Privacy Policy

Effective Date: April 1, 2025  ·  Last Updated: April 25, 2026

This Privacy Policy explains how XO Labs Inc ("XO", "we", "us", or "our") collects, uses, shares, and protects information about you when you access or use the XO platform and services available at xo.builders and associated subdomains (collectively, the "Services").

Capitalized terms used but not defined here have the meanings given in our Terms and Conditions.

By using the Services, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Services.

1. Information We Collect

1.1 Information You Provide Directly

  • Account information — name, email address, username, and password when you register.
  • Payment information — billing address and payment method details. Card data is processed and stored by our third-party payment processor; XO does not store full card numbers.
  • Profile and settings — any additional details you add to your account profile or workspace configuration.
  • Communications — messages you send to us via email, support channels, or feedback forms.
  • Affiliate program data — if you participate in the affiliate program, we collect referral identifiers and payout information.

1.2 Information Generated by Your Use of the Services

  • Agent and Workspace data — the prompts, instructions, memory, and configuration you provide when building or deploying Agents through XO Workspaces.
  • Deployment data — code, container configurations, logs, and application files you upload or deploy through XO Launchpad.
  • MCP and API usage — records of API calls made through the XO MCP Server, including request metadata (timestamps, endpoint, model used) but not necessarily the full content of those requests depending on your plan and configuration.
  • Usage and interaction data — pages visited, features used, clicks, session duration, and other behavioral signals within the platform.
  • Log and diagnostic data — IP addresses, browser type, device identifiers, operating system, referring URLs, and error logs generated automatically when you access the Services.

1.3 Information from Third Parties

  • LLM Providers — when you connect a Model from an LLM Provider (e.g., Anthropic, OpenAI, Google, Mistral), we may receive metadata about API calls (such as token counts and request status) but we do not store the full content of prompts or completions unless you have explicitly enabled logging features.
  • Third-party sign-in — if you register using a third-party account (e.g., GitHub, Google), we receive basic profile information such as name, email, and avatar from that provider.
  • Channel integrations — when you connect Agents to messaging platforms such as Telegram, WhatsApp, or Slack, we may receive metadata about those connections (channel identifiers, webhook status) as needed to maintain the integration.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Services — process your account registration, run your Agents and Deployments, and maintain platform functionality.
  • Process payments — charge subscription fees, manage billing, and handle refunds or disputes.
  • Improve the Services — understand how users interact with the platform, identify bugs, and develop new features.
  • Communicate with you — send transactional emails (account confirmations, billing receipts, security alerts) and, where you have opted in, product updates and announcements.
  • Support you — respond to your questions, troubleshoot issues, and process support requests.
  • Enforce our Terms — detect, investigate, and address fraud, abuse, or violations of our Terms and Conditions.
  • Legal compliance — meet applicable legal obligations, respond to lawful requests, and protect our legal rights.

We will not use your Content or Agent data to train or fine-tune AI models without your explicit consent.

3. LLM Providers and Your Data

XO enables you to bring and connect your own LLM Provider (e.g., Anthropic Claude, OpenAI GPT, Google Gemini, Meta Llama, Mistral). When you do so:

  • Data routing — prompts, instructions, and context you configure are transmitted to your chosen LLM Provider on your behalf. XO acts as infrastructure for that transmission; we do not independently process or retain the content of those transmissions beyond what is necessary to deliver the response to you, unless logging is explicitly enabled.
  • LLM Provider data practices — each LLM Provider has its own privacy policy and data handling practices, including policies on whether they log, retain, review, or use your inputs for model improvement. XO has no control over and is not responsible for how LLM Providers handle data you send to them. You should review the privacy policy of each LLM Provider you connect before use.
  • API key storage — if you store LLM Provider API keys within the Services, we encrypt them at rest. However, you are responsible for the security of your keys and for revoking them if compromised.
  • Your data obligations — if you are sending personal data about your end users through a Model via XO, you are responsible for ensuring you have the appropriate legal basis to do so and that you have disclosed this in your own privacy notices.

4. How We Share Your Information

We do not sell your personal data. We share information only as described below.

  • Service providers. We share data with vendors who help us operate the Services, including cloud infrastructure providers, payment processors, email delivery services, analytics platforms, and customer support tools. These vendors are bound by data processing agreements and may only use your data to provide services to us.
  • LLM Providers. As described in Section 3, data you route through the Services to an LLM Provider is shared with that provider per your configuration. This sharing is at your direction.
  • Third-party integrations. When you connect Third-Party Services (Telegram, WhatsApp, Slack, GitHub, etc.), information necessary to operate those integrations is shared with the relevant platforms.
  • Business transfers. If XO is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is subject to a materially different privacy policy.
  • Legal requirements. We may disclose information if required to do so by law, regulation, legal process, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of XO, our users, or the public.
  • With your consent. We may share your information for purposes not listed here with your explicit consent.

5. Cookies and Tracking Technologies

We use cookies and similar technologies (local storage, session storage, pixels) to:

  • Keep you logged in and maintain your session.
  • Remember your preferences and settings.
  • Analyze usage patterns and platform performance.
  • Serve and measure the effectiveness of any communications.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services. We do not currently respond to "Do Not Track" browser signals, as there is no industry-standard protocol for doing so.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Services. Specifically:

  • Account data is retained for the duration of your account and for up to 90 days following account closure, after which it is deleted or anonymized.
  • Deployment and Agent data (logs, container data, workspace configurations) may be deleted upon account closure or plan expiry. You are responsible for exporting data you need before closing your account.
  • Billing records are retained for as long as required by applicable tax and financial regulations (typically 7 years).
  • Anonymized or aggregated data may be retained indefinitely for analytical purposes and does not identify you individually.

7. Security

We implement industry-standard technical and organizational measures to protect your information, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials and API keys. Notify us immediately at hello@xo.builders if you believe your account has been compromised.

8. Your Rights

Depending on where you are located, you may have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your personal data, subject to legal retention obligations.
  • Portability — request a machine-readable export of your data.
  • Objection / Restriction — object to or request restriction of certain processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

EEA, UK, and Switzerland

If you are located in the European Economic Area, United Kingdom, or Switzerland, XO processes your data as a data controller. The legal bases for processing include contract performance, legitimate interests, legal obligation, and consent. You may lodge a complaint with your local data protection authority.

California Residents (CCPA/CPRA)

California residents have the right to know what personal information we collect and how it is used, to delete personal information, to correct inaccurate personal information, to opt out of the sale or sharing of personal information (we do not sell personal information), and to non-discrimination for exercising these rights. To exercise your rights, contact us at hello@xo.builders.

To exercise any of the above rights, submit a request to hello@xo.builders. We will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling a request.

9. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected such information, contact us at hello@xo.builders and we will take prompt steps to delete it.

10. International Data Transfers

XO is based in the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We take steps to ensure that cross-border transfers comply with applicable data protection laws, including through the use of standard contractual clauses where required.

11. Links to Other Services

The Services may contain links to third-party websites, tools, and platforms. This Privacy Policy applies only to the Services operated by XO. We are not responsible for the privacy practices of any third-party service and encourage you to review their privacy policies before sharing information with them.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the platform before the changes take effect. Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree, you must stop using the Services.

13. Contact

For questions, requests, or concerns about this Privacy Policy or your personal data, contact us at:

XO Labs Inc

2093 Philadelphia Pike, Claymont Delaware 19703

Email: hello@xo.builders

Copyright © 2025 XO INC
All rights reserved
BlogContactTerms of ServicePrivacy PolicyDocsVibe ShowdownETHPHX Culture Jam
XLinkedInGitHubInstagramYouTube