Privacy Policy

Last updated: June 29, 2026 · Effective on first access.

This policy explains what we collect when you use Zur-lix, how we use it, and how we keep it safe. We do not use your prompt or completion content to train models, and we do not sell your data. The Service is currently offered only to United States persons located in the United States — see Section 7 for where your data is processed.

1. Who this applies to

This Privacy Policy applies to visitors of our website and customers of the Zur-lix service operated by Zur-lix ("we", "us", "our"). You can reach us at [email protected].

The Service is currently offered only to United States persons located in the United States, per our Terms of Service. This Policy is written with that scope in mind and does not establish a representative under the EU GDPR, UK GDPR, or any other extraterritorial privacy regime.

2. What we collect

Account data

When you create an account we collect your name, email address, organization name (if provided), and authentication identifiers (e.g. hashed password or OAuth identity). If you subscribe to a paid plan, our payment processor (Stripe) collects billing information on our behalf, including your billing address; we receive limited metadata such as plan, amount, billing address country, and the last four digits of the card.

We also record the timestamp and IP address at which you accept our Terms of Service and Privacy Policy at signup, as evidence of that acceptance.

API request metadata

For every request routed through the proxy we record: timestamp, API key identifier, model, upstream provider, input and output token counts, latency, HTTP status, computed cost, and the originating IP address (used for rate limiting and abuse detection — stored as an HMAC fingerprint in Redis rather than as the raw address). This metadata is used for billing, abuse detection, and rate-limit enforcement.

Prompt and completion content

We do not persist the bodies of your prompts or the completions returned by upstream providers. Prompts are compressed in memory and forwarded; completions are streamed back to you and discarded after delivery.

Website analytics

Our public marketing pages may use a privacy-conscious analytics provider that collects aggregate, non-identifying information such as page views, referrer, country, and device class. We do not deploy advertising trackers.

3. How we use data

We do not use customer prompts, completions, or account data to train machine learning models.

4. How we share data

We share data only with:

We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

Current subprocessors

The following vendors process Service data on our behalf. All are based in, and process data within, the United States.

Subprocessor Purpose Data category
RailwayApplication hosting, PostgreSQL, RedisAll Service data
StripePayment processing, metered billingBilling address, card last-4, subscription state, ToS acceptance audit
CloudflareCDN and DDoS protection for the marketing siteIP address, request path, user agent (marketing site only)
SentryError monitoringStack traces with header allowlist and regex redaction; no request bodies
GitHubSource control and CISource code and build artifacts (no customer data)
OpenAIUpstream LLM provider, used only when you route to OpenAIForwarded request body, returned completion
AnthropicUpstream LLM provider, used only when you route to AnthropicForwarded request body, returned completion
Twilio SendGridTransactional email (signup notifications, beta inquiries, operational alerts)Email address, account identifiers, operational email content

We will update this list when we add, change, or remove a subprocessor and will notify the account owner by email at least 14 days before a new subprocessor begins to process your data.

5. Data retention

Metering records are retained for the duration of your subscription plus a rolling period needed for reconciliation and dispute resolution (typically 13 months). Account records are retained for up to 90 days after account deletion unless longer retention is legally required.

Terms of Service and Privacy Policy acceptance records (the timestamp and IP address at which you accepted these documents at signup) are retained for the duration of your account plus six years. This period is set conservatively to cover applicable statutes of limitations for contract claims across U.S. jurisdictions (Delaware’s general contract limitations period is three years; other states’ periods run up to six years or longer).

6. Security

We use TLS in transit, encryption at rest for persistent stores, role-based access controls, and audit logging. No system is perfectly secure; if you believe your account has been compromised, contact [email protected] immediately.

7. Where your data is processed

The Service is operated in the United States. All Service data — including account records, API request metadata, billing records, and ToS acceptance audit records — is processed and stored in the United States by Zur-lix and the subprocessors listed in Section 4.

The Service is offered only to United States persons located in the United States, per our Terms of Service. We do not currently offer EU, UK, Swiss, Canadian, or other international data residency, and we do not market or knowingly accept users from outside the United States. If you signed up from outside the United States, your account is in breach of the Terms and will be terminated without refund upon discovery.

8. Your rights

You have the right to access, correct, delete, or port the personal data we hold about you. To exercise any of these rights, email [email protected] from the address on your account. We will respond within 45 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal data we collect, the right to delete it, the right to correct inaccuracies, and the right to opt out of the sale or sharing of your personal data. As stated above, we do not sell or share personal data as those terms are defined under the CCPA.

You may designate an authorized agent to make a request on your behalf. We will verify the agent's authorization before processing the request.

Because we do not market the Service outside the United States and do not process personal data of EU, UK, or other foreign data subjects in the ordinary course, this Policy does not provide GDPR-style rights such as a right to object to processing or to lodge a complaint with a national supervisory authority.

9. Children

The Service is not directed to children under 13 (or under 16 in the EEA/UK) and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.

10. Cookies

We use essential cookies required to keep you logged in and to secure your session. We may use a small number of analytics cookies to understand aggregate usage of our marketing pages. We do not use advertising cookies.

11. Changes to this policy

We may update this policy to reflect changes to the Service or to applicable law. Material changes will be notified by email to the account owner at least 14 days before they take effect.

12. Contact

Privacy questions and rights requests: [email protected].