. Region: multi-region (cloud Chromium).
- Langfuse Cloud — LLM observability: receives per-AI-call trace metadata (model name, stage identifier, prompt / completion token counts including Anthropic cache tokens, latency, fallback status). Input fields are limited to analysis ID and URL origin + pathname (query and hash stripped); raw prompts, model outputs, and user content are not sent. Region: US. Active when `LANGFUSE_PUBLIC_KEY` and `LANGFUSE_SECRET_KEY` are configured; tracing is gracefully disabled otherwise.
- Resend — transactional email delivery for account password reset (single-purpose today; account verification and operational notifications may follow). Receives recipient email, the password-reset link (containing a short-lived single-use token), and standard SMTP envelope metadata. No analysis content, no marketing content, no persistent profile data. Delivery region is provider-configurable; account data, email metadata, logs, and API records are stored in the US per Resend's published data-residency documentation. Active when `RESEND_API_KEY` and `RESEND_FROM_EMAIL` are configured; sending is a no-op (logged warning) when keys are absent, so local dev and CI run without delivering email.
Planned sub-processors (not yet integrated)
- Paddle — Merchant of Record, planned for subscription billing at paid-tier launch. Entity: Ukraine / EU.
No data flows to a planned sub-processor until it is integrated. When a planned vendor goes live we will update this page, bump the last-updated date, and add a version-history entry before the integration ships.
Retention (active stack). Application and infrastructure logs are retained for 30 days by default. Stored screenshots and analysis records are retained indefinitely at present — automated account-triggered deletion is not yet available. You may request deletion of your analyses, screenshots, or other data held about you at any time via the feedback channel below; fulfilment today is handled manually by the coExploro team. Your right to erasure under GDPR Article 17 applies regardless of whether automated deletion is available. Provider-side request retention is governed by each provider's terms. Retention terms for planned sub-processors will be stated here before those vendors process any data.
Session continuity. Where repeat captures of the same domain require authentication or cookie-wall dismissal, we may retain browser cookies observed during capture. Cookies are scoped to your account and the target domain; they are never reused across accounts.
Feedback channel
Questions about this document, the models we use, or the data we hold should reach us at admin@coexploro.com. We respond within five working days.
Version history
- 2026-05-11 — v1.3: infrastructure region disclosure aligned with ADR-0043 and current deploy evidence: Railway is US Virginia, R2 bucket location is ENAM rather than an EU jurisdiction, and Resend wording now distinguishes configurable email delivery region from US-hosted account data and email metadata.
- 2026-05-10 — v1.2: Resend moved from planned to active infrastructure sub-processors following integration of password-reset email delivery (PRD-01 / PR #8). Per-vendor wording describes the single-purpose scope (recipient email + reset link + SMTP envelope metadata; no analysis content) and the optional-keys no-op behaviour for local dev / CI.
- 2026-04-24 — v1.1: Langfuse Cloud moved from planned to active infrastructure sub-processors following integration (PRD-33 v1.1 / F3).
- 2026-04-23 — v1.0 initial publication.