Privacy Policy
Contents
1. Who we are
This Privacy Policy describes how Blue Horizon Ventures ("Everest", "we", "us", or "our") collects, uses, stores, and shares information when you use the Everest application, website, APIs, integrations, and related services (the "Service"), accessible at everest.ag and app.everest.ag.
Everest is operated from Newark, Delaware, USA. For data protection purposes, the data controller is Blue Horizon Ventures, contactable at privacy@everest.ag.
2. Data we collect
2.1 Account information
- Email address, display name, and authentication identifier provided when you sign up
- Profile data you choose to add (e.g. timezone, working hours, role)
- Channel identifiers if you connect Telegram, WhatsApp, Discord, or similar messaging surfaces (e.g. your Telegram chat ID)
2.2 Connected-service data
When you authorise Everest to access third-party services on your behalf — such as Google, Slack, GitHub, or others — we receive data from those services through their official APIs. The specific data depends on the scopes you grant; see Section 3 for Google in detail.
2.3 Conversation and usage data
- Messages you send to Everest through any channel and the responses we generate
- Tasks, briefs, and outputs Everest produces on your behalf
- Technical logs (IP address, user agent, timestamps, error traces) needed to operate, secure, and debug the Service
- Aggregate usage metrics (feature counts, latency) used to operate and improve the Service
3. Google user data
If you connect a Google account, Everest accesses Google user data only with your explicit OAuth consent and only for the scopes you grant. Everest's Google access is focused on one job: scheduling — checking availability, resolving the people you mention by name, and managing calendar events on your instruction. The current scope set, and what each is used for, is:
| Scope | What we do with it |
|---|---|
| openid, userinfo.email, userinfo.profile | Identify you and link your Google identity to your Everest account |
| calendar.events | Read events on your calendars to answer scheduling questions, and create, update, or cancel events on your instruction |
| calendar.freebusy | Check when you — or a colleague whose calendar is visible to you — are free or busy before proposing or booking a time |
| calendar.calendarlist.readonly | List the calendars you subscribe to, so your schedule view covers all of them |
| calendar.calendars.readonly | Read calendar properties (names, time zones) needed to display and schedule correctly |
| calendar.settings.readonly | Read your calendar settings (e.g. timezone) so events are booked at the right local time |
| directory.readonly | Look up colleagues in your organisation's Google Workspace directory when you mention them by name (e.g. "is Sam free at 3pm?"), so you don't have to paste an email address |
| contacts.readonly | Look up people in your saved contacts by name for the same purpose |
| contacts.other.readonly | Look up people in your "Other contacts" (contacts Google saves automatically from your interactions) by name for the same purpose |
Scopes we no longer request. Before July 2026, Everest requested broader Google scopes (including Gmail, Drive, Docs, Sheets, Tasks, Google Analytics, and Google Ads). We no longer request any of these. If you granted them previously, you can narrow your grant by disconnecting and reconnecting Google in Everest, or revoke access entirely at any time (see below). Data previously obtained under those scopes is retained only as part of your conversation history and derived notes, per the retention schedule, and you can delete it at any time.
You can revoke Everest's access to your Google account at any time from Everest's Apps page or via your Google Account permissions page. Revocation takes effect immediately for new requests; cached data is deleted per the retention schedule.
4. How we use data
- Provide the Service — answer your messages, prepare briefs, take actions you instruct on connected services
- Operate, secure, and maintain the Service — authentication, abuse prevention, fraud detection, debugging
- Communicate with you about your account, security, and material changes to the Service
- Comply with legal obligations and respond to lawful requests from authorities
We do not use your data, including Google user data, to train, fine-tune, or evaluate generalised AI models. We do not sell your personal data. We do not use it for targeted advertising.
5. AI processing
Everest is an AI-driven product. To answer your messages and execute tasks, we send relevant context (your messages, calendar entries, contact lookups, etc.) to large-language-model (LLM) providers acting as our subprocessors. These providers process the data on our instruction under contractual data-protection terms and do not retain or train on it beyond the period needed to return a response (typically 30 days, or zero retention where the provider offers it).
We currently use the following LLM providers: Anthropic (Claude), OpenAI, and Google (Gemini). The list may change; the current set is reflected in Section 6.
Because LLM outputs are probabilistic, Everest may occasionally make mistakes. You remain responsible for reviewing material actions Everest is about to take on your behalf, and for the consequences of actions you authorise.
6. Sharing & subprocessors
We share data only with subprocessors who help us operate the Service, and only as needed for them to perform their function. Each is bound by a data processing agreement that restricts their use of your data to providing services to us.
| Subprocessor | Purpose | Region |
|---|---|---|
| OVH | Hosting (servers, network) | EU (France) |
| Supabase | Database, authentication | EU |
| Anthropic | LLM inference (Claude) | US |
| OpenAI | LLM inference (GPT) | US |
| LLM inference (Gemini) | US/EU | |
| Composio | Third-party OAuth connection management (deprecating) | US |
| Nango | Third-party OAuth connection management | Self-hosted (EU) |
| Telegram, Meta (WhatsApp), Discord | Message delivery via official channel APIs (only if you connect those channels) | Various |
We do not share your data with advertisers, data brokers, or for marketing purposes.
We may disclose data when legally required (e.g. valid subpoena, court order), to enforce our Terms of Service, or to protect the rights, safety, or property of Everest, our users, or others. Where lawful, we will notify you of any government request for your data before disclosing it.
7. Storage & security
Account data and conversation history are stored on infrastructure operated by Supabase in the European Union. OAuth refresh tokens for connected services are stored encrypted at rest. Backups are encrypted in transit and at rest.
We use industry-standard administrative, technical, and physical safeguards designed to protect your data against unauthorised access, disclosure, alteration, and destruction. No system can be perfectly secure; in the event of a personal data breach, we will notify affected users and competent authorities within the timeframes required by applicable law.
8. Retention & deletion
- Account data — for the life of your account, plus 30 days after deletion to allow recovery from accidental deletion
- Conversation history — for the life of your account, unless you delete individual conversations sooner
- Cached Google user data — only as long as needed to fulfil your active request, typically minutes; long-running results (briefs, scheduling notes) are stored as your conversation history above
- Logs — 30 days for application logs, 12 months for security/audit logs
- Backups — 30 days rolling
- Legal-hold data — for as long as required to comply with applicable law or to assert/defend legal claims
You can delete your Everest account at any time from your account settings or by emailing privacy@everest.ag. Deletion removes your data from our active systems within 30 days and from backups within 90 days.
9. Your rights
Subject to applicable law (including the EU General Data Protection Regulation where it applies to you), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a structured, machine-readable format (data portability)
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email privacy@everest.ag. We respond within 30 days of receipt.
10. International transfers
We are a US-based company and some of our subprocessors are located in the United States, while our primary data storage is in the European Union. Where we transfer personal data of EEA or UK users outside those regions, we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework for subprocessors certified under it, and supplementary measures where required.
11. Cookies and similar technologies
The Everest dashboard uses a small number of strictly necessary cookies for authentication and session management. On the public Everest website, we also offer optional Google Analytics cookies to understand aggregate landing-page traffic. We load Google Analytics only after you allow analytics in the cookie banner, and we do not use third-party advertising cookies.
If you decline analytics, Everest stores that preference in your browser and does not load Google Analytics. You can later change your preference by clearing site data for everest.ag in your browser.
12. Children
Everest is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact privacy@everest.ag and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice — for example, by emailing the address associated with your account or by displaying a prominent notice in the Service — at least 14 days before the change takes effect.
14. Contact
For privacy questions, data subject requests, or any concern about this policy, contact:
Blue Horizon Ventures
Newark, Delaware, USA
Email: privacy@everest.ag