Privacy Policy

Last updated: April 11, 2026

Zipilot (“we,” “us,” or “our”) operates the Zipilot platform, available at zipilot.com and app.zipilot.com. This policy explains what data we collect, how we use it, and your rights.

1. Who We Are

Zipilot is operated by Zipilot LLC, a company registered in the United States. If you have questions, contact us at privacy@zipilot.com.

2. What We Collect

Account data. Name, email address, company name, country, and password (hashed) when you sign up.

Business knowledge data. Services, pricing, policies, documents, and other business information you upload or enter during onboarding. This data is private to your account and is never shared with other accounts or used to train shared AI models.

Customer conversation data. Messages exchanged between your AI assistant and your customers across connected channels (webchat, WhatsApp, SMS). This data belongs to you and is stored on your behalf.

Usage data. Pages visited, features used, API call counts, and error logs. We use this to operate and improve the platform.

Payment data. We use Stripe to process payments. We do not store credit card numbers. Stripe’s privacy policy governs payment data.

3. How We Use Your Data

We do not sell your data. We do not use your business knowledge data or your customers’ conversation data to train shared AI models.

4. How We Store and Protect Your Data

All data is stored on Amazon Web Services (AWS) infrastructure in encrypted form (AES-256 at rest, TLS in transit). Access is controlled by role-based permissions. We maintain an append-only audit log of all data access and modifications.

Each customer account is fully isolated. Your data is not accessible to other accounts on the platform.

5. HIPAA

HIPAA-compliant data handling, including a Business Associate Agreement (BAA), is available on the Enterprise plan. If you are a healthcare business and require HIPAA coverage, contact us at privacy@zipilot.com before processing any protected health information on the platform.

Zipilot is a tool — HIPAA compliance is a shared responsibility between us and your organization.

6. Security

Zipilot is built to SOC 2 standards. Our infrastructure and processes are designed to meet the SOC 2 Trust Service Criteria for security, availability, and confidentiality. Formal certification is in progress.

Key controls include: encryption at rest (AES-256) and in transit (TLS), role-based access control, append-only audit logging, tenant data isolation, and automated backups with object lock.

7. Third-Party Services

We use the following third-party services to operate the platform:

These services are governed by their own privacy policies. We choose providers with strong data protection practices.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, we initiate a cascading deletion of all associated data including business knowledge, conversation history, and user records. Backups are retained for up to 90 days after deletion.

9. Your Rights

You may request access to, correction of, or deletion of your personal data at any time.

If you are located in California, you have rights under the CCPA, including the right to know what data we collect, the right to delete it, and the right to opt out of sale (we do not sell data). To exercise these rights, contact us at privacy@zipilot.com. We will respond within 30 days.

10. Cookies

We use only functional cookies required to keep you logged in and remember your preferences. We do not use advertising or tracking cookies.

11. Children

Zipilot is a business platform. We do not knowingly collect data from individuals under 18.

12. Changes to This Policy

We may update this policy as the platform evolves. We will notify account holders by email of material changes. The “Last updated” date at the top of this page reflects the current version.

13. Contact

Questions about this policy or your data: privacy@zipilot.com

Zipilot LLC · zipilot.com