1. Overview
This Privacy Policy describes how Zaruko LLC ("Zaruko," "we," "us," or "our") collects, uses, stores, and discloses information through the Zelaros platform, including the website at zelaros.com and the application at app.zelaros.com (collectively, the "Service").
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect the information provided through Google OAuth authentication: your name, email address, and Google account identifier. We do not collect or store passwords.
2.2 Organization Information
When you create or join an organization on the Service, we collect the organization name, size range, and industry you provide during onboarding.
2.3 Provider Integration Data
When you connect an AI provider to the Service, we collect and store:
- Provider credentials (API keys, OAuth tokens) - encrypted at rest using AES-256-GCM
- Billing and usage metadata returned by the provider's billing API, including: token counts, request counts, cost in USD, model names, API key identifiers, workspace identifiers, date of usage, and seat assignment data for SaaS tools
We do not collect, access, or store the content of prompts, model outputs, documents, code, or any data that passes through your AI workflows. We access billing metadata only.
2.4 Usage Data
We collect information about how you use the Service, including pages visited, features used, actions taken, and session duration. This data is collected through PostHog and used for product analytics and improvement.
2.5 Communications
If you contact us by email or through a contact form, we retain the content of that communication and your contact information.
2.6 Technical Data
We collect standard technical data including IP address, browser type, operating system, referring URLs, and access timestamps. This data is collected automatically through Cloudflare and our application infrastructure.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Sync billing and usage data from connected providers and display it in your dashboard
- Send transactional emails including spend alerts, report exports, team invitations, and service notifications
- Respond to support requests and communications
- Detect and prevent fraud, abuse, and security incidents
- Analyze usage patterns to improve the Service
- Comply with legal obligations
We do not sell your personal information. We do not use your information to train AI or machine learning models. We do not use your provider billing data for any purpose other than providing the Service to you.
4. Legal Basis for Processing
We process your personal information on the following legal bases:
- Contract performance: Processing necessary to provide the Service you have subscribed to
- Legitimate interests: Analytics, security monitoring, and product improvement, where these interests do not override your rights
- Legal obligation: Compliance with applicable law
- Consent: Where you have provided explicit consent, which you may withdraw at any time
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
We share information only in the following circumstances:
5.1 Service Providers
We share information with third-party service providers who process data on our behalf to operate the Service. These providers are contractually bound to use your data only to provide services to us and are prohibited from using it for their own purposes. Current providers include:
- Railway - hosting and database infrastructure
- Cloudflare - CDN, DNS, and security
- SendGrid - transactional email delivery
- Stripe - payment processing
- PostHog - product analytics
- Cloudflare R2 - object storage for exported reports
5.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Zaruko LLC, our customers, or the public.
5.3 Business Transfers
If Zaruko LLC is involved in a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Billing and usage records (spend_records, seat_records) | 3 years |
| Alert history | 2 years |
| Audit logs | 7 years |
| Account and organization data | Duration of account plus 90 days after deletion |
| Exported report files | 90 days from generation |
| Background job logs | 6 months |
When you delete your account or request deletion, we soft-delete your data immediately and permanently delete it within 90 days, except where we are required to retain it for legal or compliance purposes (such as audit logs, which are retained for 7 years).
7. Security
We implement technical and organizational measures to protect your information against unauthorized access, loss, destruction, or alteration. These measures include AES-256-GCM encryption of all provider credentials at rest, TLS 1.2 or higher for all data in transit, access controls and role-based permissions, immutable audit logging, and regular automated security scanning.
No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security.
8. Your Rights
Depending on your location, you may have the following rights with respect to your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information, subject to our retention obligations
- Portability: Request a machine-readable export of your personal information
- Objection: Object to certain processing of your personal information
To exercise any of these rights, contact us at privacy@zelaros.com. We will respond within 30 days.
9. Cookies
The Service uses cookies and similar tracking technologies to maintain your session and collect usage analytics. We use:
- Strictly necessary cookies: Required for authentication and session management. Cannot be disabled.
- Analytics cookies: Used by PostHog to collect usage data. You may opt out by contacting us.
We do not use advertising cookies or third-party tracking for advertising purposes.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact us at privacy@zelaros.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
12. Contact
For privacy-related questions or to exercise your rights:
Zaruko LLC
Email: privacy@zelaros.com
For security-related issues: security@zelaros.com