Privacy Policy
XperiencOps, Inc. ("XperiencOps") offers a cloud-based service that provides automated IT service orchestration and monitoring for our customers' employees.
This Privacy Policy describes the privacy practices of XperiencOps ("we", "us", or "our") and how we handle personal information that we collect through our website and any other sites or services that link to this Privacy Policy (collectively, the "Services"). This Privacy Policy does not apply to the information we handle on behalf of our customers, including any personal information about authorized users of our Services or our customers' employees. Our processing of this information is governed by our contract with the customer.
Personal information we collect
Methods of processing
- Business contact information, such as your first and last name, email address, and business mailing address.
- Feedback or correspondence, such as information you provide when you contact us with questions, feedback, product reviews, or otherwise correspond with us online.
- Marketing information, such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.
- Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.
Automatic data collection
We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, our communications and other online services, such as:
- Business contact information, such as your first and last name, email address, and business mailing address.
- Device data, such as your computer's or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 4G), and general location information such as city, state or geographic area.
- Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, browsing history, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access, and whether you have opened our marketing emails or clicked links within them.
We use the following tools for automatic data collection:
- Cookies, which are text files that websites store on a visitor's device to uniquely identify the visitor's browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and facilitating online advertising.
- Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data, including on the device outside of your browser in connection with specific applications.
- Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
How we use your personal information
To operate our Services:
Provide, operate, maintain, secure and improve our Services; provide information about our Services; communicate with you about our Services, including by sending you announcements, updates, security alerts, and support and administrative messages; respond to your requests, questions and feedback.
For research and development
To analyze and improve the Services and to develop new products and Services, including by studying use of our Services.
For marketing
We may from time to time send you direct marketing communications as permitted by law, including, but not limited to, notifying you of special promotions, offers and events via email and in-app notifications. You may opt out of our marketing communications as described in the "Opt out of marketing communications" section below.
To comply with law
As we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
For compliance, fraud prevention, and safety
To: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern our Services; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
To create anonymous data
To create anonymous data from your personal information and that of other individuals whose personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve our Services and promote our business.
Lawful basis for processing
We process personal data collected through our website and general services on the following legal bases:
Contractual necessity
Where processing is required to provide services you have requested or to fulfil our contract with you.
Legitimate interests
For analytics, service improvement, security, and fraud prevention, where our interests are not overridden by your rights and freedoms.
Consent
For non-essential cookies and direct marketing communications, where we have obtained your prior consent. You may withdraw cookie consent at any time via the cookie settings on our website. You may withdraw consent to marketing communications by using the unsubscribe link in any marketing email.
Legal obligation
Where we are required to process or retain data to comply with applicable law.
How we share your personal information
Service provider
We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate our Services (such as customer support, hosting, analytics, email delivery, marketing, identity verification, and database management services).
Professional advisor
We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety
We may share your personal information for the compliance, fraud prevention and safety purposes described above.
Business transfers
We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. In such a case, we will make reasonable efforts to require the recipient to honor this Privacy Policy.
AI-Enabled Features
Overview
XperiencOps offers Sidekick Copilot, an AI-enabled operational assistant that allows authorized users to access customer-authorized operational data through natural-language queries. Sidekick Copilot is implemented as a Microsoft 365 declarative agent and is accessible through Microsoft Copilot and other MCP-compatible client applications.
Sidekick Copilot is designed to support decision-making and operational lookups — not to make autonomous decisions on behalf of users or to replace human judgment. Customers remain responsible for reviewing and confirming outputs before relying on them for operational or business decisions.
What Sidekick Copilot Does
Sidekick Copilot enables authorized users to ask plain-language questions and retrieve information from customer-authorized data sources, including records related to people, devices, services, assets, organizations, addresses, locations, and related operational data. The system translates natural-language queries into approved data retrieval operations and returns formatted responses through the connected client.
Sidekick Copilot does not autonomously take actions on behalf of users without confirmation. Before processing a request, the agent informs the user of the intended action and proceeds only after the user explicitly confirms. Users may cancel at any time. All responses include a disclosure that AI-generated content may be incorrect, and users are expected to apply their own judgment before relying on any output.
Data Processed by Sidekick Copilot
Sidekick Copilot may process user identity and authentication data (including organizational role and tenant context), the text of natural language queries submitted through the connected client, customer-authorized operational data (such as records related to people, devices, services, assets, and locations), short-lived session tokens, and operational telemetry used for monitoring and incident response. Personal data may be present in operational data where it exists in customer-authorized data sources, such as names, email addresses, job titles, and device identifiers.
Sidekick Copilot processes data only within the applicable customer-authorized context. User queries and responses are not stored permanently. Customer data is logically isolated by customer environment and is not shared across customer tenants.
Sidekick Copilot is not used for model training. XperiencOps does not use customer data retrieved through Sidekick Copilot to train, fine-tune, or develop AI models.
Data Sources and Endpoints
Sidekick Copilot accesses data through a limited set of connected endpoints: the MCP-compatible client interface through which queries are initiated and responses are delivered, a third-party identity and authentication provider used for secure token issuance and access control, and XperiencOps-operated backend services including the enterprise database from which authorized operational data is retrieved and session storage supporting secure multi-instance deployments.
Authorization and Access Controls
Access to data through Sidekick Copilot is governed by the following controls:
Authentication: Users are authenticated via OAuth 2.0 / OIDC using a third-party identity provider. Tokens convey user identity and authorization context and are valid for two hours before refresh is required.
Role-based access control (RBAC) and org scoping: Authorization is enforced using role-based access control and organization-level isolation. Users can only retrieve data permitted for their role and organizational scope.
Token validation: The backend service validates token signature and expiration prior to processing any request.
Tenant isolation: Customer data is processed only within the applicable customer-authorized boundary and is not accessible across customer environments.
Encryption in transit: All communication channels use HTTPS/TLS encryption.
Third-Party AI Services
Sidekick Copilot relies on third-party hosted large language model (LLM) services for natural-language query interpretation and response generation. XperiencOps does not operate internal AI models as part of Sidekick Copilot. The identity of the third-party AI model or service is determined by the MCP-compatible client used by the customer (e.g., Microsoft Copilot).
XperiencOps focuses on secure integration, authorization, and workflow suitability when evaluating third-party AI service dependencies.
Lawfulness of Processing
XperiencOps processes personal data through Sidekick Copilot on the following legal bases:
Contractual necessity: Processing is required to deliver Sidekick Copilot functionality as agreed with the customer under our service agreement.
Legitimate interests: Processing supports the secure, authorized, and reliable operation of the platform, including authentication, authorization, monitoring, and incident response.
Compliance with legal obligations: Processing may be required to meet applicable legal, regulatory, or contractual obligations.
Processing Locations
Personal data processed through Sidekick Copilot is handled within the following infrastructure:
Personal data processed through Sidekick Copilot is handled across managed cloud infrastructure hosting the backend services, enterprise database, and session storage; a third-party identity and access management service for authentication and token issuance; and third-party monitoring and error tracking services used for operational reliability and incident response. All processing occurs within services governed by applicable data processing agreements, security controls, and access restrictions. Data residency requirements for personal data are supported through metadata tagging, routing, and storage in designated compliance regions where applicable.
How We Use AI-Processed Data
Data processed through Sidekick Copilot is used solely to:
Respond to the authorized user's natural-language query.
Enforce authentication, authorization, and organizational scoping controls.
Support operational monitoring, alerting, and incident response through log aggregation, performance monitoring, and error tracking services.
Operational telemetry captured for monitoring purposes does not change the authorization boundary for enterprise data and is subject to applicable data handling controls.
Profiling and Automated Decision-Making
Sidekick Copilot does not use personal data for automated profiling or decision-making that produces legal or similarly significant effects on individuals. The system is designed solely to support human decision-making by retrieving and summarizing customer-authorized data.
Customers remain responsible for reviewing and validating outputs before relying on them for operational or business decisions. If XperiencOps implements automated decision-making processes in the future that materially affect individuals, this Privacy Policy will be updated accordingly, including details on applicable rights under GDPR and similar regulations.
AI Transparency and User Rights
Notification of AI use: Users accessing Sidekick Copilot are interacting with an AI-enabled capability. This is disclosed through the nature of the agent interface and the information provided at the time of access.
Human review: Sidekick Copilot outputs are intended to support, not replace, human decision-making. Customers and users are responsible for reviewing responses before relying on them for operational or business decisions.
Data minimization: Queries and responses are not stored permanently. Data retrieval is filtered by organizational context and user authorization scope.
Output accuracy: The accuracy of Sidekick Copilot responses depends on the quality and completeness of the underlying source data and the clarity of user queries. Ambiguous or overly broad queries may result in incomplete or less relevant outputs. Users should validate returned results before operational reliance.
AI Transparency and User Rights
XperiencOps is committed to the responsible, ethical, and secure use of AI-enabled functionality within our Services.
If you believe that any AI-enabled feature or output from our Services has resulted in, or may result in, an adverse impact — including potential bias, unfair outcomes, safety concerns, security vulnerabilities, privacy issues, or other unintended or harmful effects — you may report your concern by emailing:
ethicaloversight@xops.io
When submitting a report, please include relevant details such as:
The feature or workflow involved
Approximate date and time of occurrence
A description of the concern
Any supporting screenshots, logs, or additional context
Reports are reviewed and triaged in accordance with our AI governance and risk management processes. Where appropriate, concerns may be escalated to internal governance bodies for review and corrective action. We will acknowledge receipt and respond as appropriate based on the nature and severity of the concern.
XperiencOps prohibits retaliation against individuals who raise AI-related concerns in good faith.
Your Choices
Access or update your information
To keep your information accurate, current, and complete, please contact us as specified below. We will take reasonable steps to update or correct information in our possession that you have previously submitted via the Services.
Opt out of marketing communications
You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email or by contacting us at legal@xops.io. You may continue to receive service-related and other non-marketing emails.
Right to Erasure ("Right to be Forgotten")
You have the right to request the erasure of your personal data from our systems under certain circumstances, as outlined in GDPR and CCPA regulations. These circumstances include:
The data is no longer necessary for the purpose it was collected.
You withdraw your consent for processing.
The data is processed unlawfully.
You object to the processing of your data for direct marketing purposes.
To request the erasure of your personal data, please contact us at legal@xops.io. We will respond to your request within a reasonable timeframe, typically within one month. We may not be able to erase your data in certain situations, such as where we have a legal obligation to retain it or where it is necessary for us to defend legal claims.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data under certain circumstances, as outlined in GDPR and CCPA regulations. These circumstances include:
The accuracy of the data is contested.
The processing is unlawful, but you object to the erasure of the data.
We no longer need the data for the purposes for which it was collected, but you need it for legal claims.
You object to the processing of your data based on our legitimate interests.
To request restriction, please contact us at legal@xops.io. We will respond within a reasonable timeframe, typically within one month.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. This right applies to personal data that you have provided to us and that we process with your consent or for the performance of a contract. To submit a request, contact legal@xops.io.
Rights in Relation to Automated Decision-Making and Profiling
Sidekick Copilot is a decision-support tool and does not make automated decisions that produce legal or similarly significant effects on individuals. If we implement automated decision-making or profiling processes with material individual impact in the future, we will provide clear information about them and your applicable rights, including:
The types of automated decision-making or profiling we use.
The purposes for which we use them.
The logic involved in the decision-making process.
The potential consequences for you of the decision-making or profiling.
Your right to object and how to exercise that right.
Right to be Informed
XperiencOps is dedicated to transparency. We will always inform you about how we collect and use your data, ensuring you understand our practices.
Right of Access
As a user, you have the right to access your personal information that XperiencOps holds, allowing you to verify the accuracy and legality of our data processing.
Right to Object
At XperiencOps, you have the option to object to the processing of your personal data, especially for purposes like marketing and automated decision-making.
Right to Lodge a Complaint
If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.
In the United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
In the EEA: contact the supervisory authority in your EU member state. A list of authorities is available at edpb.europa.eu.
We encourage you to contact us at legal@xops.io first so we can try to resolve your concern directly.
Data Retention
At XperiencOps Inc., we are committed to only retaining your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Customer accounts and their associated data are deleted within 90 days following the termination of the contract. Data processed through Sidekick Copilot (including user queries and responses) is not stored permanently and is subject to applicable retention controls.
Categories of Personal Data Processed
Business Contact Information: Name, email address, and business mailing address.
Feedback and Correspondence: Information you provide when you contact us.
Marketing Information: Preferences for receiving marketing communications and engagement details.
Device Data: Operating system type, browser type, IP address, and related technical information.
AI Feature Data (Sidekick Copilot): Authentication tokens, user role and organizational context, and natural-language query content processed solely to respond to authorized requests. See the "AI-Enabled Features — Sidekick Copilot" section for full details.
Online Tracking Opt-Out
Cookie consent and preferences: When you visit our website, you will be presented with a cookie consent banner that allows you to review and manage your cookie preferences by category, including declining non-essential cookies. Non-essential cookies are not set until you provide consent. You can update your preferences at any time by accessing the cookie settings on our website.
Cookie categories we use
Necessary: Required for basic website functionality such as page navigation and access to secure areas. These cookies cannot be declined.
Preferences: Allow the website to remember information that affects how the site behaves or appears, such as your preferred language or region.
Statistics: Help us understand how visitors interact with our website by collecting and reporting information anonymously.
Blocking cookies in your browser
Most browsers allow you to remove or reject cookies through your browser settings. Please refer to your browser's help documentation for instructions.
Do Not Track
Some browsers may be configured to send "Do Not Track" signals to online services. We currently do not alter our data collection practices in response to such signals.
Other Sites, Mobile Applications and Services
Our Services may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions.
I
XperiencOps Inc. is headquartered in the United States. Where personal data of individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland is processed, XperiencOps implements data residency compliance controls to ensure that data is stored and processed in the designated compliance region aligned with applicable jurisdictional and regulatory requirements.
Where transfers of personal data to countries without an adequacy decision are required, XperiencOps relies on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (IDTA) where applicable. For more information about the safeguards in place, contact legal@xops.io.
Security Practices
We use reasonable organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure.
Children
Our Services are not intended for use by children under 13 years of age. If we learn that we have collected personal information through the Services from a child under 13 without the consent of the child's parent or guardian as required by law, we will delete it.
Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on our Services.
How to Contact Us
Please direct any questions or comments about this Policy or our privacy practices to:
legal@xops.io
For AI-related concerns specifically, please contact:
ethicaloversight@xops.io
You may also write to us via postal mail at:
XperiencOps Inc.
4900 Hopyard Rd. Suite 100
Pleasanton, CA 94588-7101
United States
Data Protection Officer: For matters relating to personal data processing, GDPR compliance, or data subject rights, contact legal@xops.io.