V1.1 Effective Date: 12.11.25

SECTION 1 — INTRODUCTION & SCOPE

1.1 Overview

This Privacy Policy explains how Marble Labs Inc. (“Marble Labs,” “we,” “us,” or “our”) collects, uses, stores, discloses, and protects personal information when you visit or interact with https://www.xp1drive.com, its subdomains, and any webpages that link to this Privacy Policy (collectively, the “Website”). This Policy applies solely to information collected through the Website and related online forms, including demo-request submissions and email communications initiated through the Website.

1.2 Exclusions (Software & Payment Processing)

This Privacy Policy does not apply to any information processed when you install, activate, or use the XP1 Software (“Software”). Software-related data practices are governed exclusively by the XP1 End User License Agreement (“EULA”).
This Policy also does not apply to payment, billing, subscription, tax, VAT, or account-management information processed by Lemon Squeezy, our Merchant of Record (“MOR”), who acts as the seller of record for XP1 transactions. When you purchase or manage a subscription, you interact directly with Lemon Squeezy, whose privacy practices are available at:
https://www.lemonsqueezy.com/privacy

1.3 Acceptance

By accessing or using the Website, submitting information through our forms, or interacting with our online services, you acknowledge that you have read and understand this Privacy Policy and agree to its terms. If you do not agree, you must discontinue use of the Website.

1.4 Who We Are

Marble Labs Inc., an Idaho corporation, is responsible for operating the XP1 brand and this Website. XP1 is licensed to Marble Labs and managed under its legal, privacy, and security framework. The Website exists to provide information about XP1, facilitate demo requests, and support communications with prospective or existing users.

1.5 Scope of This Policy

This Privacy Policy governs personal information collected from visitors to the Website, including information submitted through demo-request or contact forms, limited operational or analytics data, and cookie-related interactions managed through our consent platform. It does not govern personal data processed by third-party sites or services accessible via the Website, payment systems managed by Lemon Squeezy, or telemetry or activation data collected within the XP1 Software.

1.6 Age Requirements

The Website is intended for visitors who are at least 18 years old or the age of majority in their jurisdiction. We do not knowingly collect personal information from children under 16. If such information is inadvertently collected, we will delete it.

1.7 Intended Audience & Territorial Notice

Although the Website may be accessible globally, XP1 licensing and services are intended for use within the United States and its territories. Accordingly, this Privacy Policy is drafted to comply with applicable U.S. federal privacy principles and relevant U.S. state privacy laws governing website data collection, including but not limited to California, Texas, and Nebraska.

1.8 Cookie Consent & Tracking Controls

The Website uses CookieYes to manage cookie consent, regional privacy notices, and user opt-in/opt-out preferences. CookieYes provides jurisdiction-specific disclosures, including GDPR-compliant consent flows for visitors from the European Union and “Do Not Sell or Share My Personal Information” mechanisms required for California residents under the CCPA/CPRA. CookieYes processes user consent selections but does not sell personal information. You may review CookieYes’ privacy practices at: https://www.cookieyes.com/privacy-policy/

1.9 Relationship to Other Legal Terms

Use of the Website is also governed by the XP1 Website Terms of Use, the XP1 EULA (when using the Software), and the XP1 Cookie Policy. To the extent that any conflict arises between this Privacy Policy and other XP1 legal documents regarding Website data collection, this Privacy Policy controls.

SECTION 2 — INFORMATION WE COLLECT

2.1 Information You Provide Directly

We may collect personal information that you voluntarily submit through the Website, including your name, email address, and any information you provide when completing a demo-request form, submitting a contact request, or communicating with us by email. This information is used to fulfill the request you initiated, including delivering demo-access instructions, managing communications, or responding to inquiries. You are not required to provide personal information to browse the Website, but certain features—such as requesting a demo—may not function without it.

2.2 Information Collected Automatically When You Use the Website

When you visit the Website, we may automatically collect certain technical data that your browser or device makes available, such as your IP address, browser type, operating system, device type, referring URLs, access times, and standard server log information. This data is collected for security, anti-fraud, diagnostic, and operational purposes. We do not use this information for behavioral advertising or cross-site tracking.

2.3 Cookies and Similar Technologies

The Website uses cookies and similar technologies to support functionality, manage consent preferences, and maintain security. Cookie usage is governed by our Cookie Policy and the controls provided through CookieYes, which manages user consent, jurisdiction-specific notices, and opt-in/opt-out features (including “Do Not Sell or Share My Personal Information” options for California residents). CookieYes’ privacy policy is available at:
https://www.cookieyes.com/privacy-policy/

Non-essential cookies are used only with your consent, and you may adjust or withdraw consent at any time using the tools provided on the Website.

2.4 Information Related to Demo Requests

If you submit a request for XP1 demo access, we will collect your name, email address, and any optional information you choose to provide. We may also generate internal identifiers associated with your request for the purpose of demo eligibility, fraud prevention, and distribution control. Demo-request information is used solely to administer and track demo access and is not shared or sold.

This section covers Website submission only. Any data collected inside the XP1 Software during Demo use is governed by the EULA, not this Privacy Policy.

2.5 Communications and Interaction Data

If you interact with Marble Labs through Website forms or email links, we may retain a record of your communication for operational, security, and support purposes. We may also maintain internal logs of email delivery, receipt, and open-status information where supported by standard email protocols, but we do not use third-party tracking pixels or marketing profiling tools.

2.6 Log Files and Security Monitoring

For security, performance, and abuse-prevention purposes, the Website may temporarily record log data such as IP addresses, timestamps, device characteristics, browser attributes, error logs, and similar diagnostic information. This information helps protect the Website from unauthorized access, fraud, and malicious activity. Logs are retained only as necessary for operational or security purposes and are not used to profile users.

2.7 Information Received from Service Providers

We may receive aggregated, anonymized, or de-identified information from service providers who support the Website (such as email delivery services, hosting providers, and consent-management tools). These service providers act as processors and do not sell personal information. We do not receive payment data or subscription details from Lemon Squeezy; all such information is governed by Lemon Squeezy’s policies.

2.8 No Collection of Sensitive Personal Information

We do not intentionally collect or process sensitive personal information through the Website, including financial information, government identifiers, health data, biometric identifiers, precise geolocation, or information revealing racial or ethnic origin, religious beliefs, political opinions, sex life, or sexual orientation. If such data is ever submitted inadvertently, it will be deleted.

2.9 No Tracking for Advertising Purposes

The Website does not conduct behavioral advertising, cross-site tracking, retargeting, or profiling for marketing purposes. Any third-party cookies handled by CookieYes are restricted to consent-managed categories and compliance functions.

2.10 Children’s Information

The Website is not directed to children under 16, and we do not knowingly collect personal information from children. If we become aware that information from a child under 16 has been submitted, we will delete it.

SECTION 3 — HOW WE USE INFORMATION

3.1 Providing and Operating the Website

We use the information collected through the Website to operate, maintain, and improve the functionality, security, and performance of the Website. This includes loading pages, administering forms, managing consent preferences, enabling demo-request processes, and ensuring that the Website functions correctly on your device and browser.

3.2 Responding to Requests and Communications

When you submit information through demo-request or contact forms, or when you communicate with us by email, we use your information to respond to your inquiries, process your request, deliver relevant instructions or materials (such as demo-access information), and maintain records of the communication as needed for operational and legal purposes.

3.3 Demo-Request Processing and Eligibility Determination

If you request access to the XP1 Demo, we use your submitted information to determine eligibility, manage distribution, send demo instructions, validate anti-fraud requirements, and administer any limitations associated with demo access. For residents of jurisdictions where Demo eligibility is restricted or unavailable, we may use your information to confirm compliance with such requirements. XP1 Software telemetry and activation behaviors associated with demo use are governed separately by the EULA.

3.4 Website Security, Fraud Prevention, and Abuse Detection

We may use automatically collected information—such as IP addresses, device characteristics, log data, consent preferences, and error diagnostics—to detect and prevent fraudulent activity, unauthorized access, security threats, abuse of demo-request systems, violations of our Terms of Use, or attempts to interfere with Website operations. This information is used strictly for security and operational integrity and not for marketing or profiling.

3.5 Compliance with Laws and Legal Obligations

We may use Website-collected information to comply with applicable laws, regulations, lawful requests, subpoenas, court orders, or other legal processes, including privacy laws that require honoring deletion requests, consent withdrawals, opt-out instructions, or other user rights. We may also use information to enforce our Terms of Use, protect Marble Labs’ intellectual property, and respond to suspected malicious or unlawful activity.

3.6 Improving Website Performance and User Experience

We may use aggregated or anonymized Website data to analyze general usage patterns, troubleshoot technical issues, evaluate Website performance, and develop improvements. This information does not identify individuals and is used solely to support operational enhancements.

3.7 Consent-Managed Cookie Handling

We use your cookie preferences—submitted via CookieYes—to determine which Website cookies or scripts may be activated. Non-essential cookies are only used if you have granted consent. CookieYes may store your consent preferences so that they persist across sessions in accordance with applicable privacy laws.

3.8 Internal Record-Keeping

We may maintain internal records of Website submissions, consent selections, communications, and demo requests for audit, compliance, legal preservation, and internal quality-assurance purposes. These records are retained only as long as necessary for the purposes described in this Policy or as required by law.

3.9 No Use for Advertising or Cross-Site Tracking

We do not use Website-collected data for targeted advertising, cross-site tracking, behavioral profiling, data brokerage, or marketing analytics that identify individual users. We do not sell personal information.

3.10 No Automated Decision-Making

The Website does not conduct automated decision-making or profiling that produces legal or similarly significant effects. Any email communications resulting from demo requests are triggered solely by user submission and manual or rules-based processing, not by automated behavioral profiling.

SECTION 4 — HOW WE SHARE INFORMATION

4.1 Sharing with Service Providers

We may share personal information collected through the Website with third-party service providers who assist us in operating, securing, and maintaining the Website. These providers may supply services such as website hosting, business email delivery, consent management, analytics limited to operational diagnostics, and customer support tools. Service providers act on our behalf, are permitted to use personal information only as necessary to perform services for Marble Labs, and are contractually prohibited from selling or misusing personal information.

4.2 CookieYes and Consent-Management Services

The Website uses CookieYes to manage cookie-consent banners, jurisdiction-specific notices, opt-out mechanisms, and GDPR or CCPA/CPRA compliance features. CookieYes processes consent preferences and regional regulatory logic but does not sell personal information. Further information about CookieYes’ privacy practices is available at:
https://www.cookieyes.com/privacy-policy/

4.3 Email and Communication Service Providers

If you submit a demo request or contact form, your information may be routed through email delivery systems used by Marble Labs to send instructions or respond to inquiries. These providers may receive metadata associated with email operation (e.g., delivery status or timestamps) but do not have permission to use your information for any other purpose.

4.4 Hosting and Security Infrastructure

Website data, including form submissions and server logs, may be processed by hosting providers or security-related vendors who support infrastructure monitoring, threat detection, denial-of-service mitigation, and operational continuity. These providers may have temporary access to anonymized or log-level data solely to maintain secure site operations. Such data is not used for marketing or profiling.

4.5 No Sharing for Advertising or Marketing

We do not share Website-collected personal information with third parties for advertising, behavioral targeting, cross-site tracking, commercial profiling, data brokerage, or marketing-list creation. Personal information collected through the Website is used solely for operational purposes as described in this Privacy Policy.

4.6 Sharing for Legal, Compliance, and Protection Purposes

We may disclose Website-collected information if we believe in good faith that such disclosure is necessary to comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our Website Terms of Use or protect Marble Labs’ rights, property, or intellectual property; to protect the safety of users or the public; or to detect, prevent, or investigate fraud, abuse, or security incidents.

4.7 Business Transfers

If Marble Labs undergoes a merger, acquisition, corporate restructuring, or asset transfer, Website-collected information may be transferred as part of the transaction, provided the receiving entity agrees to respect this Privacy Policy or adopts comparable protections.

4.8 No Sale or “Sharing” of Personal Information (CCPA/CPRA)

Marble Labs does not sell or “share” personal information as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not disclose Website-collected personal information for cross-context behavioral advertising or targeted advertising. If our practices change in the future, we will update this Policy and honor all legally required opt-out rights.

4.9 Aggregated or De-Identified Information

We may create aggregated, anonymized, or de-identified data based on Website interactions for operational analytics, research, or security purposes. Such information does not identify individuals and may be shared with service providers to improve Website performance or stability.

4.10 Third Parties You Interact With

If you follow links from the Website to external platforms (e.g., social media sites, Lemon Squeezy checkout pages, or external content providers), those third parties operate independently of Marble Labs. Their privacy practices are governed by their own policies, and we encourage you to review them before submitting any personal information.

SECTION 5 — DATA RETENTION

5.1 General Retention Principles

We retain personal information collected through the Website only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, including providing Website functionality, maintaining security, processing inquiries you submit, complying with legal obligations, resolving disputes, and enforcing our agreements. We may retain certain information longer where required by law, where necessary to protect Marble Labs’ legal rights, or for record-keeping integrity.

5.2 Retention of Contact and Communication Records

If you submit a demo request, contact form, or similar Website-based inquiry, we may retain the related submission records—including your name, email address, communication content, and any technical metadata generated by our systems—for as long as necessary to respond to your inquiry and maintain accurate business records. These records may also be retained for audit, fraud-prevention, or compliance purposes, but are not used for marketing unless you explicitly opt into such activity.

5.3 Retention of Log Data and Security Records

Website operational logs (such as IP address, browser type, timestamps, page requests, diagnostic errors, and crash information) may be retained for a limited period to ensure Website stability, security, and fraud-prevention. Some anonymized or aggregated security data may be retained longer for trend analysis, infrastructure protection, or compliance with legal or regulatory requirements.

5.4 Retention of Consent Preferences (CookieYes)

Consent records stored through CookieYes—including cookie acceptance, declination, modification, regional privacy choices, and applicable opt-out preferences under U.S. state laws—may be retained as long as required to demonstrate compliance with GDPR, ePrivacy, CCPA/CPRA, or other regional privacy obligations. These records do not contain sensitive personal information and are not used for profiling.

5.5 Retention of Email Delivery Metadata

If we send you an email in response to a Website form submission, our service providers may retain email-delivery logs (such as send time, bounce codes, or delivery confirmation) for a limited period consistent with standard operational practices. Such metadata is not used to track behavior across sites or to create marketing profiles.

5.6 Legal, Regulatory, and Fraud-Prevention Retention

We may retain certain Website-related records if necessary to:
• comply with legal obligations, government inquiries, or law enforcement requests;
• maintain records relevant to litigation, dispute resolution, or intellectual-property protection;
• identify or prevent fraud, abuse, or unauthorized access to the Website.

Where retention is mandated by law or necessary to protect Marble Labs’ rights, such records may be stored beyond normal retention periods.

5.7 Data Deletion Requests (U.S. State Laws)

If you are a resident of a U.S. state with applicable privacy rights (e.g., California, Colorado, Virginia, Connecticut, Utah, Texas, or Nebraska), you may request deletion of personal information collected through the Website. We will honor such requests to the extent required by law, subject to exceptions that allow us to retain information for legitimate business purposes, fraud prevention, security, legal compliance, or internal recordkeeping.

Deletion requests do not apply to:
• data stored solely within XP1’s activation/licensing systems (those are governed by the EULA and the XP1 in-app privacy notice);
• aggregated or anonymized data that cannot reasonably identify you;
• any information retained to comply with legal obligations.

Instructions for submitting a deletion request are provided in Section 6 (Your Privacy Rights).

5.8 Aggregated or De-Identified Information

We may retain aggregated, de-identified, or anonymized Website usage information indefinitely. Such data does not identify any individual and is used solely for operational monitoring, analytics, and improving Website performance.

5.9 Retention Schedules Subject to Change

Marble Labs may update retention durations periodically based on changes in legal requirements, industry best practices, operational needs, and security considerations. Any future changes will be reflected in updated versions of this Privacy Policy.

SECTION 6 — YOUR PRIVACY RIGHTS (U.S. STATES)

6.1 Overview of State Privacy Rights

Residents of certain U.S. states have privacy rights regarding the personal information collected through the Website. These rights vary by jurisdiction but generally include the ability to access, correct, delete, and opt out of certain uses of personal information. Marble Labs will honor valid requests to the extent required by applicable law, and we may ask for additional information to verify your identity before processing a request.

6.2 Right to Know, Access, and Portability

You may have the right to request that we disclose the categories of personal information we have collected about you through the Website, the categories of sources from which the information was collected, the purpose for which we collected it, the categories of third parties with whom we have shared it, and the specific pieces of personal information we hold. Some states also allow you to request a copy of your information in a portable format. These rights do not extend to anonymized, aggregated, or de-identified data.

6.3 Right to Deletion

You may request that we delete personal information we have collected from you through the Website. We will honor such requests except where retention is necessary to comply with legal obligations, detect or prevent fraud or security incidents, maintain internal records, or fulfill the purpose for which the information was collected.

Deletion requests do not apply to XP1 activation data, licensing markers, or Machine-bound security systems, which fall under the EULA and XP1 in-app policies.

6.4 Right to Correction

Residents of certain states may request correction of inaccurate personal information maintained by the Website. If you submit a correction request, we will update inaccurate information where feasible and permitted.

6.5 Right to Opt Out of “Sale,” “Sharing,” or Targeted Advertising

Some states define “sale,” “sharing,” or “targeted advertising” in ways that include Website analytics and third-party cookies. We do not sell personal information for monetary value. However, to comply with state privacy laws:

• CookieYes provides a “Do Not Sell or Share My Personal Information” mechanism for California, with automatic detection based on the user’s region.
• CookieYes also provides a GDPR/EEA banner for international visitors.
• Users in opt-out states may disable analytics or advertising cookies through the CookieYes preference center at any time.

These settings apply only to Website data, not XP1 licensing systems.

6.6 Right to Restrict or Limit Processing

Certain U.S. states allow consumers to request restrictions on specific processing activities. Where applicable, we will honor such requests to the extent required by law. These restrictions apply only to Website data; they do not restrict XP1’s necessary in-app anti-tampering, activation, security, or licensing functions.

6.7 Right to Non-Discrimination

We do not discriminate against you for exercising your privacy rights. However, some Website features that rely on optional cookies may not function properly if consent is declined.

6.8 How to Submit Privacy Requests

If You wish to exercise any of the privacy rights described in this Section — including requests to access, correct, delete, or limit the use or disclosure of Your Personal Information — You may do so by contacting Marble Labs at:

privacy@xp1drive.com

As permitted by California Civil Code §1798.130(a)(1)(A), because Marble Labs operates exclusively online and maintains a direct relationship with Users, an email address is the designated method for submitting privacy-related requests. We will verify and respond to requests in accordance with applicable U.S. state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act (VCDPA), and equivalent frameworks where they apply. Marble Labs may request additional information necessary to verify Your identity before fulfilling certain requests, and may deny a request when an exemption applies or if We are unable to verify Your identity with commercially reasonable effort.

6.9 Appeals (Certain States Only)

Residents of states that require a privacy-request appeals process (e.g., Colorado, Virginia, Connecticut, Oregon, Texas) may appeal our decision if we decline or are unable to fulfill your request. Instructions will be provided in our response.

6.10 Authorized Agents (California Only)

If you are a California resident, you may authorize an agent to submit requests on your behalf. We may require the agent to provide written authorization and may request direct confirmation from you before processing the request.

6.11 Additional Rights for California Residents (CCPA/CPRA)

California residents have additional rights under the CCPA/CPRA, including:

• the right to receive disclosures about the categories of “personal information,” “sensitive personal information,” and “sharing” practices;
• the right to opt out of sharing with third-party advertising partners;
• the right to limit the use of sensitive personal information (if applicable);
• the right to request details about retention practices.

These rights apply only to information collected through the Website.

6.12. Additional Rights for Texas, Nebraska, and Other Emerging State Privacy Laws

Several U.S. states — including Texas (TDPSA), Nebraska (NDPA), and others adopting similar comprehensive privacy statutes — provide residents with rights that closely align with the privacy rights described in this Section. Marble Labs will honor such rights to the extent required by applicable law, including the rights to access, correct, delete, and obtain a copy of certain Personal Information, and the right to opt out of certain data uses such as targeted advertising or the sale of Personal Information where applicable. All such requests must be submitted through the procedures and verification steps described in Section 6.8. Marble Labs may deny a request when an exemption applies or where We are unable to verify the requestor’s identity with commercially reasonable effort, as permitted by the applicable state law.

6.13 Interaction With XP1 Software-Driven Licensing Data

Requests under this section apply only to Website-collected data.
XP1 activation data, Machine-bound identifiers, anti-tampering markers, and Short Key licensing systems are governed by the XP1 EULA and may be exempt from deletion, portability, or correction under U.S. state laws due to:

• fraud prevention
• software security requirements
• compliance with licensing obligations
• contractual necessity

This distinction preserves the integrity of XP1’s licensing and anti-abuse system.

6.14 Exercising Rights Through CookieYes

State opt-out signals submitted through the CookieYes banner or preferences panel—such as “Do Not Sell or Share My Personal Information”—will be honored for Website interactions. CookieYes maintains its own compliance documentation at:
https://www.cookieyes.com/privacy-policy/
https://www.cookieyes.com/terms-service/

7. CHILDREN’S DATA & AGE RESTRICTIONS

7.1 No Use by Children Under 13 (COPPA Compliance)

Marble Labs does not knowingly collect, solicit, store, or process Personal Information from children under the age of 13, and the Website and XP1 Software are not directed to children under 13. If we learn that a child under 13 has provided Personal Information to us, we will promptly delete such information and terminate any associated accounts or access rights. Parents or legal guardians who believe that a child under 13 may have submitted Personal Information to Marble Labs may contact us at the address or email provided in Section 6.

7.2 Age Requirements for XP1 Software Use

As stated in the XP1 End User License Agreement, the XP1 Software is intended for adult users (18+ or the age of majority in their jurisdiction). Minors aged 16–17 may only use the Software with the active supervision and express consent of a parent or legal guardian. Marble Labs does not knowingly collect Personal Information from unsupervised minors or permit self-registration by minors.

7.3 No Targeted Advertising to Minors

Marble Labs does not knowingly engage in targeted advertising, profiling, behavioral tracking, or the sale or sharing of Personal Information involving users under the age of 18. In the event we learn that Personal Information of a minor has been used in a manner inconsistent with this Policy or with applicable state laws governing minors’ privacy rights, we will take reasonable steps to cease such processing and delete the information where required.

7.4 Parental Rights for Covered Minors

To the extent permitted by applicable U.S. state privacy laws (including California, Virginia, Colorado, Connecticut, Texas, and others), parents or legal guardians may submit verified requests to access, delete, correct, or limit the processing of Personal Information of a minor for whom they have legal responsibility. Marble Labs will comply with such requests to the extent legally required and may request additional verification to ensure that the requester is authorized to act on behalf of the minor.

7.5 Restrictions on Sensitive Information Regarding Minors

Marble Labs does not intentionally collect sensitive categories of data about minors, including precise geolocation, biometric identifiers, or other data types classified as “sensitive” under state privacy laws. If such information is inadvertently collected during the operation of XP1 (for example, through automatically logged Machine identifiers under a supervised household installation), we will process such information only for operational purposes and will delete it upon verified parental request where required by law.

7.6 Removal of Minor Data

If you are a parent or legal guardian and believe that Marble Labs has collected Personal Information from a child or minor in a manner inconsistent with this Policy or applicable law, you may request deletion by contacting our privacy team using the information in Section 6. Marble Labs will delete the information and terminate the account or access credentials associated with the minor unless an exception applies under governing privacy statutes.

8. DATA SECURITY, PROTECTION, AND RETENTION

8.1 Protection of Personal Information

Marble Labs implements commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. These measures include access-control practices, encryption where appropriate, secure transmission protocols, authentication controls, and reasonable monitoring designed to detect and prevent unauthorized activity. While Marble Labs takes these precautions, no method of electronic storage or transmission is entirely secure, and we cannot guarantee absolute security.

8.2 Your Responsibility for Secure Use

You are responsible for maintaining the confidentiality of your account credentials, License Keys, Short Keys, activation information, and the security of your own devices and networks. Marble Labs is not responsible for security incidents arising from compromised passwords, malware or unsafe configurations on your system, shared devices, or unauthorized individuals to whom you grant access.

8.3 Retention of Personal Information

Marble Labs retains Personal Information only for as long as necessary to:
(a) provide XP1 services and fulfill the purposes described in this Privacy Policy;
(b) maintain the integrity of licensing, activation, fraud-prevention, and security systems;
(c) comply with legal, tax, accounting, or regulatory obligations;
(d) resolve disputes or enforce our agreements; or
(e) satisfy retention periods required by applicable U.S. state privacy laws.
When information is no longer needed for these purposes, Marble Labs will delete, de-identify, or anonymize the data in accordance with applicable law and our internal retention protocols.

8.4 De-Identification and Aggregation

Marble Labs may de-identify or aggregate Personal Information so that it can no longer reasonably be linked to an identifiable individual. We may use or disclose such de-identified or aggregated information for analytics, product development, system integrity, and other lawful business purposes. Marble Labs will not attempt to re-identify de-identified data except as required to test and maintain our de-identification processes.

8.5 Security of Sensitive Information

Marble Labs does not collect highly sensitive categories of Personal Information such as financial account numbers, Social Security numbers, medical data, or precise geolocation. To the extent XP1 or the Website collects identifiers (such as Machine identifiers, email addresses, or IP addresses), we process such information solely for operational, licensing, and security purposes. Marble Labs does not share such information with third parties for cross-context behavioral advertising or for the “sale” or “sharing” of Personal Information under state privacy laws.

8.6 Incident Response

If Marble Labs becomes aware of a security incident affecting Personal Information, we will investigate promptly and take reasonable steps to mitigate potential harm. Where required by applicable law, Marble Labs will provide notifications to affected individuals and relevant authorities.

8.7 No Security Guarantees

While Marble Labs follows industry-standard practices designed to protect Personal Information, no method of security is infallible. By using the Website or XP1 Software, you acknowledge that the transmission and storage of information carry inherent risks and that Marble Labs cannot guarantee complete security or prevent all unauthorized access.

SECTION 9 — INTERNATIONAL VISITORS

9.1 U.S.-Only Access & Geo-Blocking

The XP1 Website is intended solely for visitors located within the United States and its territories. Marble Labs uses Cloudflare geo-blocking and related access controls to restrict international traffic and prevent Website access from non-U.S. locations. Accessing the Website from outside the United States—whether directly or by using VPNs, proxies, anonymization tools, or other location-masking technologies—is unauthorized and constitutes a violation of Marble Labs’ Website Terms of Use.

9.2 Unauthorized International Access

Although geo-blocking is implemented, it may be technically possible for certain international visitors to reach the Website due to VPNs, masked IP addresses, or regional routing anomalies. If you access the Website from outside the United States in violation of these territorial restrictions, you do so without authorization. Any information you voluntarily submit will be processed and stored in the United States under this Privacy Policy, and no rights under non-U.S. privacy frameworks (such as GDPR or UK GDPR) are created or conferred.

9.3 GDPR, UK GDPR, and Other Non-U.S. Privacy Regimes

Because Marble Labs does not offer the XP1 software or licensing services to residents of the European Union, United Kingdom, European Economic Area, Switzerland, or other non-U.S. jurisdictions, XP1 is not subject to the GDPR, UK GDPR, ePrivacy Directive, or comparable foreign privacy regimes. International visitors may still access the Website, and when they do, CookieYes automatically presents consent and preference banners as required by applicable cookie laws. Any Personal Information voluntarily submitted by non-U.S. visitors—such as through contact forms—is processed solely for the purpose of responding to the inquiry and is handled in accordance with this Privacy Policy. Nothing in this Privacy Policy should be interpreted as an expansion of Marble Labs’ geographic service offerings or as creating rights under non-U.S. privacy laws that do not otherwise apply.

9.4 Legal Basis for Processing for Non-U.S. Visitors (Transparency Only)

Although Marble Labs is not subject to the GDPR or UK GDPR, we provide the following information for transparency. Personal Information voluntarily submitted by international visitors is processed exclusively to respond to inquiries, maintain Website functionality, enable fraud-prevention measures, or support general security and analytics. If GDPR or similar frameworks applied, such processing would rely on the visitor’s affirmative consent when information is submitted and on Marble Labs’ legitimate interests in operating, securing, and improving the Website. These disclosures do not create or expand Marble Labs’ obligations under non-U.S. data-protection laws and do not indicate that XP1 or its licensing services are offered outside the United States.

9.5 International Data Transfers

All data processed by Marble Labs is stored and processed in the United States. By providing Personal Information through the Website or related services, international visitors acknowledge and agree to such transfer and processing. Marble Labs does not currently maintain data centers or processing infrastructure outside the United States.

9.6 No Availability Where Prohibited by Law

Access to the Website from jurisdictions where the Website or its content is illegal is prohibited. International visitors who continue to browse the Website do so on their own initiative and are responsible for compliance with their local laws.

9.7 Software Use Outside the United States is Prohibited

Access to the Website by international visitors does not confer any right to download, activate, license, or use the XP1 software outside the United States or its territories. XP1 is a U.S.-only product, and any attempt to obtain a Demo, activate a License, or otherwise use the Software from a location outside the authorized Territory—whether directly or through VPNs, proxies, or similar location-masking technologies—is strictly prohibited and may result in permanent ineligibility for future licensing under Marble Labs’ enforcement and anti-tampering policies. Website access alone does not create any entitlement to XP1 software access or eligibility in non-U.S. regions.

SECTION 10 — THIRD-PARTY LINKS & EXTERNAL SERVICES

10.1 Third-Party Websites and External Content

The Website may contain links to third-party websites, social-media platforms, video services, documentation pages, or other external resources that are not owned or controlled by Marble Labs. When You follow a link to a third-party site, any Personal Information You provide or that is collected through Your interaction with that site is governed solely by the privacy policies and terms of the third party. Marble Labs does not endorse, control, monitor, or assume responsibility for the data-handling practices, security measures, or content of third-party websites. Your use of any third-party site is entirely at Your own risk, and You should review the applicable privacy policies and terms of use before providing Personal Information or engaging with third-party services.

10.2 Third-Party Service Providers Used by Marble Labs

Marble Labs uses a limited number of third-party service providers to support the Website and certain XP1-related functions, including email communication, consent-management tools, hosting infrastructure, and Merchant-of-Record services. These providers may process Personal Information on Marble Labs’ behalf as necessary to operate the Website and to deliver communications requested or authorized by You. Marble Labs does not share more Personal Information with Service Providers than reasonably necessary for the relevant operational purpose. A non-exclusive list of Service Providers includes:

• Lemon Squeezy (Merchant of Record & Subscription Management) — https://www.lemonsqueezy.com

• CookieYes (Cookie and Consent Management Tool) — https://www.cookieyes.com/privacy-policy

• Google Workspace (Business Email & Operational Services) — https://policies.google.com/privacy

Marble Labs does not disclose source-code repositories, licensing infrastructure details, internal operational tooling, or backend technical architecture to Users, and nothing in this Privacy Policy obligates Marble Labs to do so.

10.3 Social Media Pages and Embedded Features

The Website may link to or embed content from social-media platforms, including but not limited to Instagram, YouTube, X/Twitter, and Facebook. When You interact with embedded content or visit our social-media profiles, those platforms may collect information in accordance with their own privacy policies and independent tracking technologies. Marble Labs does not control or influence how such platforms collect, use, or share Your Personal Information.

10.4 No Responsibility for Third-Party Tracking Technologies

Third-party websites, embedded media players, social networks, and analytics tools may use cookies, pixels, or tracking technologies that operate independently from Marble Labs. Marble Labs does not control such technologies and is not responsible for their operation, data collection, or compliance. Your interactions with third-party services are governed solely by those third parties’ privacy policies and terms.

10.5 Third-Party Terms Apply

Your use of any third-party service, tool, integration, or Merchant-of-Record platform is subject exclusively to the terms and privacy policies of the respective provider. Marble Labs is not responsible for any obligations, representations, warranties, billing decisions, refund policies, security practices, or data-processing activities of third parties, and nothing in this Privacy Policy modifies or supersedes those third-party terms.

SECTION 11 — YOUR CHOICES & CONTROLS

11.1 Managing Cookie and Tracking Preferences

The Website uses CookieYes to present cookie-consent banners and manage user preferences in accordance with applicable U.S. state laws and global requirements such as GDPR for non-U.S. visitors. Through the CookieYes interface, You may accept or reject categories of cookies, adjust Your preferences at any time, or withdraw consent where applicable. Your cookie choices apply only to the Website and do not affect XP1 software functionality. Browser-level controls (such as deleting cookies or enabling “Do Not Track” settings) may further modify or limit cookie behavior, although Marble Labs does not guarantee that third parties will honor browser-based do-not-track signals.

11.2 Opting Out of the “Sale” or “Sharing” of Personal Information

Certain U.S. privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), require the ability for Users to opt out of the “sale” or “sharing” of Personal Information where such activity occurs. Marble Labs does not “sell” Personal Information in the conventional sense; however, to the extent that analytics or cookie-based data might be interpreted as a “sale” or “sharing” under state law, You may opt out through the “Do Not Sell or Share My Personal Information” link provided in the CookieYes banner or footer. CookieYes implements the relevant opt-out mechanisms for browser-based identifiers in accordance with applicable law.

11.3 Email Communication Preferences

If You provide Your email address through the Website—such as during a Demo request or other voluntary interaction—Marble Labs may send operational communications relating to the Demo process, licensing eligibility, or technical notifications. You may unsubscribe from optional or promotional communications at any time by using the link provided in the email or by contacting Marble Labs at privacy@xp1drive.com. Operational or legally required communications may not be subject to opt-out, as they may be necessary for completing processes You initiate.

11.4 Opting Out of Analytics and Performance Tracking

You may disable certain analytics cookies through CookieYes or through Your browser settings. Some analytics tools may also offer opt-out methods directly through their providers. Disabling analytics may affect how content is personalized or how the Website performs but will not affect Your ability to request a Demo or browse informational pages.

11.5 Control Over Personal Information Provided Voluntarily

If You submit Personal Information through a contact form, email, or Demo request, You may request to access, correct, update, or delete that information in accordance with Section 6 (Your Privacy Rights). Marble Labs will respond to such requests consistent with applicable U.S. state privacy laws and internal verification requirements. Because Marble Labs collects minimal Personal Information and does not maintain user accounts on the Website, the scope of available data may be limited to what You voluntarily submitted.

11.6 Control Over Device Settings

Your device or browser may allow You to control permissions related to location, camera, microphone, notifications, or other local settings. The Website does not request or require such permissions, and any adjustments to device-level privacy controls occur within Your operating system or browser and are not managed by Marble Labs.

11.7 Consequences of Disabling Certain Controls

If You disable cookies, analytics, or tracking technologies, the Website may still function but certain features—such as remembering cookie preferences, detecting geographic consent requirements, or delivering localized disclosures—may not operate as intended. Disabling optional cookies will not affect Your ability to read documentation, submit Demo requests, or access general Website content.

SECTION 12 — CHANGES TO THIS PRIVACY POLICY

12.1 Right to Modify This Privacy Policy

Marble Labs may update or modify this Privacy Policy at any time to reflect changes in our business practices, Website functionality, data-processing activities, applicable laws, or the services we provide. Updated versions of this Privacy Policy will be posted on the Website with a revised “Last Updated” date. We encourage You to review this Privacy Policy periodically to remain informed about our information practices.

12.2 Material Changes

If Marble Labs makes material changes to this Privacy Policy—such as expanding the categories of Personal Information we collect, altering how we use or disclose information, or making changes that materially affect Your privacy rights—we will provide notice as required by applicable law. Such notice may occur through Website banners, updated links, or email communication where appropriate. Continued use of the Website after the effective date of any updated Privacy Policy constitutes Your acceptance of the changes unless otherwise required by law.

12.3 Non-Material Updates

Non-material changes, such as clarifications, structural improvements, or updates to reflect service-provider changes, may be implemented without additional notice. These adjustments do not reduce Your privacy rights but ensure greater accuracy and transparency.

12.4 Effect of Continued Use

Your continued use of the Website after changes become effective signifies Your acknowledgment of and agreement to the updated Privacy Policy. If You do not agree to the updated terms, You should discontinue use of the Website and may request deletion of previously collected Personal Information in accordance with Section 6.

SECTION 13 — CONTACT INFORMATION & SUBMITTING PRIVACY REQUESTS

13.1 How to Contact Marble Labs Regarding Privacy

If You have questions about this Privacy Policy, our data-handling practices, or any rights described herein, You may contact Marble Labs at:

privacy@xp1drive.com

This is the primary and designated method of contact for all privacy-related inquiries.

13.2 Submitting Privacy Rights Requests

All privacy rights requests—including requests to access, correct, delete, or obtain a copy of Personal Information—must be submitted via email to privacy@xp1drive.com. Marble Labs will review and respond to such requests in accordance with applicable U.S. state privacy laws and our internal verification procedures. Because Marble Labs collects only limited Personal Information through the Website, the scope of available data may be correspondingly limited.

13.3 Verification Requirements

To protect User privacy and prevent unauthorized disclosures, Marble Labs may request sufficient information to verify Your identity before processing a rights request. If Marble Labs cannot verify Your identity using commercially reasonable methods, we may deny the request, request additional information, or explain why verification could not be completed. Verification standards may differ depending on the nature of the request and applicable state law.

13.4 Response Timelines

Marble Labs will respond to verified privacy requests within the time periods required by applicable U.S. state laws. If additional time is reasonably necessary, we will notify You within the legally permitted extension period and explain the reason for the delay. Requests that are repetitive, unfounded, or excessive may be denied as permitted by law.

13.5 Opt-Out Mechanisms

If You wish to opt out of the “sale” or “sharing” of Personal Information as defined under certain state privacy laws, You may do so by selecting the appropriate options in the CookieYes banner, including the “Do Not Sell or Share My Personal Information” link when displayed. Marble Labs honors opt-out preferences communicated through CookieYes or applicable user-agent signals when legally required.

13.6 Communications Choice

If You receive email communications from Marble Labs relating to Website interactions or optional communications, You may opt out of non-essential messages at any time by following the instructions provided in those communications or by contacting privacy@xp1drive.com. Operational communications necessary to fulfill a request You initiate may not be subject to opt-out.

13.7 No Fee for Valid Requests

Marble Labs does not charge a fee for processing valid privacy requests submitted in good faith. However, if a request is manifestly unfounded, repetitive, excessive, or otherwise permitted by law, Marble Labs may deny the request or charge a reasonable fee based on administrative costs.

SECTION 14 — STATE-SPECIFIC PRIVACY NOTICES

14.1 Overview

Several U.S. states have enacted consumer privacy laws granting residents specific rights regarding their Personal Information. These include, but are not limited to, California (CCPA/CPRA), Texas (TDPSA), Nebraska (NDPA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA). Marble Labs honors applicable rights afforded to residents of these states to the extent required by law. This Section supplements, and in some cases clarifies, the rights described elsewhere in this Privacy Policy.

14.2 California Residents (CCPA/CPRA)

Under the Texas Data Privacy and Security Act, Texas residents may have rights to confirm whether Marble Labs processes their Personal Information, to access a copy of that information, to correct inaccuracies, and to request deletion of Personal Information supplied by or collected about them. Texas residents may also have the right to opt out of certain processing activities, including targeted advertising, the sale of Personal Information, and profiling that produces legal or similarly significant effects. Marble Labs does not engage in targeted advertising, does not sell Personal Information, and does not conduct automated profiling of this nature.

Texas residents may exercise their rights by emailing privacy@xp1drive.com, and Marble Labs will verify the identity of the requester before complying with any request, consistent with the verification requirements of the TDPSA.

14.3 Texas Residents (TDPSA)

Under the Texas Data Privacy and Security Act, Texas residents may have rights to confirm whether Marble Labs processes their Personal Information, to access a copy of that information, to correct inaccuracies, and to request deletion of Personal Information supplied by or collected about them. Texas residents may also have the right to opt out of certain processing activities, including targeted advertising, the sale of Personal Information, and profiling that produces legal or similarly significant effects. Marble Labs does not engage in targeted advertising, does not sell Personal Information, and does not conduct automated profiling of this nature.

Texas residents may exercise their rights by emailing privacy@xp1drive.com, and Marble Labs will verify the identity of the requester before complying with any request, consistent with the verification requirements of the TDPSA.

14.4 Nebraska Residents (NDPA)

The Nebraska Data Privacy Act grants Nebraska residents substantially similar rights to those described for Texas and other privacy-law states. Nebraska residents may request access to, correction of, or deletion of Personal Information and may opt out of processing activities interpreted as sales or targeted advertising.

All requests must be submitted to privacy@xp1drive.com and are subject to identity verification.

14.5 Colorado, Virginia, Connecticut, Utah, and Other Emerging State Laws

Residents of Colorado, Virginia, Connecticut, Utah, and other states that have enacted comprehensive privacy laws may have rights similar to those described in this Section, including rights to access, correct, delete, or obtain a copy of certain Personal Information, and rights to opt out of targeted advertising or the sale of Personal Information.

Marble Labs does not process data in ways that constitute targeted advertising, profiling, or sale under these state laws. To the extent these laws apply, Marble Labs will honor valid requests submitted in accordance with Section 13.

14.6 Appeals Process (Where Required)

Some state laws require businesses to provide an internal appeals process if a privacy request is denied. If Marble Labs denies a request submitted by a resident of a state with an applicable appeals requirement (such as Colorado or Virginia), the resident may appeal by replying to the denial email and indicating that they wish to appeal the decision. Marble Labs will review and respond within the timeline required by the applicable law.

14.7 Limitations and Legal Exceptions

The rights described in this Section are subject to statutory limitations. Marble Labs may deny or partially fulfill a request if it cannot verify the requestor’s identity, if the information must be retained to comply with legal obligations, if the requested action would interfere with security, fraud-prevention functions, or internal operations, if fulfilling the request would impair the rights of others, or if the request is repetitive, excessive, or unfounded. Some data may be exempt from deletion or disclosure obligations because Marble Labs is required to retain it for licensing enforcement, audit purposes, fraud prevention, safety, legal compliance, or internal operational integrity. Marble Labs will notify the requester when an exemption applies and will explain the basis for any limitation or denial as required by applicable law.

14.8 No Discrimination for Exercising Rights

Marble Labs does not discriminate against residents who exercise privacy rights under state law. Exercising Your rights will not result in different pricing, reduced functionality, or decreased service quality. However, certain actions—such as opting out of cookies or requesting deletion—may limit features that rely on those technologies.

14.9 Relationship to XP1 Licensing Restrictions

The privacy rights described in this Section apply only to the Personal Information collected through the Website or through Marble Labs’ service-related communications. These rights do not alter, limit, or override any provision of the XP1 End User License Agreement, including but not limited to territorial enforcement, anti-tampering safeguards, machine-binding mechanisms, seat allocation rules, refund-related revocation, license termination procedures, or any other contractual licensing obligations. The exercise of privacy rights does not affect Marble Labs’ ability to enforce licensing restrictions or security measures necessary to protect the XP1 platform, its intellectual property, or its fraud-prevention systems.