Privacy Policy
Last updated: May 8, 2026
This Privacy Policy explains how ZeroQuarry ("ZeroQuarry", "we", "us", or "our") collects, uses, discloses, stores, and protects information when you visit our website, use the ZeroQuarry cloud console, call our APIs, or otherwise interact with our products and services (the "Service").
ZeroQuarry is a security assessment platform. By design, the Service may process sensitive technical material such as source code, binaries, live application responses, vulnerability evidence, credentials used for authorized testing, generated proof-of-concept artifacts, and remediation drafts. Please only submit content that you are authorized to provide to us and to the configured model and integration providers.
1. Scope and Roles
This policy covers our handling of information as a website operator, product provider, account administrator, billing provider, and support contact. For personal information contained in source code, binaries, scan targets, reports, chats, logs, and other content you submit to the Service ("Customer Content"), we generally process that information on behalf of the customer account that submitted it. For account, billing, website, analytics, and marketing information, we generally determine why and how the information is processed.
If you use ZeroQuarry through your employer or another organization, that organization may control your account, workspace, scans, reports, users, integrations, retention choices, and access permissions. Please contact that organization first for questions about its handling of your information.
2. Information You Provide
We collect information you provide directly, including:
- Account information, such as name, email address, avatar, organization or account name, role, theme preference, and authentication provider.
- Login and identity information from email magic links, Google OAuth, GitHub OAuth, invitations, sessions, and account administration actions.
- Billing and plan information, such as account tier, payment status, Stripe customer identifiers, billing events, invoices, usage records, and related metadata.
- Support, sales, and contact information, including information submitted through pricing or contact forms and messages sent to our support, privacy, or legal email addresses.
- API key labels and metadata. We store API key hashes and display prefixes, not the plaintext API key after creation.
- Integration settings, such as Slack webhook configuration, Jira and ServiceNow instance details, GitHub App settings, Git credentials, account LLM provider keys, and other connection details you choose to save.
3. Customer Content and Security Scan Data
Depending on the scan mode and features you use, we may process:
- Uploaded source files, archives, binaries, compiled artifacts, and related metadata.
- Git repository URLs, cloned repository contents, commit identifiers, repository metadata, and saved private-repository credentials.
- Remote scan targets, URLs, HTTP requests and responses, headers, cookies, form-login fields, basic-auth credentials, required bug-bounty headers, target metadata, and scan notes.
- Extracted, decompiled, or transformed outputs produced during binary or source analysis.
- Findings, non-issues, severity scores, CVSS vectors, vulnerability descriptions, evidence, proof-of-concept artifacts, disclosure drafts, patch drafts, deployment packages, and report exports.
- Finding chats, report chats, scan logs, audit log events, model choices, token usage, cost usage, and worker status events.
- Share-link data, including recipient email addresses, optional messages, shared finding identifiers, expiry dates, revocation status, token hashes, and password hashes.
- Disclosure tracking information, such as vendor contacts, report URLs, acknowledgement dates, fix dates, bounty amounts, credit text, public advisory links, notes, and timeline events.
Customer Content may incidentally include personal information, secrets, credentials, confidential business information, regulated data, or information about third parties. You are responsible for ensuring you have the necessary rights, permissions, notices, and authorizations before submitting it to the Service.
4. Information Collected Automatically
We collect technical and usage information automatically when you use the website, console, and APIs, including IP address, user agent, browser and device information, referring pages, pages viewed, timestamps, session activity, API request metadata, error details, scan lifecycle events, and feature usage.
The cloud console uses cookies and similar technologies for authentication, session management, CSRF protection, theme preferences, product analytics, and security. The marketing website uses Google Analytics. The console may use PostHog product analytics when enabled. Analytics tools may set their own cookies or device identifiers and receive pageview, event, device, and usage information.
5. How We Use Information
We use information to:
- Provide, operate, secure, monitor, debug, and improve the Service.
- Create and administer accounts, sessions, users, invitations, roles, projects, tiers, billing, and API access.
- Run authorized security scans and generate findings, reports, PoCs, disclosure drafts, patch proposals, remediation artifacts, and related outputs.
- Route Customer Content and prompts to the model provider selected for the relevant scan stage or account setting.
- Clone repositories, run remote probes, process uploads, store scan artifacts, and maintain auditability of scan activity.
- Send transactional emails, magic links, scan-completion notifications, share-link emails, service notices, support replies, and security alerts.
- Operate integrations you configure, such as GitHub pull requests, Slack notifications, Jira tickets, ServiceNow records, and CRM or analytics workflows.
- Calculate usage, enforce quotas, invoice accounts, prevent abuse, investigate security incidents, and enforce our Terms of Use.
- Understand product adoption, reliability, conversion, and usage patterns.
- Comply with legal obligations and respond to lawful requests.
6. AI and LLM Providers
ZeroQuarry uses large language models and related tooling to analyze Customer Content, reason about vulnerabilities, generate summaries, draft artifacts, review findings, and produce remediation suggestions. Customer Content, prompts, tool results, logs, and generated outputs may be sent to the configured model provider as needed to provide the Service.
If you use ZeroQuarry-managed inference, we send relevant content to the model provider configured by ZeroQuarry for that scan or stage. If you bring your own LLM API key, relevant content is sent to that provider using your configured key and may be governed by your account, settings, and agreement with that provider. We do not use Customer Content to train third-party foundation models.
AI-generated output may be inaccurate or incomplete. You are responsible for reviewing, validating, and testing findings, PoCs, disclosure drafts, and patch proposals before relying on or sharing them.
7. Credentials and Secrets
The Service may process credentials or secrets you provide for private repository access, remote authenticated probing, Slack webhooks, Jira, ServiceNow, GitHub App operation, LLM providers, and other integrations. Saved integration credentials are stored in encrypted or hashed form where appropriate. Session tokens, API keys, magic-link tokens, and share tokens are designed so plaintext secrets are not stored after issuance or are stored only as needed to provide the feature.
Remote scan authentication values are attached to probes as configured and may be visible to the LLM agent when required for analysis or authenticated testing. Use least-privilege credentials, scoped test accounts, staging environments where possible, and short-lived tokens when appropriate. Do not submit secrets or production personal information that are not needed for the scan.
8. Sharing and Disclosures
We disclose information in the following circumstances:
- Service providers. We use vendors that help us host, store, secure, analyze, email, bill, support, and operate the Service.
- Model providers. We send relevant Customer Content and prompts to configured LLM providers as described above.
- Payment processing. We use Stripe for payment, billing, customer portal, and invoice-related workflows.
- Email delivery. We use email providers such as Resend to send transactional messages.
- Analytics and CRM. We may use Google Analytics, PostHog, and HubSpot to understand website and product usage, manage customer relationships, and improve the Service.
- Authentication providers. If you sign in with Google or GitHub, those providers process authentication information under their own policies.
- Configured integrations. When you connect or invoke integrations, we may send relevant information to GitHub, Slack, Jira, ServiceNow, Git hosting providers, or other services you configure.
- Share recipients. If you create a share link, the recipient can access the findings and context included in that share until it expires or is revoked.
- Account users and administrators. Users with access to the same account or project may be able to view Customer Content, reports, findings, integrations, billing, and audit records according to their role.
- Legal, safety, and business transfers. We may disclose information when required by law, to protect rights and safety, to investigate abuse or security incidents, or in connection with a merger, acquisition, financing, reorganization, or sale of assets.
9. No Sale of Customer Content
We do not sell Customer Content. We do not use Customer Content for cross-context behavioral advertising. We do not sell personal information in the ordinary sense of exchanging it for money. Some privacy laws define "sale" or "sharing" broadly enough to include certain analytics or advertising technologies; you can opt out of website analytics through the cookie banner or by contacting us at privacy@zeroquarry.com.
10. Cookies and Analytics Choices
You can control website analytics cookies through the cookie banner and can control other cookies through your browser settings. Blocking necessary cookies may prevent login, session management, security protections, theme preferences, or parts of the Service from working. Browser-level privacy controls, ad blockers, and analytics opt-out tools may also limit Google Analytics or PostHog tracking.
11. Data Security
We use administrative, technical, and organizational safeguards designed to protect information, including account-based access controls, server-side sessions, CSRF protections, secret hashing or encryption where appropriate, tenant scoping, audit logs, and operational monitoring. No system is perfectly secure, and we cannot guarantee that information will never be accessed, disclosed, altered, or destroyed. If you believe your account or Customer Content has been compromised, contact us immediately at privacy@zeroquarry.com.
12. Retention and Deletion
We retain information for as long as needed to provide the Service, maintain security and auditability, comply with legal obligations, resolve disputes, enforce agreements, and support legitimate business purposes.
Scans, uploaded materials, cloned repositories, reports, findings, chats, logs, artifacts, exports, credentials, integrations, shares, and disclosures remain available in the workspace until deleted through the console or API, expired, revoked, or removed as part of account deletion or operational cleanup. Deleting cloned repository material for a scan removes local clone material while preserving findings and report evidence unless you delete the scan or account.
Account owners may schedule account deletion. The product currently uses a 60-day grace period before hard purge, during which the owner can cancel deletion. When the purge runs, account-scoped data is deleted where technically supported, while limited billing, legal, security, backup, and audit records may be retained if necessary or required.
13. International Processing
We and our service providers may process information in countries other than where you live or where your organization is established. These countries may have different privacy and data protection laws. Where required, we rely on appropriate safeguards for cross-border transfers.
14. Your Rights and Choices
Depending on your location and relationship with us, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, or information about how your personal information is processed. You may also have rights to complain to a privacy or data protection authority.
To make a request, contact privacy@zeroquarry.com. We may need to verify your identity and account authority before acting. If your information is controlled by your employer or another ZeroQuarry customer, we may direct your request to that customer.
15. Australia, EEA, UK, and California Notices
If Australian privacy law applies, you may request access to or correction of your personal information and may make a privacy complaint by contacting us. If you are in the EEA or UK, our legal bases may include performance of a contract, legitimate interests, consent, and compliance with legal obligations. If you are in California or another US state with privacy rights, you may have rights to know, access, correct, delete, or opt out of certain processing, subject to applicable exceptions.
16. Children
The Service is intended for business and professional security use and is not directed to children. We do not knowingly collect personal information from children under 16.
17. Third-Party Services
The Service may link to or integrate with third-party services. Their privacy practices are governed by their own policies and agreements. Your use of those services may expose information to them independently of ZeroQuarry.
18. Changes
We may update this Privacy Policy from time to time. If changes are material, we will provide notice through the Service, by email, or by other appropriate means. The "Last updated" date above shows when this policy was last revised.
19. Contact
Questions, requests, or privacy complaints? Contact us at privacy@zeroquarry.com.