Privacy Policy

Interpretation

The meanings of words with capitalized first letters are defined under the following conditions. The definitions have the same meaning whether singular or plural.

Definitions

For the purposes of this Privacy Policy:

• Application or Service means the ModuleX web application, APIs, and related services accessible at modulex.dev.
• Account means a unique account created for You to access our Service or parts of our Service.
• Company (referred to as "the Company", "We", "Us" or "Our") refers to ModulexAI, LLC. For the purpose of the GDPR, the Company is the Data Controller.
• Connected Service means a third-party service you authorize ModuleX to access via OAuth or API keys (e.g., Google Workspace, Microsoft 365, Slack, LinkedIn, Meta).
• Country refers to: United States (state of incorporation: Delaware).
• Cookies are small files placed on Your device by a website.
• BYOK (Bring Your Own Key) means a configuration in which You supply Your own API keys or credentials (e.g., for AI model providers) for ModuleX to use on Your behalf in workflows.
• Data Controller, for the GDPR, refers to the Company.
• Device means any device that can access the Service (computer, phone, tablet).
• Google Data means any data, content, or metadata obtained via Google APIs (including Google Workspace APIs).
• Generalized AI/ML model means an AI or ML model intended to be broadly trained across multiple users, not specific to a single user's data or behavior.
• Personal Data is any information that relates to an identified or identifiable individual.
• Sale, for the CCPA, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a Consumer's Personal Information to another business or third party for monetary or valuable consideration.
• Service Provider means a third party who processes data on our behalf. For the GDPR, Service Providers are considered Data Processors.
• Usage Data refers to data collected automatically (e.g., page visits, duration).
• User-facing features means features directly visible to or used by the individual user through the app UI.
• Website refers to ModuleX, accessible from modulex.dev.
• You means the individual accessing or using the Service.

Personal Data You Provide

When you sign up, link accounts, or use features, you may provide Personal Data such as:

• Name and email address
• Phone number and mailing address
• Profile picture, settings, and preferences
• Content you upload or create within ModuleX (workflows, configurations, prompts, outputs)
• Any data you explicitly input or connect via integrations

Google Data via API Scopes

Depending on the Google integrations you enable, ModuleX may access data from Google Workspace and related services, including Gmail (to send email on your behalf and manage labels; we do not read or modify your messages), Drive (only the files you create or open with ModuleX), Docs, Sheets, Slides, Forms, Calendar and Meet, Contacts and your Workspace directory, Tasks, Tag Manager, Analytics, Search Console, Google Ads, Ad Manager, Merchant Center, Business Profile, and Workspace Admin audit logs. We request only the minimal scope needed for each feature you enable, and we do not request scopes for unimplemented features.

Other Connected Service Data

When you connect Microsoft 365 (Outlook, OneDrive, Calendar, Teams, Excel, Bookings), Meta Platforms (Facebook, Instagram, WhatsApp Business), LinkedIn, Slack, HubSpot, or any other supported integration, we access only the data permitted by the scopes you grant. We comply with each provider's API terms and data handling requirements.

Usage Data

We may also collect Usage Data such as IP address, browser type and version, pages of our Service that you visit, the time and date of your visit, time spent on those pages, unique device identifiers, mobile device type and ID, mobile operating system, and other diagnostic data.

Tracking & Cookies Data

We use cookies and similar tracking technologies (beacons, tags, scripts) to track activity on our Service and hold certain information. Cookies may be Essential (session/auth/security), Functional (preferences), or Analytics (PostHog). You can instruct your browser to refuse all cookies, but some portions of the Service may not function. We do not use cookies for behavioral advertising. We honor Global Privacy Control (GPC) signals.

We use the collected data for various purposes:

• To provide and maintain our Service
• To execute the workflows and automations you configure
• To notify you about changes to our Service
• To allow you to participate in interactive features of our Service when you choose to do so
• To provide customer care and support
• To analyze usage and improve the Service
• To monitor the usage of the Service
• To detect, prevent, and address technical issues
• To manage your Account
• For the performance of a contract
• To contact you by email, SMS, or other equivalent forms of electronic communication
• To enable and support user-enabled integrations with Connected Services and provide personalization and user-specific automation for that individual user
• To detect and prevent fraud, abuse, or security incidents and to comply with legal obligations

Importantly: any Connected Service Data (including Google Data) used within ModuleX is used only for features tied to that specific user (user-facing features), and never for generalized AI/ML training or shared model improvement across users.

Your information, including Personal Information, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including Personal Information, to the United States and process it there.

For transfers from the EEA, UK, or Switzerland we rely on Standard Contractual Clauses approved by the European Commission.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Business Transactions

If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law Enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Legal Requirements

ModuleX may disclose your Personal Information in the good faith belief that such action is necessary:

• To comply with a legal obligation
• To protect and defend the rights or property of ModuleX
• To prevent or investigate possible wrongdoing in connection with the Service
• To protect the personal safety of users of the Service or the public
• To protect against legal liability

The security of your data is important to us. We use commercially reasonable administrative, technical, and physical safeguards, including:

• Encryption in transit (TLS/HTTPS) and encryption at rest (AES-256 where applicable)
• Role-based access control and principle of least privilege
• Multi-factor authentication for employee accounts
• Security event monitoring and logging
• An incident response process aligned with applicable breach-notification requirements (including GDPR Article 33)
• Regular review of vulnerabilities and security practices

OAuth tokens and credentials are stored encrypted at rest. BYOK API keys are handled transiently for the duration of an active session or workflow run and discarded after use.

Remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services, or to assist us in analyzing how our Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. Service Providers we use include:

• Amazon Web Services (cloud infrastructure)
• Stripe (payment processing)
• SendGrid / Postmark (email delivery)
• PostHog (product analytics)
• Sentry (error monitoring)
• OpenAI, Anthropic, Google Gemini (AI model providers, bound by their no-training commitments for API customers)

Your prompts, workflow content, and Connected Service Data may be processed by AI systems (large language models) to generate workflows, summarize, classify, or transform content as your workflow requires.

ModuleX does not use Customer Content to train AI/ML models, our own or third-party. Processing is real-time and ephemeral; nothing is retained for training.

We use AI providers (OpenAI, Anthropic, Google Gemini) to power AI features. Per their published API customer commitments (OpenAI Enterprise Privacy, Anthropic Commercial Terms, Google Cloud Generative AI Terms), customer data routed through their APIs is not used to train their models. If you use BYOK (Bring Your Own Key), your data goes directly to the AI provider under your own account.

AI outputs may contain errors or biased content. You are responsible for reviewing AI-generated content before relying on it, especially for legal, medical, financial, or other high-stakes decisions.

We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing.

We do not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

Payment processors we work with:

• Stripe

Affirmative Statement & Compliance

ModuleX's use, storage, processing, and transfer of Google Data (raw or derived) strictly adheres to the Google API Services User Data Policy, including the Limited Use requirements, and to the Google Workspace API user data policy (when applicable). We explicitly affirm that:

• ModuleX does not use, transfer, or allow Google Data to be used to train, improve, or develop generalized or non-personalized AI/ML models.
• Any processing of Google Data is limited to providing or improving user-facing features visible in the app UI.
• ModuleX does not use Google Data for advertising, marketing, retargeting, or any other commercial purpose beyond delivering the user-requested workflow functionality.
• ModuleX does not sell Google Data to any party.
• We do not allow third parties to access Google Data for purposes of training or model improvement.
• Transfers of Google Data are disallowed except in limited permitted cases.

Permitted Transfers & Data Use

We may only transfer Google Data (raw or derived) to third parties under the following limited conditions, always aligned with user disclosures and consent:

• To provide or improve user-facing features (with the user's explicit consent)
• For security, abuse investigation, or system integrity
• To comply with laws or legal obligations
• As part of a merger, acquisition, divestiture, or sale of assets, with explicit user consent

Human Access Restrictions

We restrict human review of Google Data strictly. No employee, contractor, or agent may view Google Data unless one of the following is true:

• The user gave explicit, documented consent to view specific items (e.g., "let customer support view this email/file")
• It is necessary for security, abuse investigation, or legal process
• Data is aggregated, anonymized, and used for internal operations only (without re-identification)

Scope Minimization & Justification

We only request scopes essential to features you opt into; we do not request broad or unused permissions. For each Google API scope we request, we maintain internal documentation justifying why that scope is needed and why narrower scopes are insufficient. Where possible, we follow incremental authorization and request additional scopes only when needed in context.

Secure Handling & Storage

• Google Data is encrypted in transit (TLS/HTTPS) and at rest (AES-256 where applicable)
• Access controls, role-based permissions, logging, and auditing protect data
• OAuth tokens and credentials are stored securely in an encrypted credential store
• We regularly review security practices and infrastructure
• If a security incident affects Google Data, we will notify Google as required and cooperate fully

Retention & Deletion

We retain data only as long as necessary for the purposes disclosed:

• Account Data: Retained during active account + 30 days after deletion request
• Google API Data: Retained during feature use + 7 days after revocation or account deletion
• Usage Logs: 90 days for analytics; up to 1 year for security investigations
• Transaction Records: Up to 7 years for legal and tax compliance

When you revoke access, delete your account, or stop using a feature, we remove associated data within the timeframes above. You may request deletion via in-app settings or by contacting privacy@modulex.dev; we will comply promptly.

The same Limited Use commitments above (no advertising use, no sale, no AI/ML training, no human reading except permitted purposes, scope minimization) apply to data we receive from any Connected Service.

Microsoft Graph data. When you connect Microsoft 365, we access only the data permitted by the Microsoft Graph scopes you grant (Outlook, OneDrive, Calendar, Teams, Excel, Bookings). We comply with the Microsoft Services Agreement and Microsoft's data handling requirements for partner applications.

Meta Platforms data. When you connect Meta services (Facebook, Instagram, WhatsApp Business), we access only the data permitted by the permissions you grant, in compliance with the Meta Platform Terms and Developer Policies.

LinkedIn data. When you connect LinkedIn, we access only the data permitted by the LinkedIn scopes you grant, in compliance with the LinkedIn API Terms of Use and Marketing Developer Program Terms.

Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Our Service does not address anyone under the age of 18 ("Children").

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from children without verification of parental consent, we take steps to remove that information from our servers.

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective, and update the "Last Updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

If you are a resident of the European Economic Area (EEA), UK, or Switzerland, you have certain data protection rights. ModuleX aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Information.

In certain circumstances, you have the following data protection rights:

• The right to access, update, or delete the information we have on you
• The right of rectification: to have inaccurate or incomplete information corrected
• The right to object: to object to our processing of your Personal Information
• The right of restriction: to request that we restrict the processing of your personal information
• The right to data portability: to receive your data in a structured, machine-readable, and commonly used format
• The right to withdraw consent: where ModuleX relied on your consent to process your personal information

Please note that we may ask you to verify your identity before responding to such requests.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority in the EEA.

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your information, the right to correct inaccurate information, and the right to opt-out of the sale or sharing of your personal information.

Do Not Sell or Share My Personal Information

We do not sell your personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. To exercise opt-out rights, contact us at privacy@modulex.dev.

Global Privacy Control (GPC)

We recognize and honor Global Privacy Control (GPC) signals. When your browser sends a GPC signal, we will treat it as a valid request to opt-out of the sale or sharing of your personal information.

Other US State Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, and Kentucky have similar rights under their respective state privacy laws. Contact privacy@modulex.dev to exercise them.

Introduction

ModuleX is dedicated to preserving data security by preventing unauthorized disclosure of information. This policy provides security researchers with instructions for conducting vulnerability discovery activities and information on how to report vulnerabilities. This policy explains which systems and types of activity are covered, how to send vulnerability reports, and how long we require you to wait before publicly reporting vulnerabilities.

Guidelines

We request that you:

• Notify us as soon as possible after you discover a real or potential security issue
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
• Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or obtain data, establish command-line access and/or persistence, or use the exploit to "pivot" to other systems
• Once you've established that a vulnerability exists or encounter any sensitive data (including personal data, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and keep the data strictly confidential
• Do not submit a high volume of low-quality reports

Authorization

Security research carried out in conformity with this policy is deemed permissible. We'll work with you to swiftly understand and fix the problem, and ModuleX will not suggest or pursue legal action in connection with your study.

Scope

This policy applies to the following systems and services:

• modulex.dev website
• ModuleX web application
• ModuleX API services

Any service that isn't explicitly specified above, such as related services, is out of scope and isn't allowed to be tested. Vulnerabilities discovered in third-party solutions ModuleX interacts with are not covered by this policy and should be reported directly to the solution vendor.

Types of Testing Not Authorized

• Network denial of service (DoS or DDoS) tests
• Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing

Reporting a Vulnerability

To report any security flaws, send an email to security@modulex.dev. We'll acknowledge receipt of your vulnerability report within three business days and keep you updated on our progress. Reports can be anonymously submitted.

In order to process and react to a vulnerability report, we recommend that you include the following information:

• Vulnerability description
• Place of discovery
• Potential impact
• Steps required to reproduce the vulnerability (include scripts and screenshots if possible)

If possible, please provide your report in English.

Our Commitment

If you choose to give your contact information, we promise to communicate with you in a transparent and timely manner. We will acknowledge receipt of your report within three business days. We will keep you informed on vulnerability confirmation and remedy to the best of our capabilities.

If you have questions, requests, or complaints regarding this Privacy Policy or our data practices, you may contact us at:

• Privacy: privacy@modulex.dev
• Support: support@modulex.dev
• Security: security@modulex.dev

Mailing Address: ModulexAI, LLC 8 The Green, Suite B Dover, Delaware 19901 United States

This Privacy Policy is governed by the laws of the State of Delaware, United States.

We will respond to your request within a reasonable timeframe.