Privacy Policy

Last updated: February 18, 2026

1. Introduction

This Privacy Policy explains how Zipf AI collects, uses, and protects your information when you use our services.

We do not sell user data to third parties. Our business model is based on paid API access, not data monetization or advertising.

2. Information We Collect

Account Information

  • Email address
  • Name (optional)
  • Company name (optional)
  • Password (hashed via WorkOS)

Billing Information

Payment processing is handled by Stripe. We receive only the last 4 digits of your card and payment status.

API Usage Logs

API requests are logged for 90 days for debugging, billing, and abuse prevention:

  • Timestamp and endpoint
  • Request parameters
  • Response data
  • Credits consumed
  • Status code and response time
  • IP address and user agent

You can view and delete response data from individual logs via the dashboard.

Analytics

We use PostHog for privacy-focused analytics (page views, feature usage). Web server logs (IP, browser, referrer) are retained for 30 days.

3. How We Use Your Data

We use collected data to:

  • Provide and maintain the service
  • Process authentication and billing
  • Track credit usage and enforce rate limits
  • Debug technical issues
  • Send transactional emails (password resets, receipts, service notifications)
  • Analyze aggregate usage patterns for performance optimization
  • Detect and prevent abuse
  • Comply with legal obligations

We do not use your data to train AI models, build advertising profiles, or sell to third parties.

4. Data Sharing

Service Providers

We share data with the following service providers:

  • Stripe - Payment processing
  • WorkOS - Authentication
  • AWS/Vercel - Hosting infrastructure
  • Supabase - Database
  • PostHog - Analytics
  • Anthropic/OpenAI - API service providers

Legal Compliance

We disclose data when required by valid legal process (subpoenas, court orders). We notify users when legally permitted to do so.

Business Transfers

In the event of acquisition or merger, user data may be transferred. We will notify users and provide options to delete accounts prior to transfer.

5. Data Retention

  • Account data: Retained until account deletion
  • API logs: 90 days (response data can be deleted manually)
  • Billing records: 7 years (legal requirement)
  • Web server logs: 30 days

Upon account deletion, all data is deleted except legally required billing records.

6. Security

Security measures include:

  • TLS 1.3 encryption for all traffic
  • Encrypted data at rest
  • Hashed API tokens and passwords
  • PCI-compliant payment processing via Stripe
  • 2FA for production system access
  • Monitoring for unusual activity

In the event of a security breach, affected users will be notified within 72 hours.

7. Your Rights

Via Dashboard:

  • View account info and API logs (/dashboard/usage)
  • Export API logs as CSV or JSON
  • Delete response data from individual logs
  • Manage billing and subscription (/dashboard/billing)
  • Delete account permanently (/dashboard/account)

Via Email (support@zipf.ai):

  • Export complete account data
  • Correct account information
  • GDPR/CCPA data access requests

8. Cookies

  • Session cookie: Required for authentication
  • Analytics cookies: PostHog for aggregate usage tracking

We do not use advertising cookies or cross-site tracking.

9. International Data Transfers

Our servers are located in the US (AWS us-east-1). We use standard contractual clauses for GDPR compliance.

Enterprise customers may request data residency guarantees.

10. Children's Privacy

Our service is not intended for users under 18. We do not knowingly collect information from minors.

11. Changes to This Policy

Material changes will be announced via email at least 30 days in advance. The "Last updated" date indicates when changes were last made.

12. Contact

For privacy questions: support@zipf.ai

For legal/compliance: daniel.campos@zipf.ai

Skip to main content
Privacy Policy | Zipf AI