Privacy Policy
Last updated: 7 July 2026
1. Introduction
QX Labs (qxlabs.com) is operated by Quantera Ltd (“QX Labs”, “we”, “us”, or “our”). We provide the QX platform (the “Service”): an AI agent and automation workspace where teams build agents, grids, flows, and knowledge vaults, connect third-party apps, and deploy work across channels such as Slack, email, WhatsApp, and Microsoft Teams.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, create an account, or use the Service. By using the Service, you agree to the practices described here.
Questions can be sent to hello@qxlabs.com or security@qxlabs.com.
Key definitions
Customer Data means data submitted to or processed by the Service on your behalf, including account and organisation information; connection credentials (for example OAuth tokens and API keys); workspace settings; agents, grids, flows, and knowledge vault content; conversation threads and outputs; files and attachments; and service and audit logs generated in connection with your use of the Service.
Our role: controller and processor
For some personal data we act as a controller— we decide why and how it is processed. This covers account registration and authentication, billing, website and analytics data, advertising measurement, support enquiries, and our own staff records. This Privacy Policy describes that processing.
For personal data contained in the content you and your users put into the Service (Customer Data), we act as a processor on your behalf, and your organisation is the controller. That processing is governed by our Data Processing Addendum (DPA), which is incorporated into our Platform Terms of Service and applies automatically to business customers. Our DPA is available on request via our Trust Center.
2. Information we collect
We collect only the information necessary to provide, maintain, secure, and improve the Service.
A. Account and organisation information
When you register for or use the Service, we may collect:
- Name, email address, organisation name, role, and other details you provide during signup, onboarding, or account settings.
- Authentication identifiers from identity providers you choose (for example Google or Microsoft single sign-on), including your email address and basic profile information as permitted by that provider.
- Organisation membership, billing tier metadata, and workspace configuration.
B. Connection credentials and integrations
When you connect third-party services, we store credentials and metadata needed to maintain those integrations, including OAuth tokens, API keys, granted scopes, and connected account identifiers. Credentials you mark as shared within your organisation may be available to other authorised members according to your role-based access controls.
C. Platform content and records
We store content needed to operate the Service, including:
- Agents, grids, flows, knowledge vaults, and workspace files you create or configure.
- Conversation history, run outputs, execution logs, and billing or credit usage records.
D. Third-party service data
When you connect integrations and run agents, grids, or flows, we access data from connected third-party services only within the scopes and permissions you authorise, as needed to execute the automations you configure.
E. Service logs and website data
We also collect:
- Service, audit, and security logs (for example timestamps, error logs, and trace data for workflow and agent runs).
- Website analytics and cookie data on our marketing site, as described in our Cookie Policy.
- Advertising measurement data (for example ad click identifiers and sign-up conversion events) on our marketing site and platform, as described below and in our Platform Terms of Service.
- Information you provide when you contact us or book a demo.
3. How we use your information
We use the information described above to:
- Provide, operate, and improve the Service.
- Authenticate users, maintain integrations, and execute agents, grids, flows, and scheduled jobs at your direction.
- Process relevant portions of Customer Data through AI systems to generate outputs at your direction. We do not use Customer Data for advertising, and we do not use Customer Data to train our own or third-party foundation models.
- Maintain security, detect abuse, and comply with legal obligations.
- Measure the effectiveness of our advertising and attribute sign-ups to ad campaigns.
- Send service-related communications and, where you have opted in, marketing communications you can opt out of at any time.
We do not sell your personal data.
Legal bases (UK/EEA)
Where UK or EU data protection law applies and we act as a controller, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service and managing accounts | Performance of a contract |
| Billing and keeping financial records | Contract; legal obligation |
| Securing the Service and preventing abuse | Legitimate interests |
| Website analytics (www.qxlabs.com) | Consent (via our cookie banner) |
| Website advertising measurement (www.qxlabs.com) | Consent (via our cookie banner — Marketing category) |
| Platform sign-up conversion measurement (platform.qxlabs.com) | Contract (acceptance of Platform Terms and this Privacy Policy at account creation or sign-in) |
| Marketing communications (where applicable) | Consent or legitimate interests; opt out anytime |
4. How we disclose or share information
We share information only as necessary to provide and support the Service, subject to appropriate safeguards:
A. Service providers (subprocessors)
We use vendors to host and operate the Service. These providers may process Customer Data on our behalf solely to provide, secure, and support the Service under data processing agreements or equivalent contractual protections.
Our full subprocessors list is maintained in our Trust Center. Key subprocessors include:
| Subprocessor | Purpose | Data potentially processed |
|---|---|---|
| Microsoft Azure | Cloud hosting and infrastructure | Service data, logs, and stored content |
| MongoDB Atlas | Database | Customer Data and account records |
| Cloudflare | CDN, edge security, email delivery | Network metadata and request logs |
| Stripe | Payments and billing | Billing contact info and transaction metadata |
| OpenAI | AI inference (when selected) | Prompt and context needed to generate outputs |
| Anthropic | AI inference (when selected) | Prompt and context needed to generate outputs |
| Google (Gemini API) | AI inference (when selected) | Prompt and context needed to generate outputs |
| Google (Gmail / Calendar / Sheets / Docs / Drive) | Integrations (if enabled by customer) | Data accessed via integration scopes authorized by customer |
| Microsoft (Outlook / OneDrive / Teams) | Integrations (if enabled by customer) | Data accessed via integration scopes authorized by customer |
| Slack | Integrations (if enabled by customer) | Data accessed via integration scopes authorized by customer |
| Composio | Integration infrastructure | Connected account metadata and tool execution payloads |
| PostHog | Product and website analytics | Usage events and identifiers (as configured) |
| Google (Google Ads) | Advertising measurement (click attribution and sign-up conversions; not Customer Data) | Ad click identifiers and conversion events |
| Meta (Facebook Pixel) | Advertising measurement (page views, audiences, and sign-up conversions; not Customer Data) | Browser identifiers, page views, and conversion events |
B. AI technology partners
When you invoke AI features, relevant portions of data may be sent to third-party AI providers (such as OpenAI, Anthropic, or Google) to generate responses. We require these providers to use your data only to provide the requested service and not for advertising or training their general models.
C. Within your organisation
Where you share credentials or other resources with your organisation, authorised members may access them according to their role and your configuration.
D. Legal and business transfers
We may disclose information if required by law, to protect users and the public, or in connection with a merger, acquisition, or sale of assets, subject to appropriate confidentiality protections.
5. Data storage and security
Production infrastructure for the Service is hosted in Europe. We apply technical and and organisational measures designed to protect Customer Data in line with the sensitivity of the information we process, including:
- Encryption in transit using TLS (minimum TLS 1.2) for data moving between your browser, our applications, and connected services.
- Encryption at rest for stored Customer Data, including managed database and storage encryption provided by our infrastructure providers.
- Additional application-layer encryption for sensitive fields such as integration credentials, API keys, access tokens, and refresh tokens before they are stored.
- Role-based access controls within customer organisations, least-privilege internal access for our staff, and monitoring of key systems.
Customer Data is treated as confidential. We collect and process personal data only for specific, legitimate purposes related to providing the Service, and we do not use it for unrelated purposes.
Further security information is available in our Trust Center.
International data transfers
Our production infrastructure is hosted in the European Union (Microsoft Azure, Germany West Central), and our agent sandboxes run in Frankfurt. However, EU hosting does not mean all processing stays in the EU. Some subprocessors — in particular the AI model providers used to generate outputs (such as OpenAI, Anthropic, and Google) — may process personal data outside the UK and EEA, and do not offer an EU-only residency guarantee for our usage.
Where personal data is transferred outside the UK or EEA, we rely on an appropriate safeguard, such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as incorporated into each provider's data processing terms. The processing location and transfer mechanism for each subprocessor are listed in our Trust Center.
6. Data retention and deletion
We retain Customer Data only for as long as there is a continued and valid reason to store or process it, including to provide the Service, meet contractual obligations, and comply with applicable law. When data is no longer necessary for the purpose for which it was collected, we delete or anonymise it in accordance with our internal retention and disposal practices. Indicative retention periods are:
| Data | Retention |
|---|---|
| Account, organisation, and Customer Data | For the life of the account; deleted on account or organisation deletion |
| Workspace temporary files | Automatically cleaned after 7 days |
| Billing and financial records | As required by tax and accounting law |
| Security and audit logs | Per business, contractual, and legal need |
| Encrypted backups | Purged on their normal rotation cycle after deletion |
You may request deletion of your information by contacting us at hello@qxlabs.com with sufficient details for us to verify your identity and the scope of the request. Organisation owners may also initiate deletion of organisation data from within the Service. We evaluate deletion requests for authenticity and may decline or defer a request where retention is required to fulfil legal obligations, resolve disputes, enforce our agreements, or where deletion would disrupt an active service you continue to use.
When deletion is performed, we remove Customer Data from active production systems (including databases and cloud storage). Copies in encrypted backups are purged on their normal rotation schedule rather than immediately in all cases. Where permitted, you may request a one-time export of your data before deletion.
Revoking a third-party integration stops new collection from that source but does not by itself delete data already stored in the Service. To remove stored data, use the in-product deletion features or contact us as described above.
7. Your rights
If you are located in the UK or EEA, you have rights regarding your personal data, including access, correction, erasure, restriction, objection, and data portability where applicable.
To exercise any of these rights, contact us at hello@qxlabs.com. We will respond within one month. You can also disconnect third-party integrations from the Credentials area of the Service and revoke access in the third party's own account settings.
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by an updated “Last updated” date at the top of this page. We encourage you to review it periodically.
9. Contact us
If you have questions about this Privacy Policy, contact hello@qxlabs.com or security@qxlabs.com.