Privacy Policy

Last updated: 2026-04-29

Oxagen Inc. ("Oxagen," "we," "us," or "our") operates the Oxagen ontology platform and related services, including the web application, REST API, and MCP server. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Oxagen platform and connect data sources such as email, calendar, code repositories, and other services.

By using the Service, you agree to the collection and use of information as described in this Policy. Capitalized terms used but not defined here have the meanings given in our Terms of Service.

1. Information We Collect

We collect information you provide directly, data we obtain through connected services (with your consent), and technical data from your use of the platform.

  • Account & profile: Name, email address, password (hashed), and profile preferences.
  • Google user data (Gmail, Calendar, Meet, Contacts): With your consent we access a scoped, read-only view of your Google account to build your workspace knowledge graph. Each data source is a separate optional connection. Exact scopes and data uses are detailed in Section 4 (Google User Data).
  • GitHub data: With your consent via GitHub OAuth or the Oxagen GitHub App, we access repository metadata, issues, pull requests, commits, and release information to create typed nodes in your workspace graph. We do not access repository source code beyond what is necessary to extract structured entities. Exact scopes are listed in Section 5 (GitHub Data).
  • Email & calendar (Outlook / Microsoft 365): With your consent we access email headers, bodies, and calendar events to extract typed entities into your workspace graph. We process this data according to the permissions you grant (read-only).
  • Notion & documents: Content you sync from Notion is processed into the workspace ontology to support retrieval and agent queries.
  • API and MCP server usage: When you or an AI agent accesses the Oxagen API or MCP server, we log request metadata (endpoint, timestamp, Credit consumption, response status) for billing, security, and service improvement. We do not log the content of graph query responses in full; structured query parameters may be logged for a limited period for debugging.
  • Usage & device data: Logs, IP address, device type, browser, and interaction patterns to improve service and detect security issues.
  • Payment information: Billing details are collected and processed by our payment processor (Stripe). Oxagen does not store full card numbers or bank account details.

2. How We Use Your Information

We use your information solely to provide, secure, and improve the Oxagen platform:

  • Operating and maintaining the Oxagen ontology platform, workspace knowledge graphs, API, and MCP server.
  • Extracting and structuring typed entities (nodes, edges, types) from your connected data sources into your workspace graph.
  • Answering queries from you or from AI agents operating under your API key against your workspace graph.
  • Billing, Credit tracking, and subscription management.
  • Securing accounts, detecting fraud, and complying with applicable law.
  • Communicating with you about the product, support, and policy changes.
  • Improving our services using aggregated or de-identified data, as described in Section 8 (AI and Machine Learning).

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to, including operating your workspace and answering queries.
  • Consent: Processing data from connected Third-Party Services (Google, GitHub, Outlook, Notion) is based on your explicit consent granted during the OAuth authorization flow. You may withdraw consent at any time by disconnecting the integration.
  • Legitimate interests: Security monitoring, fraud prevention, service improvement using aggregated data, and direct communications about the Service.
  • Legal obligation: Compliance with applicable laws and regulatory requirements.

4. Google User Data

Oxagen integrates with Google via OAuth 2.0. You choose which Google services to connect; we request only read-only scopes and never request write, send, or delete permissions.

Limited Use disclosure: Oxagen's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, for every connected Google account:

  • We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing features that you have connected, to comply with applicable law, or as part of a merger or acquisition with your explicit consent.
  • We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security (investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized so it cannot be used to identify an individual.
  • We do not sell Google user data.

Scopes we request, and why

  • Sign in (openid, email, profile): Used at login to identify your Oxagen account. We store your email, name, and profile picture URL on your user record.
  • Gmail (gmail.readonly, userinfo.email): Read your messages (headers, body, attachments) to extract typed nodes — emails, people, organizations — into your workspace knowledge graph. We never send, modify, or delete mail.
  • Calendar (calendar.readonly, calendar.events.readonly, userinfo.email): Read your primary calendar events (title, time, location, attendees) to create typed calendar-event nodes in your workspace. We never create, modify, or delete events.
  • Meet (meetings.space.readonly, userinfo.email): Read conference-record metadata (start time, end time, Meet space identifier). We do not read transcripts or recordings.
  • Contacts (contacts.readonly, contacts.other.readonly, userinfo.email): Read your Google Contacts (names, primary emails, organizations, titles, phone numbers) to create person nodes in your workspace graph. We never create, modify, or delete contacts.

Where the data lives and how to remove it

Google user data is stored encrypted at rest in your workspace-scoped knowledge graph, isolated from other workspaces by row-level security. Refresh tokens are encrypted with a dedicated key in Google Secret Manager and never leave our infrastructure.

You can disconnect any Google service at any time from the Connections panel inside Oxagen. Disconnecting stops further reads immediately. To delete the data already ingested, use the delete action in Connections or email success@oxagen.ai. You can also revoke Oxagen's access from your Google Account at myaccount.google.com/permissions.

5. GitHub Data

Oxagen integrates with GitHub via OAuth and the Oxagen GitHub App. When you connect a GitHub account or install the GitHub App on your organization, Oxagen receives data from the repositories and organizations you authorize. The permissions and data we access:

  • Repository metadata: Repository names, descriptions, visibility, topics, and language statistics — used to create repository nodes in your workspace graph.
  • Issues and pull requests: Titles, bodies, labels, assignees, status, and comments — used to create typed issue and PR nodes linked to contributors and repositories.
  • Commits: Commit messages, authors, timestamps, and changed file paths (not full diffs or file contents) — used to build contributor activity nodes.
  • Releases: Release names, tags, and release notes — used to create release nodes in your workspace graph.
  • Webhook events: Real-time events (push, pull_request, issues, release, deployment) delivered by GitHub to keep your workspace graph current.

We do not read, store, or process the contents of source code files, private keys, secrets, or credentials present in repositories. GitHub data is stored encrypted at rest in your workspace-scoped knowledge graph, isolated from other workspaces.

You can disconnect GitHub at any time from the Connections panel. You can also uninstall the GitHub App from your GitHub organization settings, which immediately revokes Oxagen's access and stops all webhook delivery.

6. MCP Server and API Data Flows

The Oxagen MCP server and REST API enable AI agents, coding assistants, and developer tooling to query your workspace knowledge graph. When requests are made through the MCP server or API:

  • Query parameters and responses transit encrypted (TLS 1.2+) between the client and Oxagen's infrastructure.
  • Request metadata (endpoint, timestamp, API key identifier, Credit consumption) is logged for billing, security, and debugging purposes.
  • Query parameters may be logged for a limited debugging window (up to 30 days) and are then purged. Full response payloads from your workspace graph are not logged.
  • AI agents operating under your API key query only your workspace-scoped graph; cross-workspace access is prevented by row-level security and is not possible without explicit administrator configuration.

You are responsible for the data accessed and operations performed by any agent operating under your API key. See the Terms of Service §3.4 for your obligations as an API key holder.

7. Data Sharing and Third Parties

We do not sell your personal information. We may share data with:

  • Service providers: Cloud infrastructure (Google Cloud), database providers, payment processor (Stripe), error monitoring, and analytics tools — under contracts that limit use to providing our services and prohibit use for the provider's own purposes.
  • AI model providers: Query text and retrieved context may be transmitted to third-party LLM providers (e.g., Anthropic) to generate responses. These providers process data subject to their own privacy policies and Oxagen's data processing agreements with them.
  • Legal & safety: When required by law, court order, or to protect the rights, property, or safety of Oxagen, our users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, subject to the same privacy commitments and notice to affected users.

8. AI and Machine Learning

Our AI systems process your connected data to power workspace knowledge graph construction and query answering. We apply industry-standard practices: your data is not used to train or fine-tune AI models without your explicit opt-in consent. We may use aggregated, de-identified operational data (e.g., query patterns, traversal statistics) to improve model performance and service quality. This data cannot reasonably be used to identify you or your organization. You can disconnect integrations and request deletion as described in Section 11.

9. Data Security and Retention

We implement industry-standard technical and organizational security measures, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Workspace-level data isolation enforced by PostgreSQL row-level security.
  • OAuth tokens and API keys encrypted with dedicated keys stored in Google Secret Manager.
  • Access controls limiting Oxagen personnel access to customer data.
  • Continuous security monitoring and anomaly detection.

We retain your data for as long as your account is active or as needed to provide the Service, comply with applicable law, resolve disputes, and enforce our agreements. Upon account deletion, workspace data is deleted within ninety (90) days. You may request deletion of your data as described in Section 11.

10. Cookies and Similar Technologies

We use the following categories of cookies and similar technologies on the Oxagen platform and website:

  • Strictly necessary cookies: Session authentication tokens (e.g., session, next-auth.session-token) required for you to log in and access your account. These cannot be disabled. Retention: session or up to 30 days.
  • Preference cookies: Store your UI preferences (e.g., theme: light/dark, cookie-consent status). Retention: up to 12 months.
  • Analytics cookies: Anonymized usage telemetry via Vercel Analytics to understand how the platform is used. No cross-site tracking; no personal identifiers are transmitted. Retention: up to 90 days.
  • CSRF protection tokens: Short-lived tokens preventing cross-site request forgery. Retention: session.

You can manage cookie preferences in your browser settings. Disabling strictly necessary cookies will prevent you from logging in. We do not use third-party advertising cookies or cross-site tracking cookies.

11. Your Rights and Choices

Depending on your location, you may have the right to:

  • Access and receive a copy of your personal data.
  • Correct or update inaccurate data.
  • Request deletion of your data (subject to legal and operational requirements).
  • Restrict or object to certain processing.
  • Exercise data portability (where applicable).
  • Withdraw consent for processing based on consent (e.g., disconnect a Google or GitHub integration).
  • Lodge a complaint with a supervisory authority.

We will respond to verifiable data subject requests within thirty (30) days (or within the timeframe required by applicable law). You can manage connected accounts and delete your workspace data from the Connections panel and account settings. For requests or questions about your rights, contact us at success@oxagen.ai.

12. International Data Transfers

Your data is processed primarily in the United States. If you are located in the EEA, United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for cross-border data transfers, including Standard Contractual Clauses (SCCs) with service providers and, for Enterprise Tenants, a Data Processing Agreement. Contact legal@oxagen.ai to request a copy of applicable transfer mechanisms.

13. Enterprise Data Processing

Enterprise Tenants that require Oxagen to process personal data as a data processor under applicable law (including GDPR Article 28) may enter into a Data Processing Agreement ("DPA") with Oxagen. The DPA governs the subject matter, duration, nature, and purpose of processing, the type of personal data involved, and the obligations and rights of the controller. To request a DPA, contact legal@oxagen.ai.

14. Children

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children under 18. If you believe we have done so, please contact us and we will take steps to delete such information.

15. SMS Communications

SMS Terms of Service

By opting in to SMS messages from Oxagen Inc., you agree to receive text messages for customer support, service updates, and other communications related to your account.

You can cancel the SMS service at any time. Just text STOP. After you send the SMS message "STOP" to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. If you want to join again, just sign up as you did the first time and we will start sending SMS messages to you again.

If you are experiencing issues with the messaging program, you can reply with the keyword HELP for more assistance.

Carriers are not liable for delayed or undelivered messages.

Message and data rates may apply. Message frequency varies. If you have any questions about your text plan or data plan, contact your wireless provider.

SMS Privacy

Oxagen Inc. does not share mobile numbers, text messaging originator opt-in data, or consent with any third parties or affiliates for marketing or promotional purposes.

Mobile information may be shared only with subcontractors and service providers that support the delivery of SMS services, such as messaging platforms, telecommunications providers, or customer support vendors. This information is used solely to provide and operate the messaging service.

All other use case categories exclude text messaging originator opt-in data and consent. This information will not be shared with any third parties.

16. Governing Law

This Privacy Policy is governed by the laws of the State of California, United States, without regard to its conflict of law principles. Data subjects in the EEA or United Kingdom retain rights under applicable data protection law (GDPR / UK GDPR) regardless of this choice of law.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Where required by applicable law or where changes materially affect how we use your personal data, we will seek your consent or provide additional notice (e.g., by email to the address on your account).

18. Contact Us

For privacy-related questions, data subject requests, or to exercise your rights under applicable data protection law, contact:

Email: success@oxagen.ai

Legal / DPA inquiries: legal@oxagen.ai

Mail: Oxagen, Inc., Attn: Privacy, 2261 Market Street STE 87168, San Francisco, CA 94114