Privacy Policy

When you create an account, we collect your name, email address, and organization details necessary to provision your account and provide the service.

Zero-8 OS allows you to connect third-party email and calendar accounts, including Google Workspace (Gmail + Google Calendar) and Microsoft 365 (Outlook + Microsoft Calendar). When you authorize a connection, we access the following data solely to provide the features of the platform:

• Email (Gmail or Outlook): Message metadata (sender, subject, date) and message content for the purpose of generating your daily Morning and Afternoon Briefs, surfacing urgent communications, and drafting follow-up replies you review before sending. We do not store full raw message bodies beyond the processing window required to generate your brief.
• Calendar (Google Calendar or Microsoft Calendar): Event titles, times, attendees, locations, and descriptions for the purpose of populating your briefs and scheduling context. Event data is processed and displayed within the platform and is not retained beyond your active session except as needed to deliver the service.
• Business Management Platforms (PushPress, etc.): If you connect a business management platform, we may access customer/member data including names, email addresses, phone numbers, check-in records, attendance history, membership status, enrollment details, class schedules, and billing information. This data is accessed solely to provide operational intelligence features such as member health scoring, attendance trend analysis, retention alerts, and outreach draft generation. We process this data on your behalf as a data processor — you remain the data controller. We do not independently contact your customers or members.
• Other Providers: As we expand integrations to include additional email, calendar, CRM, or productivity providers, this policy will govern all such connections. The same access principles apply: we access only what is necessary to deliver the service features you have enabled.

We collect information about how you interact with the platform, including pages visited, features used, and actions taken. This data is used to improve the platform and troubleshoot issues.

We may collect your IP address, browser type, operating system, and other technical identifiers to maintain platform security and performance.

If you enable push notifications, your browser generates a push subscription endpoint (a URL issued by your browser's push service — Apple, Google, or Mozilla, depending on your device) along with encryption keys. We store these so we can deliver notifications to your device. You can revoke a push subscription at any time from the Notifications settings page or your browser's site settings.

We use Anthropic's Claude API to generate summaries, drafts, and other AI outputs. Under Anthropic's Commercial Terms of Service, data submitted through the Claude API is not used to train Anthropic's models. We do not use your data to train any first-party or third-party AI model, and we do not authorize any of our sub-processors to do so on our behalf.

In the event of a security breach that affects the confidentiality or integrity of your personal data, we will notify you by email within 72 hours of confirming the breach, to the extent consistent with applicable law. The notification will describe what data was affected, what we are doing in response, and what steps you can take to protect yourself.

We do not retain full raw email message bodies from Gmail or Outlook. However, to deliver the platform's features, we do persist the following derived data within your organization's isolated storage:

• Brief summaries: AI-generated summaries of your recent email and calendar activity, produced for each Morning and Afternoon Brief. These may paraphrase or quote message content and are retained for 30 days.
• AI-generated email drafts: Both the pre-approval draft and the final (edited) version you approved. Retained for 90 days for audit, debugging, and so you can reference what you sent.
• Lead and contact records: Metadata you explicitly save about leads, including name, email, company, stage, notes, and activity history. Retained for the life of your account.

You may request earlier deletion of any of the above at any time by contacting support.

When you connect a business management platform (such as PushPress), we access your customer/member data to generate operational intelligence. We handle this data as follows:

• Transient processing: Member check-in data, attendance records, and class schedules are pulled on-demand for brief generation and health scoring. We do not maintain a persistent copy of your full member database.
• Derived insights: AI-generated member health scores, retention alerts, and attendance summaries may be stored as part of your brief history (retained for 30 days) and pipeline contact records (retained for the life of your account).
• Outreach drafts: AI-generated retention messages and follow-ups drafted from member data require your explicit approval before sending. Draft content is retained for 90 days.
• API credentials: Your Business Platform API key is encrypted at rest using AES-256-GCM and is deleted immediately upon disconnection of the integration.

Disconnecting your Business Platform integration immediately stops all data access. You may request deletion of any derived data at any time.

We use the following sub-processors to deliver the Platform. Each has its own privacy and security commitments, and each has access only to the data necessary for its role.

• Supabase Inc. (US) — primary application database, authentication, and file storage. Holds your account, business profile, leads, and derived data described in Section 6.1.
• Vercel Inc. (US) — application hosting and serverless infrastructure. Processes requests and may temporarily cache non-sensitive data.
• Anthropic PBC (US) — Claude API for AI inference. Receives email content, calendar events, and business-profile context strictly to generate summaries and drafts; per Anthropic's Commercial Terms, this data is not used to train models.
• Resend Inc. (US) — transactional email delivery (sign-in magic links, welcome emails, receipts). Receives your email address and the contents of the outgoing message.
• Stripe, Inc. (US) — payment processing. Receives payment-card data directly from your browser via Stripe Checkout; we do not see or store full card numbers.
• Google LLC (US) — source of the Gmail and Google Calendar data that Google Workspace users authorize us to read, and the destination for emails approved for sending from a connected Gmail account.
• Microsoft Corporation (US) — source of the Outlook email and Microsoft Calendar data that Microsoft 365 users authorize us to read, and the destination for emails approved for sending from a connected Outlook account.
• PushPress Inc. (US) — business management platform for fitness businesses. When connected, provides member data, check-in records, class schedules, enrollment status, and messaging capabilities. Data is accessed via API on behalf of the account holder only.

We will update this list at least 30 days before adding a new sub-processor that has access to customer data. Existing customers may object to a new sub-processor by contacting support before the effective date.