Privacy Policy

The short version

We want you to trust us, so here is the summary before the detail:

• By default, we store operational metadata about requests - not the content of your prompts or outputs. Retaining raw content is an explicit, per-project choice you make.
• We never sell personal data, and we never use the content of your inputs or outputs to train third-party foundation models.
• Public identifiers are opaque and tenant-scoped; we do not expose raw content hashes.
• We tell you which sub-processors we use, and we give advance notice before adding new ones.
• You can access, export, correct, or delete your data, and deletion produces a receipt describing what was removed.

1. Scope and roles

This policy covers personal data processed through the Zumik websites, APIs, console, documentation, and support channels.

For data about your own end users that you submit through the Services, you are the controller (or processor for your customers) and Zumik acts as your processor (or sub-processor), processing such data on your documented instructions, which include your configuration choices. For account and billing data about you as our customer, Zumik is the controller. Business customers can execute our Data Processing Addendum, which governs processor obligations and prevails over this policy where they conflict.

2. Information we collect

Depending on how you use the Services, we process the following categories:

• Account data: name, work email, organization, role, and authentication identifiers.
• Operational and usage metadata: request timing, model resolution, alias releases, reuse measurements, QoS outcomes, error events, and aggregate usage counts. This is collected by default and does not include prompt content.
• Content data: the inputs and outputs of your requests, and the artifacts and state you create. Content is only retained when you select a trace mode that stores it (tokenized or encrypted full-fidelity); the default metadata mode does not retain raw content.
• Payment data: billing contact and transaction records. Card details are handled by our payment processor; we do not store full card numbers.
• Support data: messages and attachments you send when you contact us.
• Device and log data: IP address, browser type, and similar technical information collected automatically for security and reliability.
• Cookies and preferences: see the Cookie Policy. Your light/dark theme choice is stored locally and not transmitted to us.

3. How we use information

We use personal data to:

• Provide, operate, secure, and maintain the Services, including routing requests and measuring reuse.
• Produce diagnostics, telemetry, and reports you request.
• Prevent, detect, and respond to fraud, abuse, security incidents, and violations of our Terms.
• Process payments and manage your account and credits.
• Communicate with you about service, security, and (where permitted) product updates.
• Comply with legal obligations and enforce our agreements.

4. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal data on these bases: performance of a contract (to provide the Services you request); our legitimate interests (to secure, improve, and operate the Services, balanced against your rights); compliance with legal obligations; and consent where required (which you may withdraw at any time).

5. Trace modes and data minimization

Tracing is configurable per project so you control how much is retained:

• Metadata (default): timing, lineage, fingerprints, and usage. No raw prompt content.
• Tokenized: token identifiers retained for deeper reuse analysis on a consenting project.
• Encrypted full-fidelity: encrypted raw content retained for full replay fidelity, only where you explicitly enable it.
• If you do nothing, the Services run in metadata mode.

6. Sharing and sub-processors

We share data only as needed to operate the Services: with model and infrastructure sub-processors that execute requests and host the platform; with our payment processor for billing; and with professional advisors, or authorities, where required by law or to protect rights and safety. We may share data in connection with a merger, acquisition, or asset sale, subject to this policy.

The current sub-processor list is published on our sub-processors page, and we provide advance notice of material changes so you may object where you have that right. We do not sell personal data, and we do not share it for cross-context behavioral advertising.

7. International transfers

We may process and store data in countries other than your own. Where we transfer personal data internationally, we use appropriate safeguards required by applicable law, such as the European Commission’s Standard Contractual Clauses and the UK Addendum. BYOC and regional profiles can constrain processing to specific regions.

8. Retention

We keep personal data only as long as necessary for the purposes described here:

• Account and billing records: for the life of the account and as required for tax, accounting, and legal purposes thereafter.
• Operational metadata: for the period needed to operate, secure, and audit the platform, then aggregated or deleted.
• Content data: according to the retention you configure per project.
• On deletion, handles are revoked and purge jobs remove underlying state, returning a receipt with profile-specific evidence and any remaining retention window. Backups are purged on a rolling cycle.

9. Security

We apply technical and organizational measures appropriate to the risk, including tenant isolation, opaque tenant-scoped identifiers, HMAC-keyed internal fingerprints, encryption in transit, layered rate limits, access controls, secret hygiene, supply-chain integrity checks, and audit logging. No system is perfectly secure, but we treat security as a baseline requirement rather than an add-on. See our security overview for more.

10. Your rights

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent. Under the GDPR/UK GDPR you may also lodge a complaint with a supervisory authority.

Under the CCPA/CPRA, California residents may request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and the categories of recipients; request deletion or correction; and exercise the right to limit certain uses. We do not sell or share personal information as those terms are defined under the CCPA, so no opt-out of sale is required, but you may still exercise the rights above without discrimination.

To exercise any right, contact [email protected]. We will verify your request and respond within the time required by law. You may use an authorized agent where permitted.

11. Automated decision-making

We do not make decisions producing legal or similarly significant effects about individuals based solely on automated processing without a lawful basis and appropriate safeguards. Routing and reuse decisions operate on workload metadata, not on profiling of individuals.

12. Children

The Services are intended for businesses and developers and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.

13. Changes to this policy

We may update this policy to reflect changes in the Services or the law. We will post the updated version with a revised "Last updated" date and, for material changes, provide additional notice. Your continued use after changes take effect constitutes acceptance.

14. Contact

For privacy questions or to exercise your rights, contact [email protected]. For general inquiries, contact [email protected]. Business customers can also request our Data Processing Addendum at [email protected].