Privacy Policy
Last updated: April 23, 2026
This Privacy Policy describes how Stephen Shkeda, an individual based in Maryland, United States, doing business as "zcouncil" ("we", "us", "our"), collects, uses, and shares personal information in connection with the service offered at zcouncil.com (the "Service"). For questions, please contact us at [email protected].
1. Information we collect
Account information. When you create an account, we collect your email address, display name (if provided), and either a hashed password or an identifier from your single sign-on provider.
Chat content. The prompts you submit, the responses returned by each model, the synthesis produced by the Service, and any files (including images) you upload. Chats are retained in our database and associated with your account.
Usage data. The volume and timing of your activity, and metadata used to enforce quotas and detect abuse.
Billing information. If you subscribe to a paid plan, payment details are collected by our payment processor on our behalf. We receive a customer identifier and subscription status; we do not store your payment-card data.
Technical information. IP address, browser type, device identifiers, strictly necessary session cookies, and a small number of preference cookies that remember user-interface state (for example, whether the sidebar is expanded or collapsed, which lasts up to seven days).
API credentials. Tokens created through the Service are stored in a form from which they cannot be recovered. Once issued, a token cannot be retrieved from our systems.
2. How we use your information and legal bases
We use your information for the purposes below. For users protected by the GDPR or UK GDPR, the corresponding legal basis under Article 6 is listed alongside each purpose.
- To operate and secure the Service, authenticate you, and maintain your account — contract performance.
- To process payments and manage subscriptions — contract performance.
- To enforce usage limits, prevent abuse, and diagnose issues — legitimate interests (running a reliable, non-abused service).
- To communicate about your account, security, or material changes to the Service — contract performance and legitimate interests.
- To comply with legal, tax, and regulatory obligations — legal obligation.
- Where we ever rely on consent (for optional marketing or analytics), you may withdraw it at any time — consent.
We do not use your chat content to train our own AI models. We do not sell your personal information.
3. Service providers
To deliver the Service, we share certain information with the third-party service providers listed below. Some act as our processors or sub-processors (for example, our infrastructure and database providers) and handle personal information on our behalf. Others (including model, identity, and payment providers) act as independent controllers or service providers under their own terms for the limited purposes described.
| Provider | Purpose | Location |
|---|---|---|
| OpenRouter | Gateway that routes prompts to AI model providers | United States |
| OpenAI | AI model inference (GPT family) | United States |
| Anthropic | AI model inference (Claude family) | United States |
| AI model inference (Gemini family) | United States | |
| xAI | AI model inference (Grok family) | United States |
| Cloudflare | Hosting, compute, and object storage | Global edge |
| Convex | Application database and backend platform | United States |
| Stripe | Payment processing for paid subscribers | United States |
| Google (OAuth) | Optional single sign-on | United States |
Each provider maintains its own privacy practices, and your information is subject to those practices while it is in the provider's custody. We do not use your content to train our own models. We route requests through OpenRouter, and we configure the settings available to us to minimize retention and to disable training on customer content where such options exist. Retention, logging, and training policies nonetheless vary by provider, endpoint, and model: some providers retain inputs and outputs temporarily (often up to 30 days) for abuse monitoring or trust-and-safety review under their own terms. We monitor provider terms and will update this Policy if there is a material change to the controls available to us.
We may also disclose information if required by law, to enforce our agreements, to protect the rights or safety of users or third parties, or as part of a merger, acquisition, or sale of assets. In such an event, we will provide notice before your information is transferred and becomes subject to a different privacy policy.
Data Processing Agreement. Business users or organizations that require a Data Processing Agreement (DPA) for their use of the Service may request one by contacting [email protected].
4. Data retention
- Chat history — retained until you delete individual chats or your account.
- Account data — retained while your account is active; deleted within 30 days of account deletion.
- Usage logs — retained for up to 12 months for rate-limiting and abuse detection.
- Billing records — retained for 7 years, as required by applicable tax and accounting regulations.
We may retain information longer than the periods above (including in backups and security logs) where we reasonably need to do so to comply with a legal obligation, respond to a legal hold, investigate fraud or abuse, resolve a billing dispute or chargeback, or address a security incident. Information retained under these exceptions is used only for those purposes.
Separately, our AI model providers may retain your prompts and outputs temporarily (typically for up to 30 days) for their own trust-and-safety monitoring, independent of our own retention practices.
You can delete individual chats at any time from within the Service. Deletion removes the chat from your chat history and our primary database, wipes the chat transcript from our streaming-agent infrastructure, and purges any uploaded files associated with the chat. Backup copies may retain the data for a short period before being overwritten on the underlying platform's storage lifecycle. To delete your account and all associated data, contact [email protected].
5. Security
We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. We use strictly necessary session cookies and a small number of preference cookies (such as your sidebar expand/collapse state); we do not use analytics or advertising cookies. No system can be guaranteed to be entirely secure. If you believe you have identified a vulnerability, please contact [email protected].
In the event of a personal-data breach affecting you, we will notify you and, where applicable, the relevant supervisory authority, without undue delay and within the timeframes required by applicable law (including, where the GDPR or UK GDPR applies, within 72 hours of becoming aware of the breach for notifications to a supervisory authority).
6. Your rights
Depending on where you reside, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information
- Port your information to another service
- Object to or restrict certain processing
- Withdraw consent, where processing is based on consent
To exercise these rights, please contact [email protected]. We respond within 30 days, which may be extended by up to 60 additional days for complex requests, in which case we will notify you of the extension. Residents of the EU or United Kingdom may also lodge a complaint with their local data-protection authority.
California residents. To the extent the California Consumer Privacy Act (CCPA/CPRA) applies to us, you have the right to know the categories of personal information we collect, to request deletion or correction, and to opt out of the sale or sharing of your personal information. We do not sell personal information and do not use it for cross-context behavioral advertising, and we honor opt-out preference signals such as Global Privacy Control (GPC) when we receive them through your browser. You may also submit a formal request by contacting [email protected]; this link serves as the "Do Not Sell or Share My Personal Information" contact point required by the CCPA/CPRA.
Maryland residents. To the extent the Maryland Online Data Privacy Act (MODPA) applies to us, you have the rights listed above — including to access, correct, delete, and port your information, and to opt out of targeted advertising and the sale of personal data. We do not engage in either. We also do not knowingly process the personal data of consumers under 18 for targeted advertising or the sale of personal data.
7. Minors
The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete it.
8. Automated processing
The Service uses AI models to generate outputs in response to your prompts, and synthesizes those outputs. We do not use these outputs to make decisions that produce legal or similarly significant effects about you, and the Service is not intended to make such decisions. Within the meaning of Article 22 of the GDPR, we do not carry out solely automated decision-making that has legal or similarly significant effects on you.
9. International data transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and in other countries where our service providers operate. These jurisdictions may offer different data-protection standards than your own. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses, and apply supplementary technical measures such as encryption in transit and at rest.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-product or by email. Continued use of the Service after the effective date of an update constitutes acceptance of the revised policy. Where applicable law requires it, we will obtain your consent before processing your information under a materially changed policy.
11. Contact
For privacy inquiries or security disclosures, contact [email protected].