Privacy Policy
1. Who we are
This Privacy Policy describes how [LEGAL ENTITY NAME] ("Everest", "we", "us", or "our") collects, uses, stores, and shares information when you use the Everest application, website, APIs, integrations, and related services (the "Service"), accessible at everest.ag and app.everest.ag.
Everest is operated from [CITY, COUNTRY]. For data protection purposes, the data controller is [LEGAL ENTITY NAME], contactable at privacy@everest.ag.
2. Data we collect
We collect three categories of information:
2.1 Account information
- Email address, display name, and authentication identifier provided when you sign up
- Profile data you choose to add (e.g. timezone, working hours, role)
- Channel identifiers if you connect Telegram, WhatsApp, Discord, or similar messaging surfaces (e.g. your Telegram chat ID)
2.2 Connected-service data
When you authorise Everest to access third-party services on your behalf — such as Google Workspace, GitHub, Stripe, Slack, or others — we receive data from those services through their official APIs. The specific data depends on the scopes you grant; see Section 3 for Google in detail.
2.3 Conversation and usage data
- Messages you send to Everest through any channel and the responses we generate
- Tasks, briefs, and outputs Everest produces on your behalf, including documents and files it creates in connected services
- Technical logs (IP address, user agent, timestamps, error traces) needed to operate, secure, and debug the Service
- Aggregate usage metrics (feature counts, latency) used to operate and improve the Service
3. Google user data
If you connect a Google account, Everest accesses Google user data only with your explicit OAuth consent and only for the scopes you grant. The current scope set, and what each is used for, is:
| Scope | What we do with it |
|---|---|
| openid, userinfo.email, userinfo.profile | Identify you, link your Google identity to your Everest account |
| mail.google.com (Gmail full access) | Read incoming mail to brief you, draft and send replies on your instruction, organise threads you ask Everest to handle |
| calendar | Read your calendar to brief you on the day, schedule meetings on your instruction, propose times |
| drive, documents, spreadsheets, presentations | Read documents you reference, create and edit files on your instruction |
| contacts.readonly | Look up people you mention by name without you having to paste an email |
| tasks | Read and write Google Tasks on your instruction |
| photoslibrary.readonly.appcreateddata, photoslibrary.edit.appcreateddata | Manage photos Everest itself creates (no access to your existing photos) |
| analytics, analytics.readonly | Pull metrics from Google Analytics properties you connect, on your instruction |
| adwords | Read campaign data from Google Ads accounts you connect, on your instruction |
You can revoke Everest's access to your Google account at any time via your Google Account permissions page. Revocation takes effect immediately for new requests; cached data is deleted per the retention schedule.
4. How we use data
We use the data described above to:
- Provide the Service — answer your messages, prepare briefs, take actions you instruct on connected services
- Operate, secure, and maintain the Service — authentication, abuse prevention, fraud detection, debugging
- Communicate with you about your account, security, and material changes to the Service
- Comply with legal obligations and respond to lawful requests from authorities
We do not use your data, including Google user data, to train, fine-tune, or evaluate generalised AI models on your behalf or for third-party customers. We do not sell your personal data. We do not use it for targeted advertising.
5. AI processing
Everest is an AI-driven product. To answer your messages and execute tasks, we send relevant context (your messages, retrieved documents, calendar entries, etc.) to large-language-model (LLM) providers acting as our subprocessors. These providers process the data on our instruction under contractual data-protection terms and do not retain or train on it beyond the period needed to return a response (typically 30 days, or zero retention where the provider offers it).
We currently use the following LLM providers: Anthropic (Claude), OpenAI, and Google (Gemini). The list may change; the current set is reflected in Section 6.
Because LLM outputs are probabilistic, Everest may occasionally make mistakes — sending a message you did not intend, summarising content imperfectly, or proposing the wrong action. You remain responsible for reviewing material actions Everest is about to take on your behalf, and for the consequences of actions you authorise.
6. Sharing & subprocessors
We share data only with subprocessors who help us operate the Service, and only as needed for them to perform their function. Each is bound by a data processing agreement that restricts their use of your data to providing services to us.
| Subprocessor | Purpose | Region |
|---|---|---|
| OVH | Hosting (servers, network) | EU (France) |
| Supabase | Database, authentication | EU |
| Anthropic | LLM inference (Claude) | US |
| OpenAI | LLM inference (GPT) | US |
| Google | LLM inference (Gemini) | US/EU |
| Composio | Third-party OAuth connection management (deprecating) | US |
| Nango | Third-party OAuth connection management | Self-hosted (EU) |
| Telegram, Meta (WhatsApp), Discord | Message delivery via official channel APIs (only if you connect those channels) | Various |
We do not share your data with advertisers, data brokers, or for marketing purposes.
We may disclose data when legally required (e.g. valid subpoena, court order), to enforce our Terms of Service, or to protect the rights, safety, or property of Everest, our users, or others. Where lawful, we will notify you of any government request for your data before disclosing it.
7. Storage & security
Account data and conversation history are stored on infrastructure operated by Supabase in the European Union. OAuth refresh tokens for connected services are stored encrypted at rest. Backups are encrypted in transit and at rest.
We use industry-standard administrative, technical, and physical safeguards designed to protect your data against unauthorised access, disclosure, alteration, and destruction. No system can be perfectly secure; in the event of a personal data breach, we will notify affected users and competent authorities within the timeframes required by applicable law.
8. Retention & deletion
We retain data only as long as needed for the purposes described in this policy:
- Account data — for the life of your account, plus 30 days after deletion to allow recovery from accidental deletion
- Conversation history — for the life of your account, unless you delete individual conversations sooner
- Cached Google user data — only as long as needed to fulfil your active request, typically minutes; long-running results (briefs, drafts) are stored as your conversation history above
- Logs — 30 days for application logs, 12 months for security/audit logs
- Backups — 30 days rolling
- Legal-hold data — for as long as required to comply with applicable law or to assert/defend legal claims
You can delete your Everest account at any time from your account settings or by emailing privacy@everest.ag. Deletion removes your data from our active systems within 30 days and from backups within 90 days.
9. Your rights
Subject to applicable law (including the EU General Data Protection Regulation and the UK Data Protection Act), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a structured, machine-readable format (data portability)
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority — for users in France, the CNIL
To exercise any of these rights, email privacy@everest.ag. We respond within 30 days of receipt.
10. International transfers
Some of our subprocessors are located outside the European Economic Area, primarily in the United States. When we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures where required. The current EU adequacy decision for the US (the EU–US Data Privacy Framework) covers transfers to subprocessors that are certified under it.
11. Cookies and similar technologies
The Everest dashboard uses a small number of strictly necessary cookies for authentication and session management. On the public Everest website, we also offer optional Google Analytics cookies and similar technologies to understand aggregate landing-page traffic, demo interactions, and waitlist conversion. We load Google Analytics only after you allow analytics in the cookie banner. We do not use Google Analytics to collect waitlist email addresses, and we do not use third-party advertising cookies on the Everest website.
If you decline analytics, Everest stores that preference in your browser and does not load Google Analytics. You can later change your preference by clearing site data for everest.ag in your browser.
12. Children
Everest is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact privacy@everest.ag and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice — for example, by emailing the address associated with your account or by displaying a prominent notice in the Service — at least 14 days before the change takes effect.
14. Contact
For privacy questions, data subject requests, or any concern about this policy, contact:
[LEGAL ENTITY NAME]
[STREET ADDRESS]
[POSTAL CODE, CITY, COUNTRY]
Email: privacy@everest.ag