Privacy Policy

Effective Date: February 16, 2026  |  Last Updated: May 15, 2026

This Privacy Policy describes how ZeroSuite, INC. ("ZeroSuite," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our products, services, websites, and applications. We are committed to protecting your privacy and handling your data responsibly.

1. Introduction

ZeroSuite, INC. is a C-Corporation incorporated in the State of Delaware, United States, with operations in Abidjan, Côte d'Ivoire. We provide AI-powered developer infrastructure tools, including but not limited to FLIN (flin.dev), 0fee.dev, 0sh.dev, 0sql.dev, 0seat.dev, 0cron.dev, otpx.dev, 0diff.dev, and Déblo (deblo.ai).

This Privacy Policy applies to all personal information we collect through our websites, applications, APIs, and any other services we offer (collectively, the "Services"). It does not apply to third-party websites, products, or services, even if they are linked from our Services.

For the purposes of data protection legislation, ZeroSuite, INC. is the data controller for information collected directly through our Services. Where we process data on behalf of our customers (e.g., through 0seat.dev or otpx.dev), we act as a data processor.

2. Information We Collect

2.1 Account Information

When you create an account, we may collect:

• Name and email address
• Phone number (when using OTP-based authentication)
• Organization or company name
• Billing address and payment information (processed by third-party payment providers)
• Authentication credentials (stored using bcrypt hashing; we never store plaintext passwords)

2.2 Usage Data

We automatically collect certain information when you use our Services:

• API request metadata (endpoints called, response times, error rates)
• Feature usage patterns and frequency
• Service performance metrics
• Log data (timestamps, request identifiers, status codes)

2.3 Technical Data

• IP address and approximate geolocation (country/region level)
• Browser type and version
• Operating system
• Device type and identifiers
• Referring URL and pages visited
• Language preferences

2.4 Authentication and Sign-In Audit Data

To protect your account against unauthorized access and to comply with our security obligations, we record metadata for each sign-in event:

• Timestamp of each successful and failed sign-in attempt
• Authentication method used (phone OTP, WhatsApp OTP, Google, Apple, organization access code)
• IP address from which the sign-in originated, and the country/region inferred from it
• Device type and platform (iOS, Android, web browser identifier)
• User-agent string (browser name and version, or mobile app version)

This information is stored under your account and may be displayed back to you in your profile so that you can review where and when your account was accessed. You may report any unrecognized session to [email protected].

2.5 Payment Data

Payment card numbers and sensitive financial data are processed directly by our third-party payment processors. We do not store full payment card numbers on our servers. We may retain transaction identifiers, amounts, dates, and the last four digits of payment cards for record-keeping and support purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve our Services, including processing transactions, authenticating users, and delivering scheduled tasks.
• Communication: To send you service-related notices, security alerts, account notifications, and respond to your inquiries.
• Improvement: To analyze usage patterns, diagnose technical problems, and improve the performance, reliability, and user experience of our Services.
• Security: To detect, prevent, and address fraud, abuse, security threats, and technical issues.
• Compliance: To comply with applicable legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.
• Billing: To process payments, manage subscriptions, and provide invoices and receipts.
• Marketing: With your consent, to send you information about new products, features, or promotions. You may opt out of marketing communications at any time.

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and similar data protection laws, we process personal data based on the following legal grounds:

• Performance of a Contract: Processing necessary to provide you with the Services you have requested (e.g., account management, service delivery, payment processing).
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, ensuring security, and preventing fraud, provided such interests are not overridden by your rights and freedoms.
• Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, optional analytics).
• Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject (e.g., tax reporting, responding to lawful court orders).

5. Information Sharing

We do not sell your personal information. We may share your information in the following limited circumstances:

• Service Providers: We engage trusted third-party companies to perform services on our behalf (e.g., payment processing, email delivery, cloud hosting, analytics). These providers are contractually obligated to protect your data and may only process it for the purposes specified by us.
• Legal Requirements: We may disclose your information when required by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
• With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
• Aggregated or De-identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you, for research, analysis, or business purposes.

6. Data Security

We implement comprehensive technical and organizational measures to protect your personal information:

• Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.3.
• Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
• Password Security: User passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
• Access Controls: Strict role-based access controls limit which personnel can access personal data, on a need-to-know basis.
• Infrastructure Security: Our services are hosted on Hetzner infrastructure in Germany and Finland, subject to European data protection standards. Cloudflare provides global CDN, DDoS protection, and Web Application Firewall services.
• Monitoring: Continuous security monitoring, automated vulnerability scanning, and regular security reviews.
• Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of data breaches in accordance with applicable law (within 72 hours for GDPR-reportable breaches).

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to continuously improving our security posture.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements:

• Account Data: Retained for the duration of your account and up to 30 days after account deletion, to allow for recovery.
• Usage and Technical Data: Retained for up to 24 months for analytics and service improvement purposes.
• Transaction Records: Retained for a minimum of 7 years to comply with tax and financial reporting obligations.
• Communication Records: Support ticket history is retained for up to 3 years after the last interaction.
• Log Data: Server and security logs are retained for up to 12 months.
• Marketing Consent Records: Retained for the duration of your consent and 3 years after withdrawal, to demonstrate compliance.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to Object: You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Restriction: You have the right to request restriction of processing of your personal data under certain circumstances.
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law. We may need to verify your identity before processing your request.

9. International Data Transfers

Our primary infrastructure is located in the European Union (Hetzner, Germany and Finland), which provides a high standard of data protection. However, as a company incorporated in the United States with operations in Côte d'Ivoire, your data may be accessed from or transferred to locations outside the EU.

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:

• EU-U.S. Data Privacy Framework: For transfers to the United States, where the recipient participates in the EU-U.S. Data Privacy Framework.
• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to countries not covered by an adequacy decision.
• Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection.
• Supplementary Measures: Where required, we implement additional technical or organizational measures (e.g., encryption, pseudonymization) to ensure the effectiveness of the transfer mechanism.

10. Children's Privacy

Our general Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16 for our developer tools.

Déblo.ai Exception: Déblo (deblo.ai) is an AI-powered educational platform specifically designed for students, including minors. For Déblo.ai, we implement the following additional protections:

• Verifiable parental or guardian consent is required before a child under 16 can create an account.
• We collect only the minimum personal information necessary to provide the educational service.
• Children's data is never used for marketing purposes or shared with third parties for advertising.
• Parents and guardians have the right to review, modify, or delete their child's personal information at any time.
• We do not use children's data to train AI models.
• Content filtering and safety measures are implemented to protect minors from inappropriate material.

If we become aware that we have collected personal information from a child under 16 without verifiable parental consent (outside of Déblo.ai), we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us at [email protected].

11. Product-Specific Privacy Notes

FLIN (flin.dev)

FLIN applications run locally on your machine. Application data is stored in a local .flindb directory on your device. ZeroSuite does not access, collect, transmit, or store any data from your local FLIN applications. When you use FLIN's development server, all processing occurs locally. If you opt into cloud features (e.g., deployment via 0sh.dev), the relevant product-specific privacy terms apply.

0fee.dev

0fee.dev processes payment transactions through third-party providers. We collect transaction metadata (amount, currency, timestamp, status) for record-keeping and support. Payment card details are handled directly by PCI DSS-compliant payment processors and are never stored on our servers. Merchant account information, including business details and payout preferences, is stored securely and encrypted at rest.

0seat.dev

0seat.dev processes customer support communications using AI. The content of support tickets, chat messages, and emails routed through 0seat.dev is processed by AI models to generate responses, classify inquiries, and extract insights. This data is used solely to provide the service and is not used to train general-purpose AI models. You, as the data controller, are responsible for informing your end users about the use of AI in processing their communications.

otpx.dev

otpx.dev processes phone numbers and email addresses for the purpose of delivering one-time passwords and authentication codes. Phone numbers and delivery metadata are retained for fraud prevention and audit purposes. OTP codes are automatically deleted after expiration (typically 5-10 minutes).

Déblo (deblo.ai)

Because Déblo is a conversational AI product with its own privacy obligations (in-app AI consent, declared third-party processors, Apple App Store and Google Play Store compliance), it has a dedicated section below: see Section 12 — Déblo.

12. Déblo — Conversational AI Assistant

Déblo is a conversational AI assistant developed and operated by ZeroSuite, INC. This section gathers all product-specific privacy information, in addition to the general provisions of Sections 1 through 11.

12.1. Covered platforms

• Web app: deblo.ai (any platform with a modern, up-to-date browser).
• iOS app: “Déblo” on the Apple App Store, bundle identifier ai.deblo.app.
• Android app: “Déblo” on the Google Play Store, identifier ai.deblo.app.

A single native mobile application is distributed on each store. This universal app serves all audiences listed in 12.2 through internal routing based on onboarding answers. No K12-only or Pro-only variant is distributed at this time.

12.2. Audiences

• K-12 students from primary school through final-year secondary school (CP → Terminale in francophone Africa; equivalent grades in anglophone systems).
• Professionals in chartered accounting (SYSCOHADA), legal practice, audit, and tax advisory.
• General-public adult users who use Déblo as a daily voice companion for everyday questions.

12.3. What data Déblo collects from you

The list below mirrors the official App Privacy declaration published by ZeroSuite, INC. in App Store Connect (13 categories) and the Data Safety declaration filed with Google Play Console.

• Account identifiers: phone number (WhatsApp / SMS OTP authentication), email address (when you sign in with Google or Apple), display name, organization access code (for school or business deployments).
• Internal user identifier: anonymous UUID generated at sign-up, tied to your phone OTP. No IDFA, IDFV, or Android Advertising ID is used.
• Chat content: the text messages you send to Déblo and the AI-generated replies. Chat history is retained for 30 days after the conversation ends, then deleted automatically.
• Voice content: the audio of your voice during a realtime call. Voice audio is processed in real time and is not retained as a recording after the call ends. Transcripts of the call (text) may be retained under the same 30-day window as chat content.
• Photos and documents you upload: images of exercises, handwritten notes, invoices, or any document you submit for analysis. These files are processed for optical character recognition (OCR) and visual understanding. Uploaded photos and documents are retained for 30 days, then deleted.
• Educational interaction data: subjects studied, question topics, school level, exam targets (BAC, BEPC, WAEC, KCSE, GCSE, etc.), and aggregated performance metrics.
• Wallet and payment metadata: in-app wallet balance, top-up history (Mobile Money or card), and anonymized payment references. No card numbers are stored.
• Sign-in audit data: as described in Section 2.4 above.
• Diagnostics: crash reports and performance traces collected via Sentry, linked to your user identifier so we can debug issues you encounter.
• Customer support exchanges: WhatsApp messages or emails you send us through the support channel.

12.4. Data we explicitly do not collect

• No IDFA, IDFV, or Android Advertising ID — no advertising fingerprinting.
• No GPS location (neither precise nor coarse). The country inferred from your phone prefix remains a metadata of your phone number, not a geographic coordinate.
• No web browsing history outside Déblo, no external search history.
• No address book, no calendar, no photos beyond those you explicitly choose to upload.
• No credit card number, IBAN, or bank account identifier stored on our servers (Stripe and XPAYE / 0fee handle the entire PCI-DSS scope).
• No health, fitness, or sensitive data within the meaning of the GDPR.
• No personalized advertising; no data sent to data brokers or ad networks.

12.5. Third-party technology providers used by Déblo

Déblo relies on several AI and infrastructure providers to deliver its features. When you interact with Déblo, your input data (text, voice, photos) is transmitted in real time to one or more of the providers below, strictly to generate the AI response. None of these providers train their general-purpose models on your data.

• Anthropic — large language model inference (Claude family). Routed through the OpenRouter API gateway. Used for chat responses, tutoring explanations, and content generation. Anthropic and OpenRouter receive the text of your messages but no direct identifiers (we use a stable hashed user reference).
• Mistral AI — fallback large language model and image-understanding (vision) model, also routed through OpenRouter. Same data scope as Anthropic.
• Ultravox — realtime voice AI provider (current default). When you start a voice call, your microphone audio is streamed to Ultravox via the LiveKit transport. Ultravox returns audio that Déblo plays back to you. Audio is not retained by Ultravox after the call.
• Google (Vertex AI / Gemini Live API) — alternate or fallback realtime voice provider. May replace or supplement Ultravox at our discretion. Same data scope as Ultravox: real-time bidirectional audio, no recording retained by Google.
• Datalab (Marker V2) — primary OCR and document understanding provider. Photos and PDFs you upload are sent to Datalab for text extraction. Mistral OCR serves as a fallback.
• Sentry — crash and performance diagnostics. Receives stack traces, app version, device model, OS version, and your user identifier when an error occurs.
• SMSing and WhatsApp Business API — deliver one-time passwords to your phone via SMS or WhatsApp during sign-in.
• Stripe — card payment processing (webview). No card number ever transits through our servers.
• XPAYE / 0fee — Mobile Money gateway (Wave, MTN, Orange Money, Moov, Togocel, Free CI). No banking information stored on Déblo's side.
• Hetzner Cloud (Germany) — primary application and PostgreSQL database hosting.
• Google OAuth and Apple Sign In — optional authentication providers (in addition to phone OTP).

Each provider listed above acts as a data processor under a data processing agreement (DPA) with ZeroSuite, INC. They are contractually required to provide a level of protection equivalent to ours, to use the data only for the specified purpose, and to delete it when no longer needed.

12.6. Apple's “Tracking” definition and Déblo's position

Apple defines tracking as linking data collected from this app with data collected from other companies' apps, websites, or offline properties for targeted advertising or advertising measurement; or sharing data collected from this app with a data broker. Déblo performs none of these operations. We have declared “No Tracking” for every data category in our App Privacy submission to App Store Connect, and the same principle applies to our Google Play Console Data Safety questionnaire.

12.7. In-app explicit consent for sharing data with third-party AI services

Before you interact with Déblo's AI features for the first time (chat, voice call, photo analysis), the mobile applications display an explicit consent screen. The screen describes the categories of data transmitted and what they are used for, without publicly naming each individual processor (the exhaustive list is in Section 12.5 above). The screen requires your affirmative consent before triggering the first AI action.

You can review this disclosure at any time from Settings → Privacy in the mobile app, and you can withdraw your consent there. Withdrawing consent stops the AI features but does not delete your account data; for full deletion, contact [email protected].

A short reminder also sits below the home screen mic button and below the chat input: “Déblo is AI and can make mistakes. Limits · Privacy”. The “Limits” link points to deblo.ai/disclaimer; the “Privacy” link reopens the consent screen in read mode so you can re-read the disclosure.

12.8. Déblo data retention

• Chat conversation text: 30 days after the last activity in the conversation, then permanently deleted.
• Voice call audio: not retained (real-time stream, not recorded). Any text transcript follows the same 30-day retention as chat.
• Uploaded photos and documents: 30 days after upload, then deletion.
• Account data: retained for the lifetime of the account. Deleted within 30 days after closure, except where a longer legal obligation applies.
• Payment metadata (anonymized): 7 years (accounting and tax obligation).
• Sentry diagnostics: 30 days then purge.
• Sign-in logs: 12 months (cf. Section 7).

12.9. How Déblo uses this data

• To answer your questions, generate explanations, and deliver the conversational and educational features of the product.
• To personalize your learning experience (remembering your school level, preferred language, recent topics).
• To debug crashes and performance issues, and to improve the product based on aggregated, anonymized usage statistics.
• To prevent abuse and to comply with our legal obligations.

Déblo data is not used to train general-purpose AI models, is not sold to advertisers, and is not shared with data brokers.

12.10. Your rights over your Déblo data

All GDPR rights listed in Section 8 apply to your Déblo data. In addition, from the mobile app you can:

• Review and withdraw your AI consent at any time via Settings → Privacy.
• Delete an individual conversation from the chat history.
• Request a full account export or permanent deletion by writing to [email protected] from the address attached to your account.

12.11. Protection of minors using Déblo

Because Déblo is designed for students, including minors, additional protections apply. See Section 10 (Children's Privacy) for the full set of safeguards, including verifiable parental consent, restrictions on data use, and parents' rights to review or delete their child's data.

13. Cookie Policy

We use cookies and similar tracking technologies on our websites. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy.

14. Third-Party Services

Our Services may integrate with or link to third-party services. We use the following categories of third-party service providers:

• Cloud Infrastructure: Hetzner (Germany/Finland) for compute and storage.
• CDN and Security: Cloudflare for content delivery, DDoS protection, and DNS.
• Payment Processing: Various PCI DSS-compliant payment processors (through 0fee.dev).
• Communication: Third-party SMS, WhatsApp, and email delivery providers (through otpx.dev).
• AI Providers: Third-party AI model providers for natural language processing and generation.
• Analytics: Privacy-focused analytics tools for understanding usage patterns.

Each third-party provider operates under their own privacy policy. We encourage you to review the privacy practices of any third-party service you interact with through our Services. We are not responsible for the privacy practices of third-party services.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Provide notice via email to your registered email address at least 30 days before material changes take effect.
• Post a prominent notice on our websites.
• Where required by law, seek your consent before applying material changes to the processing of your personal data.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.