Privacy Policy
Effective date: April 24, 2026
Last updated: April 24, 2026
In plain English
We collect the information you give us (account details, payment, and the things you type into Zyra.ai) plus some automatic data about how you use the service. We use it to run the service, prevent abuse, bill you, comply with the law, and — if you opt in — to improve our models.
We do not sell your personal information. We don't share your chats with advertisers. If you use Private mode, that conversation isn't stored on our servers. You can export or delete your data anytime from account settings.
1. Who we are
Zyra.ai ("Zyra.ai," "we," "us," "our") provides an AI research assistant available through the Zyra.ai website, mobile app, and API (together, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Service.
By using Zyra.ai, you agree to the practices described here. If you don't agree, please don't use the Service.
2. Scope of this policy
This policy applies to personal information processed by Zyra.ai as a controller — that is, when we determine how and why personal data is processed. It does not cover:
- Third-party websites or services you access through Zyra.ai (for example, external links the assistant references);
- Personal information processed on behalf of our business customers under a data processing agreement (their privacy policies govern in that case);
- Public information you voluntarily share in public forums or support channels.
3. Information we collect
Information you give us
- Account information: name, email, password (stored as a salted hash), GitHub handle if you connect one, and profile settings.
- Content: prompts, files, images, and other inputs you submit; the assistant's responses; and any feedback (thumbs up/down, reports).
- Payment information: billing address, subscription plan, and partial payment-card details (full card numbers are handled by our payment processor — we never see or store them).
- Two-factor authentication: phone number you enroll; the one-time codes themselves are transient and not stored after verification.
- Support correspondence: messages you send us, bug reports, and survey responses.
Information collected automatically
- Usage data: features accessed, queries per day, conversation counts, timestamps, referring pages, performance telemetry, and error logs.
- Device and connection: IP address (approximate geolocation), browser, operating system, device type, language, and time zone.
- Session metadata: sign-in timestamps, device fingerprints used to secure your account and power the "Sessions" list in account settings.
- Cookies and similar technologies: see Cookies and tracking.
Information from third parties
- SSO providers (Google, GitHub): basic profile info (name, email, avatar) shared when you sign in with them.
- Payment processor (Stripe): transaction status, card brand, last four digits, and billing country.
- Anti-abuse partners: reputation signals about IPs and devices to help detect fraud and abuse.
4. How we use your information
We use your information to:
- Provide the Service: authenticate you, route queries to the model, maintain your chat history, apply your preferences, and sync across devices.
- Bill and administer subscriptions: process payments, calculate usage against limits, send receipts, and manage refunds.
- Safety and abuse prevention: detect automated scraping, credential stuffing, prohibited uses (including requests for sexualized content involving minors, targeted harassment, or content that attempts to manufacture weapons of mass destruction), and terms-of-service violations.
- Improve the Service: analyze aggregate usage, measure performance, fix bugs, and develop new features.
- Communicate with you: transactional emails (receipts, security notices), product updates, and — with your consent — marketing.
- Legal obligations: respond to valid legal process, enforce our terms, protect our rights, and meet regulatory requirements.
- Model improvement (see Using content to train models): only with your explicit opt-in, or in limited aggregated/anonymized form.
5. When we share information
We share personal information only with:
- Service providers and subprocessors acting on our behalf — cloud hosting (AWS, Google Cloud), email delivery, customer support tooling, analytics, error monitoring, payment processing, SMS delivery for 2FA, and anti-abuse. These vendors are bound by confidentiality and data-protection agreements.
- Model providers, if your query is routed to an external foundation model. We use contractual terms that prohibit those providers from using your inputs to train their models unless you've opted in.
- Legal and safety recipients when we believe in good faith that disclosure is necessary to comply with law, legal process, or to protect the rights, property, or safety of Zyra.ai, our users, or others. This includes preserving account data when served with a preservation request, and disclosing content in response to properly scoped legal orders.
- Business transfers: if Zyra.ai is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.
- With your direction: integrations you authorize, teammates on a shared workspace, or public posts you choose to share.
We do not sell personal information as "sale" is defined under California, Virginia, Colorado, or equivalent law. We do not share personal information for cross-context behavioral advertising.
6. Using content to train models
By default, we do not use the content of your conversations, uploads, or outputs to train or fine-tune our models. We will only do so when:
- You explicitly opt in through a setting or prompt;
- You submit feedback (e.g., a thumbs up/down with an optional comment) — the rated exchange and feedback may be used to improve the model;
- Content has been reviewed for a safety incident and is being used to make the model safer.
API customers and Enterprise customers are opted out of training by default. Free-tier and consumer users can opt out at any time in account settings.
7. Data retention
We retain personal information only as long as necessary to provide the Service and fulfill the purposes in this policy, unless a longer retention period is required or permitted by law.
- Chat history: retained until you delete the chat or close your account. Deletion is typically completed within 30 days, though encrypted backups may persist for up to 90 days.
- Private-mode conversations: not written to durable storage.
- Account information: retained while your account is active and for a reasonable period afterward for legal, tax, and fraud-prevention purposes.
- Usage logs: aggregated after 30–180 days depending on category; raw IP logs are minimized after 30 days.
- Safety investigations: content flagged as policy-violating may be retained for up to 12 months.
- Billing records: retained as required by applicable tax and accounting law (typically 7 years).
8. Security
We use administrative, technical, and physical safeguards designed to protect your information. These include encryption in transit (TLS 1.3) and at rest (AES-256), isolation between customer environments, role-based access controls for employees, continuous monitoring, regular third-party security testing, and a bug bounty program.
No method of transmission or storage is 100% secure. If we learn of a security breach affecting your personal information, we will notify you and regulators as required by applicable law.
9. Your rights and choices
Depending on where you live, you may have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information;
- Delete your account and associated data;
- Export your data in a portable format;
- Restrict or object to certain processing;
- Withdraw consent where we rely on it (this does not affect prior processing);
- Opt out of targeted advertising, the sale or sharing of personal information, and profiling that produces legal or similarly significant effects (we do not engage in these, but your right is preserved);
- Lodge a complaint with a data-protection authority.
You can exercise most of these rights directly from account settings or by emailing privacy@zyra.ai. We will respond within the time required by applicable law (typically 30–45 days).
Region-specific notes
- California (CCPA/CPRA): in the last 12 months we collected the categories of personal information described in Section 3 for the purposes described in Section 4. We disclosed Identifiers, Commercial Information, and Internet Activity to our service providers. We do not sell or share personal information. You have the right not to be discriminated against for exercising these rights.
- Europe/UK (GDPR): our legal bases are: contract (to provide the Service), legitimate interest (security, product improvement, analytics), consent (marketing, optional training), and legal obligation. For international transfers, we rely on Standard Contractual Clauses and, where applicable, the EU-US and UK-US Data Privacy Frameworks.
- Brazil (LGPD), Canada (PIPEDA), and other jurisdictions have analogous rights. Contact us and we'll honor them.
10. Cookies and tracking
We use cookies and similar technologies for three purposes:
- Strictly necessary: session cookies (e.g., zyraai_session) to keep you signed in, CSRF tokens, and load-balancing cookies. These cannot be turned off.
- Preferences: theme, language, and UI-state cookies (e.g., remembering that you chose the Pro plan or Safe Search is on).
- Analytics: first-party analytics to count usage and diagnose issues. We do not use third-party advertising cookies.
You can clear cookies from your browser settings; disabling strictly-necessary cookies will break the Service.
11. Children
Zyra.ai is not directed to children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
12. International data transfers
We operate in the United States and process personal information in the US and other countries where our service providers are located. When we transfer personal data from the EEA, UK, or Switzerland, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.
13. Changes to this policy
We'll update this policy from time to time. When we make material changes, we'll notify you by email or through the Service and update the "Last updated" date above. The current version always lives at /privacy.
14. Contact us
If you have questions about this policy, want to exercise your rights, or wish to reach our Data Protection Officer, contact us at:
- Email: privacy@zyra.ai
- Mail: Zyra.ai, Attn: Privacy, 1 Market Street, Suite 400, San Francisco, CA 94105, USA
- EU representative: available on request
For urgent security or abuse matters, email security@zyra.ai.