Privacy Policy

Last Updated: March 28, 2025

Welcome to Xabi! When you use Xabi – an AI scheduling assistant developed by The Micro Company AB – you trust us with your personal information. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR). This Privacy Policy explains what data we collect, how we use, store, and share it, and your rights regarding your information. We’ve tried to write it in clear, user-friendly language.

By using Xabi, you agree to the practices described in this policy. If you have any questions or concerns, please contact us at hello@offwork.ai.

Who We Are

Xabi is a product of The Micro Company AB, located at De Geersgatan 10, 11529 Stockholm, Sweden. For the purposes of data protection law, The Micro Company AB is the “data controller” of your personal data processed through Xabi. You can reach us with privacy questions at hello@offwork.ai.

What Data We Collect

When you use Xabi (for example, when you connect it to your calendar and email accounts via a third-party authorization like OAuth2), we collect certain information to provide and improve our scheduling services. This includes:

• Calendar Data: With your permission, Xabi accesses your calendar events and related metadata from your connected calendar service. This may include event titles, dates and times, locations, attendees (their names and email addresses), and notes or descriptions associated with your meetings. We use this information to check your availability and schedule new events on your calendar as needed.

• Email Data: With your permission, Xabi can access relevant content from your email account to help schedule meetings. This may include email headers and content such as subject lines, timestamps, sender and recipient addresses, and the body text of emails that involve scheduling or meeting requests. Xabi uses this information to understand scheduling requests and to send emails (like invitations or confirmations) on your behalf.

• Scheduling Request Information: Any information you directly provide to Xabi when requesting a meeting or responding to scheduling prompts. For example, if you email Xabi or use our interface to say “schedule a meeting with Alex next week,” we collect the details you provide (like desired meeting participants, duration, timing preferences, etc.). This also includes any commands or preferences you give to Xabi for scheduling.

• Participant Contact Information: When you ask Xabi to schedule a meeting, you often provide contact details of others (e.g. names and email addresses of the people you want to invite). We collect and use this contact information strictly to arrange the meeting and send necessary communications (like invites or scheduling emails) to those individuals.

• Account and Authentication Data: When you connect a third-party account (such as a calendar or email service account) to Xabi via an authorization method (e.g. OAuth2), we receive basic account information such as the email address associated with that account and possibly your name. We also store the tokens/credentials provided through that authorization process that allow Xabi to access your calendar or email on your behalf. These tokens are stored securely (encrypted) and are used only to perform the services you have authorized.

• Usage Logs and Technical Data: Like most online services, Xabi automatically collects usage data to help us maintain and improve the service. This includes logs of actions (e.g. when Xabi schedules a meeting or sends an email), timestamps of your interactions with Xabi, and technical information like your IP address, browser type or app version, and operating system. We may also collect error logs or crash reports if the app encounters a problem. This information helps us troubleshoot issues, monitor performance, and ensure the service is being used properly.

We do not collect any more data than necessary to fulfill the scheduling tasks. In particular, we do not use your data (including data from third-party services such as Google Workspace APIs) to scan for unrelated information, and we do not collect sensitive personal data from your accounts beyond what is described above. If you choose not to connect a particular third-party service (for example, a calendar or email account), Xabi will not access any data from that service.

How We Use Your Data

We use the collected information to operate, provide, and improve the Xabi scheduling service. Specifically, we use your data for the following purposes:

1. Providing the Scheduling Service: The primary use of your data is to schedule meetings on your behalf. Xabi reads your connected calendar to find free times and checks your emails for meeting requests or relevant information. We then propose meeting times, create calendar events, and send emails via your email account to invite participants, all according to your instructions. For example, if you ask Xabi to set up a meeting, it will find a suitable time on your calendar and email all participants to confirm the appointment.

2. Managing Your Calendar and Emails: Xabi will add or update events in your connected calendar with your consent (for instance, placing a meeting that’s been scheduled). It will also draft or send emails via your connected email account to communicate with meeting participants (such as sending invitations, confirmations, or rescheduling notices). All such actions are only done in line with your requests and permissions.

3. Communication with You: We may use your contact information (like your email address) to send you service-related communications. This could include confirmations that a meeting was scheduled, notifications if Xabi needs clarification, or alerts about any issues (for example, if Xabi cannot access your calendar or email service). We may also respond to you if you reach out to our support team. We will not send you marketing emails unrelated to Xabi unless you have explicitly opted in to such communications.

4. Improving and Developing Xabi: We analyze usage logs and other non-sensitive data to understand how Xabi is being used. This helps us troubleshoot problems, refine our scheduling algorithms, and develop new features. For example, knowing that many users schedule meetings of certain durations might help us improve default suggestions. Wherever possible, we use aggregated or anonymized data for analytics to protect your privacy.

5. Customer Support: If you contact us for help or feedback, we will use any information you provide (which might include parts of your scheduling data or email content, if relevant) to assist you. Our support team may access your account information or recent scheduling requests to troubleshoot the issue you reported, but they will only access the minimum data needed to help you.

6. Security and Abuse Prevention: We may process data (such as usage patterns or log-in IP addresses) to monitor for suspicious activities, prevent abuse of Xabi, and keep your account secure. This could include detecting spam scheduling requests or unauthorized access attempts. These measures protect both your data and the integrity of our service.

7. Legal Compliance: In certain cases, we may need to use or preserve your data to comply with legal obligations – for example, fulfilling lawful requests from authorities or retaining certain information as required by law (such as for tax or audit purposes).

We will not use your personal data for purposes unrelated to the services we offer unless we obtain your consent. In particular, we do not use your data for advertising purposes, and we do not sell your data to third parties. Your information is used solely to serve you and improve your Xabi experience.

Disclosure: Xabi’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

AI/ML and Third-Party Services

Xabi works with third-party services (such as calendar and email providers, or other productivity tools) to perform its scheduling tasks. When you choose to integrate these services with Xabi, we access and use data from those services strictly to carry out your requests (for example, reading your calendar events or sending an email invite on your behalf). All integration with third-party services is done with your knowledge and permission, using secure APIs or authorization protocols. We do not access any third-party account data unless you have connected that account to Xabi and authorized us to do so.

Any data exchanged between Xabi and an integrated third-party service is transferred securely (for instance, via OAuth2 and encrypted communication channels). The third-party service (for example, your calendar or email provider) will process that information as part of delivering their service to you — such as storing an event on your calendar or sending an email message from your account. These providers handle your data according to their own privacy policies and agreements with you, but Xabi only initiates exchanges as necessary for scheduling. We do not grant any third-party service any rights to use your information beyond what is needed to fulfill the integration. In other words, the external service is not an independent recipient of your data for their own purposes; Xabi simply acts as an intermediary on your behalf within the permissions you have given. If in the future you connect Xabi with additional services (for example, another calendar platform or a video conferencing tool), we will apply the same principles: we will only access or share data with those services with your explicit consent and only as needed to provide the functionality you expect.

Importantly, we do not use any of your personal data, including data from third-party services such as Google Workspace APIs, to develop or improve any artificial intelligence (AI) or machine learning (ML) models. This means that the content of your emails, calendar events, and other personal information is never used to train or enhance our algorithms beyond. Any AI or ML capabilities in Xabi are developed through other means (such as using non-personal or aggregated data and testing) and are not fueled by your personal data. Your data is only used to perform the scheduling tasks you ask of Xabi, and not to improve or train the underlying technology itself.

Legal Bases (GDPR)

Under the GDPR, we must have a valid legal basis to process your personal data. Depending on the situation, Xabi relies on the following legal bases:

• Consent: When you connect Xabi to your calendar, email, or other third-party accounts, you grant us permission (consent) via the authorization process (for example, an OAuth2 consent screen) to access your data from those services. You can withdraw this consent at any time by disconnecting Xabi or revoking its access through the settings of the respective third-party service (for instance, by removing Xabi’s permissions in your calendar or email account settings). Once you revoke access, we will stop accessing data from that service. In some cases, we may also ask for your consent for certain processing that is not strictly necessary for the service (for example, if we ever wanted to use your data for a new purpose, we would ask you first).

• Performance of a Contract: When you use Xabi, you are effectively entering into a user agreement (a contract) with us for the scheduling service. We need to process your data (like reading your calendar and sending emails) to deliver the service you have requested. In other words, processing your data is necessary for us to fulfill our obligations and provide you with Xabi’s functionality as promised.

• Legitimate Interests: In some cases, we process your data to pursue our legitimate interests in a way that is not overridden by your rights and freedoms. For example, we have a legitimate interest in understanding how our service is used, securing and improving our product, and communicating with you about service updates. When we rely on this basis, we always consider and balance any potential impact on you and your rights. You have the right to object to processing based on our legitimate interests (see Your Rights below).

• Legal Obligation: If we are required by law to process or retain certain data, we will do so. For instance, we might have to keep transaction records for a certain period to comply with accounting or tax regulations, or disclose information if compelled by a court order or regulatory requirement.

We will always make sure we have a valid legal reason to use your personal data and will document these bases. If you have questions about the legal basis for any specific processing of your data, please contact us.

How We Share Your Data

We understand that your personal data is important, and we are not in the business of selling it. We do not sell your personal information to anyone. We only share your data in a few specific situations, and always with appropriate safeguards:

• Service Providers (Processors): We employ trusted third-party companies and individuals to help us operate Xabi and provide the service to you. For example, we may use cloud hosting providers to store data or email delivery services to send notifications. These service providers process personal data on our behalf for the purposes described in this policy (for instance, hosting your information on secure servers or transmitting emails). We only share the data that is necessary for them to perform their functions, and they are contractually obligated to protect your information and use it only for our specified purposes. If a service provider is located outside the European Economic Area (EEA), we ensure that appropriate international transfer safeguards are in place (see International Data Transfers below).

• Third-Party Services (User-Authorized Integrations): When you integrate Xabi with external services (such as your connected calendar, email, or video conferencing platforms), we exchange data with those services as needed to perform the scheduling tasks you request. For instance, Xabi might retrieve events from your calendar or send an invitation via your email provider to your meeting invitees. These data exchanges occur only with your permission and as part of the functionality you choose to use. The information is transmitted through secure interfaces (APIs), and the external service processes that data under the terms of your agreement with them (for example, adding an event to your account or delivering an email). Importantly, we are not sharing your data with these services for their independent use; rather, Xabi is acting on your behalf within the scope of the permissions you have granted to facilitate your scheduling needs.

• Legal Requirements and Protection: We may disclose your information if we are legally required to do so or if we believe in good faith that such disclosure is necessary to (a) comply with a legal obligation, subpoena, or request from authorities; (b) protect our rights or property; (c) prevent or investigate possible wrongdoing in connection with the service (such as fraud or security incidents); or (d) protect the personal safety of our users or the public. If we receive a government or law enforcement request for your data, we will attempt to redirect the requesting party to seek the data directly from you, or we will notify you of the request unless we are legally prohibited from doing so.

• Business Transfers: If The Micro Company AB is involved in a merger, acquisition, sale of assets, or reorganization, your personal data may be transferred to the successor or new owner as part of that transaction. If such a transfer occurs, we will ensure the new entity honors the commitments we have made in this Privacy Policy regarding your personal data. We will also notify you (for example, via email or a notice on our website) of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal data at that time.

Other than the situations above, we will not share your information with third parties. To reiterate, we never sell user data. If you have questions about any specific sharing scenario, feel free to contact us.

Data Retention

We keep your personal data only for as long as necessary to fulfill the purposes for which we collected it, including providing the Xabi service or as required by applicable laws. Here’s how our data retention works:

• Active Account Data: For as long as you are actively using Xabi and have it connected to your accounts (such as your calendar and email accounts), we will retain the data we need to serve you (such as your calendar events, relevant email information, and usage logs). This allows Xabi to continuously help schedule your meetings and reference past interactions as needed.

• If You Disconnect or Delete Your Account: You have control over the connection between Xabi and your third-party accounts. If you decide to stop using Xabi, you can revoke Xabi’s access to your integrated services at any time (for example, by removing Xabi’s access in your calendar or email account settings). Once you revoke access or delete your Xabi account, we will initiate deletion of the personal data we hold that is associated with your account. All your personal data will be deleted within 30 days of revoking access or account deletion. In practice, this means we remove calendar events, email content, scheduling requests, and any other personal identifiers from our systems—typically much sooner than 30 days, with an outside window of 30 days to account for any backups or residual data that may take a short time to purge.

• Retention for Legal/Compliance Purposes: In certain cases, we might need to retain some information for longer than the standard period if it’s necessary for legal reasons. For example, we may keep minimal records of transactions or communications if required for tax, audit, or to comply with other laws, or to resolve disputes and enforce our agreements. However, in such cases, we will only retain the data that is strictly necessary for the specific purpose and will isolate it from routine use once it’s no longer actively needed.

• Anonymized or Aggregated Data: We may retain data that has been anonymized or aggregated (so it can no longer be linked to you personally) for analytics and service improvement purposes. This data is not considered personal data since it contains no identifiable information about individual users. We may keep anonymized/aggregated information even after your personal data has been deleted, as it helps us understand usage patterns and improve Xabi without identifying any user.

After the applicable retention period is over, we will securely erase or anonymize your personal data. We have processes in place to ensure data is deleted properly from active systems and from backups. If for any reason there is a delay in deletion, we will ensure your data remains protected until it is removed.

Security

We take the security of your data seriously and implement a range of measures to protect it. While no method of transmission over the internet or electronic storage is 100% secure, we work hard to safeguard your information from unauthorized access, disclosure, or alteration. Our security practices include:

• Encryption: We use encryption to protect your data in transit and at rest. For example, communications between Xabi and any third-party service APIs, as well as communications between your device and our servers, are secured via industry-standard encryption (TLS/SSL). Any sensitive data we store (such as access tokens or any stored content) is encrypted in our databases and storage systems.

• Access Controls: Internally, access to personal data is restricted to authorized personnel who need it to operate or support the service. The Micro Company AB has implemented strict access controls, and our team members and contractors are bound by confidentiality obligations. We regularly review who has access to systems that contain personal data and limit access to those who require it for their job role (for example, customer support or engineering troubleshooting).

• Monitoring and Testing: We monitor our systems for potential vulnerabilities and attacks, and we conduct periodic security assessments and penetration testing to identify and address possible weaknesses. Our infrastructure is kept up-to-date with security patches and follows industry best practices to prevent security issues.

• Secure Development Practices: Xabi is developed following secure coding guidelines. We apply privacy-by-design principles, meaning we consider privacy and security at each stage of development and implement appropriate safeguards from the ground up as we build and update the service.

• Data Minimization: We strive to collect and store only the data that we need to provide our service to you. By limiting the amount of personal information we hold, we reduce the risk and impact of any potential security issue.

• Incident Response: In the unlikely event of a data breach or security incident affecting your personal data, we have a response plan in place to address and mitigate the issue. If your data is involved in a breach that poses a risk to your rights and freedoms, we will inform you and the relevant authorities as required by GDPR.

Remember that you also play a role in keeping your data secure. Keep your account credentials (for your calendar, email, and other integrated services) safe and do not share them. Always revoke Xabi’s access to your accounts if you suspect any unauthorized activity. If you have any concerns about the security of your data with Xabi, please contact us immediately.

International Data Transfers

The Micro Company AB is based in Sweden, and whenever possible we strive to store and process your data within the European Union. However, the nature of Xabi’s service (and the global infrastructure of the internet and our service providers) means that your data may be transferred to and processed in countries outside of your own country or outside the European Economic Area (EEA). In particular:

• Third-Party Service Servers: If you connect Xabi to external service providers (such as a calendar or email provider), any data that Xabi accesses from or transmits to those services may be processed on servers located in various countries. These servers could be outside your country or the EEA. For example, if your calendar or email provider is a U.S.-based service, your scheduling data might transit through or be stored on servers in the United States or other countries as part of that service’s operations.

• Our Service Providers: We may use cloud hosting or other IT service providers that are located outside the EEA. This means the personal data we store (such as logs or account information) might reside on servers in countries that have different data protection laws than your country or the EU.

In all cases of international data transfers, we take steps to ensure that your data remains protected according to GDPR standards:

• If your data is transferred outside the EEA, we will ensure that the recipient country is deemed to have an “adequate” level of data protection by the European Commission, or we will put in place appropriate safeguards such as Standard Contractual Clauses (SCCs). These are legal agreements that impose GDPR-level data protection obligations on the recipient of the data.

• For transfers to service providers or partners in countries that do not have an EU adequacy decision (for example, the United States), we rely on mechanisms like SCCs or other approved transfer frameworks. We also ensure these providers are contractually obligated to safeguard your information in line with EU data protection standards.

• We will notify you if we ever need to transfer personal data to a third country in a manner that does not have the typical safeguards, and will seek your consent for such transfer if required by law.

You can contact us for more information about the safeguards we have in place for international data transfers. Despite any transfers, your rights and protections as described in this Privacy Policy remain in effect.

Your Rights

As a user of Xabi, and in accordance with the GDPR (and equivalent data protection laws where applicable), you have several rights regarding your personal data. We are committed to honoring these rights. Below is a summary of your key data protection rights:

• Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we process it. Upon request, we will provide you with a summary of your data and details about its use, typically within one month.

• Right to Rectification: If any of your personal data that we have is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if your name or contact information is wrong in our records, you can ask us to fix it.

• Right to Erasure (“Right to be Forgotten”): You have the right to request the deletion of your personal data in certain circumstances. For instance, if you no longer want to use Xabi and you withdraw your consent or object to our processing, you can ask us to delete the data we hold about you. We will then erase your data provided we don’t have a compelling legal reason to keep it (as described in the Data Retention section above). In practice, as noted, if you revoke Xabi’s access to your connected accounts or delete your Xabi account, we will delete your data within 30 days.

• Right to Restrict Processing: You can ask us to restrict (pause) the processing of your personal data in certain situations. This might apply if you contest the accuracy of the data or if you want us to preserve data while you believe we are holding it unlawfully (rather than deleting it). When processing is restricted, we will still store your data but will not use it for the period of restriction until the issue is resolved.

• Right to Data Portability: You have the right to obtain the personal data you provided to us in a structured, commonly used, machine-readable format (for example, a CSV or JSON file). You also have the right to transmit that data to another service provider (or to request that we transfer it for you, where technically feasible). For example, you could request a copy of the scheduling information or settings you have provided to Xabi so you can use it with a different service. This right applies to data processed by us by automated means, where our processing is based on your consent or on a contract with you.

• Right to Object: You have the right to object to certain types of processing. Notably, you can object to any processing that we base on “legitimate interests.” If you object, we will review the reasons for your objection and will stop processing the data in question unless we have an overriding legitimate ground to continue (or if the processing is needed for legal claims). You also have the right to object at any time to any direct marketing use of your data (although we currently do not use your data for marketing purposes).

• Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time. The easiest way to withdraw consent is by revoking Xabi’s access through the settings of any connected service you have authorized (for example, removing Xabi’s permissions in your calendar or email account settings). Additionally, you can contact us to request the removal of any data that you previously consented to provide. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.

• Right to Lodge a Complaint: If you believe we have infringed your data protection rights or GDPR obligations, you have the right to lodge a complaint with a supervisory authority. The Micro Company AB is regulated by the Swedish data protection authority (Integritetsskyddsmyndigheten), but you may contact the supervisory authority in your country of residence or workplace. Of course, we hope to resolve any issue by working directly with you, so we encourage you to contact us first with any concerns.

To exercise any of your rights, please contact us at hello@offwork.ai. We may need to verify your identity before fulfilling certain requests (to ensure we do not disclose your data to someone else). We will respond to your requests as soon as possible, and no later than one month from receiving your request, unless the request is particularly complex (in which case we might extend the response deadline by up to two further months, but we will inform you if that is the case).

Children’s Privacy

Xabi is not intended for children under the age of 13. We do not knowingly allow or target our services to anyone under 13, and we do not knowingly collect personal data from children under 13. If you are under 13, you should not use Xabi or provide any information to us.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete such information promptly. If you are a parent or guardian and you believe that a child under 13 has provided us with personal data, please contact us at hello@offwork.ai so we can investigate and delete the data. (Note: In certain jurisdictions, including some in the EU, the age threshold for consent may be higher than 13 (for example, 16). We do not knowingly offer our service to anyone under the applicable age of consent in those regions either.)

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will revise the “Last Updated” date at the top of this policy. If the changes are significant, we will provide a more prominent notice — for example, by emailing you at the email address associated with your account or by displaying a notice within the Xabi app or on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of Xabi after any update to this Privacy Policy will signify your acceptance of the changes, to the extent permitted by law.

Contact Us

Your privacy is important to us. If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please do not hesitate to contact us:

The Micro Company AB (Xabi Support Team)
De Geersgatan 10
11529 Stockholm, Sweden
Email: hello@offwork.ai

We will be happy to answer your questions or address any issues you may have. Thank you for trusting Xabi with your scheduling needs – we’re committed to keeping that trust by safeguarding your privacy every step of the way.