Privacy Policy
Last updated: April 13, 2026
Introduction
Welcome to Zosma AI ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard your information when you visit our website at zosma.ai or use any of our services.
Products & Services Covered
This policy applies to all Zosma AI products and services:
- ZoAH (Zosma Agentic Harness) — our AI-powered business intelligence agent that connects to your databases and SaaS tools, answers questions in plain English, and delivers reports via WhatsApp and other channels.
- OpenZosma — our open-source platform for deploying hierarchical AI agents across organizations, licensed under Apache 2.0.
- zosma.ai website — our marketing website, contact forms, scheduling tools, and related web properties.
Data We Collect
We may collect, use, store, and transfer the following categories of personal data:
- Identity Data — name, username, job title, or similar identifiers you provide through our forms.
- Contact Data — email address, phone number, WhatsApp number, and organization name.
- Technical Data — IP address, browser type and version, device information, operating system, and time zone.
- Usage Data — information about how you use our website and services, including pages visited, features used, and interaction patterns.
- Communication Preferences — your consent choices and preferences for receiving communications from us, including records of when and how consent was given.
- Query Data — when using ZoAH, the questions you ask, the SQL queries generated, and result summaries. This data is used to process your requests and improve service quality.
How We Collect Data
We collect data through the following methods:
- Forms — when you submit our contact form, free trial signup, or any other form on our website, we collect the information you provide, including your consent to be contacted.
- Cookies — we use essential cookies to ensure our website functions properly. See the "Cookies & Tracking" section below for details.
- Google reCAPTCHA v3 — we use Google's reCAPTCHA service to protect our forms from spam and abuse. reCAPTCHA may collect hardware and software information (such as device and application data) and send it to Google for analysis. This is governed by Google's Privacy Policy.
- Anti-Spam Measures — we use honeypot fields, timestamp validation, and IP-based rate limiting to prevent automated abuse of our forms. IP addresses collected for rate limiting are not stored permanently.
- Scheduling Tools — when you book a meeting through our Cal.com integration, your data is processed by Cal.com under their own privacy policy.
How We Use Your Data
We use your personal data only when the law allows us to. Most commonly, we use your data to:
- Provide, operate, and maintain our services, including ZoAH and OpenZosma.
- Process your free trial requests and set up your account.
- Communicate with you via email, phone, or WhatsApp regarding your inquiry, trial, or service — only when you have given explicit consent through our forms.
- Send you service-related updates, security alerts, and support messages.
- Improve and personalize your experience with our products.
- Detect, prevent, and address security issues, fraud, and technical problems.
- Comply with legal and regulatory obligations.
Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent — when you explicitly agree to be contacted via email, phone, or WhatsApp by checking the consent checkbox on our forms. You can withdraw this consent at any time.
- Contractual Necessity — when processing is necessary to perform a contract with you, such as providing access to ZoAH during your free trial.
- Legitimate Interest — when processing is necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, provided these interests do not override your rights.
Communication Channels
When you provide your contact details and check the consent box on our forms, you agree to be contacted through the following channels:
- Email — for trial setup, service updates, and responses to your inquiries.
- Phone — for trial setup, onboarding calls, and support.
- WhatsApp — for trial setup, delivering reports (in the case of ZoAH), and ongoing communication.
You can opt out of non-essential communications at any time by contacting us at info@zosma.ai or by replying "STOP" to any WhatsApp message. Note that opting out of all communications may affect our ability to provide certain services.
Third-Party AI Model Providers
Our services, including ZoAH, may integrate with third-party AI model providers selected by you or configured for your account. These may include, but are not limited to, providers such as OpenAI, GitHub Copilot plans, Anthropic, Google, and others.
When you use features powered by external AI models, your query data and relevant context are sent to the selected provider's API to process your requests. Zosma AI does not control how these third-party providers store, retain, process, or use that data. Each provider's own privacy policy and data retention policies govern their handling of the data they receive.
Zosma AI is not responsible for data retained or processed by third-party AI model providers. We strongly recommend that you review the privacy policy of your chosen AI provider to understand their data practices.
No other user data is shared with any third party beyond what is strictly necessary for service operation as described in this policy.
Other Third-Party Services
We use the following third-party services to operate our platform. We do not sell your personal data to any third party.
- Resend — for transactional email delivery (e.g., form submission notifications). Resend processes email addresses and message content on our behalf.
- Google reCAPTCHA v3 — for spam and abuse protection on our forms.
- Cal.com — for meeting scheduling. Data you provide when booking a meeting is processed under Cal.com's privacy policy.
- Vercel — for website hosting and edge delivery.
- GitHub — for hosting the OpenZosma open-source repository. Contributions and interactions on GitHub are governed by GitHub's privacy policy.
Cookies & Tracking
We use the following types of cookies:
- Essential Cookies — required for our website to function properly. These cannot be disabled.
- reCAPTCHA Cookies — set by Google reCAPTCHA to analyze browsing behavior and distinguish humans from bots. These are necessary for form security.
We do not currently use advertising or marketing tracking cookies. You can control cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- End-to-end encryption (TLS 1.3) for all data in transit.
- Input sanitization and validation on all form submissions.
- Honeypot fields and timestamp validation for bot prevention.
- IP-based rate limiting to prevent automated abuse.
- reCAPTCHA v3 with score-based verification.
- Access controls and audit logging for ZoAH query data.
However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Contact form submissions — retained for the duration of our business relationship and up to 12 months after last communication.
- Free trial data — retained for the duration of the trial and any subsequent service agreement. Deleted upon request if no active service exists.
- Query and audit logs — retained as required by compliance obligations or as agreed in your service terms.
- Technical/security logs — IP-based rate limiting data is stored in memory and automatically purged.
When data is no longer needed, we securely delete or anonymize it.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data where there is no compelling reason for continued processing.
- Portability — request transfer of your data to another service provider in a structured, machine-readable format.
- Objection — object to processing of your data based on legitimate interests.
- Withdraw Consent — withdraw your consent to be contacted at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at info@zosma.ai. We will respond within 30 days.
International Transfers
Your data may be processed in countries other than your own, including where our hosting providers (Vercel) and third-party services operate. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us at info@zosma.ai and we will promptly delete the data.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. We encourage you to review this page periodically.
Contact
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to withdraw your consent to be contacted, please reach out to us at info@zosma.ai.