Privacy Policy

1. Who we are

Data controller: DBR Labs, doing business as Everything X1. Contact: legal@everythingx1.com. Support: support@everythingx1.com.

2. Information we collect

2.1 Account and identity

• Name, email address, password hash, account role, and subscription tier.
• Authentication tokens, session identifiers, and login timestamps.
• Optional social-login identifiers when you sign in with Google via Firebase.

2.2 Billing

• Subscription status, plan, and usage counters stored on our systems.
• Payment card and billing address are processed by Stripe; we receive limited billing metadata (for example, customer ID, invoice status, last four digits) but not full card numbers.

2.3 Workspace content

• Chat messages, prompts, AI outputs, and conversation metadata.
• Agent definitions, instructions, schedules, run logs, and tool policies.
• Tasks, pages, databases, structured records, and workspace settings.
• Files you upload, index, or reference in the workspace.
• Embeddings or derived representations created to power search or context features.

2.4 Integrations and credentials

• OAuth tokens and integration configuration for connected services (for example, Google, GitHub, Notion, Linear, Airtable, Slack).
• Bring-your-own-key (BYOK) provider API keys you save in Settings. Keys are encrypted using commercially reasonable measures before storage. We do not return raw keys to clients after save.

2.5 Desktop and local execution

• When you use EX1 Desktop, local files, repositories, shell commands, MCP endpoints, and environment data may be accessed on your device according to permissions you grant.
• We may store metadata about local execution events, consent records, and high-risk action approvals. Content processed locally may also be transmitted to our backend or model providers when you submit prompts, run agents, or sync workspace data.

2.6 Technical and security data

• IP address, browser or app version, device type, and request logs.
• Error reports, diagnostics, audit logs, and security events when enabled.
• Feature-flag state, usage metrics, and rate-limit counters.

2.7 Legal consent records

• Timestamps and versions when you accept Terms, Privacy Policy, BYOK notices, local execution warnings, or integration disclosures.

3. How we use information

We use information to:

• Provide, operate, secure, and improve the Service.
• Authenticate users and enforce subscriptions and usage limits.
• Route prompts and workspace content to AI model providers you select or authorize.
• Execute agents, automations, integrations, and tool actions you configure or approve.
• Process payments and communicate about billing, support, and product updates.
• Detect abuse, fraud, and security incidents.
• Comply with law and enforce our Terms and Acceptable Use Policy.

Model training: We do not use your workspace content to train our own foundation models. Third-party model providers you connect via BYOK or future platform-managed inference may process prompts and outputs under their own policies.

4. How we share information

We may share information with:

• Service providers (subprocessors) listed in our Subprocessor Disclosure, including hosting, database, payment, email, and authentication vendors.
• AI and integration providers when you connect keys, authorize OAuth, or run agents that call external APIs.
• Professional advisers (lawyers, accountants, insurers) under confidentiality obligations.
• Authorities when required by law or to protect rights, safety, and security.
• Business transfers in connection with a merger, acquisition, or asset sale, subject to continued protection.

We do not sell personal information.

5. Retention

We retain information for as long as your account is active and as needed to provide the Service, resolve disputes, enforce agreements, and comply with law. Typical retention includes:

• Account data — until account deletion plus a limited backup window.
• Workspace content — until you delete it or close your account, subject to backups.
• Billing records — as required for tax, accounting, and fraud prevention.
• Security and audit logs — for a limited operational period unless law requires longer retention.
• BYOK keys and integration tokens — until you delete them or disconnect the integration.

Deletion requests: email support@everythingx1.com. We will delete or anonymize personal data where feasible, except data we must retain by law or for billing disputes.

6. Security

We use commercially reasonable technical and organizational measures, including encryption in transit (TLS), access controls, and encrypted storage for sensitive credentials where implemented. No method of transmission or storage is 100% secure. Report concerns to security@everythingx1.com or see our Security & Responsible Disclosure Policy.

7. International transfers

We may process information in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for cross-border transfers.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port personal information, and to object to certain processing. California residents may have additional rights under the CCPA/CPRA. EEA/UK users may have GDPR rights, including complaint rights with a supervisory authority.

To exercise rights, contact legal@everythingx1.com. We may verify your request before responding.

9. Children

The Service is not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. Contact us if you believe a child has provided information.

10. AI transparency

EX1 uses AI systems that may generate, transform, summarize, classify, or act on content you submit. AI outputs may be inaccurate or unsafe. We label AI-generated content in the product where practical. Do not rely on AI outputs for professional, legal, medical, financial, or safety-critical decisions without independent verification.

11. Changes

We may update this Privacy Policy. We will post the revised version with a new effective date and provide additional notice for material changes when practicable.

12. Contact

Privacy inquiries: legal@everythingx1.com
DBR Labs, doing business as Everything X1