Privacy Policy for Zephior Sàrl

Effective Date: June 18, 2025

1. Introduction

Zephior Sàrl ("we," "our," or "us"), a Swiss corporation, provides a unique, agent-led service for creating proposals and other complex response documents. Our service combines a software platform, the "Agent Command Center," with specialized, AI-powered agents (the "Agents") that we deploy and manage on your behalf to complete specific "Projects".

This Privacy Policy explains in detail how we collect, process, and protect your data when you use our Service. It is designed to be transparent about our dual role as both a technology provider and a service operator, particularly regarding how and when our personnel interact with your data to ensure the successful delivery of our Service.

This policy applies to all aspects of the Service provided by Zephior.

2. Our Role in Processing Your Data

In the context of our service, our role regarding your data is twofold:

  • As a Data Processor: For all content and documents you provide for a Project (your "Client Data"), Zephior acts as a Data Processor. We process this data exclusively based on your instructions (i.e., the Project you assign to an Agent) and the terms of our Agreement. You, the Client, are the Data Controller for this data.
  • As a Data Controller: For the data necessary to manage our service and your account (such as user login information, billing details, and our own operational analytics) Zephior acts as a Data Controller.

3. Information We Process

3.1. Client Data (We act as Processor)

This is the core information our Agents process to complete a Project. This category includes:

  • Project-Related Documents: Any files you upload, including RFPs, RFIs, security questionnaires, tenders, source documents, past proposals, and templates.
  • Agent Instructions and Communications: Any text, prompts, clarifications, or feedback you provide to an Agent through the Agent Command Center.
  • Generated Output: The drafts and final proposals or documents created by the Agent.
  • Metadata: Information about your data, such as file names, timestamps, user authors, and version histories.

Crucially, we do not use your Client Data to train our own or any third-party AI models.

3.2. Service Administration Data (We act as Controller)

This is the data we need to operate the service itself. This includes:

  • User Account Information: Names, email addresses, user roles, and authentication credentials.
  • Billing Information: Details required for invoicing, such as company name, address, and payment history.
  • Usage and Engagement Data: Information about how you interact with the Agent Command Center, such as feature usage, login frequency, and performance metrics. This data is used to improve our Platform and service delivery.
  • Support Communications: Records of your interactions with our support team.

4. How and Why We Use Your Information

4.1. To Execute Your Projects

The primary use of your Client Data is to enable our Agents to perform the service you have requested. This includes:

  • Analyzing source documents to understand requirements.
  • Searching your provided knowledge base for relevant information.
  • Generating draft and final responses.
  • Incorporating your feedback to refine the Output.

4.2. Zephior Personnel Access and Human Oversight

To deliver a high-quality, reliable service, our personnel require a limited and controlled degree of access to the systems managing your Projects. We are transparent about this access, which operates under a strict two-tiered model:

  • A) Fleet Management View (Default Access):
    • Purpose: This is the standard operational view used by our engineering and support teams to monitor the overall health, performance, and cost of the Agent fleet without inspecting your sensitive content.
    • What we see: Aggregated data and metadata, such as Project status (e.g., "in progress," "completed"), AI model usage statistics, processing times, and error logs.
    • What we DON'T see: The actual content of your documents or communications. Access to your Client Data is strictly prohibited in this view.
  • B) Client-Granted Access (Explicit, Audited Access):
    • Purpose: In specific situations where an Agent requires direct intervention (for complex issue resolution, quality assurance checks, or to handle a task the AI cannot) you may grant temporary, explicit access to a named Zephior employee.
    • How it works: This access is granted by you directly through the Agent Command Center on a per-Project, per-user basis.
    • What we see: The authorized employee can view the specific Project's data to the extent necessary to resolve the issue.
    • Controls: All actions taken under Client-Granted Access are logged in an immutable audit trail that is fully visible to you. Access is time-bound and automatically revoked after a short period.

4.3. For Service Improvement and Security

We use Service Administration Data to:

  • Improve the performance, features, and usability of the Agent Command Center.
  • Monitor for security threats and protect the integrity of our service.
  • Provide client support and troubleshoot issues.

5. Data Security

We are committed to the security of your data and implement multi-layered security controls. These are detailed in our Terms of Service DPA but include:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Infrastructure: Hosted in ISO 27001 and SOC 2 certified data centers within Switzerland and the EU.
  • Access Control: Strict role-based access control (RBAC) for all internal systems, with multi-factor authentication (MFA) required for all personnel.
  • Auditing: Regular internal and third-party security audits and penetration testing.

6. Data Retention and Deletion

  • During Engagement: We retain your Client Data for the duration of your active Projects and for a limited period afterward to allow for follow-up and final delivery.
  • After Engagement: Following the completion of all Projects and settlement of final invoices, you may request the deletion of your data. We provide a 30-day grace period for you to export your final Output. After this period, we will securely and permanently delete your Client Data from our primary systems. Data may persist in encrypted, isolated backups for a limited time before being permanently destroyed.

7. Your Rights and Controls

You are the controller of your Client Data and have full rights over it under GDPR and FADP, including:

  • The Right to Access: You can access your data at any time through the Agent Command Center.
  • The Right to Portability: You can export your data and final Output.
  • The Right to Erasure: You can request the complete deletion of your account and all associated data upon conclusion of our business relationship.

8. Sub-processors

We use a limited number of trusted sub-processors to provide our service. These are vetted for their security and privacy practices and are bound by data processing agreements. Our primary sub-processors include:

  • Google Cloud Platform: For secure cloud hosting, AI model hosting, and infrastructure (Switzerland/EU).
  • MongoDB Atlas: For managed database services (Europe/EU).
  • Auth0 (by Okta): For identity and access management (Europe/EU).
  • Stripe, Inc.: For secure payment processing (Switzerland).
  • GitLab: For version control and CI/CD pipeline management (Europe/EU).
  • Resend: For transactional email services (Europe/EU).
  • Vercel: For edge computing and frontend hosting services (Europe/EU).
  • Upstash: For serverless Redis database services for rate limiting and caching (Europe/EU).
  • PostHog: For privacy-focused product analytics (Europe/EU). PostHog respects Do Not Track browser settings.
  • Hetzner Online GmbH: For cloud infrastructure and server hosting (Germany/EU).
  • Exoscale: For cloud infrastructure and server hosting (Switzerland).

We will notify you of any changes to our sub-processors and provide you with an opportunity to object.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice in the Agent Command Center.

10. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer:

Data Protection Officer
Mingyu Kim
Zephior Sàrl
Avenue d'Ouchy 4, 1006 Lausanne, Switzerland
Email: [email protected]