Privacy Policy
How Everything X1 collects, uses, and protects your information.
Effective date: June 18, 2026 · Version 2026-06-18
This Privacy Policy describes how DBR Labs, doing business as Everything X1 ("we," "us," or "our") collects, uses, shares, and protects information when you use Everything X1 ("EX1" or the "Service"), including our website (everythingx1.com), browser workspace, desktop application, and related APIs.
By using the Service, you agree to this Privacy Policy and our Terms of Service. If you do not agree, do not use the Service.
1. Who we are
Data controller: DBR Labs, doing business as Everything X1. Contact: legal@everythingx1.com. Support: support@everythingx1.com.
2. Information we collect
2.1 Account and identity
- Name, email address, password hash, account role, and subscription tier.
- Authentication tokens, session identifiers, and login timestamps.
- Optional social-login identifiers when you sign in with Google via Firebase.
2.2 Billing
- Subscription status, plan, and usage counters stored on our systems.
- Payment card and billing address are processed by Stripe; we receive limited billing metadata (for example, customer ID, invoice status, last four digits) but not full card numbers.
2.3 Workspace content
- Chat messages, prompts, AI outputs, and conversation metadata.
- Agent definitions, instructions, schedules, run logs, and tool policies.
- Tasks, pages, databases, structured records, and workspace settings.
- Files you upload, index, or reference in the workspace.
- Embeddings or derived representations created to power search or context features.
2.4 Integrations and credentials
- OAuth tokens and integration configuration for connected services (for example, Google, GitHub, Notion, Linear, Airtable, Slack).
- Bring-your-own-key (BYOK) provider API keys you save in Settings. Keys are encrypted using commercially reasonable measures before storage. We do not return raw keys to clients after save.
2.5 Desktop and local execution
- When you use EX1 Desktop, local files, repositories, shell commands, MCP endpoints, and environment data may be accessed on your device according to permissions you grant.
- We may store metadata about local execution events, consent records, and high-risk action approvals. Content processed locally may also be transmitted to our backend or model providers when you submit prompts, run agents, or sync workspace data.
2.6 Technical and security data
- IP address, browser or app version, device type, and request logs.
- Error reports, diagnostics, audit logs, and security events when enabled.
- Feature-flag state, usage metrics, and rate-limit counters.
2.7 Legal consent records
- Timestamps and versions when you accept Terms, Privacy Policy, BYOK notices, local execution warnings, or integration disclosures.
3. How we use information
We use information to:
- Provide, operate, secure, and improve the Service.
- Authenticate users and enforce subscriptions and usage limits.
- Route prompts and workspace content to AI model providers you select or authorize.
- Execute agents, automations, integrations, and tool actions you configure or approve.
- Process payments and communicate about billing, support, and product updates.
- Detect abuse, fraud, and security incidents.
- Comply with law and enforce our Terms and Acceptable Use Policy.
Model training: We do not use your workspace content to train our own foundation models. Third-party model providers you connect via BYOK or future platform-managed inference may process prompts and outputs under their own policies.
4. How we share information
We may share information with:
- Service providers (subprocessors) listed in our Subprocessor Disclosure, including hosting, database, payment, email, and authentication vendors.
- AI and integration providers when you connect keys, authorize OAuth, or run agents that call external APIs.
- Professional advisers (lawyers, accountants, insurers) under confidentiality obligations.
- Authorities when required by law or to protect rights, safety, and security.
- Business transfers in connection with a merger, acquisition, or asset sale, subject to continued protection.
We do not sell personal information.
5. Retention
We retain information for as long as your account is active and as needed to provide the Service, resolve disputes, enforce agreements, and comply with law. Typical retention includes:
- Account data — until account deletion plus a limited backup window.
- Workspace content — until you delete it or close your account, subject to backups.
- Billing records — as required for tax, accounting, and fraud prevention.
- Security and audit logs — for a limited operational period unless law requires longer retention.
- BYOK keys and integration tokens — until you delete them or disconnect the integration.
Deletion requests: email support@everythingx1.com. We will delete or anonymize personal data where feasible, except data we must retain by law or for billing disputes.
6. Security
We use commercially reasonable technical and organizational measures, including encryption in transit (TLS), access controls, and encrypted storage for sensitive credentials where implemented. No method of transmission or storage is 100% secure. Report concerns to security@everythingx1.com or see our Security & Responsible Disclosure Policy.
7. International transfers
We may process information in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for cross-border transfers.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or port personal information, and to object to certain processing. California residents may have additional rights under the CCPA/CPRA. EEA/UK users may have GDPR rights, including complaint rights with a supervisory authority.
To exercise rights, contact legal@everythingx1.com. We may verify your request before responding.
9. Children
The Service is not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. Contact us if you believe a child has provided information.
10. AI transparency
EX1 uses AI systems that may generate, transform, summarize, classify, or act on content you submit. AI outputs may be inaccurate or unsafe. We label AI-generated content in the product where practical. Do not rely on AI outputs for professional, legal, medical, financial, or safety-critical decisions without independent verification.
11. Changes
We may update this Privacy Policy. We will post the revised version with a new effective date and provide additional notice for material changes when practicable.
12. Contact
Privacy inquiries: legal@everythingx1.com
DBR Labs, doing business as Everything X1
This Privacy Policy is an operational draft pending counsel review. Confirm entity name, mailing address, retention schedules, and regional compliance before production launch.