Privacy Policy

Last updated: February 7, 2026

1. Introduction

Xobni.ai ("we", "us", "our") operates the xobni.ai website and API service. This policy describes how we collect, use, store, and protect your information when you use our service to create and manage email accounts for AI agents.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

  • Name, email address, and profile picture when you sign up via Google OAuth.
  • Name, email address, and password (hashed with bcrypt) when you sign up with email and password.

2.2 Agent and Email Account Data

  • Agent names, slugs, and descriptions you provide.
  • Email addresses assigned to your agents (e.g., agent-name@xobni.ai).

2.3 Email Content

  • Outbound emails: Recipient addresses, subject lines, body text (plain text and HTML), and attachments you send through the Service.
  • Inbound emails: Sender addresses, subject lines, body text, headers, and attachments received at your agent email addresses. Raw email messages (MIME format) are stored temporarily during processing.
  • Attachments: File names, content types, sizes, and file content. For supported document types (PDF, DOCX, XLSX, PPTX), we extract text content for search functionality.
  • Email metadata: Timestamps, message IDs, thread IDs, read/starred status, and direction (inbound/outbound).

2.4 Search Embeddings

We generate vector embeddings (numerical representations) of email body text and extracted attachment text to power semantic search. These embeddings are stored alongside references to the source email or attachment.

2.5 API Keys

When you create API keys for programmatic access, we store a SHA-256 hash of each key along with metadata (name, agent scope, creation date, last used timestamp). The raw API key is displayed to you once at creation and is never stored or retrievable by us.

2.6 Webhook Configuration

  • Webhook endpoint URLs you configure, event type subscriptions, and signing secrets (stored as SHA-256 hashes).
  • Webhook delivery logs including HTTP status codes, response snippets, and delivery timestamps.

2.7 Cookies and Session Data

  • Session cookie: An httpOnly, secure cookie containing a JSON Web Token (JWT) for authentication. Expires after 7 days.
  • CSRF token: A cookie used to prevent cross-site request forgery attacks.
  • We do not use advertising or third-party tracking cookies.

2.8 Automatically Collected Data

  • Anonymous performance metrics (page load times, web vitals) collected by Vercel Analytics and Speed Insights. These do not contain personally identifiable information.
  • IP addresses and request metadata for rate limiting and abuse prevention. These are not persistently stored.

3. How We Use Your Information

  • To create and manage email accounts for your AI agents.
  • To send and receive emails on behalf of your agents via AWS Simple Email Service (SES).
  • To process inbound emails: receiving via SES, storing raw messages, parsing content, extracting attachment text, and notifying your webhooks.
  • To generate vector embeddings of email and attachment content for semantic search.
  • To deliver webhook notifications to endpoints you configure, including email metadata and a content preview (first 200 characters).
  • To authenticate your identity and authorize access to your agents and data.
  • To enforce rate limits and prevent abuse of the email sending service.
  • To monitor service health and debug issues.

4. Third-Party Services

We share data with the following third-party services as necessary to operate the Service:

  • Amazon Web Services (AWS): Our backend infrastructure runs on AWS in the US East (N. Virginia) region. AWS services used include: SES (email sending and receiving), S3 (raw email and attachment storage), SNS/SQS (inbound email notification routing), RDS (PostgreSQL database hosting), and App Runner (API hosting). AWS processes email content, attachments, and all stored data.
  • OpenAI: We send email body text and extracted attachment text to OpenAI's embedding API (text-embedding-3-small model) to generate vector embeddings for semantic search. OpenAI receives the text content of your emails and attachments. OpenAI's data usage policies apply to this data.
  • Vercel: Our frontend is hosted on Vercel. Vercel Analytics and Speed Insights collect anonymous, non-personally-identifiable performance metrics (page load times, web vitals).
  • Google: If you sign in with Google OAuth, Google provides us with your name, email address, and profile picture. We do not access any other Google data.

5. Data Storage and Security

  • All data is stored on AWS infrastructure in the US East (N. Virginia) region.
  • Email metadata, body text, and extracted attachment text are stored in a PostgreSQL database (AWS RDS) with encryption at rest.
  • Email attachments and raw inbound email messages are stored in AWS S3 with server-side encryption (AES-256).
  • Passwords are hashed using bcrypt before storage. We never store plaintext passwords.
  • API keys and webhook signing secrets are stored as SHA-256 hashes.
  • All data in transit is encrypted using TLS (HTTPS).
  • Authentication sessions use httpOnly, secure cookies containing JWTs that expire after 7 days.
  • Email sending is protected by rate limits: per-minute, per-hour, and per-day quotas per email account, plus per-user burst limits.
  • All outbound emails are authenticated with DKIM and SPF.
  • Webhook payloads are signed with HMAC-SHA256 so you can verify their authenticity.

6. Data Retention

  • Account information is retained for as long as your account is active.
  • Emails, attachments, and embeddings are retained indefinitely until you delete them or close your account.
  • Raw inbound email messages (MIME format) in S3 are retained alongside parsed email data.
  • Webhook delivery logs are retained for 30 days, then automatically deleted.
  • API request logs and rate limiting data are held transiently in memory and not persisted.
  • Upon account deletion, we will delete all your data (agents, emails, attachments, embeddings, API keys, webhooks) within 30 days unless required by law to retain it.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data and account.
  • Export your email data in a machine-readable format via our API.
  • Revoke API keys at any time.
  • Delete individual emails, agents, or webhook configurations at any time.

To exercise any of these rights, contact us at the address below or use the relevant features in your account dashboard.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Governing Law

This Privacy Policy is governed by the laws of the State of Washington, United States, without regard to its conflict of laws principles.

11. Contact

For privacy-related questions or data requests, contact us at privacy@xobni.ai.