Privacy Policy

Your Trust, Our Priority

We protect your data with full transparency.

1. Who We Are

XFACTORAI LLC, registered in the United States, with its registered office at STE 210 - OFFICE 4812, 7345 W SAND LAKE RD, Orlando, Florida 32819 ("XFactorAi," "we," "us"), provides AI-powered negotiation and communication tools (the "Services"). We respect your privacy and are committed to protecting it.

2. What This Policy Covers

This Policy explains how we handle personal data when you use our Services, including:

  • What data we collect and process
  • Our role vs. your role in processing
  • Retention, transfers, and sub-processors
  • Your rights under laws like GDPR and CCPA/CPRA
  • Token usage and tracking
  • Account data storage
  • Chat and conversation storage

3. Our Role vs. Your Role

You (or your organization) are the Data Controller. You decide why and how to process your content.

We are the Data Processor. We act strictly on your instructions, process User Content to deliver the Services, and delete it when no longer needed.

If you store threads, you remain responsible for ensuring you have the right to keep that data (e.g., emails that involve other people).

By submitting User Content, you confirm you have obtained all necessary rights and consents. If you upload third-party data without a valid lawful basis, you are solely liable for any resulting claims, fines, or penalties. XFactorAi disclaims all responsibility.

4. What Data We Process

a. User Content

  • Emails, messages, documents, or recordings you submit.
  • Default Storage: All User Content is automatically stored in our secure backend database. There are no temporary sessions - all data is persisted by default.
  • We record minimal operational telemetry (routing decisions, analyzer gating, compliance mode, anonymized risk bands). This data is masked or anonymized and may be sent to third-party systems you configure (e.g., Salesforce, Slack, Zapier) via signed webhooks. You control these integrations.
  • User Content is retained until you delete it or close your account.

b. Operational Data

  • Metadata such as timestamps, request size, browser/device type, and status codes.
  • Used for security, auditing, and performance monitoring.
  • Does not include the contents of your inputs or outputs.

c. Authentication and Account Data

When you use our Services, including the Outlook Add-in, we collect and store the following account-related information:

Authentication Tokens:

  • Identity tokens (idToken) used for authentication and authorization
  • Tokens are stored securely in Microsoft Office roaming settings (Office.context.roamingSettings) when using the Outlook Add-in
  • Tokens are encrypted and used solely for service authentication
  • Tokens may be refreshed automatically to maintain service access

User Account Information:

  • Email address (username)
  • Display name
  • User ID (unique identifier)
  • Authentication provider (e.g., Google, Microsoft, Email/Password)
  • Profile photo URL (if provided)
  • Authentication timestamp
  • Account preferences and settings

Storage Location:

  • For Outlook Add-in users: Account data is stored in Microsoft Office roaming settings, which syncs across your Office installations
  • For web dashboard users: Account data is stored in our secure database
  • All account data is encrypted in transit and at rest

Retention:

  • Account data is retained for the duration of your account
  • Authentication tokens are refreshed periodically and old tokens are invalidated
  • Upon account deletion, all account data and tokens are permanently removed within 30 days

d. Token Usage Data

We track and store token usage information to manage service limits and provide usage transparency:

What We Track:

  • Number of tokens used (input and output tokens)
  • Token usage limits (based on your subscription plan)
  • Token usage percentage
  • Token usage history and trends

Storage:

  • Token usage data is stored in:
    • Office roaming settings (for Outlook Add-in users)
    • Our secure database (for all users)
  • Token usage is aggregated and associated with your account

Purpose:

  • Enforcing subscription limits and quotas
  • Providing usage visibility in the user interface
  • Billing and subscription management
  • Service optimization and capacity planning

Retention:

  • Token usage data is retained for the duration of your account
  • Historical usage data may be retained for up to 24 months for billing and analytics purposes
  • Aggregated, anonymized usage statistics may be retained longer for service improvement

e. Chat and Conversation Data

When you use our Services to generate responses, analyze content, or engage in conversations, all conversation data is automatically stored:

What We Store:

  • Conversation IDs (unique identifiers for each conversation session)
  • Conversation metadata (title, creation date, model used, system prompts)
  • Message history (user inputs and AI-generated responses)
  • Token counts per message
  • Conversation settings and preferences
  • Recent conversation references

Storage:

  • Default Behavior: All conversations are automatically stored in our secure PostgreSQL database. There are no temporary sessions - all data is persisted by default.
  • All conversations go through our backend and are stored:
    • Conversations are stored in our secure PostgreSQL database
    • Messages are associated with your user account
    • Conversation IDs may be stored locally in Office roaming settings (for Outlook Add-in users) for quick access
    • Recent conversation metadata is cached locally for performance

Storage Locations:

  • Primary storage: Secure cloud database (PostgreSQL)
  • Local caching: Office roaming settings (Outlook Add-in only)
  • Backup storage: Encrypted backups retained for up to 30 days

Retention:

  • All Conversations: Retained until you:
    • Manually delete the conversation
    • Delete your account
    • Request deletion via support
  • Backups: Automatically purged after 30 days
  • Local Cache: Cleared when you clear Office roaming settings or uninstall the add-in

Your Control:

  • You can delete individual conversations at any time
  • You can clear all conversation data from local storage
  • You can export your conversation data
  • Account deletion automatically removes all stored conversations

Data Sharing:

  • Conversation content is not shared with third parties except:
    • As necessary to provide the service (e.g., sending to OpenAI API for processing)
    • When required by law
    • With your explicit consent

5. How We Use Data

We use data only to:

  • Process your inputs and generate outputs
  • Provide and improve our Services
  • Maintain security and performance
  • Comply with legal obligations
  • Track token usage for subscription management
  • Authenticate and authorize your access
  • Store all conversations automatically (storage is always enabled)

We do not:

  • Sell your data
  • Use User Content for advertising
  • Repurpose User Content for unrelated purposes
  • Share conversation content with third parties for marketing

Default retention & residency: Unless you set stricter admin controls, we retain Raw Inputs for up to 90 days (all data is stored by default), Derived Metrics & Telemetry for up to 365 days, and Backups for a rolling 30-day cycle. Data is stored in your selected residency region (EU, US, AU, etc.) and never replicated cross-region without legal safeguards.

6. Data Retention

We retain data only as long as necessary:

  • User Content & Conversations: All content is stored by default and retained until you delete it or close your account.
  • Threads & Messages: Kept until you delete them or close your account.
  • Logs: Operational metadata retained for security, auditing, or legal compliance.
  • Authentication Tokens: Refreshed periodically; old tokens invalidated immediately.
  • Account Data: Retained for the duration of your account; deleted within 30 days of account closure.
  • Token Usage Data: Retained for the duration of your account; historical data may be retained up to 24 months.
  • Conversation Data:
    • All conversations: Retained until deletion or account closure
    • Backups: Purged after 30 days
  • Anonymization: Where possible, we may anonymize data instead of deleting it to preserve service integrity without retaining personal information.

Retention is guided by factors such as sensitivity of data, legal requirements, and technical feasibility.

7. Sub-Processors

We may use trusted sub-processors, including:

  • OpenAI API (for outputs)
  • Cloud hosting providers (infrastructure)
  • Microsoft Office Services (for Outlook Add-in integration and roaming settings)

We store and process data in your selected residency region. Cross-border transfers occur only with legal safeguards such as SCCs/UK Addendum or equivalent. In regions requiring localization (e.g., CN), processing is limited to that region.

We ensure all sub-processors apply appropriate security and privacy protections. Customers will be notified of new sub-processors.

8. International Data Transfers

We acknowledge requests within 10 business days where required (e.g., CCPA/CPRA) and respond within the legal timeframe (EU/UK: 1 month; US-CA/CO/VA/CT/UT: 45 days, extendable once). Exports include all metadata. Deletes cascade to backups and indices within 24h of completion.

EU/UK Users: We rely on Standard Contractual Clauses (SCCs) and the UK Addendum for transfers.

California Users: We comply with CCPA/CPRA rules for service providers.

Global Users: Transfers are protected by appropriate safeguards as required.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access – receive a copy of your personal data
  • Correct – update inaccurate or incomplete data
  • Delete – request erasure of your data ("right to be forgotten")
  • Restrict – limit how your data is used in certain cases
  • Portability – request a copy in a structured, machine-readable format
  • Object – object to certain types of processing
  • Withdraw consent – if processing is based on consent, withdraw at any time
  • Export Conversations – download your stored conversation data
  • Clear Local Data – remove data stored in Office roaming settings (Outlook Add-in)

To exercise these rights, contact us at contact@xfactorai.com. We will respond in accordance with applicable laws.

California-specific disclosure: We do not sell personal information. We only act as a service provider as defined under the CCPA/CPRA.

10. Security

We use encryption, access controls, monitoring, and regular reviews to protect data. However, no system is 100% secure. We encourage you to use caution when sharing sensitive content.

Security Measures:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for stored data
  • Secure token storage and management
  • Regular security audits and updates
  • Access controls and authentication
  • Monitoring and intrusion detection

If required by law, we will notify you of any data breach affecting your personal data.

11. Children's Privacy

Our Services are not directed at children under 18. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Policy from time to time.

  • Material changes: We will notify you through the Services or by email.
  • Minor updates: Reflected in the Policy posted online.

13. Jurisdictional Use of Services

You are responsible for ensuring that your use of the Services complies with the laws and regulations of your jurisdiction, including any restrictions on processing personal data. Certain features of the Services (such as automated processing of emails, texts, or recordings) may not be lawful in all regions.

By using the Services, you confirm that you have the necessary rights, permissions, and consents to upload or process any personal data through XFactorAi in your jurisdiction. XFactorAi does not accept responsibility for unlawful use of the Services in violation of applicable law.

14. Outlook Add-in Specific Information

Office Roaming Settings

When using the XFactorAi Outlook Add-in, certain data is stored in Microsoft Office roaming settings to provide a seamless experience across your Office installations:

Data Stored in Office Roaming Settings:

  • Authentication tokens (idToken)
  • User account information (username, displayName, userId, photoURL)
  • Authentication provider information
  • Token usage data
  • Conversation IDs (for quick access)
  • Recent conversation metadata
  • User preferences and settings
  • Theme preferences

Important Notes:

  • Office roaming settings sync across your Office installations (Desktop, Web, Mobile)
  • Data in roaming settings is managed by Microsoft and subject to Microsoft's privacy policy
  • You can clear roaming settings data at any time through Office settings
  • Clearing roaming settings will require you to re-authenticate

Data Control:

  • You can clear conversation IDs from local storage via the add-in interface
  • You can refresh token usage data manually
  • Account deletion removes all associated roaming settings data

15. Contact Us

For privacy questions or requests, contact us at:

XFACTORAI LLC
Email: contact@xfactorai.com
STE 210 - OFFICE 4812
7345 W SAND LAKE RD
Orlando, Florida 32819