Privacy Policy
Your privacy matters to us. This policy explains how we collect, use, share, and protect personal information across the DoubleXL platform.
Effective: June 9, 2026 · Last updated: June 9, 2026
1. Introduction
DoubleXL, Inc. ("DoubleXL," "we," "us," or "our") provides a suite of AI-powered business automation products (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, transfer, retain, and safeguard personal information when you access our websites, applications, APIs, integrations, mobile apps, and related offerings.
By using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services. For California, EEA, UK, and other state-specific disclosures, see the dedicated sections below.
2. Scope and Our Role
DoubleXL acts in two roles depending on the data:
- Controller for personal information we collect about visitors, account holders, and administrators (e.g., billing data, account credentials, marketing engagement, website analytics).
- Processor / Service Provider for content and personal information that our business customers (or their end users) upload, generate, or transmit through the Services ("Customer Data"). Our processing of Customer Data is governed by our Data Processing Addendum (DPA) and the applicable customer agreement. The customer is the controller.
If you are an end user, employee, contact, or meeting participant of one of our business customers, please direct privacy requests to that customer first; we will support them in responding.
3. Information We Collect
3.1 Information You Provide
- Account Information: name, email, password, company name, job title, phone number.
- Payment Information: billing address, payment method tokens, and tax identifiers, processed by our payment processor (Stripe). We do not store full card numbers.
- Profile Information: profile photo, bio, language/timezone, role, notification preferences.
- Customer Content: files, documents, images, emails, meeting audio/video, transcripts, prompts, knowledge bases, CRM data, and other content you upload, generate, or connect.
- Communications: support tickets, survey responses, sales conversations, recorded demo calls (with consent).
3.2 Information Collected Automatically
- Usage Data: features accessed, actions taken, queries issued, time spent, AI prompts and outputs, error events.
- Device and Network: IP address, browser type, operating system, device identifiers, language settings, referring URL.
- Cookies and Similar Technologies: as described in our Cookie Policy. We use PostHog, Datadog RUM, and Google Tag Manager (via Cloudflare Zaraz) for product analytics, performance monitoring, A/B testing, and attribution. You can manage preferences via our cookie banner and your browser settings.
- Server Logs: request metadata, error traces, latency, security events.
3.3 Information from Third Parties
- Identity Providers (SSO): Google, Microsoft, Apple, and SAML/OIDC providers when you sign in via SSO.
- Integrations: data from connected services such as Google Workspace, Microsoft 365, HubSpot, Salesforce, Slack, Zoom, Stripe, calendar systems, CRMs, and telephony/messaging providers (e.g., Twilio).
- Enrichment and Sales Data: business contact information from data providers (e.g., Apollo) used for business-to-business communications and CRM enrichment.
- Referrals and Partners: contact information from partners or co-marketing programs.
3.4 Sensitive Information
The Services are not designed to collect special-category or sensitive personal information (e.g., health data, government IDs, precise geolocation, biometric identifiers, racial or ethnic origin). Do not upload such data unless we have specifically agreed in writing (e.g., a Business Associate Agreement for PHI). Voice recordings and meeting transcripts may, depending on jurisdiction, be treated as biometric or sensitive data; you are responsible for obtaining required consents (see Section 7).
4. How We Use Information
We use personal information to:
- Provide, operate, maintain, and improve the Services
- Authenticate users and secure accounts
- Process payments, invoices, and tax
- Generate AI outputs (transcripts, summaries, replies, drafts, images, analytics) in response to your inputs
- Send transactional notices (security alerts, billing, system changes, product updates that affect functionality)
- Send marketing communications, subject to your preferences and applicable law
- Provide customer support, training, and onboarding
- Detect, investigate, and prevent fraud and abuse
- Monitor performance, debug, measure usage, and run A/B experiments
- Comply with legal obligations and enforce our agreements
5. AI Processing and Model Training
Our products use a combination of DoubleXL-developed models and third-party model providers (currently including Anthropic and OpenAI; additional providers may be added or substituted). All AI providers we use are bound by data-processing agreements that prohibit using your content to train their generalized models.
- Customer Data is not used to train our models by default. We may use de-identified, aggregated metrics (counts, latency, success rates) to improve quality and reliability.
- Opt-in product improvement: features that use content to fine-tune or evaluate models are off by default and require explicit opt-in by an account administrator. You can turn them off at any time in workspace settings.
- Human review: in narrow cases (safety investigations, severe errors, customer-initiated support), a limited and audited number of personnel may review content.
- Automated decision-making: the Services may generate suggestions, classifications, or recommendations. They are decision-support tools, not autonomous decisions about you. Where automated decisions producing legal or similarly significant effects could occur, we provide a human-review path consistent with GDPR Article 22.
- No advertising use: we do not use Customer Data, prompts, or outputs to serve advertising.
6. Per-Product Data Practices
The DoubleXL platform includes seven products. Each processes a specific set of personal information to deliver its features.
- DoubleXL Stream (meetings): joins video/voice conferences, captures audio/video, generates transcripts, summaries, action items, and speaker analytics. Processes voice data, participant names/emails, calendar metadata, and recorded content.
- DoubleXL Answer (email/inbox automation): reads, drafts, sends, and labels messages in connected Gmail and Microsoft 365 mailboxes; processes message contents, metadata, attachments, and contact information.
- DoubleXL Align (advertising and growth optimization): connects to ad platforms (Google, Meta, LinkedIn, others) and CRM systems; processes campaign data, audience signals, conversion metadata, and aggregate attribution.
- DoubleXL Respond (customer engagement): powers chat, SMS, and voice replies to inbound customer contacts; processes conversation transcripts, contact identifiers, and CRM context. SMS and voice are subject to Section 7.
- DoubleXL Draft (content and document generation): generates documents, proposals, marketing content, and code; processes prompts, brand assets, reference content, and outputs.
- DoubleXL Ops (workflow automation): runs triggers and actions across connected SaaS apps; processes workflow definitions, intermediate data, and audit logs.
- DoubleXL Vision (analytics and intelligence): processes business data sources (warehouses, CRMs, billing, product analytics) to produce dashboards, narratives, and alerts. May process images and documents for OCR/extraction. Vision does not perform facial recognition or biometric identification of individuals.
7. Communications, Recording, and Notifications
7.1 Email Communications
We send transactional emails (security, billing, service-impact notices) that are required to operate your account; you cannot opt out of these while your account is active. Marketing emails are sent only with a lawful basis and include an unsubscribe link in every message. You can update preferences in your account settings.
7.2 SMS and Text Messaging
Where you opt in to receive SMS from DoubleXL or where a product sends SMS on a customer's behalf, the following apply:
- Message frequency varies. Message and data rates may apply from your carrier.
- Reply STOP to opt out at any time. Reply HELP for help. You can also email hello@double-xl.com.
- Consent to receive SMS is not a condition of purchase.
- Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subprocessors that support the messaging service (e.g., Twilio) is permitted.
7.3 Voice Calls and Call Recording
Products like DoubleXL Stream and DoubleXL Respond may record and transcribe calls and meetings. Recording laws vary by jurisdiction; some require all-party consent. Customers and users are responsible for obtaining required consents from participants. We provide in-product notices and audible/visual recording indicators where supported.
7.4 Push and In-App Notifications
You can enable or disable push and in-app notifications in your device settings and your DoubleXL notification preferences.
7.5 Managing Preferences
You can update communication preferences any time at Account Settings → Notifications, via unsubscribe links in email, by replying STOP to SMS, or by emailing hello@double-xl.com.
8. Google User Data
When you connect a Google account, we access and process Google user data in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
8.1 Data We Access
- Profile: name, email, profile picture.
- Gmail: messages, labels, and metadata when you use DoubleXL Answer or other products that integrate with email.
- Google Calendar: events, attendees, and scheduling metadata when you use DoubleXL Stream.
- Google Drive: files you explicitly select or grant access to.
- Google Meet / Contacts: meeting metadata and contact details where you connect them.
8.2 How We Use Google User Data
We use Google user data only to provide and improve the user-facing features you request. We do not use Google user data for advertising, do not transfer it to third parties except as necessary to provide the Services (see subprocessors) and required by law, and do not use it to develop, improve, or train generalized AI/ML models.
8.3 Storage, Protection, and Deletion
Google user data is encrypted in transit (TLS 1.3) and at rest (AES-256), with access restricted to authorized systems and personnel. You can disconnect your Google account from Settings → Integrations at any time, or revoke access at myaccount.google.com/permissions. Disconnection results in deletion of Google user data within 30 days, except where retention is required by law.
9. Microsoft and Other Integrations
When you connect Microsoft 365 (Outlook, Teams, OneDrive, SharePoint, Calendar), Slack, Zoom, HubSpot, Salesforce, or other integrations, we access only the scopes you authorize and process the data solely to provide the features you request. Disconnect at any time from Settings → Integrations.
10. How We Share Information
- With Your Consent or at your direction.
- Within Your Organization: with other members and administrators of your workspace.
- Subprocessors: vendors that host infrastructure, process payments, deliver communications, or power AI features (see Section 11).
- Professional Advisors: auditors, lawyers, accountants, insurers under confidentiality.
- Business Transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to continued protection.
- Legal Compliance: to comply with law, legal process, or government requests, and to protect rights, property, or safety.
- Aggregated/De-identified Data: that cannot reasonably identify an individual.
We do not sell personal information as that term is defined under U.S. state privacy laws, and we do not share personal information for cross-context behavioral advertising.
11. Subprocessors
We engage subprocessors to provide the Services. A current list includes:
- Cloud infrastructure: Cloudflare (compute, storage, CDN, security), DigitalOcean (compute and managed databases).
- Database: Neon (managed PostgreSQL).
- AI providers: Anthropic, OpenAI (and other model providers as noted in product documentation).
- Authentication: Stytch and identity providers you connect.
- Payments: Stripe, PayPal (where enabled).
- Communications: Twilio (SMS, voice), SendGrid (transactional email).
- Analytics & observability: PostHog, Datadog, Sentry, Google Tag Manager (via Cloudflare Zaraz).
- Customer engagement: HubSpot, Intercom (where enabled).
A current and complete subprocessor list, including changes, is available on request to hello@double-xl.com. Customers subject to a DPA receive advance notice of new subprocessors and may object as set out in the DPA.
12. International Data Transfers
We are headquartered in the United States and use infrastructure providers globally. Where personal information is transferred from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and, where applicable, the Swiss-FADP addendum. Customers may request copies of executed transfer mechanisms. Enterprise customers can request EU-region data residency where available.
13. Data Security
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Access controls: role-based access, least-privilege, mandatory SSO and MFA for staff.
- Network and application security: WAF, DDoS protection, secrets management, dependency scanning, code review.
- Monitoring: centralized logging, anomaly detection, on-call incident response.
- Testing: periodic vulnerability scans, third-party penetration tests, annual security reviews.
- Compliance: we maintain a security program aligned with SOC 2; current attestations and reports are available under NDA to qualifying customers.
No system is perfectly secure. Help protect your account by using strong, unique passwords, enabling MFA, and reporting any suspected unauthorized access to security@double-xl.com.
14. Data Breach Notification
If we determine that a personal data breach has occurred involving your information, we will notify affected users and applicable regulators consistent with our legal obligations and our DPA commitments to business customers.
15. Data Retention and Deletion
- Active accounts: we retain data while your account is active and as needed to provide the Services.
- Account deletion: account and content are deleted within 30 days; backups purged within 90 days.
- Connected integrations: data from a disconnected integration is deleted within 30 days.
- Legal retention: we may retain limited information longer to comply with law, resolve disputes, or enforce agreements (e.g., billing records, audit logs).
16. Your Rights and Choices
Subject to local law, you may have the right to:
- Access a copy of your personal information
- Correct inaccurate information
- Delete information
- Receive a portable copy of certain information
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Opt out of targeted advertising, sale, or sharing (we do not engage in these activities, but you may still submit a request)
- Appeal a denial of your request, where required by law
To exercise rights, contact privacy@double-xl.com or use the in-product privacy request form. We will verify your identity before fulfilling requests and respond within the time required by applicable law.
17. U.S. State Privacy Rights
Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws have additional rights as described above. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under these laws.
Global Privacy Control (GPC): we recognize and honor GPC signals from supported browsers as a valid opt-out of sale/sharing.
Sensitive Personal Information: we do not use sensitive personal information for purposes that require an opt-out right under California law.
Authorized agents may submit requests on your behalf with valid authorization.
California residents may also exercise their "Shine the Light" right by contacting us at the address below.
18. European, UK, and Swiss Privacy Rights
For individuals in the EEA, UK, and Switzerland, we process personal information under one or more of the following legal bases:
- Contract — to provide the Services to you or your organization.
- Legitimate interests — to operate, secure, and improve the Services.
- Consent — for certain marketing and optional processing.
- Legal obligation — to comply with law.
You have the right to lodge a complaint with your local supervisory authority. Our EU representative under GDPR Article 27 is available on request to privacy@double-xl.com.
19. Children's Privacy
The Services are intended for business use and are not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If we learn we have collected such information, we will delete it promptly. Contact us if you believe a child has provided us information.
20. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified through the Services or by email at least 30 days before they take effect, except where a shorter period is required by law. Continued use of the Services after the effective date constitutes acceptance.
21. Contact Us
For privacy questions, data subject requests, or to reach our Data Protection Officer:
DoubleXL, Inc.
Privacy: privacy@double-xl.com
Security: security@double-xl.com
General: hello@double-xl.com
Address: 212 Crossroads Blvd, #620, Saratoga Springs, UT 84048
Related policies: Terms of Service · Cookie Policy · Security · Data Processing Addendum · Subprocessors