EPX Privacy Policy

1. Scope

This Privacy Policy applies to information we collect from or about visitors, account holders, customers, end users, prospects, administrators, support requestors, business contacts, partner applicants, event participants, and other individuals who interact with the Services.

This Privacy Policy does not apply to third-party websites, applications, platforms, tools, communications channels, or services that are not controlled by EPX, even if they interoperate with the Services or are linked from the Services. Those third parties maintain their own privacy notices, security practices, and terms.

2. Roles of EPX

Depending on the context, EPX may act as either:

• Controller / business with respect to personal information we collect for our own business purposes, such as account registration, platform analytics, billing, support, sales, marketing, fraud prevention, security, and administration of the network and platform; or
• Processor / service provider with respect to Customer Content and related personal information that we process on behalf of a customer or workspace in connection with the Services.

If you use the Services through an organization, workspace, or managed deployment, that organization may act as the controller of certain personal information, and EPX may process that information on its behalf.

3. Information We Collect

We collect information you provide directly to us, information collected automatically when you use the Services, information we receive from administrators, other users, and third parties, and information generated through your use of EPX tools, workflows, and network features.

3.1 Information you provide

We may collect the following categories of information you provide directly to us:

• Contact and account information, such as your name, email address, username, company name, title, password, mailing address, billing address, and phone number.
• Profile and workspace information, such as your biography, business objectives, operating preferences, role settings, approval rules, instructions, prompts, policies, team structures, and other configuration data.
• Content you upload, submit, post, generate, or otherwise make available through the Services, including prompts, messages, documents, spreadsheets, databases, images, audio, video, notes, tactics, installs, software tools, templates, workflows, connectors, playbooks, forms, support materials, and other materials (collectively, "Customer Content").
• Communications with EPX, including emails, support requests, demo requests, chats, surveys, recordings, meeting notes, and correspondence.
• Billing and transaction information, such as subscription details, invoices, payment status, tax information, and limited payment metadata. Payment card processing may be handled by third-party processors, and EPX may not store full card numbers.

3.2 Information from your use of the Services

We may automatically collect or generate:

• Device, browser, operating system, language, and usage information.
• Log data, such as timestamps, IP addresses, approximate location derived from IP, pages viewed, referring URLs, clicks, session duration, crash data, and diagnostics.
• Authentication and security events, such as login attempts, token activity, permission changes, workflow approvals, audit trails, and account recovery events.
• Workflow and execution metadata, such as run times, trigger events, action history, approval states, execution paths, connector activity, error logs, and operational metrics.
• AI usage data, such as model selections, prompt metadata, output metadata, token usage, latency, and safety-control events.

3.3 Credentials, secrets, and connected accounts

To provide the Services, EPX may receive, store, proxy, or otherwise process credentials and secret material associated with connected services, including API keys, OAuth grants, access tokens, refresh tokens, webhook secrets, connector secrets, session credentials, and similar authentication artifacts (collectively, "Credentials").

We use Credentials to authenticate integrations, run authorized workflows, maintain connections, and enable requested functionality. Depending on the feature, Credentials may be stored in encrypted form, held temporarily in memory, transmitted to subprocessors, or refreshed automatically.

You are responsible for:

• ensuring you have authority to connect each account, integration, or data source;
• granting only the permissions and scopes you intend to authorize;
• reviewing the security and privacy implications of each connected service;
• documenting and maintaining back up codes for all of your connected systems;
• rotating, revoking, or disabling Credentials when access is no longer appropriate; and
• promptly notifying EPX if you believe any Credentials have been compromised.

3.4 Information from third parties

We may receive information from third-party platforms, data providers, payment processors, analytics providers, advertising partners, business partners, social networks, connected tools, public sources, and other users.

If you enable an integration or workflow involving a third-party service, that service may provide EPX with data, metadata, permissions, account details, usage information, and content associated with the integration.

3.5 Network and collaboration information

If you participate in the EPX network, workspaces, feeds, groups, or collaboration features, we may collect and process posts, comments, shares, recommendations, ratings, interactions, profile visibility settings, invitations, relationship metadata, and other collaboration-related activity.

4. How We Use Information

We use personal information to:

• provide, operate, maintain, secure, support, and improve the Services;
• create and administer accounts, subscriptions, workspaces, permissions, and approvals;
• authenticate users and integrations;
• enable workflows, agents, automations, webhooks, APIs, MCP connectors, and related functionality;
• process Customer Content and produce outputs, recommendations, summaries, drafts, analyses, and other platform functionality;
• administer the account-holder network and collaboration features;
• communicate with you about the Services, transactions, support, updates, changes, and security matters;
• analyze usage, troubleshoot issues, monitor quality, and improve performance;
• prevent fraud, abuse, misuse, security incidents, and unlawful activity;
• comply with legal obligations, enforce contracts, establish or defend claims, and protect the rights, safety, and property of EPX, users, and others;
• market and promote the Services where permitted by law; and
• conduct internal business operations such as finance, accounting, audits, reporting, and corporate transactions.

5. Legal Bases

Where required by applicable law, we rely on one or more of the following legal bases:

• performance of a contract;
• compliance with legal obligations;
• legitimate interests, such as operating and improving the Services, securing the Services, preventing abuse, and administering our business;
• consent, where required; and
• other lawful bases permitted by applicable law.

6. AI Features and Data Use

The Services may use AI models, automated reasoning, classifiers, retrieval systems, agentic workflows, and third-party AI providers to process Customer Content and generate outputs.

EPX may route requests among different models, providers, tools, and environments in order to provide the functionality you request. Depending on your configuration, prompts, Customer Content, metadata, and outputs may be processed by EPX, by subprocessors, or by integrated third-party services.

Unless EPX expressly states otherwise in a written agreement or product setting, EPX does not use Customer Content submitted through paid business workspaces to train a general-purpose EPX foundation model. EPX may, however, use service data, operational telemetry, feedback, de-identified information, security signals, and other non-customer-specific data to operate, secure, analyze, and improve the Services as permitted by law and contract.

If you deliberately connect or route data to a third-party model provider, application, or service through APIs, MCP connectors, webhooks, or other integrations, the handling of that data may also be subject to that third party's terms and privacy practices. Be sure to understand your security and privacy models with all third party processors.

7. Cookies and Similar Technologies

We and our service providers may use cookies, pixels, SDKs, local storage, and similar technologies to operate the Services, remember preferences, authenticate sessions, understand usage, analyze performance, and support marketing activities.

You may be able to control some of these technologies through your browser or device settings. Disabling certain technologies may affect functionality.

8. How We Disclose Information

We may disclose personal information to:

• service providers, subprocessors, hosting providers, analytics providers, payment processors, communication providers, and other vendors that help us operate the Services;
• AI providers, cloud providers, workflow infrastructure providers, and integration partners that help deliver requested features;
• third-party platforms and services you choose to connect or authorize;
• your organization, workspace administrators, and other authorized users within your workspace or account environment;
• other account holders or users where you choose to post, share, or collaborate through network or sharing features;
• legal, regulatory, governmental, and law enforcement authorities where required or appropriate;
• professional advisors, insurers, auditors, investors, and counterparties in connection with corporate transactions or legal matters; and
• other parties with your direction or consent.

9. Workspace Administrators and Visibility

If you use the Services through a company, workspace, group, or managed deployment, administrators and authorized personnel for that environment may be able to access, manage, export, disclose, or review certain account information, profile information, Customer Content, execution logs, approvals, connected services, usage records, and outputs associated with the workspace.

If you share content through network or collaboration features, other authorized users may view, copy, use, modify, or act on that content. Do not share information unless you have the authority and comfort level to do so.

10. Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with law, resolve disputes, enforce agreements, maintain security, and support legitimate business needs.

Retention periods may vary depending on the type of data, the applicable workspace configuration, legal requirements, operational needs, backup cycles, and whether data is subject to deletion requests, litigation holds, or contractual obligations.

Even after deletion requests or account closure, we may retain limited information in backups, security logs, audit trails, legal records, billing records, and other archival systems for a reasonable period.

11. International Transfers

EPX may transfer personal information across borders, including to the United States and other jurisdictions that may not provide the same level of legal protection as your home jurisdiction.

Where required by law, EPX will use appropriate transfer mechanisms and safeguards for cross-border transfers.

12. Security

EPX uses commercially reasonable administrative, technical, and organizational safeguards designed to protect personal information. Those measures may include access controls, encryption, logging, network protections, role-based permissions, vendor management, and incident response processes.

No method of transmission, storage, or processing is completely secure. You are also responsible for protecting your devices, accounts, passwords, Credentials, and internal approval processes.

13. Your Rights and Choices

Depending on your location and applicable law, you may have rights regarding your personal information, such as rights to access, correct, delete, port, restrict, object, withdraw consent, or appeal a privacy decision.

To exercise rights, please contact support@epx.global. We may need to verify your identity and authority before responding.

You may also:

• update certain account information through your account settings;
• unsubscribe from certain marketing messages using the unsubscribe mechanism in those messages; and
• adjust cookie preferences where available.

14. U.S. State Privacy Disclosures

Where required by applicable U.S. state privacy law, EPX provides the disclosures and rights described in this Privacy Policy. EPX does not sell personal information for money. EPX may share personal information for targeted advertising or similar marketing activities in ways that may be treated as a "sale" or "sharing" under certain state laws.

EPX may process the categories of personal information described above for the business and commercial purposes described above.

We may retain personal information as described in the Retention section.

If applicable law grants you the right to opt out of certain targeted advertising, profiling, or similar processing, you may contact support@epx.global.

15. Children's Privacy

The Services are not directed to children under 13, and EPX does not knowingly collect personal information from children under 13 through the Services. If you believe a child has provided personal information to EPX, please contact us so that we can take appropriate action. Users must be 18 years or older to use our platform.

16. Changes to This Privacy Policy

EPX may update this Privacy Policy from time to time. If we make material changes, we will post the updated Privacy Policy on this page and revise the Last Updated date. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes acceptance of the updated version where permitted by law.

17. Contact Us

Questions or requests regarding this Privacy Policy may be sent to support@epx.global.