Privacy · v1.0

Your memory, yours.

This page tells you exactly what we collect, what we don't, who can see it, and how to delete it. Written by humans, in plain language, with no dark patterns.

Effective 23 · May · 2026  ·  Plain-English version

The short version Your conversations, files, and memory live on your device or in storage we ring-fenced to your account. We don't train shared models on your data. You can delete any of it, any time, and we'll be done within seven days.
Effective23 May 2026 OperatorXAGI Labs Private Limited

01Who this applies to

This policy covers anyone who visits xagilab.com, joins the waitlist at tryatlasagi.com, or uses ATLAS through any of our channels (desktop app, web, mobile, voice, or messaging integrations). We refer to ATLAS, our hosted services, and this website together as the "Service."

02What we collect, and why

We try to collect the smallest amount of data that lets ATLAS do useful work for you. Concretely:

  • Account basics — your email, name, and a hashed verification token. Used to log you in and reach you about the Service.
  • Conversations and memory — what you say to ATLAS, what ATLAS does for you, and the long-term memory it builds about your work. Used only to give you continuity across sessions.
  • Tool calls and audit log — every action ATLAS takes on your behalf (a file written, a message sent, a site visited) is logged so you can review it later.
  • Device and network metadata — IP address, browser/OS, locale. Used for security, fraud prevention, and rough product analytics. Coarsened to a region when we look at it.
  • Payment information — when ATLAS becomes paid, our payment processor (e.g. Stripe, Razorpay) handles card data directly. We never see or store your card number.

03What we don't do

  • We do not train shared foundation models on your data. The memory ATLAS builds about you stays bound to your account and isn't recycled into the next user's experience.
  • We do not sell, rent, or trade your data to third parties for advertising.
  • We do not read your memory or conversations except in narrow cases (see §7).
  • We do not use dark patterns to make data deletion or account closure harder.

04Where your data lives

ATLAS is designed to keep as much as possible on your device. The desktop app stores your long-term memory locally in an encrypted SQLite database under your user profile.

When ATLAS needs the cloud — for the LLM that powers it, for the live-voice backend, or for backup / sync — your data passes through Convex (our backend), a small number of model providers (Anthropic, OpenAI, Google), and our hosting provider. Each of these is bound by a written processor agreement that mirrors the terms above. The full list lives at /contact; reach out and we'll send you the current version.

05How long we keep it

  • Account data — for as long as your account is active, plus 30 days after closure.
  • Memory / conversations — until you delete them. You can delete any item, any thread, or wipe everything from the desktop app or via privacy@xagilab.com.
  • Audit logs — 90 days for security purposes.
  • Backups — encrypted, rolling 14-day window. Deleted items roll out of backups automatically.

06Your rights

Whatever jurisdiction you're in — India's DPDP Act, the EU's GDPR, California's CCPA — you have the right to:

  1. Access a copy of everything we hold about you.
  2. Correct anything that's wrong.
  3. Delete your account and all associated data.
  4. Object to or restrict specific processing.
  5. Port your data out in a machine-readable form.
  6. Lodge a complaint with your local data protection authority.

Email privacy@xagilab.com with the request. We aim to respond within 7 working days and complete within 30.

07When humans look at data

We treat looking at user data as a serious thing. The only times a human at XAGI Labs may see your data are:

  • You explicitly asked us for support and shared a session or excerpt.
  • We have a credible report of abuse, illegal activity, or imminent harm.
  • We're legally compelled by a valid order from a court with jurisdiction.
  • An on-call engineer is investigating a service incident and needs a minimal, time-boxed view of metadata (not contents) to fix it.

Every such access is logged. We publish an annual transparency report once we have non-trivial numbers to share.

08Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256-GCM for cloud storage; OS-level encryption for the local DB). Convex transports between the client and backend use ECDH-derived per-session keys layered on top of HTTPS. Our internal access uses hardware security keys.

No system is unbreakable. If we discover an incident affecting your data, we'll notify you within 72 hours of confirmation, with what we know and what we're doing.

09Children

ATLAS is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, write to privacy@xagilab.com and we'll delete it.

10Changes

If we update this policy in a way that materially changes how your data is handled, we'll email everyone with an active account at least 14 days before the change takes effect. Minor edits (typos, clarifications) are reflected in the "Effective" date above.

11Grievance officer & operating entity

Grievance Officer: Dheeraj Sivakumar (DIN 11727598), designated under IT Rules 2021 & DPDP Act 2023.
Privacy, complaints, data requests: privacy@xagilab.com
General contact: /contact

Operating entity: XAGI Labs Private Limited
Incorporated 18 May 2026 under the Companies Act, 2013, India.
CIN: U62011KL2026PTC103330
Registered office: No. 49/1492/1, Kripgardence, Poozhikunnu, Industrial Estate, Thiruvananthapuram, Kerala 695019, India.

— XAGI Labs Private Limited · Effective 24 May 2026

Questions?

If anything here feels off — tell us.

We don't run a "data protection officer" through a help desk script. Write a real email and a real person at the company will reply.

Email privacy@xagilab.com Read the terms