EgoZ Privacy Policy (DRAFT)
⚠️ DRAFT — NOT LEGAL ADVICE. Review with counsel before use.
Last updated: July 7, 2026
This Privacy Policy explains how [LEGAL ENTITY] ("EgoZ", "we") processes personal data when you use EgoZ. For business customers, our processing of personal data contained in Customer Content is also governed by the Data Processing Addendum.
1. Roles
- For account and billing data, EgoZ is the controller.
- For Customer Content you submit to run your AI agents (knowledge-base documents, prompts, end-user messages, tool payloads), EgoZ acts as a processor on your behalf — you are the controller. See the DPA.
2. Data we process
| Category | Examples | Role |
|---|---|---|
| Account data | name, email, display name, hashed password | Controller |
| Project configuration | project settings, prompts, personality, tool/endpoint definitions | Processor |
| Knowledge base | documents you upload and their derived chunks/embeddings | Processor |
| Conversations | messages/threads sent through /ask, token counts, model used | Processor |
| Usage metadata | request counts, token/cost metrics, timestamps | Controller (aggregate) / Processor |
| Encrypted secrets | your LLM provider API keys (BYOK), webhook secrets | Processor (stored encrypted) |
| Diagnostics | error reports (PII-redacted before transmission) | Controller |
We do not intend to process special-category or regulated data; see the AUP. Do not submit such data.
3. How we use it
- To provide the Service: authenticate you, run your agents, retrieve knowledge, execute tools, and store conversations/usage.
- To secure and operate the Service: monitoring, error diagnosis, abuse prevention.
- To communicate with you (transactional email, e.g. password reset).
- We do not sell personal data and do not use your Customer Content to train any models.
4. BYOK and your model provider
When you use EgoZ, your prompts and relevant context are transmitted to the LLM provider you configure, using your API key, to generate responses. That provider processes the data under your agreement with them. EgoZ stores your provider key encrypted at rest (AES-256-GCM) and uses it only to execute your requests.
5. Subprocessors
We use the third parties listed at Subprocessors to host and operate the Service (hosting/database, object storage, error monitoring, email). Each is bound by appropriate data-processing terms.
6. International transfers & hosting
The Service is hosted in the EU (EU-West). Where data is transferred outside your region (e.g. to a subprocessor or your configured model provider), we/you rely on appropriate safeguards (e.g. Standard Contractual Clauses). [Counsel to confirm transfer mechanisms.]
7. Retention
- Account data: retained while your account is active and for [RETENTION PERIOD] thereafter.
- Customer Content: retained until you delete it or your account closes, then deleted within [RETENTION PERIOD].
- Diagnostics/logs: [RETENTION PERIOD]. [Counsel/founder to finalise periods.]
8. Security
Measures include encryption in transit (TLS) and at rest for secrets (AES-256-GCM), access controls, tenant-scoped data isolation, and PII redaction in error reporting. See the DPA §Security for detail.
9. Your rights
Depending on your jurisdiction (e.g. GDPR), you may have rights to access, correct, delete, export, or restrict processing of your personal data. For account data, contact [DPO CONTACT]. For Customer Content where EgoZ is processor, submit requests through the controller (our customer); we will assist per the DPA.
10. Children
The Service is not directed to children and is not intended for users under [AGE].
11. Changes
We may update this Policy; material changes will be notified [via Console or email]. The "Last updated" date reflects the current version.
12. Contact
[DPO CONTACT] — [CONTACT EMAIL] — [ADDRESS]