Privacy

Your data, treated like research data.

We collect the minimum needed to run your studies, isolate it to your workspace, and never use customer prompts or outputs to train shared models. Hosted in the US. CCPA/CPRA aligned.

In review · Last updated May 2026 · legal@zippypays.com
This page summarizes our current privacy posture during private beta. The formal Privacy Policy is in legal review and available on request. We'll send the signed PDF within one business day.

What we collect

Account data: the name, work email, and company you provide on sign-up. Used to authenticate you and contact you about your account.

Study inputs: the briefs, stimuli, audience definitions, and any uploaded customer data you bring to a study. Scoped to your workspace.

Study outputs: the populations, transcripts, surveys, and reasoning chains Zippy produces for you. Yours to keep, export, and delete.

Operational telemetry: aggregated, non-identifying usage signals (page views, error rates, feature usage) used to improve product reliability.

What we don't do

We do not use your prompts, populations, or outputs to train any shared model. Yours or anyone else's.

We do not sell, rent, or share your data with third-party advertisers. We have no advertising business.

We do not allow other Zippy customers to read, query, or otherwise access content that lives in your workspace.

Where data lives

Customer data is encrypted at rest (AES-256) and in transit (TLS 1.3). All hosting and processing happens in the United States; customer data does not leave US soil. Specific region details available on request.

We use leading US-based model providers (OpenAI, Anthropic) under strict no-training agreements. Customer prompts and outputs do not enter shared training pipelines.

How long we keep it

Studies, populations, and transcripts persist in your workspace until you delete them or close your account. Deletion is hard-deletion within 30 days, including from backups.

Operational telemetry is retained for 13 months in identifiable form, then aggregated indefinitely.

Your rights

Access, correction, deletion, export, and objection requests are honored within 30 days. Email privacy@zippypays.com with the request and we'll confirm receipt the same business day.

California residents have additional rights under CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. Other US state privacy laws (Colorado, Connecticut, Virginia, Utah) are honored where they apply.

Subprocessors

We use a small set of subprocessors for hosting (AWS), model inference (OpenAI, Anthropic), error monitoring (Sentry), product analytics (PostHog, self-hosted), and email (Resend).

The current list, including processing scope and region, is available on request and updated when subprocessors change.

Changes to this page

When the formal Privacy Policy supersedes this summary, customers will be notified by email at least 30 days before the new policy takes effect.

Need the formal document?

We'll send the latest signed PDF on request.

Procurement, security, or legal review? Email the team and we'll respond within one business day.