Privacy Policy
Last updated: February 27, 2026
1. Introduction
Arcraz LLC ("Zyphr", "we", "us", or "our") operates the Zyphr platform at zyphr.dev and its associated subdomains (app.zyphr.dev, admin.production.zyphr.dev). This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you visit our website, create an account, or use our services (collectively, the "Service").
Zyphr is a developer-first unified communications and authentication platform. We serve two categories of individuals:
- Customers — Businesses and developers who create accounts and use our APIs to send messages and manage authentication for their applications.
- End Users — Individuals who receive communications or interact with authentication services through our Customers' applications.
This Privacy Policy primarily addresses our practices with respect to Customer information. For End User data, please refer to Section 4: Customer Data (End User Data).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored as a one-way cryptographic hash — we never store or have access to your plaintext password)
- Workspace name and configuration preferences
- OAuth profile information if you sign up via Google, Apple, Facebook, GitHub, or Microsoft (typically name, email, and profile photo)
- Team member information (names, emails, roles) for invited users
2.2 Billing Information
When you subscribe to a paid plan, we collect:
- Payment method details (credit card number, expiration, CVC) — these are collected and processed directly by Stripe and are never stored on our servers
- Billing address and tax identification (if applicable)
- Stripe customer ID and subscription identifiers (stored on our servers for billing management)
2.3 Usage Data
We automatically collect information about how you interact with the Service, including:
- API request logs (endpoints accessed, request timestamps, response codes, request IP addresses)
- Message delivery events (sent, delivered, bounced, opened, clicked) and associated metadata
- Feature usage metrics (which dashboard features you use, frequency of use)
- Webhook delivery statistics (delivery attempts, response codes, latency)
- Authentication event logs (login attempts, MFA usage, session activity)
- Monthly usage counters (emails sent, push notifications, SMS, MAU for auth)
2.4 Device and Browser Information
When you access the dashboard or website, we may collect:
- IP address and approximate geolocation
- Browser type, version, and language
- Operating system and device type
- Referring URL and pages visited
- Session duration and navigation patterns
2.5 Domain and Deliverability Data
When you configure custom sending domains, we collect and store DNS records (SPF, DKIM, DMARC), domain verification status, email sending reputation metrics (bounce and complaint rates), and warmup stage progression data.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service — Process and deliver messages, authenticate end users, manage webhooks, and operate the dashboard and APIs
- Process transactions — Manage subscriptions, process payments, calculate overage charges, and send billing-related communications
- Maintain and improve — Monitor performance, diagnose technical issues, optimize delivery routes, and improve platform reliability
- Communicate with you — Send service announcements, technical notices, security alerts, billing notifications, and respond to support requests
- Enforce our terms — Detect and prevent fraud, abuse, spam, and violations of our Terms of Service
- Ensure security — Monitor for unauthorized access, implement rate limiting, manage circuit breakers, and protect the integrity of the platform
- Generate analytics — Produce aggregated, anonymized usage statistics and benchmarks to improve the Service (this data does not identify individual customers or end users)
- Comply with legal obligations — Respond to lawful requests, enforce our rights, and meet regulatory requirements
4. Customer Data (End User Data)
As a communications and authentication platform, we process data on behalf of our Customers. This "Customer Data" may include personal information about End Users such as:
- Email addresses, phone numbers, and device tokens/identifiers
- Message content (email bodies, push notification payloads, SMS text, in-app notification content)
- Subscriber profiles (names, external IDs, timezone, locale, custom metadata)
- Notification preferences and unsubscribe records
- Authentication credentials (hashed passwords, OAuth tokens, MFA configurations, WebAuthn registrations)
- Session data (user agent, IP address, login timestamps)
- Webhook payloads and custom header values
Our Role
With respect to Customer Data, our Customers are the data controllers and we are the data processor. We process Customer Data solely on our Customers' instructions and as necessary to provide the Service. We do not sell Customer Data, use it for our own marketing, or share it with third parties except as necessary to deliver the Service.
End User Rights
If you are an End User and wish to exercise your data protection rights (access, correction, deletion, etc.), please contact the Customer (the business or developer) whose application you interact with. They control how your data is used and can direct us to fulfill your request. If you are unable to identify or reach the relevant Customer, you may contact us at privacy@zyphr.dev and we will make reasonable efforts to assist you.
5. Data Retention
We retain different categories of data for different periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of active account + 30 days |
| Message logs & delivery data (Free) | 7 days |
| Message logs & delivery data (Starter) | 14 days |
| Message logs & delivery data (Pro) | 30 days |
| Message logs & delivery data (Scale) | 90 days |
| Message logs & delivery data (Enterprise) | Custom (as agreed) |
| Billing records | 7 years (legal/tax requirements) |
| API request logs | 90 days |
| Security/audit logs | 1 year |
Upon account termination, we retain your data for 30 days to allow for export, after which it is permanently deleted. Aggregated, anonymized data may be retained indefinitely.
6. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption in transit — All data transmitted to and from our Service is encrypted using TLS 1.3
- Encryption at rest — Data stored in our databases is encrypted using AES-256
- Credential security — Passwords are hashed using bcrypt. API keys display only a prefix after creation; full keys are never stored or logged. Webhook signing secrets use HMAC-SHA256
- Access controls — Role-based access within workspaces (owner, admin, member). Infrastructure access is restricted to authorized personnel with multi-factor authentication
- Monitoring — Continuous monitoring for unauthorized access, anomalous activity, and security threats
- Audit logging — Administrative actions, including impersonation events, are logged for accountability
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
7. Data Breach Notification
In the event of a data breach that affects your personal information or Customer Data, we will notify affected Customers without undue delay and no later than 72 hours after becoming aware of the breach, consistent with GDPR Article 33 requirements. Notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach. We will cooperate with Customers to fulfill their own notification obligations to End Users and supervisory authorities.
8. Third-Party Services and Sub-Processors
We use the following categories of third-party service providers ("Sub-Processors") to help deliver and support the Service:
Infrastructure & Delivery
- Amazon Web Services (AWS) — Cloud infrastructure, database hosting (RDS), caching (ElastiCache), email delivery (SES), and object storage (S3). Region: US.
- Apple Push Notification service (APNs) — Delivery of push notifications to iOS and macOS devices
- Firebase Cloud Messaging (FCM) — Delivery of push notifications to Android and web platforms
Payment Processing
- Stripe — Payment processing, subscription management, and invoicing. Stripe receives your payment method details directly and is PCI-DSS Level 1 certified. See Stripe's Privacy Policy
Customer-Connected Services
- Twilio — SMS delivery (BYOP — Customers provide their own Twilio credentials)
- Slack, Discord, Microsoft Teams — Chat integrations connected by Customers (we transmit messages using Customer-provided OAuth tokens or webhooks)
- OAuth providers (Google, Apple, Facebook, GitHub, Microsoft) — Used for Customer account sign-up/login and for End User authentication when configured by Customers
Each Sub-Processor has their own privacy policy. We require our Sub-Processors to maintain appropriate security measures and to process data only as instructed. We will provide notice before adding new Sub-Processors that process personal data.
9. Cookies and Tracking Technologies
Cookies We Use
- Essential cookies — Required for authentication, session management, and security (e.g., session tokens, CSRF protection). These cannot be disabled.
- Functional cookies — Remember your preferences such as theme settings, language, and dashboard layout.
- Analytics cookies — Help us understand how our website and dashboard are used so we can improve the experience. These are only set with your consent where required by law.
Email Tracking
When Customers enable open and click tracking, we embed a small transparent pixel in emails and wrap links to track engagement. This tracking is controlled by the Customer (data controller) and can be disabled in their workspace settings. We do not use this data for our own marketing purposes.
Do Not Track
Our Service does not currently respond to "Do Not Track" (DNT) browser signals. However, you can manage cookie preferences through your browser settings.
10. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete personal data
- Deletion — Request deletion of your personal data, subject to legal retention requirements
- Data portability — Request your data in a structured, commonly used, machine-readable format
- Restriction — Request that we restrict the processing of your personal data in certain circumstances
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@zyphr.dev. We will respond to verified requests within 30 days (or within the time frame required by applicable law). We may ask you to verify your identity before fulfilling your request.
11. GDPR Compliance (EEA, UK, and Switzerland)
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following lawful bases:
- Contract performance — Processing necessary to provide the Service you have subscribed to (Article 6(1)(b))
- Legitimate interests — Processing necessary for our legitimate business interests (fraud prevention, security, service improvement) where not overridden by your rights (Article 6(1)(f))
- Legal obligation — Processing necessary to comply with legal requirements (Article 6(1)(c))
- Consent — Where specifically required, such as for analytics cookies (Article 6(1)(a))
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.
For Customer Data processing, we act as a data processor and will enter into a Data Processing Agreement (DPA) upon request that includes Standard Contractual Clauses (SCCs) for international data transfers.
12. CCPA/CPRA Compliance (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know — You may request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it
- Right to delete — You may request deletion of your personal information, subject to legal exceptions
- Right to correct — You may request correction of inaccurate personal information
- Right to opt out of sale/sharing — We do not sell personal information or share it for cross-context behavioral advertising
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights
To exercise these rights, contact us at privacy@zyphr.dev. We will verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf.
13. International Data Transfers
Zyphr is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational safeguards as necessary. We ensure that any international transfers provide an adequate level of data protection consistent with applicable law.
14. Children's Privacy
The Service is designed for use by businesses and developers and is not directed at children under the age of 16 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If a Customer uses our authentication or messaging services in an application directed at children, the Customer is responsible for compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent laws. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly. Please contact us at privacy@zyphr.dev if you believe a child has provided us with personal information.
15. Automated Decision-Making
We use automated systems for the following purposes: rate limiting and throttling (based on usage patterns), circuit breaking (automatically disabling webhook endpoints with high failure rates), spam and abuse detection, and domain reputation monitoring. These automated processes are used to maintain service quality and security. They do not involve profiling that produces legal effects or similarly significant effects on individuals. If you believe an automated decision has adversely affected your account, you may contact us for a manual review.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will notify you via email or through a prominent notice within the Service at least 30 days before the changes take effect. Non-material changes may take effect immediately upon posting. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
17. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:
Arcraz LLC
Email: privacy@zyphr.dev
For general inquiries, visit our Contact page.
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.