Privacy Policy
Effective date: March 25, 2026
TelosX is a product of Dwellingly Inc., a Texas company doing business as TelosX ("we," "us," or "our"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website at www.telosx.ai, our application at app.telosx.ai, and any related services (collectively, the "Service").
By using TelosX, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Username and display name
- Password (stored only as a cryptographic hash — we never store or have access to your plain-text password)
- Timezone (auto-detected from your browser)
- Profile information you choose to provide (bio, location, website, profile picture)
1.2 Content You Create
The Service is a productivity platform. When you use it, you may create and store:
- Tasks, projects, goals, milestones, and notes
- Social posts, comments, and reactions
- Habit tracking data and completion logs
- Custom workspace applications and records
- Documents and file uploads (up to 50 MB per file)
- Chat conversations with the AI assistant
- Bug reports and feedback submissions
1.3 Information from Third-Party Integrations
If you choose to connect third-party services, we collect additional information:
- Google or Microsoft Sign-In: Your name and email address as provided by the identity provider.
- Gmail Integration: OAuth access and refresh tokens that allow us to read and send email on your behalf. We access your inbox only when you use email features within TelosX.
- Microsoft Outlook Integration: OAuth access and refresh tokens for Microsoft Graph API access to your mailbox, used to read and send email on your behalf.
- Stripe (Payments): When you subscribe to a paid plan, we send your email address, display name, and an internal user ID to Stripe. All payment card information is handled directly by Stripe — we never see or store your card number.
1.4 Automatically Collected Information
- No cookies: We do not use cookies for authentication or tracking. Authentication tokens and theme preferences are stored in your browser's localStorage.
- No third-party analytics: We do not use Google Analytics, tracking pixels, or any third-party analytics services.
- Server-side logs: We maintain internal application logs for debugging and system health monitoring. These logs may include request metadata, error details, and timestamps.
- Rate limiting: We process IP-based request counts in memory to enforce rate limits. This data is not persisted to a database.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the TelosX platform
- Authenticate your identity and secure your account
- Generate AI-powered features, including daily briefings, task suggestions, chat assistance, workspace creation, email drafting, and image generation — powered by Azure OpenAI (GPT-4 and DALL-E)
- Moderate social posts using AI content analysis to maintain community standards
- Process payments and manage subscriptions through Stripe
- Send system emails such as account verification, password resets, and daily briefings
- Deliver real-time notifications via WebSocket connections
- Enforce rate limits and protect the Service from abuse
- Monitor system health through internal application logs
- Track gamification points based on your productivity activity
3. Third-Party Services and Data Sharing
We share data with the following third-party services only as necessary to operate the Service. We do not sell, rent, or trade your personal information.
3.1 Azure OpenAI (Microsoft)
Content you create — including tasks, goals, projects, chat messages, social posts, workspace records, and email content — may be sent to Azure OpenAI for AI processing. This includes content moderation analysis of social posts. Azure OpenAI processes data in accordance with Microsoft's data processing terms and does not use your data to train its models.
3.2 Stripe
We share your email address, display name, and an internal user ID with Stripe to process payments and manage subscriptions. Stripe handles all payment card information directly — we never see or store your card number, expiration date, or CVV. Stripe's use of your data is governed by the Stripe Privacy Policy.
3.3 Microsoft Graph (Email)
If you connect your Microsoft account for email integration, we access your mailbox via Microsoft Graph APIs using OAuth tokens you authorize. We use this to read, display, and draft emails on your behalf within TelosX. We also use a TelosX system mailbox to send transactional emails such as account verification and notifications.
3.4 Google (Gmail and Sign-In)
If you use Google Sign-In, Google shares your name and email address with us. If you connect Gmail, we access your inbox via Gmail APIs using OAuth tokens you authorize. We participate in Google's RISC (Risk and Incident Sharing and Collaboration) program, which means we receive security event notifications about your Google account (such as session revocations or credential changes) to help protect your TelosX account.
3.5 Azure Blob Storage (Microsoft)
Documents, profile pictures, and workspace attachments you upload are stored in Microsoft Azure Blob Storage. Profile pictures are stored in a publicly accessible container so they can be displayed to other users. All other documents are access-controlled.
3.6 No Sale of Data
We do not sell, rent, or trade your personal information to any third party. We do not share data with advertisers or data brokers. We do not use your content to train AI models.
4. Data Security
We take the security of your data seriously and implement the following measures:
- Passwords are hashed using industry-standard cryptographic algorithms and are never stored in plain text
- Authentication uses short-lived access tokens (60-minute expiry) with rotating refresh tokens (7-day expiry)
- All communication between your browser and our servers is encrypted via HTTPS/TLS
- Security headers are enforced, including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy
- Rate limiting is applied to authentication endpoints, API mutations, chat requests, file uploads, and public form submissions to prevent abuse
- OAuth tokens for email integrations are stored server-side with encryption at rest
- Database connections use encrypted channels with automatic retry policies
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing and maintaining appropriate safeguards.
5. Data Retention
- Account data is retained for as long as your account is active.
- Deleted content (tasks, posts, comments, etc.) is soft-deleted — marked as removed but not immediately purged from our database. This allows for potential recovery and ensures data integrity.
- Permanent deletion is available upon request. Contact us at support@telosx.ai to request complete removal of your data.
- Authentication tokens expire automatically — access tokens after 60 minutes, refresh tokens after 7 days.
- Application logs are retained for system debugging and are periodically purged.
- AI-processed content is not retained by Azure OpenAI beyond the duration of each processing request.
- Stripe retains payment and subscription data according to its own retention policies and legal obligations.
6. Your Privacy Rights
6.1 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing of your data for certain purposes
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
- Right to lodge a complaint — file a complaint with your local data protection authority
Our legal bases for processing your data include: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), and consent (where applicable, such as optional email integrations).
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale — we do not sell your personal information, so this right is already honored
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
6.3 Other Jurisdictions
If you are located outside the EEA or California, you may have additional rights under your local privacy laws. We will honor requests consistent with applicable law. To exercise any privacy right, contact us at support@telosx.ai.
7. International Data Transfers
TelosX is operated by Dwellingly Inc., based in Texas, United States. Your data is processed and stored in Microsoft Azure data centers located in the United States.
If you access TelosX from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
For users in the EEA, UK, and Switzerland, we rely on Standard Contractual Clauses and other approved transfer mechanisms to ensure that your data is protected in accordance with applicable data protection regulations when transferred internationally.
8. Children's Privacy
TelosX is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will take prompt steps to delete that information.
If you believe that a person under 18 has provided us with personal information, please contact us at support@telosx.ai.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the updated policy on this page with a revised effective date.
Your continued use of TelosX after changes are posted constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Dwellingly Inc. (doing business as TelosX)
Email: support@telosx.ai
Website: www.telosx.ai