Privacy Policy
Last updated: 05.06.2026
This privacy policy applies to the use of the website zeptix.io and all subdomains (in particular *.zeptix.io, api.zeptix.io, chat.zeptix.io) and the services provided through them (together “Zeptix” or “Service”).
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations:
Alexander Sadomsky (sole trader, trading as “Zeptix”)
c/o IP-Management #42121
Ludwig-Erhard-Str. 18, 20459 Hamburg, Deutschland
E-Mail: [email protected]
USt-IdNr.: DE454774827
No data protection officer has been appointed on the platform side. The statutory prerequisites (§ 38 BDSG) do not currently apply.
Note: On bot subdomains of *.zeptix.io, the respective bot owner is also a joint controller for conversation content there (Art. 26 GDPR; see Section 12). You will find the owner's mandatory disclosures at <slug>.zeptix.io/imprint-bot.
2. Scope and Roles
Zeptix is a multi-tenant platform. There are three user groups with different processing activities:
- Visitors — any person visiting zeptix.io without registering. Zeptix is the controller.
- Tenant owners (“bot operators”) — person/company creating a paid account, configuring a chatbot and providing it on a subdomain. Zeptix is the controller for the account data.
- End-users (“bot visitors”) — any person interacting with a chatbot operated by a tenant. Zeptix and the respective tenant owner are joint controllers (Art. 26 GDPR, see section 12).
3. Data on Plain Website Visit
3.1 Server log files. On every visit, technical data is transmitted to our servers (location: Germany, Hetzner): IP address, date/time, requested URL, HTTP status code, transferred data volume, referrer URL, user agent.
Purpose: ensuring operation, protection against attacks, error analysis. Legal basis: Art. 6 (1)(f) GDPR. Our legitimate interest is the secure and stable operation of the service; as only technically necessary data is processed briefly, your protected interests do not override it. Storage period: 14 days, then automatic deletion or anonymization (system-level log rotation).
3.2 Cookies and similar technologies. We use technically necessary cookies and storage mechanisms without consent (§ 25 (2) No. 2 TDDDG):
- vl_token (cookie) — JWT auth token (HttpOnly, Secure, SameSite=Lax), 30 days
- zeptix_locale (cookie) — language preference (DE/EN), 30 days
- zeptix_tenant (cookie) — bot subdomain mapping for the chat page, 1 day
- vl_consent (cookie) — stores your cookie consent (statistics/marketing), 180 days
- zx-theme (localStorage) — theme preference (light/dark), persistent until the browser's site data is cleared
Statistics and marketing cookies (Google Analytics 4, Google Ads — see 3.5) are only set after your explicit consent. On your first visit we show a cookie banner whose options “Only necessary”, “Settings” and “Accept all” are presented with equal prominence (no pre-ticked boxes). Until you consent, no statistics/marketing scripts are loaded (Google Consent Mode v2, default “denied”). You can change or withdraw your choice at any time via the “Cookie settings” link in the footer. A complete overview is available at zeptix.io/cookies.
3.3 Cloudflare. For service delivery we use services of Cloudflare, Inc. (San Francisco, USA). When the site is accessed, technically necessary connection data (IP, user agent, referrer) is transmitted to Cloudflare servers. Cloudflare is certified under the EU-US Data Privacy Framework. We use Cloudflare Turnstile as bot protection. Legal basis: Art. 6 (1)(f) GDPR. A DPA including standard contractual clauses is in place with Cloudflare.
3.4 Anonymous traffic measurement (first-party, cookieless). We run our own privacy-friendly traffic measurement to understand how many people visit our marketing pages (zeptix.io, zeptix.de, zeptix.dev), which pages are viewed and via which source/campaign visitors arrive. No cookie and no identifier is stored on your device. Per page view we process, in anonymized form: the requested path, referrer domain, any UTM parameters, coarse device type (mobile/desktop) and the country derived from Cloudflare. A visitor value is computed server-side only, from a daily-rotating random salt plus a shortened IP address and the user agent (SHA-256, truncated), and cannot be traced back to you. Because the measurement is anonymous and stores nothing on your device, no consent is required (German DPA guidance on consent-free reach measurement). Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in operational and reach statistics). Storage location: our servers in Germany; the data is not shared with third parties. The measurement also runs on tenant bot subdomains, likewise only in anonymous form.
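The visitor value described above, as an added illustration of the construction (example code, not Zeptix's own implementation): the page states that a daily-rotating random salt, a shortened IP address and the user agent go into a truncated SHA-256. How far the IP is shortened and how long the truncated digest is are not stated; the example assumes /24 for IPv4, /48 for IPv6 and a 16-hex-character digest, and shows that the value is stable for one visitor within a day, collapses neighbouring addresses, and changes once the salt rotates.

```python
import hashlib
import ipaddress
import secrets

# Assumption (the page only says "shortened IP address"): keep the /24 of an
# IPv4 address and the /48 of an IPv6 address, dropping the host part.
def shorten_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


class DailySalt:
    """One random 32-byte salt per calendar day (keyed by an ISO date string).

    On rotation the previous salt is overwritten, so yesterday's values can no
    longer be recomputed from today's state."""

    def __init__(self) -> None:
        self._day = None
        self._salt = b""

    def get(self, day: str) -> bytes:
        if day != self._day:
            self._day = day
            self._salt = secrets.token_bytes(32)
        return self._salt


def visitor_value(salt: bytes, ip: str, user_agent: str, hex_len: int = 16) -> str:
    """SHA-256(salt || shortened IP || user agent), truncated to hex_len hex chars.

    Fields are separated by NUL bytes so that shifting the boundary between the
    IP and the user-agent string cannot yield the same digest input."""
    h = hashlib.sha256()
    h.update(salt)
    h.update(b"\x00")
    h.update(shorten_ip(ip).encode("utf-8"))
    h.update(b"\x00")
    h.update(user_agent.encode("utf-8"))
    return h.hexdigest()[:hex_len]


def demonstrate() -> dict:
    """Constructed sample visits (documentation IP ranges, made-up user agent)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
    salts = DailySalt()
    day1 = salts.get("2026-06-05")
    day2 = salts.get("2026-06-06")  # rotation: a fresh salt replaces day1's
    v_day1 = visitor_value(day1, "203.0.113.77", ua)
    return {
        "same_visitor_same_day": v_day1 == visitor_value(day1, "203.0.113.77", ua),
        "same_subnet_collapses": v_day1 == visitor_value(day1, "203.0.113.200", ua),
        "other_subnet_differs": v_day1 != visitor_value(day1, "198.51.100.5", ua),
        "next_day_differs": v_day1 != visitor_value(day2, "203.0.113.77", ua),
        "ipv6_shortened": shorten_ip("2001:db8:abcd:1234::1") == "2001:db8:abcd::",
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Within a single day the value is a pseudonym for one visitor (the same input yields the same digest), which is what lets page views be counted per visitor; it becomes unlinkable across days only because the salt is random, never stored alongside the data and discarded at rotation. An operator auditing such a scheme should check exactly that: where the salt lives, that it is not logged, and that the truncated IP is not retained next to the hash.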
3.5 Google Analytics 4 and Google Ads (only with consent). On our marketing pages we use — only after your consent (section 3.2) — Google Analytics 4 (statistics) and Google Ads (marketing/conversion measurement and remarketing). The provider is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland); a transfer to Google LLC (USA) is possible. Processed data includes a shortened IP address (IP anonymization active), device/browser information, online identifiers in cookies (_ga, _ga_*, _gcl_*), pages viewed and interactions and — when you click one of our ads — conversion events (e.g. sign-up, trial, purchase). Purpose: reach and advertising-effectiveness measurement, campaign optimization. Legal basis: Art. 6 (1)(a) GDPR and § 25 (1) TDDDG (consent). Via Google Consent Mode v2, all storage/advertising signals default to “denied” and are only activated after your consent. Transfer to the USA relies on the EU-US Data Privacy Framework adequacy decision (Google LLC is certified) plus the EU standard contractual clauses. You can withdraw consent at any time with future effect via the Cookie settings in the footer; Google also offers a browser add-on to opt out (tools.google.com/dlpage/gaoptout). GA4 retention: by default up to 14 months at event level. More info: policies.google.com/privacy. Google Analytics and Google Ads are not loaded on tenant bot subdomains.
4. Data on Newsletter / Waitlist
For the newsletter sign-up form, we collect: e-mail address, IP address, user agent, timestamps of sign-up and confirmation (double opt-in), confirmation token.
Purpose: sending the announced information, proof of consent. Legal basis: Art. 6 (1)(a) GDPR. Storage period: until withdrawal, then deletion of sign-up data within 30 days; consent proof data 3 years (§ 195 BGB).
Providing your email address is voluntary; without it we cannot send the newsletter. You can withdraw your consent at any time via the unsubscribe link.
E-mail dispatch is performed via IONOS SE (Montabaur, Germany) — servers in Germany, DPA in place.
5. Data on Chatbot Operator Registration
When you create a paid account, we process: e-mail address, display name, password (bcrypt hash, no plaintext), Stripe customer ID, account creation/login timestamps, selected plan and status.
Purpose: contract performance (Art. 6 (1)(b) GDPR), authentication, billing. Storage period: contract duration + statutory retention periods (10 years under § 147 AO for invoice-relevant data, otherwise 30 days after account deletion). If a subscription ends, the related chatbot is deactivated and retained for up to 60 days for export, reactivation or support cases.
Providing this data is required to conclude the contract; without it no account can be created and no bot operated.
6. Data on Chatbot Configuration
Chatbot operators may upload content themselves or enter it via the training AI in the dashboard:
- Knowledge-base documents and training content (PDF or dialog-based input, currently max. 50 MB per file) — text is extracted or adopted, chunked and stored in a pgvector database
- System prompt — defines bot behavior
- Branding (logo, colors, bot name)
Uploaded documents are not shared with third parties except for the specific LLM request (see section 7). Storage location: our servers in Germany. Legal basis: Art. 6 (1)(b) GDPR. Storage period: contract duration; after contract end the bot is deactivated and the knowledge base is retained for up to 60 days for export or reactivation, then deleted unless statutory retention obligations require otherwise.
Chatbot operator responsibility: As the chatbot operator, you are responsible for holding the necessary rights to uploaded content or content entered via the training AI and for not adding personal data of third parties without legal basis.
7. Data on Chatbot Usage (End-User Data)
When an authenticated chatbot operator or end-user interacts with a chatbot hosted on Zeptix, the following data is processed.
Implementation status (as of 05.06.2026): Registered end-users may interact with a tenant chatbot depending on the bot configuration. The respective tenant owner decides on access, end-user plan limits, free credits, upgrades and credit top-ups.
7.1 What is stored. Chat content and conversation ID in our database in Germany. Tenant attribution, timestamps, account identifiers, tenant membership status, plan/credit quotas, usage counters and billing events are processed where required for operation, abuse prevention, support and billing. IP address: 14 days in server logs; accounting and proof-relevant counters: up to 24 months.
Chat storage period (role-based): If you are logged in (tenant owner or registered end-user), your conversation history is retained as long as your account exists — you can delete it yourself at any time, and it is removed when your account is deleted. Chats of anonymous guest users (without an account) are automatically deleted after no more than 90 days, as there is no lasting purpose and no self-management option here.
Source of data (Art. 14 GDPR): We generally receive end-user data directly from chat input. Where a tenant owner submits or assigns data about their end-users within the joint controllership (Section 12, e.g. during end-user management), such data originates from the respective tenant owner.
There is no tracking across multiple tenants for advertising purposes. Optional re-identification or marketing features may only be activated by the tenant owner if a separate legal basis exists.
7.2 Disclosure to LLM providers. So that the chatbot can respond, we transmit the chat message, the system prompt set by the tenant and, where applicable, excerpts from the knowledge base to an LLM provider. With all providers used we have data processing agreements in place under Art. 28 GDPR. Currently in productive use: Cerebras (USA), Google (Ireland; depending on the model possibly other Google Cloud regions), Anthropic (USA) and Groq (USA). New or additional LLM providers are announced in advance via our subprocessor list. The current list, location, data categories and safeguards are available at zeptix.io/subprocessors.
Legal basis: Art. 6 (1)(f) GDPR and — for logged-in tenant owners — Art. 6 (1)(b) GDPR. Transfer to the USA is based on the EU Commission’s standard contractual clauses (Decision 2021/914) plus supplementary technical measures; for providers that are additionally DPF-certified, the EU-US Data Privacy Framework adequacy decision applies in addition (currently Cloudflare, Google). The US providers used for AI inference and moderation (Cerebras, Anthropic, OpenAI) are not DPF-certified; their transfer relies on the standard contractual clauses.
7.3 Notice on data input. End-users should not enter sensitive personal data (health, financial, account, password data) unless the tenant owner explicitly indicates this and has implemented appropriate safeguards.
7.4 Tenant-internal caching and optimization. To control costs and speed up responses, Zeptix may cache previously answered, similar requests within the same tenant and reuse or rephrase them for later answers. The cache is tenant-isolated, is not used across tenants and does not train third-party AI models. Processing of personal content for training purposes is generally not performed without explicit consent.
7.5 Safety moderation. To protect end-users and tenant owners, chat inputs (before LLM call) and chat replies (after LLM call) are automatically checked against the OpenAI Moderation API for harmful content (self-harm, sexual abuse, violence, hate, illicit activities). Text excerpts are transmitted; OpenAI does not use API data for training under their data policy. Flagged events are stored in our German-located database for 6 months (proof to authorities, Art. 6(1)(c)/(f) GDPR). Tenant owners can configure in their dashboard via which channels (Discord webhook, e-mail, in-app) they want to be alerted.
7.6 End-user management by tenant owners. Tenant owners can view registered end-users of their bot in their dashboard and take status actions (active / suspended / banned / deleted). They can also configure end-user plan limits, free credits and credit modes. This management is part of the joint controllership (see Section 12). Status changes and relevant quota changes are logged with timestamp, reason and acting person (audit log, retained for 12 months).
7.7 API access and webhooks (developer features). Tenant owners can optionally set up read-only API access (personal access token) to their own bot's data and create webhooks that deliver bot events (e.g. completed messages) to an HTTPS endpoint they operate. If owners enable webhooks, conversation content of their bot is forwarded to that endpoint; the owner is responsible for processing it there. For security we log the last use of an API token (timestamp, IP) and webhook delivery logs (status, response excerpt). Legal basis: Art. 6 (1)(b) and (f) GDPR.
7.8 Sharing features and launch announcement (voluntary). On publicly enabled chatbots and in the dashboard we offer share buttons for social networks (X, LinkedIn, Facebook, WhatsApp, e-mail). These are implemented as plain links ("Shariff" principle): no third-party scripts, no tracking pixels and no cookies are loaded. Data only flows to the respective network once you actively click a button and open its page; from that point the privacy policy of the respective provider applies. If your browser supports the Web Share API, your device's native system share dialog is used instead — we do not process any additional data in that case either. When a tenant owner makes their bot public for the first time, they can voluntarily (opt-in) choose to announce their launch in our official Discord server (#launches). Only in that case do we transmit the public bot name, a short description and the bot link to Discord (Discord Inc., USA); no transfer occurs without explicit consent. Legal basis: Art. 6 (1)(a) and (f) GDPR (consent or legitimate interest in reach). For the transfer to Discord (USA) we rely on the EU Standard Contractual Clauses.
8. Payments via Stripe
Payments are processed via Stripe Payments Europe, Limited (Dublin, Ireland). From Stripe we only receive the data necessary for contract execution (payment status, Stripe customer ID, last 4 digits of the card). We do not store full credit card numbers or CVCs.
Legal basis: Art. 6 (1)(b) GDPR. Stripe’s privacy policy: stripe.com/privacy.
9. Recipients of Personal Data
Personal data is generally not shared except with:
- Processors (Hetzner for hosting, IONOS for e-mail, Cloudflare for CDN, Stripe for payments, LLM providers see 7.2)
- Joint controllers (tenant owners, see section 12)
- Authorities, where legally obliged to provide information
The full subprocessor list with location and DPA status: zeptix.io/subprocessors.
10. International Data Transfers
Some processors (in particular LLM providers, Cloudflare) are based in the USA. Transfers occur exclusively on the basis of:
- EU-US Data Privacy Framework (where the provider is certified)
- Standard contractual clauses of the EU Commission (Decision 2021/914) incl. supplementary technical measures
- where applicable, explicit consent in individual cases
11. Your Rights as a Data Subject
You have the following rights at any time:
- Access (Art. 15 GDPR) — e-mail with subject “Access”
- Rectification (Art. 16 GDPR) — in the account or by e-mail
- Erasure / right to be forgotten (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — delivery as JSON
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
Contact for exercising rights: [email protected]
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). Competent:
Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7th floor, 20459 Hamburg, Germany
datenschutz-hamburg.de
To protect against misuse, we may request proof of your identity to process your request where there are reasonable doubts (Art. 12 (6) GDPR). We typically process requests within 7 days, at the latest within the statutory period of one month (Art. 12 (3) GDPR).
11a. No Automated Decision-Making (Art. 22 GDPR)
There is no solely automated decision producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR. In particular, we do not create profiles to evaluate individuals.
The chatbot generates AI-assisted answers — this is the contractually agreed service itself, not a decision about you. The automated safety moderation (Section 7.5) filters harmful content only and makes no decision about your person. Decisions to ban or suspend end-users are made by the respective tenant owner (with human involvement), not solely automatically by the platform.
12. Joint Controllership (Art. 26 GDPR)
For the processing of end-user data in chatbots operated by tenant owners on Zeptix, Zeptix and the respective tenant owner are joint controllers within the meaning of Art. 26 GDPR.
Allocation of responsibilities:
- Provision of the technical platform — Zeptix
- Security of the platform (TOMs, backups, patches) — Zeptix
- Selection of knowledge base and system prompt — Tenant
- Information of end-users about the processing — primarily Tenant
- Handling data subject requests for chats — primarily Tenant (Zeptix forwards)
- Legal basis for chat content — Tenant
The full agreement is concluded bindingly between Zeptix and each tenant during account onboarding. End-users may exercise their rights both against Zeptix and against the respective tenant.
12a. EU AI Act (Regulation (EU) 2024/1689)
Zeptix provides a GPAI-based platform on which tenant owners run their own chatbots. Where the EU AI Act applies, the following notes are relevant:
- Art. 50 — transparency: end-users are clearly informed before the first chat that they are interacting with an AI (see AI-disclosure modal and end-user terms).
- Art. 5 — prohibited practices: tenant owners are contractually bound not to use their bots for prohibited AI applications (manipulative techniques, social scoring, real-time biometric identification etc. — see Acceptable Use Policy).
- Art. 6 / Annex III — high-risk: Zeptix is not approved for high-risk applications. Anyone wanting to use a bot for e.g. medical diagnosis, credit scoring, recruitment, justice or migration must clarify this with us in writing in advance.
- Art. 85 — right to complain: if you believe a Zeptix-hosted bot violates the EU AI Act, you may file a complaint with the competent market surveillance authority and notify us via zeptix.io/legal/incident-reporting.
- Logging & retention: where required (esp. for high-risk configurations), we keep records pursuant to Art. 12/19 AI Act and provide them to authorities on request.
Single point of contact for AI Act queries and formal authority requests is the e-mail address listed in our imprint: [email protected].
12b. Report an incident (DSA Art. 16)
For reporting problematic content or bot behaviour, a central notice-and-action channel exists at zeptix.io/legal/incident-reporting. You will also find the required information for a valid notice and the responsible mailboxes for privacy, abuse and law enforcement.
13. Storage Periods at a Glance
- Server logs (IP, user agent) — 14 days
- Newsletter sign-up data — until withdrawal, then 3 years proof
- Tenant account data — contract duration + 30 days
- Accounting-relevant data — 10 years (§ 147 AO)
- Chats of logged-in users — until account deletion (deletable by you at any time)
- Chats of anonymous guest users — no more than 90 days, then deletion
- Safety-moderation events (flagged content excerpts, max. 500 chars) — 6 months
- Audit log / end-user status change logs (incl. IP, suspension, ban) — 12 months
- Knowledge-base documents — contract duration + 30 days
- Backups (encrypted DB dumps) — rolling 14 days; after deletion, data may therefore persist in backup copies for up to 14 days
- Cookies: vl_token — 30 days; zeptix_locale — 30 days; zeptix_tenant — 1 day; vl_consent (cookie consent) — 180 days
- Anonymous first-party traffic measurement (cookieless, pseudonymous daily hash) — up to 24 months aggregated
- Google Analytics 4 (only with consent) — event data by default up to 14 months; Google Ads conversion cookies up to 90 days
14. Security of Processing
We take technical and organizational measures pursuant to Art. 32 GDPR:
- TLS encryption (HTTPS) for all connections
- Encryption of sensitive fields at rest; passwords are stored only as bcrypt hashes (a one-way hash, never plaintext)
- Restricted access to production systems via passphrase-protected SSH keys
- Regular system updates (at least monthly)
- Automated backups, tested recovery
- Logging and monitoring of security-relevant events
- Separation of test and production environment
Full TOM documentation can be provided on request.
Data breaches. In the event of a personal data breach, we report it where required to the competent supervisory authority within 72 hours (Art. 33 GDPR) and inform affected individuals without undue delay where there is a high risk (Art. 34 GDPR).
14a. Data Protection Impact Assessment (Art. 35 GDPR)
In our assessment, the current processing (AI-assisted chat without profiling, without automated individual decisions, without systematic processing of special categories of data) does not reach the threshold of a likely high risk that would mandate a data protection impact assessment. We review this continuously and will carry out a DPIA as soon as risk-increasing features are added (e.g. profiling, large-scale processing of sensitive data, or automated decisions with significant effects).
15. Changes to this Privacy Policy
This privacy policy is updated in case of material changes. Logged-in tenant owners are informed by e-mail before such changes take effect. The current version is always available at zeptix.io/privacy.
Current version: 05.06.2026