01 Who we are
This Privacy Policy describes how XAGI Labs Private Limited ("XAGI Labs", "we", "us" or "our"), a private limited company incorporated under the Companies Act, 2013 of India, collects, uses, discloses and protects information when you visit tryatlasagi.com (the "Site"), download or use ATLAS (the "Software"), or otherwise interact with our products and services (collectively, the "Services").
Our registered office is at Thiruvananthapuram, Kerala 695019, India. We are subject to the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules 2021"), the Digital Personal Data Protection Act, 2023 ("DPDP Act") together with the rules notified thereunder, the Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020.
For the purposes of the DPDP Act, XAGI Labs is a Data Fiduciary. For users in the European Economic Area ("EEA") and the United Kingdom, XAGI Labs is a data controller under the General Data Protection Regulation ("GDPR" / "UK GDPR"). For users in California, we are a business under the California Consumer Privacy Act ("CCPA") as amended by the CPRA. This Privacy Policy is published in compliance with Rule 3 of the SPDI Rules and Section 5 of the DPDP Act and constitutes a binding electronic record under Section 10A of the Information Technology Act, 2000.
02 Scope of this policy
This policy applies to personal data we process when you:
- Visit the Site or any subdomain of tryatlasagi.com or xagilab.com;
- Sign up to our waitlist, newsletter, or other forms;
- Create an account, sign in, or use ATLAS on desktop (macOS, Windows) or via the Chrome companion extension;
- Connect ATLAS to third-party platforms such as Telegram, Discord, Slack, Matrix, WhatsApp, email (IMAP/SMTP), Gmail or Google Workspace at your direction;
- Contact us by email, social media, or our support channels.
This policy does not apply to third-party services you connect to ATLAS. Those services have their own privacy policies and you should review them carefully.
03 Information we collect
3.1 Information you provide directly
- Account & identity data: name, email address, mobile number (when used for OTP-less sign-in), profile picture, display name.
- Waitlist & communication data: any information you submit through forms, surveys, support tickets, or email correspondence.
- Payment data (when paid plans launch): ATLAS is currently in closed alpha and we do not collect any payment information. When paid plans are introduced, billing details will be collected by our payment processor; we will never see or store full card numbers — only a token, last-four digits and brand for receipts and reconciliation.
3.2 Conversational & task data
When you use ATLAS, we process the messages, voice recordings, screenshots, files, and tool inputs you send to the agent. This is necessary for ATLAS to "think, act, and remember" as advertised.
3.3 Memory & long-term context
ATLAS is designed around persistent memory. Most memory is stored locally on your device (in data/memories.db) and never leaves it. Some account-scoped state — credit balance, subscription status, encrypted session tokens — is stored on our backend (Convex) so the product can work across devices.
3.4 Telemetry & technical data
- IP address, approximate location derived from IP, country and timezone;
- Device data: operating system, OS version, browser type and version, screen resolution, hardware identifiers used to enforce per-device licensing;
- Usage data: pages visited, features used, error reports, performance traces, anonymised crash logs.
3.5 Information from connected services
When you authorise ATLAS to connect to a third-party service (for example, Google, Telegram, Discord, Slack, GitHub) we receive only the scopes you grant. We do not request more data than is needed for the feature you enabled, and you can revoke access at any time from the third party's settings.
04 How we use your information
We use the information described above to:
- Provide, operate, maintain and improve the Services;
- Authenticate users, manage accounts and enforce credit balances;
- Route requests to the appropriate AI model, tool or agent;
- Personalise responses based on stored memory, traits and preferences;
- Detect, investigate and prevent fraud, abuse, and security incidents;
- Send transactional messages (account, security, billing, status updates);
- Send product updates and marketing communications when you have opted in — you can opt out at any time;
- Comply with applicable legal, tax and regulatory obligations;
- Aggregate and de-identify data for analytics and research, where the result cannot reasonably be linked back to you.
05 Legal basis for processing
Where the GDPR or UK GDPR applies, our legal bases are:
| Purpose | Legal basis |
|---|---|
| Providing the Services you requested | Performance of a contract |
| Account security, fraud prevention | Legitimate interests |
| Marketing emails, optional analytics, optional cookies | Consent (you can withdraw it any time) |
| Tax, accounting, anti-money-laundering checks | Legal obligation |
| Improving the product through aggregated analytics | Legitimate interests, balanced against your rights |
For users in India, processing is carried out under the consent and legitimate uses provisions of the DPDP Act, 2023.
07 Sub-processors & AI providers
To deliver the Services we rely on a small number of carefully selected vendors. The current list is:
| Sub-processor | Purpose | Region |
|---|---|---|
| Convex | Backend functions, auth, account state, encrypted session tokens | USA |
| OpenRouter | LLM inference routing (model-agnostic proxy) | USA |
| Anthropic (Claude family), Google (Gemini family), Amazon (Nova family) | Foundation-model inference for agent responses, accessed through OpenRouter | USA / EU |
| OTPless (Bullfinch Software Pvt. Ltd.) | Phone-, email- and social-based sign-in tokens | India |
| Hostinger International Ltd. | Static hosting of the sign-in page (tryatlasagi.com/auth-login) and the marketing site | EU |
| Hugging Face | One-time download of open-source on-device embedding models (e.g. Xenova/all-MiniLM-L6-v2) | USA |
| Cloudflare | DNS, CDN, edge security and bot mitigation | Global |
We bind every sub-processor to written contractual terms equivalent to this policy. We review the list at least annually and will update it here when material changes occur. The current up-to-date list is always available on this page.
Inference providers receive only the prompt and conversation context required to produce a response. Per the agreements we have signed with them and the terms they publish, they do not retain that data beyond the period necessary to operate their service, and they do not use it to train their foundation models.
08 International data transfers
Because the internet, our team and our sub-processors are global, your information may be transferred to and processed in countries other than the one in which you reside, including India and the United States.
When personal data of users in the EEA, UK or Switzerland is transferred to a country that has not received an adequacy decision from the relevant authority, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
09 Data retention
We keep personal information only for as long as we need it for the purposes described in this policy or as required by law:
- Account data: for the life of your account plus up to 90 days after you close it, to allow recovery and resolve disputes;
- Conversational data sent to the model: stored locally on your device by default; cloud copies (if you opt into sync) are encrypted and deleted within 30 days of account closure;
- Billing records: retained for 8 years to comply with Indian and other tax laws;
- Server logs and security events: 90 days, then aggregated and de-identified;
- Marketing preferences: until you withdraw consent or 3 years after your last interaction.
You can request earlier deletion at any time — see Your rights.
10 Security measures
We implement reasonable security practices and procedures consistent with the SPDI Rules, 2011, the DPDP Act, 2023 and ISO/IEC 27001-aligned controls. Specifically:
- Application-layer encryption (ECDH P-256 key exchange + AES-256-GCM authenticated encryption) for all model-bound traffic between the client and our Convex backend, on top of TLS 1.2+;
- API keys for foundation-model providers are held only as Convex environment variables on the server — they are never shipped with the desktop or web client;
- A secrets-sanitiser module scans tool outputs and strips API keys, bearer tokens, AWS keys, GitHub/Slack/Discord tokens, PEM private keys, JWTs and similar credentials before they are returned to the model;
- Sandboxed and least-privilege execution of agent tools, with the prohibitions in the Acceptable Use Policy enforced at the tool layer;
- Role-based access control, audit logging, and the principle of least privilege for our internal team;
- Periodic security reviews, dependency scanning and patch management.
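As an illustration of the secrets-sanitiser measure listed above (an added example, not XAGI Labs' code), the following shows how tool output can be scrubbed before it reaches a model. The pattern list, the function name `sanitiseToolOutput` and the sample output are assumptions constructed for this example, and only some of the listed credential types are covered.

```javascript
// Added illustration; not the ATLAS sanitiser. Patterns follow publicly
// documented credential formats; all names here are hypothetical.
const SECRET_PATTERNS = [
  // PEM blocks go first: they span lines and could contain other matches.
  ["pem_private_key",
    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g],
  // JWTs go before bearer tokens so "Bearer <jwt>" is labelled as a JWT.
  ["jwt", /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
  ["aws_access_key_id", /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g],
  ["github_token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g],
  ["slack_token", /\bxox[abprs]-[A-Za-z0-9-]{10,}/g],
  // The capture group keeps the "Bearer " scheme and drops only the token.
  ["bearer_token", /\b(Bearer\s+)[A-Za-z0-9._~+\/-]{16,}=*/gi],
];

// Returns the redacted text plus a per-type count for audit logging.
function sanitiseToolOutput(text) {
  const counts = {};
  let clean = text;
  for (const [label, pattern] of SECRET_PATTERNS) {
    clean = clean.replace(pattern, (match, prefix) => {
      counts[label] = (counts[label] || 0) + 1;
      // Without a capture group the second argument is the numeric offset.
      const keep = typeof prefix === "string" ? prefix : "";
      return `${keep}[REDACTED:${label}]`;
    });
  }
  return { clean, counts };
}

// Constructed sample of a tool's output; every credential below is fake.
const SAMPLE_OUTPUT = [
  "$ env | grep -i key",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "GITHUB_TOKEN=ghp_" + "a".repeat(36),
  "curl -H 'Authorization: Bearer " + "Zm9v".repeat(6) + "' https://api.example.test/v1",
  "session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl",
  "-----BEGIN RSA PRIVATE KEY-----\nMIIB(constructed)\n-----END RSA PRIVATE KEY-----",
  "build finished in 4.2s",
].join("\n");

const demo = sanitiseToolOutput(SAMPLE_OUTPUT);
console.log(demo.clean);
console.log(demo.counts);
```

Pattern-based redaction only catches formats it knows; credentials with no fixed prefix need entropy checks or an allow-list of fields that may be returned.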
No method of transmission or storage is 100% secure. In the event of a personal-data breach, we will:
- Notify the Data Protection Board of India in the manner and within the timelines prescribed under the DPDP Act and the rules made thereunder;
- Report cyber-security incidents to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware, in compliance with the CERT-In Directions dated 28 April 2022 issued under Section 70B(6) of the Information Technology Act, 2000;
- Notify affected individuals and competent supervisory authorities (such as EEA member-state authorities or the UK ICO) within 72 hours where the GDPR or UK GDPR applies;
- Take all reasonable steps to mitigate the impact and prevent recurrence.
11 Your rights
Depending on your jurisdiction, you have some or all of the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you;
- Correction — ask us to correct inaccurate or incomplete data;
- Erasure — ask us to delete your data, subject to legal retention obligations;
- Restriction — ask us to limit how we process your data;
- Portability — receive your data in a structured, commonly used machine-readable format;
- Objection — object to processing based on our legitimate interests, including profiling;
- Withdraw consent — for processing based on consent, you can withdraw it at any time;
- Nominate — under the DPDP Act, you may nominate another individual who can exercise your rights in the event of your death or incapacity;
- Lodge a complaint — with your local supervisory authority (the Data Protection Board of India, your EEA Member State authority, the UK ICO, or the California Privacy Protection Agency).
To exercise any of these rights, email privacy@xagilab.com. We will verify your identity and respond within 30 days (or 45 days for complex requests). We do not charge a fee for reasonable requests.
12 Children's privacy
The Services are not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a child without verified parental consent, we will delete it promptly. Parents or guardians who believe their child has used the Services may contact us at privacy@xagilab.com.
14 Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page;
- Post a notice on the Site or inside ATLAS;
- Where required, send you an email and obtain fresh consent before the change takes effect.
Your continued use of the Services after a change becomes effective constitutes your acceptance of the revised policy.
15 Contact & grievance officer
In compliance with Rule 5(9) of the SPDI Rules, 2011, Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and Section 8(10) of the DPDP Act, 2023, you may contact our Grievance Officer with any privacy question, request, complaint or content-related grievance:
Grievance Officer / Data Protection Officer
Mr. Dheeraj S
XAGI Labs Private Limited
CIN: [to be filled] • GSTIN: [to be filled when registered]
Thiruvananthapuram, Kerala 695019, India
Email: privacy@xagilab.com
General: hello@xagilab.com
We will acknowledge every grievance within 24 hours of receipt and dispose of it within 15 days, as required by the IT Rules 2021. Privacy rights requests under the DPDP Act will be answered within 30 days. If you are not satisfied with our resolution, you may escalate the matter to the Data Protection Board of India once it is constituted, or to your local supervisory authority.