Privacy policy
This policy explains what we collect, how we use it, and the four commitments we make about your diagrams. We've tried to write it in plain language; the legal-grade detail follows below for procurement reviewers and counsel.
The four commitments, up front:
- We never look at your diagrams. Zindex employees and operators cannot read the contents of your scenes. Decryption only happens during your own authenticated requests, or when you explicitly opt a scene into our support visibility.
- We never train AI on your diagrams. We never send them to AI providers. Our rendering engine is deterministic code. There are no LLM subprocessors in our stack.
- You can share diagrams with us anonymously. When you want our help with a specific diagram, you can anonymize it first - labels, text, and identifiers are replaced with random characters that preserve the visual structure but remove every identifier. You see exactly what we will see, before you submit.
- Deletion is final and atomic. When you delete your account or a scene, the data is gone from our primary database immediately. Backup snapshots age out within 30 days. There is no recovery from our side.
1. What we collect
- Account data. Email address and a hash of your password. We never store your plaintext password.
- Workspace data. Workspace name, plan tier, billing state, and Stripe customer reference (if you've subscribed to a paid plan).
- Scene content. The diagrams you create - nodes, edges, labels, layout, styles, and revision history. Scene content is encrypted at rest and accessible only to your authenticated requests.
- Operational telemetry. For each request to our API: timestamp, route, status code, owner identifier, and a truncated user-agent. For each render: format, theme, diagram family, element count, diagnostic codes, and the source surface (playground, MCP, etc.). We do not log request bodies, response bodies, or scene content in operational telemetry.
- Audit log. Account creation, deletion, plan changes, and scene-decryption events. Retained for 7 years for security and compliance.
2. How we use it
We use your data to provide the service - storing your diagrams, rendering them on request, validating your operations, and managing your subscription. Operational telemetry feeds engine improvements (which diagnostic codes fire most often, which diagram families need better defaults). Scene content is not used for anything other than serving your authenticated requests.
We do not sell your data. We do not share it with advertisers. We do not use it to train AI models, and we do not send it to third-party AI providers.
3. Who we share it with
We use a small set of subprocessors to run the service. The full list is in Appendix A; the summary:
- Neon - Postgres database hosting. Scene content arrives encrypted; Neon never sees plaintext.
- Fly.io - API hosting.
- Cloudflare Pages - website + agent front-door hosting.
- Stripe - payment processing for paid plans.
- Resend - transactional email delivery (verification codes, account-deletion confirmations, support replies).
No AI / LLM subprocessors. Our subprocessor list does not include OpenAI, Anthropic, Google, or any other large-language-model vendor. The agent that uses Zindex (Claude Code, Cursor, etc.) is your own LLM session - Zindex never sees it.
4. Your rights
Under GDPR (if you're in the EU/UK) and CCPA (if you're in California), you have the following rights. They apply to every Zindex user regardless of residence; the legal frameworks just give them more teeth in some jurisdictions.
- Access. Request a copy of the personal data we hold about you. Email support@zindex.ai.
- Correction. Update inaccurate data via your account settings, or by emailing support.
- Deletion. Delete your account from Settings → Account. See §7 for the full mechanics.
- Portability. Export your scenes via the public API. Every scene is a JSON document you fully control.
- Objection / restriction. Tell us not to process your data for a specific purpose, or to restrict processing pending a complaint.
- Complaint. Lodge a complaint with your local data-protection authority. We hope you'll talk to us first - support@zindex.ai.
- Non-discrimination. We will not retaliate against you for exercising any of these rights.
5. Internal access
Zindex employees and operators cannot read the contents of your scenes. Scene content is encrypted at rest with a key held outside the database. Our admin tooling (used by Zindex staff for billing, account management, and platform operations) surfaces metadata only - workspace name, plan, scene count, last-modified timestamp - and never decrypts scene data.
The only paths that decrypt your scene content are:
- Your own authenticated requests (your dashboard session, your API key, your MCP client).
- The support-visibility flow: when you explicitly opt a specific scene into support visibility (typically to ask us to look at a rendering issue), Zindex support admins gain read-only access to that one scene until you withdraw it.
Every decryption event - customer-initiated or support-flow initiated - is recorded in an internal audit log. The log supports our forensics and operational review; it does not surface in a customer-facing dashboard. Independent attestation of our access controls comes from our third-party security audits (available to Enterprise customers on request) rather than from self-reported in-app UI.
6. AI / training
Zindex does not use customer scene content to train models. We do not send customer scene content to third-party language model providers. There is no opt-out flag because there is no AI in our processing pipeline.
A note on customer-engaged LLMs. The question worth getting ahead of: many of you use Zindex through a coding agent (Claude Code, Cursor, ChatGPT) that runs on top of a large language model. The agent's LLM is your sub-processor (or simply your tool of choice) - not ours. The data flow is your LLM session → your agent → Zindex's API: we receive the resulting API call but have no relationship with the LLM. The LLM's handling of your data is governed by your contract with the LLM provider (Anthropic, OpenAI, etc.), not by us. The same model applies to any IDE, editor, or automation layer you choose to pipe in front of the Zindex API.
Concretely, on the Zindex side:
- Our rendering engine is deterministic code (planner → layout engine → SVG renderer). No LLM is involved in render, validate, normalize, diff, or any persistence path.
- Our subprocessor list (Appendix A) names no AI / LLM providers - and never has.
- The MCP server is a thin adapter to our HTTP API. We never originate an LLM call.
This commitment has no exceptions, no enterprise-only carve-outs, and no "by default" qualifier.
7. Account deletion
The "Delete account" button in Settings triggers a two-step flow: type the workspace name to confirm, then click the link in a confirmation email. The two steps protect against accidental deletion and against a compromised session triggering deletion on your behalf.
When you click the confirmation link, the following are removed in one transaction:
- Your user record (email is freed for re-signup immediately)
- Every API key you've issued (existing keys stop working at the next request)
- Every scene you've created, with all revisions
- Your workspace record
- Operational telemetry that references you (render events, request logs, plan-change history)
- Your Stripe customer record (subscription canceled in the same flow)
Backup snapshots containing the data age out within 30 days per our storage provider's retention window. After that, no copy exists on our side.
Two things are retained:
- The deletion audit log - kept for 7 years for compliance. The log records that an account was deleted; it does not include account contents.
- Stripe billing records - retained per Stripe's privacy policy and applicable tax law (typically 7 years), governed by your relationship with Stripe rather than us.
There is no recovery on our side. Support cannot restore a deleted account; if you change your mind after confirming, the account is gone.
8. Sub-processors
See Appendix A for the full sub-processor list with role, region, and the data each one receives. Material changes to the sub-processor list are announced with at least 15 days' notice via support@zindex.ai; if you would like advance notice, email us and we'll add you to the notification list.
9. Contact
For privacy questions, data-subject requests, or to report a privacy concern, email support@zindex.ai. We respond within 5 working days; statutory rights (GDPR access / deletion requests) are handled within the regulatory deadline (30 days under GDPR Article 12).
Appendix A — Data Processing Addendum
This appendix is the Data Processing Addendum (DPA) that governs Zindex's processing of personal data on your behalf. For Enterprise customers, a counter-signed bilateral DPA is available on request.
A.1 Roles
For the personal data you submit to Zindex (scene content, workspace metadata, account information), you are the controller and Zindex is the processor. You determine the purposes and means of processing; we process on your documented instructions.
A.2 Sub-processors
The current sub-processor list:
| Sub-processor | Role | Region | Data received |
|---|---|---|---|
| Neon | Postgres database | US (AWS us-east-1) | Account, workspace, encrypted scene content, audit logs |
| Fly.io | API hosting | US (iad — Ashburn, Virginia) | Request routing; scene plaintext only in-memory at request time |
| Cloudflare | Website + agent-front-door hosting | Global edge | Public website traffic; no scene content |
| Stripe | Payment processing | US | Billing email, payment method, subscription state |
| Resend | Transactional email delivery | US | Recipient email, message body (account verification, deletion confirmation, support correspondence) |
Material additions to this list are announced with at least 15 days' advance notice. We do not currently use any AI / LLM sub-processors; if that ever changes, the announcement will include the proposed provider, the data they would receive, and your right to object.
A.3 Security commitments
- Encryption in transit. TLS 1.2 or higher for every HTTP and database connection.
- Encryption at rest. Scene content (in the `scenes`, `scene_revisions`, and `render_events` tables) is encrypted with AES-256 before being written to the database. The encryption key is stored outside the database in our deployment platform's secrets store. A database compromise alone does not expose scene contents.
- Access controls. Production database access requires SSO + audit-logged credentials. Admin tooling never decrypts scene content.
- Audit logging. Every decryption event is recorded with timestamp, scene id, workspace id, actor type, and (for support-flow access) the support ticket reference.
A.4 Personal-data breach notification
If we become aware of a personal-data breach affecting your data, we will notify you without undue delay - within 72 hours of confirming the breach. Notification will include what we know about the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
A.5 Audit rights
Enterprise customers may request a copy of our most recent independent security audit (when available) under NDA. For controllers requiring on-site or remote inspection, contact support@zindex.ai to arrange access scoped to legitimate audit purposes.
A.6 International transfers
Zindex processes personal data in the United States. For controllers in the EU, UK, or Switzerland, transfers are governed by the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, incorporated by reference into this DPA.
A.7 Term and termination
This DPA is effective as long as Zindex processes personal data on your behalf. On termination of your account, we delete the personal data we hold about you per Section 7 of the privacy policy above.