Privacy Policy
Last updated: April 25, 2026
This Privacy Policy describes how ZinXan AI ('we', 'us', or 'our') collects, uses, stores, and shares your personal information when you use our website https://zinxan.com, mobile application, and related services (collectively, the 'Services').
Please read this Privacy Policy carefully. By using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services.
TABLE OF CONTENTS
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Third-Party AI Providers
- EU AI Act and AI Regulation
- Data Retention
- International Data Transfers
- Your Privacy Rights
- GDPR Rights (UK/EEA Users)
- Cookies and Tracking Technologies
- Security of Your Information
- Children's Privacy
- Third-Party Links
- Updates to This Policy
- Contact Us
1. INFORMATION WE COLLECT
Information You Provide to Us
Account Information
- Name and email address (when you register directly or via third-party authentication)
- Phone number (for account verification, two-factor authentication, and account recovery)
- Username and password (if applicable)
- Profile picture (if provided or obtained via third-party authentication)
Sign-in and identity (WorkOS)
We use WorkOS to handle authentication and user identity for the Services. You can sign in with Apple, Google, or GitHub through WorkOS, subject to the options we enable. WorkOS and the identity provider you choose process the minimum data required to create or secure your account.
We receive, for example:
- Your name and email address
- Profile picture (if the provider and your settings make it available)
- A unique identifier from WorkOS and/or the sign-in provider
We do not receive or store the passwords for your Apple, Google, or GitHub accounts.
Payment Information
- Billing name and address
- Payment card details (processed and stored by our payment processor, not by us directly)
- Transaction history
User Content and Conversations
- Messages, prompts, and queries you submit to the AI
- Files, images, and documents you upload (stored in Cloudflare R2 object storage on our behalf)
- AI-generated responses and outputs
- Conversation history and chat logs
Connected Third-Party Content
When you connect third-party services or workspaces, such as Notion, we may receive and process:
- Account and workspace metadata needed to establish and maintain the connection
- Pages, documents, databases, messages, calendar events, or other content you explicitly authorise us to access
- Search queries and retrieval requests you initiate against connected services
Communications
- Emails or messages you send to our support team
- Feedback and survey responses
Information Collected Automatically
Device and Usage Information
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Pages visited and features used
- Date and time of access
- Referring website or source
Log Data
- API requests and responses
- Error logs and performance data
- Feature usage patterns
2. HOW WE USE YOUR INFORMATION
We use your personal information for the following purposes:
To Provide the Services
- Process your prompts and queries through AI models
- Generate and deliver AI responses
- Perform web searches and documentation lookups on your behalf
- Search and retrieve content from connected third-party services and workspaces you authorise us to access
- Store and display your conversation history
- Process payments and manage subscriptions
To Manage Your Account
- Create and maintain your account
- Authenticate your identity
- Send verification codes and security alerts
- Provide account recovery options
To Communicate With You
- Send service-related notifications
- Respond to your enquiries and support requests
- Send SMS alerts (with your consent)
- Notify you of changes to our Services or policies
To Improve Our Services
- Analyse usage patterns and trends
- Identify and fix bugs and errors
- Develop new features and functionality
- Monitor and improve performance
To Ensure Safety and Security
- Detect and prevent fraud, abuse, and violations of our Terms of Service
- Enforce our acceptable use policies
- Protect against harmful or illegal activity
- Moderate content and filter prohibited requests
To Comply With Legal Obligations
- Respond to legal requests and court orders
- Comply with applicable laws and regulations
- Establish, exercise, or defend legal claims
3. HOW WE SHARE YOUR INFORMATION
We may share your information with the following categories of recipients:
Service Providers
We share information with third-party vendors who perform services on our behalf:
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Cloud hosting | Application infrastructure, databases | Service and account data (encrypted) |
| WorkOS | Sign-in, identity, OAuth with IdPs | Account identifiers, session/auth tokens, profile fields from Apple, Google, or GitHub as applicable; see WorkOS policies |
| Cloudflare R2 | Object storage for uploads | User-uploaded files and related content |
| Payment processors | Subscription billing | Payment and billing info |
| SMS providers (Vonage) | Account verification, alerts | Phone number, message content |
| Analytics providers | Usage analysis | Anonymised usage data |
| Customer support tools | Support ticket management | Communications, account info |
Third-Party AI Providers
See Section 4 for detailed information about how your data is shared with AI model providers.
Connected Third-Party Services
When you connect third-party services such as Notion, Slack, GitHub, Google Calendar, or similar platforms, we may exchange the data necessary to authenticate the connection and retrieve the content or metadata you ask us to access. We only access content made available through the permissions and pages, databases, channels, repositories, calendars, or other resources you authorise.
Legal and Safety Disclosures
We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to:
- Comply with legal obligations or respond to lawful requests
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
- Protect against legal liability
Business Transfers
If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
With Your Consent
We may share your information with other parties when you have given us explicit consent to do so.
4. THIRD-PARTY AI PROVIDERS
Our Services utilise third-party artificial intelligence models and APIs to generate responses. This section explains how your data is processed by these providers.
AI Providers We Use
We may use AI models and services from providers including, but not limited to:
- Anthropic (Claude)
- OpenAI (GPT models)
- Google (Gemini)
- Other AI model providers as we expand our Services
Data Sent to AI Providers
When you use the Services, the following data may be sent to AI providers:
- Your prompts, messages, and queries
- Files and images you upload for analysis
- Conversation context necessary to generate responses
- Web search results retrieved on your behalf
- Content retrieved from connected third-party services or workspaces that is necessary to answer your request
How AI Providers Process Your Data
Each AI provider has its own privacy policy and data handling practices:
- Anthropic: https://www.anthropic.com/privacy
- OpenAI: https://openai.com/privacy
- Google: https://policies.google.com/privacy
Important: We use API access to these providers, which typically means:
- Your data is processed to generate responses
- Data retention and training policies vary by provider
- We recommend reviewing each provider's policies for details
Your Choices
- You may choose which AI model to use for your conversations where options are available
- You can request deletion of your conversation history (see Section 8)
- You can stop using the Services at any time
5. EU AI ACT AND AI REGULATION
Regulation (EU) 2024/1689 (the EU Artificial Intelligence Act) and related national measures impose different duties on different actors in the AI value chain (for example, providers of certain AI systems, and deployers in specific high-risk or regulated cases), with staged dates of application for different rules.
ZinXan operates the user interface to the Services and routes your requests to third-party AI model providers; we do not train the underlying foundation models ourselves. The personal data and content you submit may be processed as described in Section 4. You are responsible for ensuring that your use of the Services complies with applicable law, including the AI Act and national implementing law where they apply to your use case, sector, or role (for example, certain workplace, biometric, or high-risk deployment scenarios our general-purpose product is not designed for).
Our Terms of Service set out acceptable use, safety expectations, and limitations of AI output. They do not replace professional legal or compliance advice. For regulated or high-risk uses, you should consult qualified counsel and review the underlying model providers' public documentation and terms (for example, Anthropic, OpenAI, Google), which address their own regulatory obligations.
Nothing in this Privacy Policy or our Terms is a representation that a particular use of the Services, or that our operations, satisfy every obligation that may apply under the EU AI Act, digital copyright rules, or other evolving AI-related legislation; requirements depend on the facts, your status (for example, deployer, employer, or business user), and the date on which each rule takes effect for you.
6. DATA RETENTION
We retain your personal information for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention Periods
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Conversation history | Until you delete it, or account deletion |
| Payment records | 7 years (legal/tax requirements) |
| Server logs | 90 days |
| Analytics data | 26 months (anonymised) |
| Support communications | 3 years |
Conversation Data
- Your conversation history is retained to provide you with access to past chats
- You can delete individual conversations or all conversation history at any time
- When you delete conversations, they are removed from our active systems within 30 days
- Backup copies may persist for up to 90 days before being permanently deleted
- Some data may be retained in anonymised or aggregated form for analytics
Account Deletion
When you delete your account:
- Your personal information will be deleted within 30 days
- Conversation history will be permanently deleted
- Payment records will be retained as required by law
- Anonymised or aggregated data may be retained indefinitely
7. INTERNATIONAL DATA TRANSFERS
Hosting Location
Our Services are hosted in Germany (European Union).
Data Transfers
Your information may be transferred to and processed in countries outside of your country of residence, including:
- Countries where our cloud infrastructure providers operate
- Countries where object storage and related Cloudflare services (for example, R2 for your uploads) are processed, depending on our configuration
- Countries where our AI providers process data
- Countries where our identity provider (WorkOS) and sign-in methods process data
Safeguards
When we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions where available
- Other lawful transfer mechanisms
8. YOUR PRIVACY RIGHTS
Depending on your location, you may have the following rights regarding your personal information:
Access — Request a copy of the personal information we hold about you.
Correction — Request that we correct inaccurate or incomplete information.
Deletion — Request that we delete your personal information, subject to certain exceptions.
Data Portability — Request a copy of your data in a structured, machine-readable format.
Restriction — Request that we restrict processing of your information in certain circumstances.
Objection — Object to processing of your information for certain purposes.
Withdraw Consent — Where processing is based on consent, withdraw that consent at any time.
How to Exercise Your Rights
You can exercise many of these rights directly through your account settings:
- Delete conversations
- Export your data
- Update account information
- Delete your account
For other requests, contact us at info@zinxan.com.
We will respond to your request within 30 days (or sooner where required by law).
9. GDPR RIGHTS (UK/EEA USERS)
If you are located in the United Kingdom or European Economic Area, this section provides additional information about your rights under the UK GDPR and EU GDPR.
Legal Bases for Processing
We process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Services | Performance of contract |
| Account management | Performance of contract |
| Payment processing | Performance of contract |
| Security and fraud prevention | Legitimate interests |
| Service improvement | Legitimate interests |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
Your GDPR Rights
In addition to the rights listed in Section 8, UK/EEA users have the right to:
- Lodge a complaint with a supervisory authority
- Not be subject to automated decision-making with legal effects (we do not engage in such processing)
Supervisory Authority
If you are unsatisfied with our response to a privacy concern, you may lodge a complaint with your local data protection authority:
United Kingdom: Information Commissioner's Office (ICO) https://ico.org.uk
European Union: Find your local authority at https://edpb.europa.eu/about-edpb/board/members_en
Data Controller
ZinXan AI is the data controller for your personal information.
10. COOKIES AND TRACKING TECHNOLOGIES
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate and improve our Services.
Types of Cookies We Use
Strictly Necessary Cookies
- Authentication and session management
- Security features
- Essential functionality
These cookies are required for the Services to function and cannot be disabled.
Functional Cookies
- Remember your preferences and settings
- Maintain your session state
- Store your selected AI model preferences
Analytics Cookies
- Understand how users interact with our Services
- Identify errors and performance issues
- Measure feature usage
Your Cookie Choices
- Most browsers allow you to refuse cookies or alert you when cookies are being sent
- You can manage cookie preferences through our cookie consent banner
- Disabling certain cookies may affect the functionality of our Services
Do Not Track
Our Services do not currently respond to "Do Not Track" signals.
11. SECURITY OF YOUR INFORMATION
We implement appropriate technical and organisational measures to protect your personal information, including:
Technical Measures
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Secure authentication mechanisms
- Regular security assessments and testing
Organisational Measures
- Access controls and authentication requirements
- Employee training on data protection
- Incident response procedures
- Regular review of security practices
Important: While we take reasonable steps to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
If you have reason to believe that your account or information is no longer secure, please contact us immediately at info@zinxan.com.
12. CHILDREN'S PRIVACY
Our Services are not intended for users under the age of 18. We do not knowingly collect personal information from children under 18.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at info@zinxan.com. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
13. THIRD-PARTY LINKS
Our Services may contain links to third-party websites, services, or content that are not operated by us. This Privacy Policy does not apply to those third-party services.
We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.
14. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
How We Notify You
- We will post the updated Privacy Policy on this page
- We will update the "Last updated" date at the top
- For material changes, we will notify you via email or a prominent notice on our Services
Your Continued Use
Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
15. CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
ZinXan
Email: info@zinxan.com
Address: United Kingdom
For GDPR-related enquiries, please include "GDPR Request" in your subject line.
We will endeavour to respond to your enquiry within 30 days.
SUMMARY OF KEY POINTS
| Topic | Summary |
|---|---|
| What we collect | Account info, conversations, payment data, usage data |
| Why we collect it | To provide Services, manage accounts, improve features, ensure safety |
| AI providers | Your prompts are sent to third-party AI providers to generate responses |
| Data storage | Application hosted in Germany (EU); uploads in Cloudflare R2; transfers may use safeguards in Section 7 |
| Sign-in | WorkOS with Apple, Google, or GitHub where offered |
| Your rights | Access, correct, delete, port your data; withdraw consent |
| Retention | Conversations kept until you delete; account data kept 30 days post-deletion |
| Security | Encryption, access controls, regular security reviews |
| Children | Not for users under 18 |
| Contact | info@zinxan.com |