1.What we collect
We collect the minimum needed to operate Zavi for you:
- Account information. Email, name, and optional company name when you sign up.
- Authentication identifiers. OAuth subject IDs from GitHub or Google when you choose those sign-in methods. We do not receive your password.
- Connector data. When you connect Slack, GitHub, or another integration, we receive the data those connectors are scoped to read. We store OAuth tokens in Supabase Vault and never expose them to the client browser.
- Usage telemetry. Public funnel page views, whitelisted product events, agent run IDs, run latency, and cost. We do NOT capture raw model inputs, raw model outputs, prompts, or any user content in our telemetry pipeline. Internal agent telemetry is whitelisted to
{ tool_name, ms, code, iter }. - Cookies. First-party session cookies set by Supabase Auth and first-party analytics storage used by PostHog when analytics is enabled. We do not use advertising cookies.
2.Why we collect it
We use the data above to (a) operate the Service, (b) generate agent outputs you requested, (c) keep you signed in, (d) bill you if you are on a paid plan, and (e) communicate service-related notices. We do not sell your data and we do not use it to train any foundation model.
4.Where your data lives
All production data is hosted in AWS us-west-1 (Northern California). Data is encrypted at rest by Supabase and AWS, and encrypted in transit over TLS 1.2+. We do not offer EU residency at this time; if that's a requirement for you, contact us.
5.How long we keep it
We retain account data for as long as your account is active. If you delete your account, we delete account data within 30 days, except where we are required to keep specific records by law (for example, tax-related billing records for up to 7 years). Agent run telemetry is retained for 12 months and then deleted on a rolling basis.
6.Your rights
Depending on your jurisdiction, you may have the right to access, correct, port, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any right, email support@zaviagent.com. We will respond within 30 days. If you are in California, you can read more about your rights under the CCPA in Section 10 below. If you are in the EU/UK, your GDPR rights are described in Section 11.
7.Children
Zavi is a B2B service not intended for use by children under 13 (or 16 where local law sets a higher threshold). We do not knowingly collect data from children. If we learn that we have collected such data, we will delete it promptly.
8.Security
We follow defense-in-depth practices: per-tenant row-level security in Postgres, Vault-stored OAuth tokens, no service-role credentials in the browser bundle (CI enforced), and prod secrets in AWS Secrets Manager with least-privilege IAM. For more, see our Security page. If you believe you've found a vulnerability, please report it to support@zaviagent.com.
9.International transfers
If you access the Service from outside the United States, you understand that your data will be processed in the United States. When we transfer personal data from the EU/UK to the U.S., we rely on Standard Contractual Clauses with our sub-processors.
10.California (CCPA / CPRA)
California residents have the right to know what categories of personal information we collect, the categories of sources, the business purposes, and the categories of third parties with whom we share it. All of that is described in Sections 1–3 above. You can request access, deletion, or correction by emailing support@zaviagent.com. We do not sell personal information or share it for cross-context behavioral advertising.
11.EU / UK (GDPR)
If you are in the EU or UK, your lawful bases for processing are: (a) performance of a contract (to operate the Service), (b) legitimate interests (to improve and secure the Service), and (c) consent where we explicitly ask for it (e.g., marketing emails). You have the right to lodge a complaint with your local supervisory authority.
12.Google Ads data
If you connect your Google Ads account, the Zavi Ads Manager agent uses the Google Ads API on your behalf. We read campaign structure and performance data (campaigns, ad groups, ads, keywords, budgets, and metrics such as impressions, clicks, conversions, and cost) to generate recommendations. We write changes back to Google Ads — budget shifts, campaign status, ad updates — only after you explicitly approve the specific change. Google Ads data is stored in AWS us-west-1, encrypted at rest and in transit; Google OAuth tokens are held in Supabase Vault and never exposed to the browser. We use this data solely to operate the Ads Manager for you, we do not sell or share it beyond the sub-processors above, and we do not use it to train any foundation model. Our use of Google data complies with the Google API Services User Data Policy, including its Limited Use requirements. Disconnecting the integration revokes our access immediately. Full detail: Zavi & the Google Ads API.
13.Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice at least 14 days before they take effect.
14.Contact
Zavi · San Francisco, California · Contact support@zaviagent.com.
