1. Overview
This Privacy Policy describes how Zylaro AI ("Zylaro", "we", "us", "our") collects, uses, stores, protects, and shares your personal information when you use our platform at zylaroai.com and associated services (the "Service").
We take your privacy seriously. Our core principles:
- Minimal collection: We collect only the data necessary to provide the Service
- No selling: We never sell your personal data to third parties
- Transparency: We explain clearly what we collect and why
- Your control: You can access, correct, export, and delete your data
- Security first: We employ industry-standard security practices
2. Data We Collect
We collect the following categories of personal data:
| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account Data | Email address, name, password (hashed) | Authentication, account management | Until account deletion |
| Profile Data | Display name, account status, email verification status | Personalization, service access | Until account deletion |
| Chat Messages | Your messages and AI responses | Conversation history, AI context | Until manually deleted or account deletion |
| Notes & Tasks | Note content, task titles, descriptions, due dates | Productivity features | Until manually deleted or account deletion |
| Usage Logs | Message count, token usage, response times, error codes | Service quality, billing, abuse prevention | 90 days |
| Security Events | Login attempts, IP prefix (masked), rate limit hits | Security monitoring, fraud prevention | 30 days |
| Moderation Logs | Prompt preview (200 chars max), risk score, category | Content moderation, safety | 90 days |
| Device Data | Browser type, operating system (from User-Agent) | Security logging, compatibility | 30 days (truncated) |
| Phone Number | Phone number (optional, if you add it) | Optional phone verification | Until removed or account deletion |
3. How We Collect Data
Directly From You
When you register, you provide your email address, name, and password. When you use the Service, you create notes, tasks, and chat messages.
Automatically
When you use the Service, we automatically collect:
- Partial IP address (first 3 octets only — we never store your full IP address)
- User-Agent string (browser/device type) for security logging
- Timestamps of requests and actions
- Feature usage patterns (aggregate, not individually tracked behavioral profiling)
From Third-Party Services
Our infrastructure providers (Supabase) may collect technical data as part of service delivery. See the Third-Party Services section for details.
4. How We Use Your Data
We use your data only for the following purposes:
- Service delivery: To authenticate you, store your content, and provide AI chat, notes, and task features
- Communication: To send account-related emails (verification, password reset, security alerts)
- Safety & moderation: To detect and prevent abuse, policy violations, and illegal activity
- Rate limiting & fair use: To enforce usage limits and prevent system abuse
- Service improvement: To analyze aggregate usage patterns and fix bugs (not for behavioral advertising)
- Legal compliance: To comply with applicable laws, regulations, and lawful requests
- Security: To protect users, the platform, and third parties from harmful activity
We do not use your data for targeted advertising, data brokering, or profiling for commercial purposes.
5. AI Processing
When you use the AI Chat feature, your messages are processed as follows:
Moderation Screening
Before your message reaches the AI model, it is screened by an automated content moderation system (using OpenAI's Moderation API). This check determines whether the content may violate our safety policies. The moderation system processes your prompt but does not retain it beyond the screening operation; only a 200-character preview and a risk score are stored in our moderation log for safety auditing purposes.
AI Model Processing
Your messages, along with your recent conversation history (up to 20 messages), are sent to OpenAI's API to generate responses. OpenAI processes this data according to their API usage policies. OpenAI's API data is not used to train their models per their enterprise API agreement.
What We Do Not Do
- We do not use your chat messages to train AI models
- We do not share your chat content with third parties for marketing
- We do not perform behavioral profiling based on AI conversations
- We do not store your full conversation history indefinitely — it is deleted when you clear it or delete your account
6. Third-Party Services
Zylaro AI relies on the following third-party services. Each is bound by its own privacy policy:
Supabase
Database, authentication, and backend infrastructure
Data shared: All user data (stored in EU/US data centers)
View Supabase Privacy Policy →OpenAI
AI language model (chat completions and content moderation)
Data shared: Chat messages and prompts (via API, not used for training)
View OpenAI Privacy Policy →Google Analytics
Website analytics (aggregated, anonymized)
Data shared: Page views, session duration, browser type (anonymized)
View Google Analytics Privacy Policy →Sentry (optional)
Error monitoring
Data shared: Error messages, stack traces (no personal content)
View Sentry (optional) Privacy Policy →8. Analytics
We use Google Analytics (GA4) to understand how users interact with Zylaro AI. We collect:
- Page views and navigation paths
- Session duration and bounce rate
- Browser type and operating system (aggregated)
- Country/region of origin (not city-level precision)
We do not:
- Enable User-ID tracking in Google Analytics
- Link analytics data to your account or personal identity
- Use remarketing or advertising features
- Share raw analytics data with third parties
We also maintain internal usage logs for operational purposes (API latency, error rates, feature adoption) using aggregated, anonymized data stored in our own database.
9. Data Security
We implement industry-standard security practices to protect your data:
Encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
Encryption at rest
Your data is stored in encrypted databases managed by Supabase.
Row-level security
Database-level security policies ensure you can only access your own data.
Access controls
Admin access is restricted via role-based policies with audit logging.
Intrusion monitoring
Automated systems detect and alert on suspicious login attempts and abuse patterns.
HTTPS everywhere
HSTS and secure headers are enforced across all pages and API endpoints.
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to supportzylaroai@gmail.com.
11. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Account data: Retained until account deletion, then deleted within 30 days
- Notes, tasks, chat messages: Retained until you delete them or delete your account
- Usage logs: 90 days, then automatically purged
- Security & moderation logs: 30–90 days for active threat monitoring, then purged
- Legal holds: Data may be retained longer if required by law or for ongoing legal proceedings
12. Your Privacy Rights
Regardless of your location, you have the following rights with respect to your personal data:
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data. You can delete your account and data directly in Settings.
Right to Portability
Request an export of your data in a machine-readable format.
Right to Object
Object to certain types of processing, including automated decision-making.
Right to Restriction
Request that we limit how we process your data in certain circumstances.
To exercise any of these rights, contact us at privacy@zylaroai.com. We will respond within 30 days.
Account Deletion
You can delete your account at any time from Settings → Danger Zone → Clear Data, followed by signing out and contacting us for full account deletion. Upon deletion, your personal data is removed within 30 days, except where retention is required by law.
13. GDPR & EEA/UK Users
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your data.
Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract: Processing necessary to provide the Service you signed up for (account data, content storage)
- Legitimate interests: Security monitoring, abuse prevention, service improvement
- Legal obligation: Compliance with applicable laws
- Consent: Optional features such as phone verification and analytics
Data Transfers
Your data may be processed in countries outside the EEA, including the United States, where our infrastructure providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required.
Your GDPR Rights
In addition to the general rights above, EEA/UK users have the right to:
- Lodge a complaint with your national data protection authority
- Withdraw consent at any time where processing is based on consent
- Not be subject to solely automated decision-making with legal or significant effects
14. Children's Privacy
Zylaro AI is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete that data promptly.
If you are a parent or guardian and believe your child has provided us with personal data without consent, please contact privacy@zylaroai.com.
15. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on this page with a new effective date
- Sending an in-app notification or email for significant changes affecting your rights
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact & Data Requests
For privacy inquiries, data access requests, or to exercise your rights, contact our privacy team:
Privacy inquiries
privacy@zylaroai.comData deletion
delete@zylaroai.comWe aim to respond to all privacy requests within 30 days. For urgent matters, please indicate "URGENT" in the subject line.