Legal
App Privacy Policy
Last Updated: June 8, 2026
This policy covers the Eidrix application — the AI operator product used by paying tenants. For data submitted through the eidrix.ai marketing site (consultation forms, demo submissions, waitlist), see our marketing-site Privacy Policy.
1. Who we are
Eidrix is operated by Eidrix AI LLC, a Twin Falls, Idaho company. Throughout this document "Eidrix," "we," "us," and "our" refer to Eidrix AI LLC. You can reach us at cody@eidrix.ai.
2. What this policy covers
This policy describes how the Eidrix application handles your data — including data your team enters into Eidrix, data Eidrix retrieves from third-party services you have connected, and the operational metadata Eidrix generates while assisting you.
Eidrix is a multi-tenant SaaS product. Each tenant (business account) is isolated from every other tenant at the database layer via row-level security. This policy applies uniformly to every tenant.
3. What we collect
Account and tenant data. Business name, owner email, billing contact information, the names and roles of team members you have invited into your Eidrix workspace.
Operational data you enter. Customer records (names, contact details, addresses), jobs, tasks, notes, invoices, files, messages, and any other records you create inside Eidrix. This is your business data — Eidrix stores it on your behalf.
Connected-integration data. When you authorize Eidrix to connect to a third-party service (such as Gmail, Google Calendar, QuickBooks Online, Slack, Notion, or HubSpot), Eidrix retrieves data from that service within the scope you have granted, in order to provide the integration features. The specific data depends on the integration — for example, Gmail integration retrieves emails relevant to the AI assistant's requested actions; Calendar integration retrieves event data needed for scheduling; QuickBooks Online integration retrieves customer, invoice, payment, item, and company-information records needed for accounting workflows (detailed in §08).
Stripe Connect data (tenants who connect their Stripe account to Eidrix). When you connect your Stripe account to Eidrix via Stripe Connect, Eidrix stores your Stripe-issued connected account ID (acct_…) and account capability flags (charges_enabled, payouts_enabled, details_submitted, and any outstanding KYC requirements Stripe is tracking). Eidrix does not store Stripe OAuth tokens — Stripe Connect's Account Links architecture does not issue such tokens to the platform. Sensitive merchant identity data you submit during Stripe onboarding (tax IDs, bank account numbers, beneficial ownership) is collected by Stripe directly and never traverses Eidrix's servers.
Operational metadata Eidrix generates. Tool-call logs (what actions Eidrix took on your behalf), audit events (state changes for forensic accountability), intent logs (your messages to the Eidrix assistant), and LLM dispatch records (what was sent for inference, what was returned).
Billing data. If you are a paid tenant, billing-relevant data (subscription state, invoice records) is captured. Payment instruments themselves are handled by Stripe and never stored by Eidrix directly.
4. Where it's stored
Tenant data lives in our Supabase Postgres database in the U.S. West (Oregon) region. Every table carries a tenant_id; Postgres row-level security policies prevent any tenant from seeing any other tenant's data.
Credentials for connected integrations (OAuth tokens, API keys) are stored encrypted in Supabase Vault. For integrations connected via Composio (our integration broker — see §05), tokens are also held by Composio's infrastructure. For integrations connected directly with the provider (such as the direct Google OAuth path or the QuickBooks Online direct OAuth path), tokens are held only by Eidrix in Supabase Vault. Plaintext credentials are never persisted by Eidrix.
Stripe Connect connection metadata. Your Stripe-issued connected account ID, capability flags, requirements lists, and recent webhook timestamps are stored in Eidrix's Supabase Postgres database, scoped to your tenant via row-level security. No payment-instrument data, no card numbers, and no Stripe OAuth tokens are stored — the Account Links architecture means there are none for Eidrix to hold. Per-call dispatch to Stripe's API uses Eidrix's platform secret key (held by Eidrix only) combined with your Stripe-Account identifier (the acct_… ID), not a tenant-issued credential.
Files you upload are stored in Supabase Storage with per-tenant path prefixes and the same row-level security model.
5. Who can see it
You and your team. Members of your tenant whom you have authorized through Eidrix's role system can see the data and capabilities you have granted to them.
Eidrix platform administrators. Eidrix personnel (currently just the founder, cody@eidrix.ai) can access tenant data when needed for support, troubleshooting, or security investigation. Studio-tier operators see connection state and operational metadata; raw integration credentials and token-bearing fields are excluded from operator views by design.
Subprocessors that process data on our behalf. Each is bound by its own terms and processes data only as needed to deliver the function we have engaged it for:
- Supabase — Postgres database, edge functions, file storage, authentication. U.S. West (Oregon) region.
- Composio — integration broker. When you connect Slack, Notion, or HubSpot to Eidrix — or use the Composio path for Gmail or Google Calendar — OAuth authorization is handled by Composio. The OAuth tokens for those connections are issued to and stored by Composio's infrastructure, not Eidrix. Composio dispatches actions on Eidrix's behalf at the connected service. Composio retains operational metadata about API dispatches and the connected account state in line with its standard terms; see composio.dev/privacy for Composio's full data-handling commitments. If you connect Gmail or Google Calendar via the direct OAuth alternative (see Connections settings → Advanced options), the connection bypasses Composio entirely. OAuth tokens are held only by Eidrix per §04, and API calls flow directly between Eidrix and Google. Google itself is not a subprocessor in either path — Google is the platform you've authorized Eidrix to access on your behalf. The same direct-OAuth shape applies to QuickBooks Online (Intuit), which is always connected directly with Intuit, never through Composio (see §08 for the full QBO data-handling commitments). Intuit itself is also not a subprocessor — Intuit is the accounting platform you've authorized Eidrix to access on your behalf.
- Anthropic — large language model inference. When the Eidrix assistant needs to reason about a request, the relevant context (your message, recent conversation, available tool descriptions) is sent to Anthropic's API for processing. Per Anthropic's API terms, content may be retained for up to 30 days for trust and safety purposes. Anthropic does not use customer API content to train their models. See anthropic.com/privacy for Anthropic's full data handling commitments.
- Voyage — embedding generation for the AI memory system. User messages and document content are sent to Voyage's API for vectorization to enable semantic retrieval. Voyage does not retain content beyond the embedding call and does not use customer data for training.
- Stripe — both (a) payment processor for Eidrix's own paid-tenant billing AND (b) the payment platform for any tenant who connects their own Stripe account to Eidrix via Stripe Connect. Card details and billing-instrument data are handled by Stripe directly; Eidrix sees only subscription/invoice metadata, the Stripe-issued connected account ID, and account capability flags. For Stripe Connect tenants, Stripe is also the KYC data custodian — business identity, tax ID, bank account, and beneficial-ownership data submitted during Stripe onboarding are collected by Stripe directly and never reach Eidrix's servers. See stripe.com/privacy for Stripe's full data handling commitments.
- Resend — transactional email delivery (account notifications, password resets, billing receipts).
- Vercel — application and marketing-site hosting and CDN delivery.
- Netlify — DNS registrar for the eidrix.ai domain.
We never sell, rent, or trade your data, your customers' data, or your connected-integration data to any third party.
6. Google API Services User Data Policy (Limited Use)
Eidrix's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in the Eidrix application's interface.
- We do not transfer Google user data to others unless doing so is necessary to provide and improve user-facing features, complies with applicable laws, or is required for security purposes (such as investigating abuse).
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data unless: (a) we have obtained your affirmative agreement to view specific messages, files, or other data; (b) it is necessary for security purposes (such as investigating a bug or abuse); (c) it is necessary to comply with applicable law; or (d) the data has been aggregated and anonymized for internal operations such as reliability monitoring.
- We do not use Google user data to develop, improve, or train generalized AI and/or ML models. Data sent to Anthropic or Voyage for inference and embedding is processed in-context per their published terms and not used by those providers to train models on customer content.
Scope set (V1 launch — direct Google OAuth).
When you connect your Gmail account to Eidrix via the direct OAuth flow, we request:
- gmail.modify — We use this scope to: list inbox messages when you ask; retrieve the full content of messages you specifically reference; create drafts in your Drafts folder; send messages on your behalf (every send requires explicit confirmation before dispatch); add, remove, or apply labels to messages. We do not read messages other than those you reference, and we do not delete messages. (Technical scope: https://www.googleapis.com/auth/gmail.modify — read, modify, and send Gmail content.)
- userinfo.email and openid — Standard OAuth identity scopes used only to identify the connected Google account (so we can label your connection in the UI as e.g., "Gmail: yourname@gmail.com" and so audit logs can record which account a message was sent from).
Eidrix does not actively scan your inbox in the background. The AI assistant only retrieves Gmail messages when you ask it to, and only the specific messages relevant to your request. There is no continuous monitoring or bulk reading of your inbox.
When you connect your Google Calendar to Eidrix via the direct OAuth flow, we request:
- calendar — We use this scope to: list events when you ask; show event details; create events (creates with attendees always require explicit confirmation before dispatch); update events (every update requires explicit confirmation regardless of whether attendees are affected); query free/busy windows when scheduling. (Technical scope: https://www.googleapis.com/auth/calendar — read, create, update, and query Google Calendar events.)
- userinfo.email and openid — Same as above; account identification only.
Eidrix does not request, and will never receive without an explicit future re-authorization, the following Google scopes: Drive access, Contacts access, Photos access, Chat access, YouTube access, or any other Google API scope outside the ones enumerated above. If a future Eidrix feature requires a broader scope, this policy will be updated and existing connected accounts will be prompted to re-authorize before the broader scope takes effect.
AI processing of Google data. When you instruct the Eidrix AI assistant to draft a reply, send a message, schedule a meeting, or perform any action that involves Google data, the relevant content is processed by Anthropic's API for inference, subject to Anthropic's data handling commitments described in §05 (30-day retention for trust and safety only; no training on customer content). Google data that you surface into the Eidrix AI chat (for example, a message you ask the assistant to summarize) may also be sent to Voyage for embedding generation so the assistant can semantically retrieve that context later, subject to Voyage's data handling commitments described in §05 (no retention beyond the embedding call; no training on customer data).
If you are connected via the Composio path (see §05), Composio also handles your Google data — it brokers OAuth authorization and dispatches actions on Eidrix's behalf at Google's API — subject to Composio's data handling commitments at composio.dev/privacy. If you are connected via the direct Google OAuth path, Composio is bypassed and API calls flow directly between Eidrix and Google.
Anthropic, Voyage, and (for Composio-path connections) Composio are the only subprocessors that handle your Google data on Eidrix's behalf. Per the Limited Use Policy commitments above, we do not transfer Google user data to any third party except as needed to provide the user-facing features you have authorized.
Deletion of Google user data. You can disconnect Gmail or Google Calendar at any time from Eidrix's Connections settings, or revoke Eidrix's access directly at myaccount.google.com/permissions. On disconnect or revocation, Eidrix immediately stops accessing your Google account and deletes the Google user data it holds: stored OAuth tokens are purged from Supabase Vault, and any cached Google-derived content (message bodies, event data, and their embeddings) is deleted within 30 days. You may also request deletion of your Google user data at any time by emailing cody@eidrix.ai, and we will delete it promptly.
7. Stripe Connect data handling
Tenants who connect their Stripe account to Eidrix do so via the Stripe Connect Standard Accounts architecture. Under this architecture:
- Your Stripe relationship stays direct. Stripe Connect Standard Accounts means you (the tenant) remain the merchant of record on your Stripe account. You sign Stripe's terms directly; Stripe holds your KYC information directly; Eidrix operates on your Stripe account with your authorization but is not a party to your Stripe agreement.
- Eidrix never sees your card data or your customers' card data. All card capture, tokenization, and processing happens on Stripe's infrastructure. Eidrix's AI assistant can read invoice, customer, charge, subscription, and balance metadata from your Stripe account via Stripe's API but never receives raw payment-instrument fields.
- Eidrix does not hold a tenant-side Stripe credential. Stripe Connect's Account Links architecture (which Eidrix uses) does not issue an OAuth token to the platform. Per-call dispatch from Eidrix to Stripe uses Eidrix's platform secret key (held by Eidrix only) combined with your connected-account identifier (the acct_… ID). This is a meaningful reduction in the credential surface Eidrix needs to safeguard on your behalf.
- The data Eidrix reads from your Stripe account. When you direct the AI assistant to retrieve customer, invoice, subscription, charge, or balance information from your Stripe account, Eidrix retrieves it via Stripe's API and processes it to answer your request. The relevant context may be sent to Anthropic for inference and to Voyage for embedding generation (subject to the data-handling commitments described in §05). Stripe-derived data is used only to fulfill the AI-assisted billing workflow you requested. Eidrix does not transfer this data to advertisers, does not use it for third-party analytics, and does not train AI models on your or your customers' financial data.
- Stripe Connect webhooks. Eidrix subscribes to a small, scoped set of Stripe Connect webhook events (account.updated, account.application.deauthorized) so we can reflect your connected-account status in your Eidrix dashboard in real time. Webhook payloads are verified using Stripe's HMAC-SHA256 signature and recorded for forensic accountability; they follow the same retention windows as Eidrix's other operational logs (see §09).
- No financial action without your confirmation. When the AI assistant operates on your Stripe account in any way that creates real financial state (creating an invoice, finalizing an invoice, and — in future versions — processing a charge or a refund), it does so under Eidrix's commit-token pattern: the assistant first stages the action and presents a confirmation card; the action only executes after you explicitly confirm. Eidrix does not auto-charge, auto-refund, or auto-send anything on your Stripe account without your consent on a per-action basis.
- Disconnecting Stripe. You can disconnect Stripe at any time from Eidrix's Connections settings, or from your Stripe Dashboard directly (Connected accounts → Eidrix → Disconnect). Either path immediately stops Eidrix from accessing your Stripe account. Eidrix retains the connection metadata (the acct_… ID, capability flags, and webhook event log) for forensic accountability per §09's retention windows; the tenant data behind those records remains subject to your tenant deletion rights in §10.
8. QuickBooks Online data handling
Tenants who connect their QuickBooks Online (QBO) company to Eidrix do so via Intuit's direct OAuth 2.0 flow — the standard architecture Intuit provides for accounting integrations. Under this architecture:
- Your QuickBooks relationship stays direct. Intuit remains the system of record for your books. You sign Intuit's terms directly; Intuit holds your QuickBooks data directly; Eidrix operates on your QBO company with your authorization but is not a party to your Intuit agreement.
- The data Eidrix reads from your QuickBooks Online company. When you direct the AI assistant to retrieve or operate on your QBO data, Eidrix retrieves the following record categories via Intuit's V3 API, scoped to the QBO realm (company) you connected:
  - Customers — name, contact details, billing/shipping addresses, taxability, current balance.
  - Invoices — line items, totals, tax, status, due dates, customer reference.
  - Payments — amounts, dates, payment-method references, customer/invoice references.
  - Items — products/services you sell (name, description, unit price, SKU, taxability).
  - Company information — your QuickBooks company name, fiscal year start, base currency, country, address.
- How Eidrix holds your QBO credentials. Unlike Stripe Connect's Account Links architecture, Intuit's OAuth issues a refresh token + access token pair to Eidrix when you grant access. Both tokens are stored encrypted at rest in Supabase Vault (see §04), scoped to your tenant via row-level security. Access tokens are short-lived (rotated every 60 minutes against Intuit's token endpoint); refresh tokens rotate on every refresh per Intuit's contract. Intuit's policy caps the OAuth grant at 180 days from initial authorization — Eidrix surfaces a "reconnect soon" prompt in the Connections panel as the grant approaches that wall. If you go 180 days without using the connection, Eidrix will refuse to dispatch and ask you to reconnect.
- Synchronization with your QBO company. Eidrix subscribes to QBO's webhook stream so changes you make in QuickBooks (creating a customer, updating an invoice, recording a payment) are reflected in your Eidrix dashboard near real-time. Webhook payloads are verified using Intuit's HMAC-SHA256 signature contract and recorded for forensic accountability; they follow the same retention windows as Eidrix's other operational logs (see §09). The webhook subscription is configured at the Eidrix application level (not per-tenant) — every connected tenant's QBO change events flow into the same verified intake pipeline, then route to the correct tenant via Intuit's realm identifier.
- No financial action without your confirmation. When the AI assistant operates on your QBO data in any way that creates or modifies real accounting state (creating an invoice, recording a payment, updating a customer record, deleting a record), it does so under Eidrix's commit-token pattern: the assistant first stages the action and presents a confirmation card; the action only executes after you explicitly confirm. Eidrix does not auto-post entries, auto-modify records, or auto-send invoices to your QBO company without your consent on a per-action basis.
- Disconnecting QuickBooks Online. You can disconnect QBO at any time from Eidrix's Connections settings, or from your Intuit account directly (My Apps → Eidrix → Disconnect). When you disconnect from Eidrix:
  - Eidrix first calls Intuit's OAuth revocation endpoint to sever the grant at the source.
  - Eidrix then deletes the local connection record, which triggers a database-level purge of the encrypted token blob from Supabase Vault.
  - Forensic audit-trail entries describing the connection lifecycle (when it was created, when it was disconnected, by whom) are retained per §09's retention windows — these contain no credential material.
9. How long we keep it
Active tenant data is retained for the lifetime of your tenant account.
Archived tenants. If you archive your tenant, data is preserved for 90 days during which you can request a full export or restore. After 90 days you can request final deletion; we will delete tenant data on request.
Operational logs. Tool-call logs prune automatically at 90 days. LLM dispatch logs prune at 180 days. Audit events are retained indefinitely for forensic accountability — these contain state-change records, not message content.
Connected-integration data is retained as long as the integration is connected. When you disconnect an integration, Eidrix stops accessing the third-party service immediately; cached integration metadata is purged within 30 days.
10. Your rights
You can, at any time:
- Access your data — every record Eidrix holds for your tenant is visible to you and your authorized team members within the application.
- Export your data — the Reports module includes a one-click full export of your tenant's records. Connected-integration data lives at the third-party service and remains yours there.
- Correct your data — edit any record through the Eidrix interface.
- Delete your data — delete individual records through the interface, or request full tenant deletion by emailing cody@eidrix.ai.
- Revoke an integration — disconnect any integration from Eidrix's Connections settings; we will immediately stop accessing the third-party service.
- Revoke at the source — revoke Eidrix's access at the third-party service directly (e.g. myaccount.google.com/permissions for Google services).
If you are located in a jurisdiction with additional privacy rights (EEA, UK, California, etc.), you have those rights in addition to the above. Contact cody@eidrix.ai to exercise them.
11. Security
- All data in transit is protected with TLS 1.2 or later.
- All data at rest is encrypted by our database and storage providers.
- Multi-tenant isolation is enforced by Postgres row-level security policies on every table — application-level filtering is treated as defense-in-depth, not the primary boundary.
- Service-role credentials are never exposed to client-side code.
- Every state-change to tenant data writes an audit-event row for forensic accountability.
- We perform periodic security review of integration substrates and dependencies.
12. Changes to this policy
We may update this policy as Eidrix's substrate evolves — most commonly when we add a new integration, a new subprocessor, or a new data category. When we do, we will revise the "Last Updated" date at the top of this page and, for material changes that expand the data we collect or who we share it with, we will notify active tenants by email before the change takes effect.
13. Contact
Questions about this App Privacy Policy or about how Eidrix handles your data:
- Email: cody@eidrix.ai
- Eidrix AI LLC, Twin Falls, Idaho, USA