Privacy Policy
Effective Date: February 16, 2026 | Last Updated: February 16, 2026
This Privacy Policy describes how ZeroSuite, INC. ("ZeroSuite," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our products, services, websites, and applications. We are committed to protecting your privacy and handling your data responsibly.
1. Introduction
ZeroSuite, INC. is a C-Corporation incorporated in the State of Delaware, United States, with operations in Abidjan, Côte d'Ivoire. We provide AI-powered developer infrastructure tools, including but not limited to FLIN (flin.dev), 0fee.dev, 0sh.dev, 0sql.dev, 0seat.dev, 0cron.dev, otpx.dev, 0diff.dev, and Déblo (deblo.ai).
This Privacy Policy applies to all personal information we collect through our websites, applications, APIs, and any other services we offer (collectively, the "Services"). It does not apply to third-party websites, products, or services, even if they are linked from our Services.
For the purposes of data protection legislation, ZeroSuite, INC. is the data controller for information collected directly through our Services. Where we process data on behalf of our customers (e.g., through 0seat.dev or otpx.dev), we act as a data processor.
2. Information We Collect
2.1 Account Information
When you create an account, we may collect:
- Name and email address
- Phone number (when using OTP-based authentication)
- Organization or company name
- Billing address and payment information (processed by third-party payment providers)
- Authentication credentials (stored using bcrypt hashing; we never store plaintext passwords)
2.2 Usage Data
We automatically collect certain information when you use our Services:
- API request metadata (endpoints called, response times, error rates)
- Feature usage patterns and frequency
- Service performance metrics
- Log data (timestamps, request identifiers, status codes)
2.3 Technical Data
- IP address and approximate geolocation (country/region level)
- Browser type and version
- Operating system
- Device type and identifiers
- Referring URL and pages visited
- Language preferences
2.4 Payment Data
Payment card numbers and sensitive financial data are processed directly by our third-party payment processors. We do not store full payment card numbers on our servers. We may retain transaction identifiers, amounts, dates, and the last four digits of payment cards for record-keeping and support purposes.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve our Services, including processing transactions, authenticating users, and delivering scheduled tasks.
- Communication: To send you service-related notices, security alerts, and account notifications, and to respond to your inquiries.
- Improvement: To analyze usage patterns, diagnose technical problems, and improve the performance, reliability, and user experience of our Services.
- Security: To detect, prevent, and address fraud, abuse, security threats, and technical issues.
- Compliance: To comply with applicable legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.
- Billing: To process payments, manage subscriptions, and provide invoices and receipts.
- Marketing: With your consent, to send you information about new products, features, or promotions. You may opt out of marketing communications at any time.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and similar data protection laws, we process personal data based on the following legal grounds:
- Performance of a Contract: Processing necessary to provide you with the Services you have requested (e.g., account management, service delivery, payment processing).
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, ensuring security, and preventing fraud, provided such interests are not overridden by your rights and freedoms.
- Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, optional analytics).
- Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject (e.g., tax reporting, responding to lawful court orders).
5. Information Sharing
We do not sell your personal information. We may share your information in the following limited circumstances:
- Service Providers: We engage trusted third-party companies to perform services on our behalf (e.g., payment processing, email delivery, cloud hosting, analytics). These providers are contractually obligated to protect your data and may only process it for the purposes specified by us.
- Legal Requirements: We may disclose your information when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
- With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
- Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you, for research, analysis, or business purposes.
6. Data Security
We implement comprehensive technical and organizational measures to protect your personal information:
- Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.3.
- Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
- Password Security: User passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
- Access Controls: Strict role-based access controls limit which personnel can access personal data, on a need-to-know basis.
- Infrastructure Security: Our services are hosted on Hetzner infrastructure in Germany and Finland, subject to European data protection standards. Cloudflare provides global CDN, DDoS protection, and Web Application Firewall services.
- Monitoring: Continuous security monitoring, automated vulnerability scanning, and regular security reviews.
- Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of data breaches in accordance with applicable law (within 72 hours for GDPR-reportable breaches).
While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to continuously improving our security posture.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements:
- Account Data: Retained for the duration of your account and up to 30 days after account deletion, to allow for recovery.
- Usage and Technical Data: Retained for up to 24 months for analytics and service improvement purposes.
- Transaction Records: Retained for a minimum of 7 years to comply with tax and financial reporting obligations.
- Communication Records: Support ticket history is retained for up to 3 years after the last interaction.
- Log Data: Server and security logs are retained for up to 12 months.
- Marketing Consent Records: Retained for the duration of your consent and 3 years after withdrawal, to demonstrate compliance.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Restriction: You have the right to request restriction of processing of your personal data under certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before processing your request.
9. International Data Transfers
Our primary infrastructure is located in the European Union (Hetzner, Germany and Finland), which provides a high standard of data protection. However, as a company incorporated in the United States with operations in Côte d'Ivoire, your data may be accessed from or transferred to locations outside the EU.
When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:
- EU-U.S. Data Privacy Framework: For transfers to the United States, where the recipient participates in the EU-U.S. Data Privacy Framework.
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to countries not covered by an adequacy decision.
- Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection.
- Supplementary Measures: Where required, we implement additional technical or organizational measures (e.g., encryption, pseudonymization) to ensure the effectiveness of the transfer mechanism.
10. Children's Privacy
Our general Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16 for our developer tools.
Déblo.ai Exception: Déblo (deblo.ai) is an AI-powered educational platform specifically designed for students, including minors. For Déblo.ai, we implement the following additional protections:
- Verifiable parental or guardian consent is required before a child under 16 can create an account.
- We collect only the minimum personal information necessary to provide the educational service.
- Children's data is never used for marketing purposes or shared with third parties for advertising.
- Parents and guardians have the right to review, modify, or delete their child's personal information at any time.
- We do not use children's data to train AI models.
- Content filtering and safety measures are implemented to protect minors from inappropriate material.
If we become aware that we have collected personal information from a child under 16 without verifiable parental consent (outside of Déblo.ai), we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us at [email protected].
11. Product-Specific Privacy Notes
FLIN (flin.dev)
FLIN applications run locally on your machine. Application data is stored in a local .flindb directory on your device. ZeroSuite does not access, collect, transmit, or store any data from your local FLIN applications. When you use FLIN's development server, all processing occurs locally. If you opt into cloud features (e.g., deployment via 0sh.dev), the relevant product-specific privacy terms apply.
0fee.dev
0fee.dev processes payment transactions through third-party providers. We collect transaction metadata (amount, currency, timestamp, status) for record-keeping and support. Payment card details are handled directly by PCI DSS-compliant payment processors and are never stored on our servers. Merchant account information, including business details and payout preferences, is stored securely and encrypted at rest.
0seat.dev
0seat.dev processes customer support communications using AI. The content of support tickets, chat messages, and emails routed through 0seat.dev is processed by AI models to generate responses, classify inquiries, and extract insights. This data is used solely to provide the service and is not used to train general-purpose AI models. You, as the data controller, are responsible for informing your end users about the use of AI in processing their communications.
otpx.dev
otpx.dev processes phone numbers and email addresses for the purpose of delivering one-time passwords and authentication codes. Phone numbers and delivery metadata are retained for fraud prevention and audit purposes. OTP codes are automatically deleted after expiration (typically 5-10 minutes).
Déblo.ai
Déblo.ai collects educational interaction data (questions asked, subjects studied, performance metrics) to personalize the learning experience. This data is used exclusively to improve educational outcomes and is not shared with advertisers or used for non-educational purposes. See Section 10 for additional protections for minors.
12. Cookie Policy
We use cookies and similar tracking technologies on our websites. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy.
13. Third-Party Services
Our Services may integrate with or link to third-party services. We use the following categories of third-party service providers:
- Cloud Infrastructure: Hetzner (Germany/Finland) for compute and storage.
- CDN and Security: Cloudflare for content delivery, DDoS protection, and DNS.
- Payment Processing: Various PCI DSS-compliant payment processors (through 0fee.dev).
- Communication: Third-party SMS, WhatsApp, and email delivery providers (through otpx.dev).
- AI Providers: Third-party AI model providers for natural language processing and generation.
- Analytics: Privacy-focused analytics tools for understanding usage patterns.
Each third-party provider operates under their own privacy policy. We encourage you to review the privacy practices of any third-party service you interact with through our Services. We are not responsible for the privacy practices of third-party services.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide notice via email to your registered email address at least 30 days before material changes take effect.
- Post a prominent notice on our websites.
- Where required by law, seek your consent before applying material changes to the processing of your personal data.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Data Controller: ZeroSuite, INC.
- Type: C-Corporation, Delaware, USA
- Operations: Abidjan, Côte d'Ivoire
- Privacy Inquiries: [email protected]
- Data Protection Officer: [email protected]
- Security Reports: [email protected]
- General Support: [email protected]
We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.