Privacy Policy

We collect information you provide directly: your name and email when creating an account, payment information processed securely through Stripe or PayPal (we never store raw card data), and any content you compress via the API or Playground. We also collect usage data automatically: API call counts, token volumes, error rates, and request timing. This is used to enforce quotas, power analytics, and improve the service.

Your data is used to: provide and improve the ziptoken service, process billing, enforce usage limits, send transactional emails (receipts, password resets), and detect abuse. We do NOT use your prompt content to train AI models. Prompt text is processed in memory and discarded immediately after compression.

Account data is retained while your account is active. Usage logs (API call counts, token volumes) are retained for 90 days for billing and abuse detection. Prompt content is never persisted to disk. You can request deletion of your account and all associated data at any time by contacting privacy@ziptoken.ai.

We share your data only with: payment processors (Stripe, PayPal, Paddle) for billing; infrastructure providers (MongoDB Atlas for data storage, Upstash for caching, Vercel for hosting); and analytics providers under strict data processing agreements. We never sell your data. We never share prompt content with third parties.

We use TLS 1.3 for all data in transit, AES-256 encryption for data at rest, bcrypt hashing for passwords, and short-lived JWT tokens for authentication. We follow OWASP security practices and conduct regular security reviews.

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data; object to processing; and request data portability. To exercise these rights, contact privacy@ziptoken.ai. EU/EEA residents: ziptoken complies with GDPR. Our data processing is based on contractual necessity and legitimate interests.

We use strictly necessary cookies only: a session cookie for authentication (HttpOnly, Secure) and a CSRF protection token. We do not use advertising or tracking cookies.

We may update this policy occasionally. Significant changes will be communicated by email to registered users. Continued use of the service after changes constitutes acceptance.