This policy explains what data Zipper collects, how we use it, and your rights. Zipper ("we") is operated by SPW Inc.
Solely to provide and secure the Service: authenticating you, storing and showing the data you enter, generating AI-assisted drafts at your request, detecting abuse, and communicating about your account. We do not sell or rent personal information. We do not use your business data to train AI models.
We share data only with processors needed to run the Service:
We disclose data when legally required (subpoena, court order) or to protect rights and safety.
Each company's data is scoped by an owner_id column enforced on every read and write. Users in one company cannot see another company's customers, jobs, or files.
HTTPS everywhere (HSTS enforced). Passwords hashed with bcrypt (cost 12). Session tokens stored server-side; optional httpOnly cookie. CSP blocks untrusted scripts. AI spend is rate- and cost-capped per tenant. We cannot prevent all threats; see the Terms disclaimers.
You can export or delete your data at any time by emailing support@pzip.ai. If you're in the EU/UK/California, you have additional rights under GDPR/CCPA (access, correction, deletion, portability, opt-out of sale — we do not sell data).
We use a single session cookie (ztoken) for login state. No third-party tracking or advertising cookies.
Business data is retained while your account is active and for 90 days after account deletion (to allow recovery), then permanently deleted. Audit logs may be retained up to 12 months.
Zipper is not intended for users under 16. We do not knowingly collect data from children.
We'll post updates here. Material changes will be announced by email to account owners.