Privacy Policy

This Privacy Policy describes how ZeroDriveX LLC (“ZDX”, “we”, “us”) collects, uses, and protects information when you use any of our products and services, including zerodrivex.com, auth.zerodrivex.com, the zdxai CLI, ZDX Mobile AI / zdxai (Android), SecuredMail, ZDX Text Guard, and all related services (collectively, the “Services”).

1. Information We Collect

What we collect depends on which Service you use. The following applies across all Services unless a product-specific section below states otherwise.

  • Account data: Email address and bcrypt-hashed password when you register.
  • Authentication tokens: JWT access tokens (15-minute expiry) and refresh tokens (30-day expiry) stored as HTTP-only cookies (user-token, rt). Token IDs (JTI) are stored in Redis to enable instant revocation.
  • Technical / log data: IP addresses, timestamps, user-agent strings, and audit events (login, logout, token refresh, failed attempts). Collected for security and abuse prevention.
  • Payment data: Payments are processed by Stripe. ZDX stores your Stripe Customer ID, Subscription ID, and subscription status only. We do not store full card numbers or CVV data.
  • Contact form data: Name, email address, and message content when you contact us.
  • Cookies: Authentication cookies only (see Section 6). No advertising or tracking cookies are used on any ZDX property.

2. Product-Specific Data Practices

2a. zdxai CLI

  • Routing metadata (model selected, token counts, cost estimate) may be logged for billing accuracy and service diagnostics.
  • Prompt content is forwarded directly to the AI provider you select (Anthropic, OpenAI, Google, or xAI). ZDX does not store, read, or log your prompt content.
  • License key and activation status are stored to verify your subscription via auth.zerodrivex.com.
  • Each AI provider's own privacy policy governs how they handle your prompts. Links are provided in Section 5.

2b. ZDX Mobile AI / zdxai & SecuredMail (Android)

Our Android applications are engineered as local-first, on-device standalone environments. AI inference, coordinate mapping, and email processing run natively on your hardware. ZDX does not receive, log, mirror, or store the content of your prompts, messages, contacts, calls, emails, or any other personal data processed by these local engines.

Android Permissions & Purpose:

  • Camera — Captures images for local, on-device AI analysis only. Images are never uploaded to ZDX servers.
  • Microphone — Captures voice input for local voice processing. Audio remains strictly on-device.
  • Contacts — Read-only access to enable local AI-assisted contact lookup. Contact data is never transmitted.
  • SMS (Read & Send) — Enables local AI-assisted messaging features. Message content is processed entirely within the local runtime.
  • Phone / Call Log — Enables local AI-assisted call management. Call log data is not transmitted off-device.
  • Calendar (Read & Write) — Enables local AI-assisted scheduling.
  • Local storage: AI model files, workspace configurations, local email synchronization databases, and application preferences are stored securely on your device. Uninstalling the applications completely removes all locally stored data.
  • Authentication & Verification: Session data and hardware matrix access are managed via auth.zerodrivex.com using JWT tokens as described in Sections 1 and 6.
  • No SDKs for ads or tracking: ZDX mobile applications contain zero advertising SDKs, zero analytics trackers, and zero third-party telemetry libraries.

2c. ZDX Text Guard

ZDX Text Guard detects and neutralizes prompt injection attacks before they reach an execution pipeline. Available as a web application, Android application, and REST API.

  • Text submitted for scanning is analyzed on-device (Android) or server-side (web / API). ZDX does not store, log, or retain the content of text you submit beyond the duration of the real-time scan request.
  • Scan metadata (timestamp, threat classification result, API key identifier) may be logged for billing, rate limiting, and service diagnostics.
  • API usage: Your API key is used to authenticate requests and track usage against your subscription tier. No text payloads are retained server-side.
  • Android application: The Android version performs all analysis natively on-device. No text content is transmitted to ZDX servers when utilizing offline or local execution mode.

2d. ZDX Auth Platform (auth.zerodrivex.com)

The ZDX Auth Platform provides secure, multi-tenant JWT authentication for ZDX products and licensed deployments.

  • Data collected: Email, bcrypt-hashed password, Stripe billing identifiers, JWT/JTI records in Redis, and security audit logs (login attempts, token lifecycle events).
  • Multi-tenant Matrix Isolation: Each client deployment is strictly scoped, isolated, and bounded by dedicated client parameters. Account data is logically and structurally isolated between separate organization domains.
  • Admin access: ZDX administrators may access account metadata records solely for essential customer support, infrastructure fraud investigation, or strict legal compliance mandates.

3. How We Use Your Information

  • To provide, secure, and operate the Services.
  • To authenticate your identity and maintain secure sessions.
  • To process payments and manage subscriptions via Stripe.
  • To send transactional messages (password resets, billing receipts).
  • To detect, prevent, and contain infrastructure fraud, abuse, and security threats.
  • To enforce rate limits and subscription usage quotas.
  • To comply with legal obligations.

We do not sell your personal information to third parties. We do not use your data for advertising. We do not use user content, processed emails, or prompt inputs to train AI models.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), our legal bases are:

  • Contract: Processing needed to provide the Services you requested (authentication, subscriptions).
  • Legitimate interests: Security logging, threat prevention, and operational stability.
  • Legal obligation: Compliance with applicable law.
  • Consent: Where we explicitly request it.

5. Third-Party Data Processors

  • Vercel — Hosts web properties. Processes request logs, IP addresses, and edge network metadata under their Privacy Policy.
  • Stripe — Processes payments and subscription billing. Subject to Stripe's Privacy Policy.
  • Google (Gmail SMTP) — Delivers transactional communications. Subject to Google's terms.
  • Anthropic — Receives prompts when you explicitly choose Claude via the zdxai CLI. Subject to Anthropic's Privacy Policy.
  • OpenAI — Receives prompts when you explicitly choose GPT models via the zdxai CLI. Subject to OpenAI's Privacy Policy.
  • Google (Gemini) — Receives prompts when you explicitly choose Gemini via the zdxai CLI. Subject to Google's AI terms.
  • xAI (Grok) — Receives prompts when you explicitly choose Grok via the zdxai CLI. Subject to xAI's privacy terms.
  • Neon / PostgreSQL — Database hosting for account and transactional system configurations.
  • Redis / Upstash — Stores session identifiers for real-time token revocation. Data is transient and TTL-bounded.

ZDX Mobile applications and ZDX Text Guard operating in local/offline modes do not transmit infrastructure or processing data to any third-party processors.

6. Cookies

Cookies are utilized exclusively on zerodrivex.com and auth.zerodrivex.com. Native command line utilities and local mobile applications do not utilize browser cookies.

  • user-token — HTTP-only, Secure. JWT access token. Expires in 15 minutes. Required for authenticated session routing.
  • rt — HTTP-only, Secure. Refresh token. Expires in 30 days. Used to obtain new temporary access tokens without credentials re-entry.

We do not deploy advertising, analytics, or behavioural tracking cookies. Disabling cookies will prevent the execution of authenticated features on our web environments.

7. Data Retention

  • Account configuration data: retained until account deletion is initiated.
  • Authentication and access logs: retained for up to 90 days for security analysis.
  • Redis session identifiers: automatically purged via token lifecycle TTL.
  • Stripe billing records: retained in compliance with standard financial regulations (typically 7 years).
  • Password reset tokens: automatically expire after 1 hour and are cleared upon utilization.
  • ZDX Text Guard cloud scan metadata: retained for up to 30 days for billing validation. Scanned text payloads are never preserved.
  • Local Mobile Application Data: stored securely on your local device storage until application uninstallation or user cache clearance. ZDX retains no secondary network copies.

8. Your Rights

Depending on your location, you may have the following rights regarding your data:

  • Access: Request a copy of the metadata we hold regarding your account.
  • Correction: Request remediation of inaccurate account metrics.
  • Erasure (Right to be Forgotten): Request absolute deletion of your identity record.
  • Portability: Request account data extraction in a standard structured layout.
  • Restriction: Request processing bounds limitations.

To exercise any of these rights, contact us via our contact page. We address all verifiable requests within 30 days.

9. Children's Privacy

Our Services are not directed to children under 13 (or 16 in the EEA). We do not knowingly compile information from minors. If you determine a minor has initiated an account record, contact us for immediate purge operations.

10. International Transfers

Data processing occurs within the United States and regions where our primary infrastructure processors maintain nodes. By executing these Services, you acknowledge these routing paths. We rely on Standard Contractual Clauses for crossing jurisdiction baselines.

11. Security

ZDX enforces secure-by-default architecture boundaries across all layers: bcrypt hashing mechanisms, strict HTTP-only security cookies, transient JWT states with instant Redis revocation capabilities, TLS transport layers, and prompt inspection validation in network-connected boundaries. If you identify an issue, report it via our contact page.

12. Changes to This Policy

We update this policy from time to time to match deployment updates. The timestamp at the top of this document denotes current validation. Substantive updates are broadcast via direct account communication channels or immediate site messaging. Continued interaction with the framework following changes indicates validation of updated terms.

13. Contact

Inquiries or data management actions regarding this document: contact us here.