Public beta · Updated 2026-05-11

Privacy Policy

What ZOYYA collects, why we collect it, and how we protect it. Plain language. Read the whole thing — it's short.

What we collect

  • Account. Email + hashed password (never plaintext). Used for sign-in, password reset, invites, and rare service announcements.
  • Run data. Objectives you submit, files you attach, the agent's plan / tool calls / observations / outputs, and metadata (timing, status, token usage).
  • Org & billing. Org name + members, plan tier, payment-provider invoice IDs. We never see card numbers.
  • Audit log. Mutations to secrets, schedules, webhooks, triggers, outcomes — recorded with actor, IP, and user-agent.
  • Diagnostics. Aggregated request-rate, error, and latency metrics. No request bodies are kept for analytics.

How we use it

To operate the service: route your objectives to LLM providers, run sandboxed tools, stream traces, enforce plan limits, deliver webhooks.

We do not sell your data and we do not train on it.

Third-party sharing

Objectives and intermediate tool outputs are sent to LLM providers you select. Webhook subscriptions deliver event payloads to URLs you configure. We do not share data with ad networks or data brokers.

Secrets handling

Credentials stored in the secrets vault are AES-256-GCM-encrypted at rest. Plaintext is decrypted only inside the workspace at run-time, and a redactor removes the values from logs before they are persisted.

Retention

Run data and artifacts persist until you delete them or delete your account. Audit log entries persist indefinitely for security investigation. Backups are retained for 30 days.

Your rights

You can export or delete any run, artifact, secret, or audit row from the in-app dashboards. Account deletion (Settings → Workspace → Danger zone) removes your personal data immediately, subject to backup retention above.

Contact

Questions about data handling? Email [email protected].

ZOYYA is a product of Efolusi.

See also: Terms of Service · Docs