Privacy Policy

Effective date: April 6, 2026

xysq is built on a simple belief: your memory belongs to you. This policy explains what data we collect, why we collect it, how we protect it, and the controls you have over it. We do not sell your data. We do not use your memories to train AI models. Everything you store stays yours.

1. Who We Are

xysq ("we", "us", "our") is a consent-first memory layer for AI agents. We operate the service at xysq.ai and the API at api.xysq.ai. To contact us about privacy, email privacy@xysq.ai.

2. What We Collect

Information you provide

Memories — the text content you or your AI agents store through xysq.
Account information — your email address and display name, provided via Auth0 login (email/password or Google).
Profile data — optional fields you choose to fill in: occupation, location, bio, and social links.

Information generated automatically

Activity logs — which agents accessed which memories and when (used for your dashboard, not for advertising).
API tokens — stored as one-way SHA-256 hashes; the raw token is shown to you once and never stored in plain text.
Usage metadata — memory counts, timestamps, and tags attached to memories.

What we do NOT collect

We do not use cookies for tracking or advertising.
We do not collect payment information directly (Stripe handles billing if applicable).
We do not read or analyse your memory content for advertising purposes.

3. How We Use Your Data

We use your data solely to operate and improve the xysq service:

Storing, indexing, and retrieving your memories on demand.
Authenticating you and your connected AI agents.
Displaying activity and usage statistics on your dashboard.
Enforcing memory quotas and plan limits.
Sending transactional emails (account-related only — no marketing without explicit opt-in).
Diagnosing errors and improving reliability.

We never sell your data, share it with advertisers, or use your memories to train AI models.

4. Third-Party Services

We use the following sub-processors to operate xysq. Each is contractually bound to protect your data:

Provider	Purpose	Data shared
Auth0 (Okta)	Authentication & identity	Email, name
Supabase	Database (sessions, profiles, logs)	User ID, activity metadata
Google Cloud Platform	Hosting & infrastructure	All data at rest (encrypted)
OpenAI (ChatGPT)	Optional GPT integration	Memory content you store via the GPT

When you use xysq via the ChatGPT Custom GPT, your conversation passes through OpenAI's systems. Please review OpenAI's Privacy Policy for how they handle conversation data.

5. Data Retention

Memories — retained until you delete them or close your account.
Activity logs — retained for 12 months, then automatically purged.
Device sessions — expired sessions are pruned hourly.
Account data — deleted within 30 days of account closure.

6. Your Rights & Controls

You have full control over your data at all times:

Access — view all stored memories from your dashboard.
Edit — update or correct any memory at any time.
Delete — remove individual memories or all memories at once.
Export — request a full export of your data by emailing us.
Revoke agent access — disconnect any AI agent from the Connected Agents page; that agent immediately loses access to your memory.
Close account — permanently delete your account and all associated data from Settings.

If you are in the European Economic Area (EEA) or the UK, you also have rights under GDPR including the right to restriction of processing and the right to lodge a complaint with your local supervisory authority. If you are in California, you have rights under the CCPA including the right to know, delete, and opt out of sale (we do not sell data).

7. Security

We apply industry-standard security measures to protect your data:

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via GCP).
API tokens are stored as one-way SHA-256 hashes — we cannot recover your raw token.
Authentication is handled by Auth0 with RS256-signed JWTs.
Access to production systems is restricted to authorised personnel only.

If you discover a security vulnerability, please disclose it responsibly to security@xysq.ai.

8. Children's Privacy

xysq is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at privacy@xysq.ai and we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. When we do, we will update the effective date at the top and, for material changes, notify you via email or an in-app notice. Your continued use of xysq after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

For privacy questions, data requests, or to exercise your rights, contact us at:

privacy@xysq.ai

We respond to all privacy requests within 30 days.