Privacy Policy
This Privacy Policy explains how Zynlab ("Zynlab", "we", "us") collects, uses, and protects information in connection with the Zynlab website (zynlab.dev) and the Zynlab agentic chat & voice platform (together, the "Service").
1. Two roles: controller and processor
Zynlab plays two different roles depending on the data:
- As a controller — for data about our own account holders and website visitors (e.g. the email and business name you give us at signup), we decide how and why it is processed.
- As a processor — when a business (a "tenant") integrates Zynlab to serve its own customers, the conversations and knowledge that flow through their assistant are processed on that tenant's behalf and under their instructions. That tenant is the controller of their end-users' data; this policy covers our handling, but the tenant's own privacy notice governs their relationship with their customers.
2. Information we collect
| Category | Examples |
|---|---|
| Account data | Email, business name, hashed password, console role. |
| Usage & metering | Request counts, token/credit usage, feature usage, timestamps — used for quotas and billing. |
| Conversation content | Chat and voice transcripts processed to generate replies. Whether transcripts are retained is controlled per tenant (logging can be turned off). Voice audio is processed transiently to produce text and speech and is not stored as audio by default. |
| Knowledge content | Documents a tenant uploads to ground their assistant (their RAG knowledge base). |
| Technical data | IP address, request logs, approximate location, and browser/device information for security and reliability. |
| Anti-abuse | Cloudflare Turnstile signals at signup to distinguish humans from bots. |
We do not use third-party advertising or cross-site tracking cookies. The only browser storage we rely on is functional: a theme preference and, where you sign in, your session/authentication token.
3. How we use information
- To provide, operate, and secure the Service and generate assistant responses.
- To meter usage and administer quotas, plans, and billing.
- To prevent abuse, fraud, and security incidents, and to enforce our Terms.
- To provide support and send service communications (e.g. email verification).
- To maintain and improve reliability and quality of the Service.
We do not sell personal information, and we do not use tenant conversation content or knowledge bases to train foundation models.
4. Subprocessors and third parties
To deliver the Service we share limited data with the following providers:
| Provider | Purpose |
|---|---|
| Anthropic | Large-language-model inference (Claude) to generate responses. |
| OpenRouter | Fallback model routing when the primary model is unavailable. |
| Cloudflare | Content delivery, network tunnel, and Turnstile bot protection. |
| Email delivery | Sending transactional email (verification, notifications). |
Notably, text embeddings for knowledge search are computed on our own infrastructure — knowledge-base content is not sent to a third-party embedding service. A current list of subprocessors is available on request.
5. Data retention
Account data is retained while your account is active and for a reasonable period afterward to meet legal, accounting, and security obligations. Conversation transcripts are retained according to the controlling tenant's logging configuration and may be deleted on request, subject to legitimate retention needs (e.g. abuse investigation).
6. Security
We apply industry-standard safeguards, including encryption in transit, hashing of passwords and API keys at rest, least-privilege service accounts, and tenant isolation. No method of transmission or storage is perfectly secure, but we work to protect your data commensurate with its sensitivity.
7. International processing
Model inference and some processing may occur outside your country. Where required, we rely on appropriate safeguards for cross-border transfers.
8. Your rights
Depending on your location (including under the Philippine Data Privacy Act and the GDPR where applicable), you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise these rights, contact us at [email protected]. If you are an end-user of a tenant's assistant, please direct requests to that business; we will assist them as their processor.
9. Children
The Service is not directed to children under the age of 18 and we do not knowingly collect their personal data.
10. Changes
We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above and, where appropriate, by additional notice.
11. Contact
Questions about this policy or your data: [email protected]. Address: Cebu City, Philippines.