Privacy Policy
1. Who this applies to
This Privacy Policy applies to visitors of our website and customers of the Zur-lix service operated by Zur-lix ("we", "us", "our"). You can reach us at [email protected].
The Service is currently offered only to United States persons located in the United States, per our Terms of Service. This Policy is written with that scope in mind and does not establish a representative under the EU GDPR, UK GDPR, or any other extraterritorial privacy regime.
2. What we collect
Account data
When you create an account we collect your name, email address, organization name (if provided), and authentication identifiers (e.g. hashed password or OAuth identity). If you subscribe to a paid plan, our payment processor (Stripe) collects billing information on our behalf, including your billing address; we receive limited metadata such as plan, amount, billing address country, and the last four digits of the card.
We also record the timestamp and IP address at which you accept our Terms of Service and Privacy Policy at signup, as evidence of that acceptance.
API request metadata
For every request routed through the proxy we record: timestamp, API key identifier, model, upstream provider, input and output token counts, latency, HTTP status, computed cost, and the originating IP address (used for rate limiting and abuse detection — stored as an HMAC fingerprint in Redis rather than as the raw address). This metadata is used for billing, abuse detection, and rate-limit enforcement.
Prompt and completion content
We do not persist the bodies of your prompts or the completions returned by upstream providers. Prompts are compressed in memory and forwarded; completions are streamed back to you and discarded after delivery.
Website analytics
Our public marketing pages may use a privacy-conscious analytics provider that collects aggregate, non-identifying information such as page views, referrer, country, and device class. We do not deploy advertising trackers.
3. How we use data
- To provide, operate, and maintain the Service.
- To bill you and reconcile metered usage against provider costs.
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To communicate with you about your account, billing, and material Service changes.
- To comply with legal obligations.
We do not use customer prompts, completions, or account data to train machine learning models.
4. How we share data
We share data only with:
- Upstream model providers — the body of each request is forwarded to the provider you route to. The current upstream providers are OpenAI and Anthropic. Their use of forwarded request and response data is governed by their own terms.
- Service providers (subprocessors) acting on our behalf — see the current list immediately below.
- Legal or safety requirements — when required by law, subpoena, or to protect rights, property, or safety.
- Corporate transactions — in connection with a merger, acquisition, or sale of assets, with continued protection of your data.
We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
Current subprocessors
The following vendors process Service data on our behalf. All are based in, and process data within, the United States.
| Subprocessor | Purpose | Data category |
|---|---|---|
| Railway | Application hosting, PostgreSQL, Redis | All Service data |
| Stripe | Payment processing, metered billing | Billing address, card last-4, subscription state, ToS acceptance audit |
| Cloudflare | CDN and DDoS protection for the marketing site | IP address, request path, user agent (marketing site only) |
| Sentry | Error monitoring | Stack traces with header allowlist and regex redaction; no request bodies |
| GitHub | Source control and CI | Source code and build artifacts (no customer data) |
| OpenAI | Upstream LLM provider, used only when you route to OpenAI | Forwarded request body, returned completion |
| Anthropic | Upstream LLM provider, used only when you route to Anthropic | Forwarded request body, returned completion |
| Twilio SendGrid | Transactional email (signup notifications, beta inquiries, operational alerts) | Email address, account identifiers, operational email content |
We will update this list when we add, change, or remove a subprocessor and will notify the account owner by email at least 14 days before a new subprocessor begins to process your data.
5. Data retention
Metering records are retained for the duration of your subscription plus a rolling period needed for reconciliation and dispute resolution (typically 13 months). Account records are retained for up to 90 days after account deletion unless longer retention is legally required.
Terms of Service and Privacy Policy acceptance records (the timestamp and IP address at which you accepted these documents at signup) are retained for the duration of your account plus six years. This period is set conservatively to cover applicable statutes of limitations for contract claims across U.S. jurisdictions (Delaware’s general contract limitations period is three years; other states’ periods run up to six years or longer).
6. Security
We use TLS in transit, encryption at rest for persistent stores, role-based access controls, and audit logging. No system is perfectly secure; if you believe your account has been compromised, contact [email protected] immediately.
7. Where your data is processed
The Service is operated in the United States. All Service data — including account records, API request metadata, billing records, and ToS acceptance audit records — is processed and stored in the United States by Zur-lix and the subprocessors listed in Section 4.
The Service is offered only to United States persons located in the United States, per our Terms of Service. We do not currently offer EU, UK, Swiss, Canadian, or other international data residency, and we do not market or knowingly accept users from outside the United States. If you signed up from outside the United States, your account is in breach of the Terms and will be terminated without refund upon discovery.
8. Your rights
You have the right to access, correct, delete, or port the personal data we hold about you. To exercise any of these rights, email [email protected] from the address on your account. We will respond within 45 days.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal data we collect, the right to delete it, the right to correct inaccuracies, and the right to opt out of the sale or sharing of your personal data. As stated above, we do not sell or share personal data as those terms are defined under the CCPA.
You may designate an authorized agent to make a request on your behalf. We will verify the agent's authorization before processing the request.
Because we do not market the Service outside the United States and do not process personal data of EU, UK, or other foreign data subjects in the ordinary course, this Policy does not provide GDPR-style rights such as a right to object to processing or to lodge a complaint with a national supervisory authority.
9. Children
The Service is not directed to children under 13 (or under 16 in the EEA/UK) and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.
10. Cookies
We use essential cookies required to keep you logged in and to secure your session. We may use a small number of analytics cookies to understand aggregate usage of our marketing pages. We do not use advertising cookies.
11. Changes to this policy
We may update this policy to reflect changes to the Service or to applicable law. Material changes will be notified by email to the account owner at least 14 days before they take effect.
12. Contact
Privacy questions and rights requests: [email protected].