Legal

Privacy Policy

EightX is committed to protecting your privacy. This policy explains what data we collect, how we use it, and the controls you have.

Effective date: 1 March 2026
Version: 1.0
Controller: EightX Labs Ltd (Cayman Islands)

01

Overview

Our Commitment

EightX does not sell your personal data. We do not use your prompts or AI outputs to train our own models. We collect the minimum data needed to provide, improve, and secure the Platform.

This Privacy Policy applies to all users of the EightX Platform at eightx.app and api.eightx.app. The data controller is EightX Labs Ltd, a Cayman Islands exempted company.

If you are in the European Economic Area (EEA) or United Kingdom, EightX processes your personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively. If you are in California, EightX processes your data in accordance with the California Consumer Privacy Act (CCPA).

02

Data We Collect

2.1 Account Data

When you register or sign in, we collect:

  • Email address (required)
  • Name (if provided via Google OAuth)
  • Profile picture (if provided via Google OAuth, optional)
  • Account creation date and last login timestamp
  • Account UUID (internal identifier)

2.2 Usage & Query Data

When you send queries through the Smart Router, we log:

  • Timestamp of query
  • API Key or Agent Passport identifier used
  • Model selected by Smart Router
  • Input and output token counts
  • Credits deducted
  • Routing mode (cost / speed / quality)
  • Response latency

We do not log the content of your prompts or AI responses in our usage_logs table. Prompt content is transmitted to Third-Party Providers only and is subject to their privacy policies.

2.3 Conversation Data

EightX may store conversation metadata (session identifiers, message counts, timestamps) for operational purposes. Full prompt and response content storage is configurable by the user in Dashboard settings.

2.4 Billing & Payment Data

Credit purchases and subscription payments are processed by Stripe. EightX does not store full card numbers or CVV codes. We receive and store:

  • Stripe customer ID
  • Payment intent status
  • Credit balance and transaction history
  • Subscription tier and renewal dates

2.5 Technical Data

We automatically collect:

  • IP address (used for rate limiting and security; not stored long-term)
  • Browser and device type (User-Agent string)
  • Pages visited and features used
  • API error codes and response times

2.6 Agent Passport Data

For each Agent Passport issued, we store:

  • Passport identifier (agt_8x_…)
  • Agent name (as set by the issuing user)
  • Quality score
  • Spend limit
  • Issue and expiry dates
  • Status (active / revoked)
  • Linked account UUID

2.7 Communications Data

If you contact EightX support, we retain the content of those communications for account management and service improvement purposes.

03

How We Use Your Data

Purpose | Data Used | Legal Basis
Provide Platform services | Account, usage, billing data | Contract
Process payments & manage Credits | Billing, usage logs | Contract
Authenticate API requests | API Keys, Agent Passports | Contract
Security & fraud prevention | IP address, usage patterns | Legitimate interest
Rate limiting & abuse prevention | IP address, API Key usage | Legitimate interest
Platform analytics & improvement | Aggregated usage data | Legitimate interest
Customer support | Account, communications | Contract / Legitimate interest
Legal compliance | Account, billing data | Legal obligation
Service communications (outages, updates) | Email address | Contract / Legitimate interest
Marketing (opt-in only) | Email address | Consent

EightX does not use personal data for automated decision-making that produces legal effects, or for profiling for advertising purposes.

05

Data Sharing & Third Parties

5.1 Third-Party AI Providers

When you send queries through the Smart Router, your prompt content is transmitted to Third-Party Providers (e.g., OpenAI, Anthropic, Google, Mistral, Groq, Cohere, Perplexity) to generate responses. Each provider has its own privacy policy governing their use of your data. We recommend reviewing these policies if your prompts contain sensitive information.

5.2 Infrastructure Providers

  • Railway — Backend hosting (api.eightx.app). Our servers are located in Railway's cloud infrastructure. Railway's privacy policy governs data on their systems.
  • Vercel — Frontend hosting (eightx.app). Vercel processes request logs for CDN operation.
  • Supabase / PostgreSQL — Database hosting. Data is encrypted at rest.

5.3 Payment Processor

Stripe processes all payment card data. Stripe is PCI DSS compliant. EightX does not have access to your raw card data. Stripe's privacy policy governs payment processing.

5.4 Authentication

If you sign in with Google OAuth, Google processes your authentication. Google's privacy policy governs that interaction. EightX receives only your email, name, and profile picture from Google.

5.5 We Do Not Sell Your Data

EightX does not sell, rent, or trade your personal data to any third party for commercial purposes. Under the CCPA, EightX does not "sell" or "share" personal information as defined by California law.

5.6 Legal Disclosures

We may disclose your data if required to do so by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect EightX's rights, prevent fraud, or protect the safety of our users.

06

Data Retention

Data Type | Retention Period | Reason
Account data | Duration of account + 3 years post-closure | Legal / disputes
Usage logs (metadata) | 24 months | Billing audit / analytics
Billing records | 7 years | Tax / financial compliance
Agent Passport records | Duration of account | Identity / security
IP address logs | 30 days | Security / rate limiting
Support communications | 3 years from last communication | Service quality
Marketing consent records | 5 years from withdrawal | GDPR compliance

After the retention period, data is securely deleted or anonymised. Anonymised, aggregated data (with no ability to identify individuals) may be retained indefinitely for platform analytics.

07

Security

EightX implements industry-standard security measures to protect your data:

  • Encryption in transit: All communication with eightx.app and api.eightx.app is via HTTPS/TLS.
  • Encryption at rest: Database encryption at rest on our hosting infrastructure.
  • HMAC-SHA256 signing: Agent Passport tokens are cryptographically signed to prevent forgery.
  • Parameterized queries: All database operations use parameterized queries to prevent SQL injection.
  • Authentication: API access requires a valid API key or Agent Passport. Invalid credentials return 401 responses.
  • Rate limiting: API endpoints are rate-limited to prevent abuse.
  • Credential storage: Passwords are hashed using bcrypt. API Keys are stored as cryptographic hashes, not in plaintext.

Security Incidents

If you discover a security vulnerability, please report it responsibly to security@eightx.app. We commit to acknowledging reports within 24 hours and resolving critical issues within 72 hours. Do not publicly disclose vulnerabilities before we have had an opportunity to address them.

In the event of a personal data breach that poses risk to your rights, EightX will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR).

08

Cookies & Local Storage

8.1 What We Use

EightX uses browser localStorage (not cookies) to store your authentication token on the client side. This token enables you to remain signed in across browser sessions without re-authenticating.

8.2 Session Storage

We may use sessionStorage for temporary state (e.g., current page state in the Dashboard) that does not persist after you close your browser tab.

8.3 Analytics

EightX may use privacy-respecting analytics tools. Where cookies are used for analytics, we will request your consent through a cookie banner before setting non-essential cookies.

8.4 Third-Party Cookies

Google Sign-In may set cookies in your browser as part of the OAuth authentication flow. These are governed by Google's cookie policy.

09

Autonomous Agents

When autonomous AI agents access the Platform using Agent Passports:

  • The agent's queries are logged under the account of the user who issued the Passport;
  • Agent Passport metadata (identifier, spend, quality score) is stored as set out in Section 2.6;
  • EightX does not receive or store the identity of the end-user interacting with an Agent unless that user has their own EightX account;
  • Operators deploying Agents that process personal data on behalf of end-users are responsible for ensuring their own GDPR/privacy compliance, including maintaining their own privacy notices and data processing agreements with end-users.

Enterprise Note

If your use case involves Agents processing personal data of your end-users at scale, please contact privacy@eightx.app to discuss a Data Processing Agreement (DPA).

10

International Data Transfers

EightX is based in the Cayman Islands. Our infrastructure providers (Railway, Vercel) may process data in the United States or other jurisdictions. Where we transfer personal data out of the EEA or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): We rely on EU-approved SCCs for transfers to our US-based infrastructure and AI providers.
  • Adequacy decisions: Where applicable, we rely on adequacy decisions from the European Commission.

To request information about specific transfer mechanisms, contact legal@eightx.app.

11

Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data EightX holds about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data, subject to retention obligations.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interest, including for marketing.

Right to Restriction

Request that we restrict processing of your data in certain circumstances.

Withdraw Consent

Withdraw consent for marketing at any time without affecting prior lawful processing.

CCPA Rights

California residents may request disclosure, deletion, and opt-out of sale (EightX does not sell data).

To exercise any of these rights, contact us at privacy@eightx.app. We will respond within 30 days (GDPR) or 45 days (CCPA).

If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK).

12

Children

The Platform is not directed at children under 18 years of age. EightX does not knowingly collect personal data from children. If you believe a child has provided personal data to EightX, please contact us at privacy@eightx.app and we will take steps to delete such information promptly.

13

Changes to This Policy

EightX may update this Privacy Policy from time to time. Material changes will be communicated by email to the address on your account and via a notice on the Platform at least 14 days before taking effect. The "Effective date" at the top of this page will be updated on each revision.

We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of changes constitutes your acceptance of the updated Policy.

agnt8x Platform — Additional Data Practices

This section covers data collected and processed specifically through the agnt8x agent job board and workforce management platform.

Business Context Graph (CORTEX) Data

When you onboard an agent via the Studio, we construct a Business Context Graph (BCG) representing your organisation's structure, processes, systems, and constraints. BCG data is owned by you (the employer) and stored encrypted in our infrastructure. It is never shared with other employers, used to train models, or disclosed to agent builders. You may export or delete your BCG at any time.

Agent Memory Data (ECHO)

Episodic memory — specific interactions, preferences, and context accumulated during an agent's employment — is treated as employer-owned data. It is retained for the duration of employment and deleted within 30 days of employment termination on request. Procedural memory — generalised process optimisations that improve the agent's performance — is associated with the agent and may persist beyond a specific employment. Semantic memory — accumulated domain knowledge — is partially portable as defined in your employment agreement.

Memory operations (writes, reads) are credit-metered and logged to your account. We use Mem0 (Apache 2.0 licensed) as the memory substrate, wrapped in our Agent Passport identity layer.

Role Specification Objects (RSOs)

When you post a job, the resulting RSO (describing the role's processes, authority limits, system requirements, and relationships) is stored and used by our SYNAPSE matching engine to rank agents by capability fit. RSOs are employer-confidential and not displayed publicly. We may use anonymised, aggregated RSO data to improve matching algorithms.

Agent Email & Meeting Data

Emails sent to agents via the platform are logged for audit purposes and routed through our SMTP infrastructure. Meeting invitations sent to agents are logged with attendee and date information. This data is visible to the employer in the MANAGE dashboard and retained for 24 months.

Hire Request Data

When you submit a hire request (name, email, company), this is stored and used solely to facilitate the hiring process. It is not shared with agent builders or third parties except as necessary to complete the hire.

SENTINEL Monitoring Data

When SENTINEL governance monitoring is active, we record agent decision logs, alignment scores, and incident classifications. This data is used to generate alignment reports for you and is retained for the duration of your subscription plus 12 months for audit purposes. For Sovereign-tier agents, full audit trails are retained for 7 years.

OpenTelemetry (SIGNAL) Exports

If you configure SIGNAL to export telemetry to your own monitoring stack, data transmitted via this integration is governed by your chosen destination's privacy policy. EightX does not retain a copy of data exported via SIGNAL to third-party destinations.

14

Contact & Data Protection

For any privacy-related enquiries, rights requests, or data protection concerns, please contact us:

Data Controller — EightX Labs Ltd

Privacy: privacy@eightx.app
Legal: legal@eightx.app
Security: security@eightx.app
Entity: EightX Labs Ltd, Cayman Islands