Overview
EightX does not sell your personal data. We do not use your prompts or AI outputs to train our own models. We collect the minimum data needed to provide, improve, and secure the Platform.
This Privacy Policy applies to all users of the EightX Platform at eightx.app and api.eightx.app. The data controller is EightX LLC, a Cayman Islands exempted company.
If you are in the European Economic Area (EEA) or United Kingdom, EightX processes your personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively. If you are in California, EightX processes your data in accordance with the California Consumer Privacy Act (CCPA).
Data We Collect
2.1 Account Data
When you register or sign in, we collect:
- Email address (required)
- Name (if provided via Google OAuth)
- Profile picture (if provided via Google OAuth, optional)
- Account creation date and last login timestamp
- Account UUID (internal identifier)
2.2 Usage & Query Data
When you send queries through the Smart Router, we log:
- Timestamp of query
- API Key or Agent Passport identifier used
- Model selected by Smart Router
- Input and output token counts
- Credits deducted
- Routing mode (cost / speed / quality)
- Response latency
We do not log the content of your prompts or AI responses in our usage_logs table. Prompt content is transmitted to Third-Party Providers only and is subject to their privacy policies.
2.3 Conversation Data
EightX may store conversation metadata (session identifiers, message counts, timestamps) for operational purposes. Full prompt and response content storage is configurable by the user in Dashboard settings.
2.4 Billing & Payment Data
Credit purchases and subscription payments are processed by Stripe. EightX does not store full card numbers or CVV codes. We receive and store:
- Stripe customer ID
- Payment intent status
- Credit balance and transaction history
- Subscription tier and renewal dates
2.5 Technical Data
We automatically collect:
- IP address (used for rate limiting and security; not stored long-term)
- Browser and device type (User-Agent string)
- Pages visited and features used
- API error codes and response times
2.6 Agent Passport Data
For each Agent Passport issued, we store:
- Passport identifier (agt_8x_…)
- Agent name (as set by the issuing user)
- Quality score
- Spend limit
- Issue and expiry dates
- Status (active / revoked)
- Linked account UUID
2.7 Communications Data
If you contact EightX support, we retain the content of those communications for account management and service improvement purposes.
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide Platform services | Account, usage, billing data | Contract |
| Process payments & manage Credits | Billing, usage logs | Contract |
| Authenticate API requests | API Keys, Agent Passports | Contract |
| Security & fraud prevention | IP address, usage patterns | Legitimate interest |
| Rate limiting & abuse prevention | IP address, API Key usage | Legitimate interest |
| Platform analytics & improvement | Aggregated usage data | Legitimate interest |
| Customer support | Account, communications | Contract / Legitimate interest |
| Legal compliance | Account, billing data | Legal obligation |
| Service communications (outages, updates) | Email address | Contract / Legitimate interest |
| Marketing (opt-in only) | Email address | Consent |
EightX does not use personal data for automated decision-making that produces legal effects, or for profiling for advertising purposes.
Legal Basis for Processing (GDPR)
For EEA and UK users, EightX processes personal data under the following legal bases:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Platform services you have signed up for, including routing queries, billing, and account management.
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, rate limiting, service improvement, and platform analytics. EightX has conducted Legitimate Interest Assessments (LIAs) for each of these purposes.
- Legal Obligation (Art. 6(1)(c)): Retaining records required by applicable tax, financial, or anti-money laundering laws.
- Consent (Art. 6(1)(a)): Sending optional marketing communications. You may withdraw consent at any time via the unsubscribe link in emails or by emailing privacy@eightx.app.
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 3 years post-closure | Legal / disputes |
| Usage logs (metadata) | 24 months | Billing audit / analytics |
| Billing records | 7 years | Tax / financial compliance |
| Agent Passport records | Duration of account | Identity / security |
| IP address logs | 30 days | Security / rate limiting |
| Support communications | 3 years from last communication | Service quality |
| Marketing consent records | 5 years from withdrawal | GDPR compliance |
After the retention period, data is securely deleted or anonymised. Anonymised, aggregated data (with no ability to identify individuals) may be retained indefinitely for platform analytics.
Security
EightX implements industry-standard security measures to protect your data:
- Encryption in transit: All communication with eightx.app and api.eightx.app is via HTTPS/TLS. API keys and Agent Passport tokens are transmitted only over encrypted connections.
- Encryption at rest: Databases are encrypted at rest on our hosting infrastructure.
- HMAC-SHA256 signing: Agent Passport tokens are cryptographically signed to prevent forgery.
- Parameterized queries: All database operations use parameterized queries to prevent SQL injection.
- Authentication: API access requires a valid API key or Agent Passport. Invalid credentials return 401 responses. No unauthorised data is exposed.
- Rate limiting: API endpoints are rate-limited to prevent abuse.
- Credential storage: Passwords are hashed using bcrypt. API Keys are stored as cryptographic hashes, not in plaintext.
If you discover a security vulnerability, please report it responsibly to security@eightx.app. We commit to acknowledging reports within 24 hours and resolving critical issues within 72 hours. Do not publicly disclose vulnerabilities before we have had an opportunity to address them.
In the event of a personal data breach that poses a risk to your rights, EightX will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR).
Autonomous Agents
When autonomous AI agents access the Platform using Agent Passports:
- The agent's queries are logged under the account of the user who issued the Passport;
- Agent Passport metadata (identifier, spend, quality score) is stored as set out in Section 2.6;
- EightX does not receive or store the identity of the end-user interacting with an Agent unless that user has their own EightX account;
- Operators deploying Agents that process personal data on behalf of end-users are responsible for ensuring their own GDPR/privacy compliance, including maintaining their own privacy notices and data processing agreements with end-users.
If your use case involves Agents processing personal data of your end-users at scale, please contact privacy@eightx.app to discuss a Data Processing Agreement (DPA).
International Data Transfers
EightX is based in the Cayman Islands. Our infrastructure providers (Railway, Vercel) may process data in the United States or other jurisdictions. Where we transfer personal data out of the EEA or UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We rely on EU-approved SCCs for transfers to our US-based infrastructure and AI providers.
- Adequacy decisions: Where applicable, we rely on adequacy decisions from the European Commission.
To request information about specific transfer mechanisms, contact legal@eightx.app.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data EightX holds about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data, subject to retention obligations.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interest, including for marketing.
Right to Restriction
Request that we restrict processing of your data in certain circumstances.
Withdraw Consent
Withdraw consent for marketing at any time without affecting prior lawful processing.
CCPA Rights
California residents may request disclosure, deletion, and opt-out of sale (EightX does not sell data).
To exercise any of these rights, contact us at privacy@eightx.app. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK).
Children
The Platform is not directed at children under 18 years of age. EightX does not knowingly collect personal data from children. If you believe a child has provided personal data to EightX, please contact us at privacy@eightx.app and we will take steps to delete such information promptly.
Changes to This Policy
EightX may update this Privacy Policy from time to time. Material changes will be communicated by email to the address on your account and via a notice on the Platform at least 14 days before taking effect. The "Effective date" at the top of this page will be updated on each revision.
We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of changes constitutes your acceptance of the updated Policy.
Contact & Data Protection
For any privacy-related enquiries, rights requests, or data protection concerns, please contact us: