1. Introduction
White Belt Lab, LLC (“White Belt Lab,” “we,” “us,” or “our”) operates whitebeltstudio.com and the ELVARA / Neural Genesis application, including its calendar assistant and connected integrations (collectively, the “Services”). This Privacy Policy describes how we collect, use, disclose, and protect information about you when you create an account, use the Services, connect a third-party account, or otherwise interact with us.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Services.
2. Information We Collect
We collect only what we need to provide the Services:
2.1 Account Information
When you create an account or join our waitlist, we collect your name and email address, an encrypted (hashed) password, and, if you enable it, multi-factor authentication settings. If you contact us, we collect the content of your message.
2.2 Content You Create
We store the content you create in the Services, such as calendar events, notes, and conversations with the assistant, so we can provide those features back to you.
2.3 Connected-Account Data
When you choose to connect a third-party account, we access only the data needed for the feature you enable, with consent granted through that provider’s permission screen. Depending on what you connect and enable, this can include your Google Calendar and, only if you enable the Inbox feature, read-only access to your Gmail (see Section 4); your Microsoft Outlook mail and calendar; and your Slack or Discord workspaces for the channels you authorize. You can disconnect any provider at any time from your Connected settings, and each integration can be toggled per capability.
2.6 Organizations, Teams, and Single Sign-On
If you join an organization on ELVARA (a team or business workspace), the organization’s administrators can see your name, email address, role, and membership status. Content you file into a shared workspace (shared folders and shared notes) is visible to the organization’s active members. If your organization uses single sign-on, your login is authenticated through your organization’s own identity provider (Google Workspace or Microsoft Entra ID), and we receive your verified email address and basic profile from that provider. If you delete your account, content you authored, including content in shared workspaces, is deleted with it.
2.4 Automatically Collected Information
When you use the Services, we and our infrastructure providers may collect technical information such as your IP address, browser and device type, pages viewed, and timestamps, through cookies and similar technologies used to operate, secure, and improve the Services. You may configure your browser to refuse cookies, though some features may not work.
2.5 Billing and Subscription Information
If you upgrade to a paid plan, our payment provider and Merchant of Record, Lemon Squeezy, collects and processes your payment details on its own PCI-DSS Level 1 certified systems. We receive from Lemon Squeezy only your subscription status and non-sensitive identifiers (a customer ID and a subscription ID). We never receive or store your full card number, security code, or bank details. We keep a record of your subscription status and your consent to auto-renewal (see Sections 8 and 10).
2.7 Personalized Memory (optional, off by default)
If you choose to turn on Personalized Memory in your Settings, ELVARA remembers durable preferences and facts you state about yourself, for example how you like your answers formatted, your time zone, the tools you use, or the projects you are working on, and uses them to make future responses more relevant to you. This is a form of automated profiling. It is off by default and is never active without your explicit, opt-in consent, which you can grant or withdraw at any time in your Settings. We do not use your memories to train AI models, we never sell them, and they are never used for advertising. You can view everything ELVARA has remembered about you, and delete any item, at any time, in your Settings. Withdrawing consent stops all use of your memory immediately, and deleting your account erases it entirely.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, secure, and improve the Services
- Operate the features you use, including the calendar assistant and your connected integrations
- Send communications you have requested and respond to your inquiries
- Process payments, manage your subscription, and prevent payment fraud, for paid plans
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Comply with applicable legal obligations
We do not sell, rent, or trade your personal information, and we do not use it for advertising.
4. Google User Data and Limited Use
If you connect your Google account, we access Google user data only to provide features you explicitly enable, and only with the scopes you grant on Google’s consent screen.
4.1 What we access and why
- Google Calendar (read and write). Our scheduling assistant reads your calendar to show your week and check availability, and creates, edits, or deletes events on your instruction. Changes are sent to Google only when you choose to sync.
- Gmail (read-only), only if you enable the Inbox feature. The Focused Inbox reads your mail on demand to show you a folded view of your conversations and, when you ask for one, to generate a summary. Messages are read at the moment you use the feature and are not stored on our servers beyond short-lived operational caches. We never send, delete, or modify your mail.
- Basic profile (name, email). Used to create and identify your account when you sign in with Google.
4.2 How we store and protect it
Google access tokens are encrypted at rest in a per-user vault (AES-256-GCM). You can disconnect your Google account at any time, and you may request deletion of your account and associated data.
4.3 Limited Use
White Belt Lab’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide and improve these user-facing features. We do not sell it, do not use it for advertising, do not use it to train AI models, and do not transfer it to others except as needed to provide the feature or as required by law. No humans read your Google data except with your consent, for security or abuse investigations, or to comply with law.
5. AI Processing of Your Data
The assistant is powered by AI models operated by our processors, chosen specifically for their privacy posture:
- We do not use your data to train AI models, and our AI processors do not train their models on your inputs or outputs under their commercial terms.
- AI inference is performed by Cloudflare Workers AI and Anthropic (Claude). Anthropic processes data under commercial terms that prohibit training on customer data and apply short retention.
- We never send your data to OpenAI, advertising networks, or data brokers.
- Your inputs are processed only to generate the response you requested, and are not retained by the AI processors beyond the short operational windows described in their terms.
- If you enable Personalized Memory (Section 2.7), the preferences and facts it stores are produced by this same on-inference processing and are likewise never used to train any AI model.
6. Legal Basis for Processing (EEA/UK Residents)
If you are located in the European Economic Area or the United Kingdom, our legal basis for processing your personal data depends on the context: (a) your consent, where you have provided it (including connecting a Google account); (b) our legitimate interests in operating, securing, and improving the Services; (c) the performance of a contract; or (d) compliance with a legal obligation.
7. How We Share Information
We do not sell your information. We share it only in these limited circumstances:
7.1 Service Providers (Sub-processors)
We rely on a small set of vendors who process data only to provide services to us, under contractual confidentiality and security obligations:
- Cloudflare, Inc. — hosting, edge compute, databases, and Workers AI inference.
- Anthropic, PBC — Claude AI model inference (no training on your data; short retention).
- Google LLC — sign-in, Calendar access, and (only if you enable the Inbox feature) read-only Gmail access, each only with your consent; Google Workspace single sign-on for organization accounts.
- Microsoft Corporation — Microsoft account connection (Outlook mail and calendar via Microsoft Graph), only with your consent; Microsoft Entra ID single sign-on for organization accounts.
- AlphaAI Technologies Inc. (dba Tavily) — live web search for the Research feature, only when you run a search. Zero data retention: queries are not saved.
- Resend — transactional and requested email delivery.
- Lemon Squeezy, LLC — payment processing and Merchant of Record (seller of record) for paid subscriptions, under PCI-DSS Level 1 certification. We never receive your full card number.
7.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you prior to your information becoming subject to a different privacy policy.
7.4 With Your Consent
We may share your information for other purposes with your explicit consent.
8. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Services, and thereafter only as required to satisfy legal, accounting, or security obligations. When information is no longer required, we securely delete or anonymize it. A connected account’s access ends as soon as you disconnect it, and deleting your account removes your associated data. Billing and subscription records, including your consent to auto-renewal, are kept for at least three years after your account closes, to comply with auto-renewal recordkeeping laws (such as the California Automatic Renewal Law) and tax and accounting obligations, after which they are deleted or anonymized.
9. Data Security
We protect your information with encryption in transit (TLS) and at rest, a per-user encrypted vault for third-party access tokens (AES-256-GCM with per-user keys), strict access controls, and per-user data isolation so one account can never reach another’s data. No method of transmission or storage is completely secure, but we take reasonable and appropriate measures to safeguard your information.
10. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access: The right to request a copy of the personal information we hold about you
- Correction: The right to request correction of inaccurate or incomplete information
- Deletion: The right to request deletion of your personal information, subject to certain legal exceptions
- Portability: The right to receive your personal information in a structured, machine-readable format
- Objection: The right to object to or restrict certain processing of your personal information
- Withdrawal of Consent: Where processing is based on consent, the right to withdraw it at any time, including by disconnecting a connected account
You can export a copy of your account data, including your conversations, and delete individual conversations or your entire account, directly from your account at any time. You can disconnect Google or any integration from your account settings. To exercise any other right, or if you need assistance, contact us at [email protected], and we will respond within the timeframe required by applicable law.
11. Children’s Privacy
The Services are not directed to individuals under the age of 16, and we do not knowingly collect their personal information. If we become aware that we have inadvertently collected such information, we will take prompt steps to delete it. If you believe a child under 16 has provided us information, please contact us immediately.
12. Third-Party Links and Services
The Services may contain links to third-party websites or services that this Privacy Policy does not cover. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the privacy practices or content of third-party services.
13. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. We will notify you of material changes by updating the effective date at the top of this document and, where required by law, by providing additional notice. Your continued use of the Services following the posting of changes constitutes your acceptance of the revised Privacy Policy.
14. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
White Belt Lab, LLC
Atlanta, Georgia, United States
Email: [email protected]