Privacy Policy
Last updated: July 20, 2025
SIP FOR YOU IT SOLUTIONS DMCC, trading as xBRAINS AI (collectively “xBRAINS,” “we,” “us,” or “our”), values your privacy and is committed to protecting your personal information in accordance with applicable data‑protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the UAE Federal Decree‑Law No. 45 of 2021 (PDPL), and relevant Saudi Arabian regulations.
This Privacy Policy sets out how we collect, use, disclose, and safeguard personal information across two products:
• xBRAINS.ai – our public marketing website (the “Site”);
xAGENTS – our logged‑in, software‑as‑a‑service platform for building and operating AI agents (the “Platform”).
If you have any questions, please e‑mail us at info@xbrains.ai.
1. Scope & Roles
Last updated: July 20, 2025
Role
Details
Data Controller
SIP FOR YOU IT SOLUTIONS DMCC (Licence No. DMCC‑852426), Dubai, UAE
Applicability
Global – including users in the EU/EEA, UK, UAE, and Saudi Arabia
2. Personal Data We Collect
Last updated: July 20, 2025
The type and volume of data we process depends on how you interact with us.
2.1 Site – xBRAINS.ai
Category
Data
Source
Meeting Booking
Name, e‑mail address, any notes you submit
Provided by you via Cal.com
Usage Analytics
Truncated IP address, device/OS, browser type & settings, pages visited, timestamps
Collected automatically via Google Analytics 4
2.2 Platform – xAGENTS
Last updated: July 20, 2025
Category
Data
Purpose & Notes
Account
E‑mail (login), hashed password
Credentials are auto‑issued when your account is provisioned
Profile (optional)
Name, company, preferred UI language, timezone
Displayed inside your dashboard and used to localise features
Uploaded Content
Text, PDFs, TXT files, contact lists
Stored in encrypted form and used to train or augment your agents
Web‑scrape Data
Public webpages you instruct us to crawl
Saved as part of the agent knowledge base
Integrations
Gmail messages; CRM leads/contacts (HubSpot, Bitrix, Salesforce, Pipedrive, Zoho CRM, Microsoft Dynamics); Google Workspace files; Notion blog content
Pulled into the Platform at your request; messenger channels (Telegram, WhatsApp) push agent replies back
Conversation Logs
Full chat transcripts, status (active/inactive), timestamps
Retained for debugging, safety‑monitoring, and improvement; deletable on request
2.3 Automatic Data & Cookies
Last updated: July 20, 2025
We use only essential cookies plus Google Analytics 4 performance cookies. No advertising, cross‑site, or retargeting cookies are employed.
Cookie
Purpose
Duration
_ga
Anonymous visitor ID for performance analytics
14 months
_ga_*
Session state & engagement metrics
14 months
Uploaded Content
Text, PDFs, TXT files, contact lists
Stored in encrypted form and used to train or augment your agents
Web‑scrape Data
Public webpages you instruct us to crawl
Saved as part of the agent knowledge base
Integrations
Gmail messages; CRM leads/contacts (HubSpot, Bitrix, Salesforce, Pipedrive, Zoho CRM, Microsoft Dynamics); Google Workspace files; Notion blog content
Pulled into the Platform at your request; messenger channels (Telegram, WhatsApp) push agent replies back
Conversation Logs
Full chat transcripts, status (active/inactive), timestamps
Retained for debugging, safety‑monitoring, and improvement; deletable on request
Opt‑Out. You can refuse or delete analytics cookies via your browser settings. Disabling essential cookies may affect Site functionality.
3. Why We Use Personal Data & Legal Bases
Last updated: July 20, 2025
Purpose
Typical Date
Legal Basis*
Provide, configure & secure accounts, agents, and integrations
Account data, profile data, uploaded content
Contract (Art. 6 (1)(b) GDPR)
Schedule & confirm meetings
Session state & enName, e‑mailgagement metrics
Contract
Diagnose errors, improve models, and provide customer support
Logs, usage data
Legitimate Interests (Art. 6 (1)(f))
Web‑scrape DSite analytics & security monitoringata
Usage analytics, IP address
Legitimate Interests
IntegPayment processing (Stripe) – future featurerations
Payment card data (processed directly by Stripe)
Contract
Marketing e‑mails – future feature
E‑mail address
Consent (Art. 6 (1)(a))
*For users outside the GDPR/PDPL scope, we rely on the equivalent lawful grounds under local law.
We will never use your personal information for automated decision‑making that produces legal or similarly significant effects without your explicit consent.
4. Sharing & Sub‑Processors
Last updated: July 20, 2025
Recipient
Role
Location*
Cal.com
Meeting scheduler
EU & US
Google Analytics 4
Site metrics (aggregated)
ContraGlobal (EU IP truncation)ct
Diagnose MongoDB Atlaserrors, improve models, and provide customer support
Primary database (encrypted at rest)
UAE region
LLM Providers (OpenAI, Anthropic, Google, Meta, Mistral, Falcon)
Generate AI‑agent outputs; store prompts & model responses transiently
Various – SCCs or equivalent safeguards
Optional Integrations (e.g., Google Workspace, CRMs, Telegram, WhatsApp)
Data sync at your direction
As defined by each provider
Stripe
Payment processor (planned)
EU & US
*Exact hosting regions may vary; we select regions offering robust privacy protections wherever feasible.
5. International Transfers
Last updated: July 20, 2025
Our primary hosting is in the United Arab Emirates. If data is transferred to a country that has not received an adequacy decision from the European Commission (for EU data) or the UAE Data Office (for UAE data), we implement Standard Contractual Clauses or comparable safeguards, along with technical measures such as encryption and data‑minimisation.
6. Data Retention & Deletion
Last updated: July 20, 2025
Data Set
Typical Retention
Deletion Method
Site booking records
Until the meeting occurs or upon your request
Manual removal from Cal.com & internal CRM
GA4 analytics
14 months (shortest GA4 setting)
Automatic expiry in GA4
Platform account & profile
Life of account
Deactivated accounts purged after 12 months of inactivity
Uploaded documents & knowledge bases
Until you delete the agent project or request erasure
Self‑service delete or support ticket
Conversation logs
Indefinite (for debugging/safety); removed on request
Support ticket
We may retain minimal backups for up to 30 days beyond deletion to support disaster recovery.
7. Security Measures
Last updated: July 20, 2025
We deploy industry‑standard administrative, technical, and organisational safeguards:
• Encryption – TLS 1.3 in transit; AES‑256 at rest via MongoDB Atlas.
• Access Controls – role‑based permissions, multi‑factor authentication for staff.
• Audit & Monitoring – real‑time logging, anomaly detection, quarterly access reviews.
• Secure Development Lifecycle – code reviews, dependency scanning, and penetration tests by certified third parties.
• Business Continuity – geo‑redundant backups, disaster‑recovery plan with 24‑hour RTO.
Despite these best practices, no online service can guarantee absolute security. If we detect a breach affecting your data, we will notify you and relevant regulators as required by law.
8. Children’s Privacy
Last updated: July 20, 2025
• Site (xBRAINS.ai): not directed to children under 13.
• Platform (xAGENTS): not directed to individuals under 18.
We do not knowingly collect information from anyone below these ages. If you believe we have inadvertently processed such data, please contact us so we can delete it promptly
9. Your Rights & How to Exercise Them
Last updated: July 20, 2025
1 . Access – obtain a copy of the personal data we hold about you.
2. Rectify – correct incomplete or inaccurate data.
3. Erase – request deletion of data where no legal basis exists for retention.
4. Restrict – limit processing in certain circumstances.
5. Object – to processing based on legitimate interests or direct marketing.
6. Portability – receive data in a structured, machine‑readable format and transmit it to another controller.
7. Withdraw consent – where processing is based on consent, at any time.
9.1 Self‑Service Tools (Platform)
Last updated: July 20, 2025
Within xAGENTS you can:
Delete agent projects, uploaded documents, and knowledge bases;
Regenerate API keys; and
Disable specific integrations.
For log deletion, integration revocation, or other requests, e‑mail info@xbrains.ai. We aim to respond within 14 days (or 10 working days where mandated by UAE PDPL).
10. Automated Decision‑Making & Profiling
Last updated: July 20, 2025
We do not engage in fully automated decision‑making that produces legal or similarly significant effects on individuals. AI‑generated suggestions are always subject to human review before any binding decisions are made.
11. Changes to This Policy
Last updated: July 20, 2025
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide a prominent notice (e.g., in‑app banner or e‑mail). Your continued use of our products after the effective date constitutes acceptance of the revised Policy.
12. Contact Us
Last updated: July 20, 2025
xBRAINS AI
SIP FOR YOU IT SOLUTIONS DMCCE‑mail: info@xbrains.ai