Privacy Policy
Last updated: March 23, 2026 · Effective immediately
1. Who we are
ZeroLimitAI ("we", "us", "our") is an AI platform operated by ClawLabs AI. Our contact address for data matters is hello@zerolimitai.com.
This policy applies to all users of zerolimitai.com and related services, including users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with data protection laws.
2. Legal basis for processing (GDPR / UK GDPR)
Where applicable, we process personal data on the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): processing your account data, enforcing plan limits, and sending essential transactional emails.
- Legitimate interests (Art. 6(1)(f) GDPR): fraud detection, abuse prevention, platform security, and service improvement through aggregated analytics.
- Legal obligation (Art. 6(1)(c) GDPR): retention of billing records as required by applicable tax law.
- Consent (Art. 6(1)(a) GDPR): non-essential cookies and analytics, if any, collected only after you explicitly opt in via our cookie banner.
3. What data we collect
- Account data: name, email address, hashed password (bcrypt, cost 12).
- Payment data: Stripe customer ID and subscription status. We never store card numbers — all card processing is handled exclusively by Stripe.
- Usage data: message count per day, tier, timestamps of API calls, token counts.
- Conversation data: messages you send are passed to our AI routing layer and forwarded to third-party model providers to generate a response. We store conversation history in our database to enable your chat history feature. You can delete individual conversations or all conversations from your account at any time.
- Security data: IP addresses and browser user-agents are recorded in our security audit log for login events, API key operations, and session management. Audit logs are retained for 90 days.
- Technical data: error logs and performance metrics collected automatically by our hosting provider (Vercel).
4. How we use your data
- To authenticate you and manage your session.
- To enforce plan limits (message quotas, tier gating).
- To process payments and manage subscriptions via Stripe.
- To send transactional emails (email verification, welcome, payment receipts, password reset, security alerts) via Resend.
- To detect fraud, abuse, and unauthorised access.
- To maintain a security audit trail for your account.
- To improve our service using aggregated, anonymised analytics only.
We do not sell your data to third parties. Ever.
We do not use your conversations or inputs to train AI models. Your content is forwarded to model providers solely to generate your requested response.
5. Data Processing Agreement (DPA)
If you use ZeroLimitAI as a business ("Controller") and your users' personal data is processed through the Service, ZeroLimitAI acts as a "Processor" under GDPR Article 28. The following terms govern our data processing relationship:
- Subject matter: Processing of personal data through AI prompts, responses, and usage records as described in this policy.
- Duration: For as long as you use the Service.
- Nature and purpose: Providing AI chat, agent, and automation services as described in the Terms of Service.
- Type of data: Email addresses, names, conversation content, and usage metadata.
- Sub-processors: See Section 6 below. We notify users of any new sub-processor with at least 14 days' notice.
- Data subject rights: We will assist you in fulfilling GDPR data subject requests (access, erasure, portability) within 30 days of written request.
- Security measures: As described in Section 11.
- Breach notification: We will notify you of any personal data breach affecting your data without undue delay, and in any case within 72 hours of becoming aware of it.
For a signed DPA for your organisation, contact hello@zerolimitai.com.
6. Third-party sub-processors
| Processor | Purpose | Data shared |
|---|---|---|
| Vercel (US) | Hosting & CDN | IP, request logs |
| Neon / PostgreSQL (EU) | Database | All account & conversation data |
| Stripe (US) | Payments | Email, payment details |
| OpenRouter (US) | AI model routing | Your message content |
| Resend (US) | Transactional email | Email address |
| Upstash (US) | Rate limiting (Redis) | Hashed IP address |
All sub-processors are contractually bound to process data only as instructed and to maintain appropriate technical and organisational security measures. Where data is transferred to the US, appropriate safeguards are in place (Standard Contractual Clauses or equivalent).
7. International transfers
Some of our sub-processors are based in the United States. Transfers are made under the EU Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the UK Information Commissioner's Office (ICO). You may request a copy of the applicable transfer mechanism by emailing us.
8. Data retention
- Account data: retained while your account is active plus 30 days after deletion to allow for recovery requests.
- Conversation data: retained until you delete the conversation or delete your account.
- Security audit logs: retained for 90 days.
- Billing records: retained for 7 years as required by UK/EU tax law.
When you delete your account, we permanently delete all personal data within 30 days, except where legally required to retain it.
9. Cookies
We use a single session cookie (next-auth.session-token) strictly necessary for authentication. We do not use tracking cookies or third-party advertising cookies without your explicit consent. You can manage cookie preferences via our cookie banner.
10. Your rights
Depending on your jurisdiction you may have the following rights regarding your personal data:
- Access: obtain a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your personal data (subject to legal retention requirements).
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: request that we restrict processing of your data.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email hello@zerolimitai.com. We respond within 30 days. If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK).
11. Security
All data is transmitted over TLS 1.2 or higher. Passwords are stored as bcrypt hashes (cost factor 12). API keys stored in our database are encrypted at rest using AES-256-GCM. We maintain a security audit log of all sensitive account actions (see Section 3). Access to production systems is restricted to authorised personnel only. We serve a nonce-based Content Security Policy (CSP) header to mitigate cross-site scripting (XSS).
12. Children
ZeroLimitAI is not directed at children under 13 (or the applicable age of digital consent in your country). We do not knowingly collect data from minors. If you believe a minor has provided us with data, contact us immediately and we will delete it.
13. Changes to this policy
We may update this policy from time to time. We will notify registered users by email of any material changes at least 14 days before they take effect. The current version is always available at this URL.
14. Contact & supervisory authority
Questions or requests: hello@zerolimitai.com
UK supervisory authority: Information Commissioner's Office (ico.org.uk)
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we share it with.
- Right to Delete: You have the right to request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information for monetary consideration. We do not share personal information with third parties for cross-context behavioural advertising.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide our services.
- Right of Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
Categories of personal information collected: Identifiers (name, email, IP address), commercial information (billing records, subscription history), internet activity (chat messages, usage logs), inference data (AI model usage patterns).
How to exercise your rights: Submit a verifiable consumer request by emailing privacy@zerolimitai.com or using the account deletion option in Settings → Account. We will respond within 45 days.
Authorised agent: You may designate an authorised agent to submit a request on your behalf by providing written authorisation.
16. Data Retention & Subprocessors
For details on how long we retain different types of data, see our Data Retention Policy. For a full list of third-party services that process data on our behalf, see our Subprocessors page. Business customers can request a signed Data Processing Agreement (DPA).