Privacy

Privacy Policy

We are committed to being transparent about the data we collect, how it is used, and the choices you have. Your data belongs to you.

Effective date: May 24, 2026

1. Overview

This Privacy Policy describes how Zylaro AI ("Zylaro", "we", "us", "our") collects, uses, stores, protects, and shares your personal information when you use our platform at zylaroai.com and associated services (the "Service").

We take your privacy seriously. Our core principles:

  • Minimal collection: We collect only the data necessary to provide the Service
  • No selling: We never sell your personal data to third parties
  • Transparency: We explain clearly what we collect and why
  • Your control: You can access, correct, export, and delete your data
  • Security first: We employ industry-standard security practices

2. Data We Collect

We collect the following categories of personal data:

Data CategoryExamplesPurposeRetention
Account DataEmail address, name, password (hashed)Authentication, account managementUntil account deletion
Profile DataDisplay name, account status, email verification statusPersonalization, service accessUntil account deletion
Chat MessagesYour messages and AI responsesConversation history, AI contextUntil manually deleted or account deletion
Notes & TasksNote content, task titles, descriptions, due datesProductivity featuresUntil manually deleted or account deletion
Usage LogsMessage count, token usage, response times, error codesService quality, billing, abuse prevention90 days
Security EventsLogin attempts, IP prefix (masked), rate limit hitsSecurity monitoring, fraud prevention30 days
Moderation LogsPrompt preview (200 chars max), risk score, categoryContent moderation, safety90 days
Device DataBrowser type, operating system (from User-Agent)Security logging, compatibility30 days (truncated)
Phone NumberPhone number (optional, if you add it)Optional phone verificationUntil removed or account deletion

3. How We Collect Data

Directly From You

When you register, you provide your email address, name, and password. When you use the Service, you create notes, tasks, and chat messages.

Automatically

When you use the Service, we automatically collect:

  • Partial IP address (first 3 octets only — we never store your full IP address)
  • User-Agent string (browser/device type) for security logging
  • Timestamps of requests and actions
  • Feature usage patterns (aggregate, not individually tracked behavioral profiling)

From Third-Party Services

Our infrastructure providers (Supabase) may collect technical data as part of service delivery. See the Third-Party Services section for details.

4. How We Use Your Data

We use your data only for the following purposes:

  • Service delivery: To authenticate you, store your content, and provide AI chat, notes, and task features
  • Communication: To send account-related emails (verification, password reset, security alerts)
  • Safety & moderation: To detect and prevent abuse, policy violations, and illegal activity
  • Rate limiting & fair use: To enforce usage limits and prevent system abuse
  • Service improvement: To analyze aggregate usage patterns and fix bugs (not for behavioral advertising)
  • Legal compliance: To comply with applicable laws, regulations, and lawful requests
  • Security: To protect users, the platform, and third parties from harmful activity

We do not use your data for targeted advertising, data brokering, or profiling for commercial purposes.

5. AI Processing

When you use the AI Chat feature, your messages are processed as follows:

Moderation Screening

Before your message reaches the AI model, it is screened by an automated content moderation system (using OpenAI's Moderation API). This check determines whether the content may violate our safety policies. The moderation system processes your prompt but does not retain it beyond the screening operation; only a 200-character preview and a risk score are stored in our moderation log for safety auditing purposes.

AI Model Processing

Your messages, along with your recent conversation history (up to 20 messages), are sent to OpenAI's API to generate responses. OpenAI processes this data according to their API usage policies. OpenAI's API data is not used to train their models per their enterprise API agreement.

What We Do Not Do

  • We do not use your chat messages to train AI models
  • We do not share your chat content with third parties for marketing
  • We do not perform behavioral profiling based on AI conversations
  • We do not store your full conversation history indefinitely — it is deleted when you clear it or delete your account

6. Third-Party Services

Zylaro AI relies on the following third-party services. Each is bound by its own privacy policy:

Supabase

Database, authentication, and backend infrastructure

Data shared: All user data (stored in EU/US data centers)

View Supabase Privacy Policy →

OpenAI

AI language model (chat completions and content moderation)

Data shared: Chat messages and prompts (via API, not used for training)

View OpenAI Privacy Policy →

Netlify

Web hosting and CDN

Data shared: Request logs, IP addresses

View Netlify Privacy Policy →

Google Analytics

Website analytics (aggregated, anonymized)

Data shared: Page views, session duration, browser type (anonymized)

View Google Analytics Privacy Policy →

Sentry (optional)

Error monitoring

Data shared: Error messages, stack traces (no personal content)

View Sentry (optional) Privacy Policy →

7. Cookies & Local Storage

Authentication

We use Supabase Auth, which stores a session token in your browser's localStorage to keep you signed in. This is essential for the Service to function and cannot be disabled without logging out.

Service Worker Cache

Our Progressive Web App (PWA) uses a service worker that caches static assets (icons, fonts, CSS). The service worker never caches your personal data, authentication tokens, chat messages, or dashboard pages. Cached data is limited to app shell resources required for offline display of the landing page only.

Analytics Cookies

Google Analytics sets cookies to measure aggregated traffic patterns (page views, session duration). We have configured Google Analytics with IP anonymization enabled. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on.

No Tracking Cookies

We do not use advertising cookies, third-party tracking pixels, or cookies for behavioral profiling.

8. Analytics

We use Google Analytics (GA4) to understand how users interact with Zylaro AI. We collect:

  • Page views and navigation paths
  • Session duration and bounce rate
  • Browser type and operating system (aggregated)
  • Country/region of origin (not city-level precision)

We do not:

  • Enable User-ID tracking in Google Analytics
  • Link analytics data to your account or personal identity
  • Use remarketing or advertising features
  • Share raw analytics data with third parties

We also maintain internal usage logs for operational purposes (API latency, error rates, feature adoption) using aggregated, anonymized data stored in our own database.

9. Data Security

We implement industry-standard security practices to protect your data:

Encryption in transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+.

Encryption at rest

Your data is stored in encrypted databases managed by Supabase.

Row-level security

Database-level security policies ensure you can only access your own data.

Access controls

Admin access is restricted via role-based policies with audit logging.

Intrusion monitoring

Automated systems detect and alert on suspicious login attempts and abuse patterns.

HTTPS everywhere

HSTS and secure headers are enforced across all pages and API endpoints.

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to supportzylaroai@gmail.com.

10. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in these limited circumstances:

  • Service providers: With our infrastructure providers (Supabase, OpenAI, Netlify) strictly for service delivery
  • Legal requirements: When required by law, court order, or lawful government request
  • Safety: To protect against imminent harm to any person or to investigate fraud or security incidents
  • Business transfer: In the event of a merger or acquisition, subject to the acquiring party honoring this policy or obtaining fresh consent

Any data shared with third parties is limited to the minimum necessary for the stated purpose.

11. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data: Retained until account deletion, then deleted within 30 days
  • Notes, tasks, chat messages: Retained until you delete them or delete your account
  • Usage logs: 90 days, then automatically purged
  • Security & moderation logs: 30–90 days for active threat monitoring, then purged
  • Legal holds: Data may be retained longer if required by law or for ongoing legal proceedings

12. Your Privacy Rights

Regardless of your location, you have the following rights with respect to your personal data:

Right to Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data. You can delete your account and data directly in Settings.

Right to Portability

Request an export of your data in a machine-readable format.

Right to Object

Object to certain types of processing, including automated decision-making.

Right to Restriction

Request that we limit how we process your data in certain circumstances.

To exercise any of these rights, contact us at privacy@zylaroai.com. We will respond within 30 days.

Account Deletion

You can delete your account at any time from Settings → Danger Zone → Clear Data, followed by signing out and contacting us for full account deletion. Upon deletion, your personal data is removed within 30 days, except where retention is required by law.

13. GDPR & EEA/UK Users

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your data.

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract: Processing necessary to provide the Service you signed up for (account data, content storage)
  • Legitimate interests: Security monitoring, abuse prevention, service improvement
  • Legal obligation: Compliance with applicable laws
  • Consent: Optional features such as phone verification and analytics

Data Transfers

Your data may be processed in countries outside the EEA, including the United States, where our infrastructure providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required.

Your GDPR Rights

In addition to the general rights above, EEA/UK users have the right to:

  • Lodge a complaint with your national data protection authority
  • Withdraw consent at any time where processing is based on consent
  • Not be subject to solely automated decision-making with legal or significant effects

14. Children's Privacy

Zylaro AI is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete that data promptly.

If you are a parent or guardian and believe your child has provided us with personal data without consent, please contact privacy@zylaroai.com.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on this page with a new effective date
  • Sending an in-app notification or email for significant changes affecting your rights

Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact & Data Requests

For privacy inquiries, data access requests, or to exercise your rights, contact our privacy team:

Privacy inquiries

privacy@zylaroai.com

Data deletion

delete@zylaroai.com

We aim to respond to all privacy requests within 30 days. For urgent matters, please indicate "URGENT" in the subject line.