Legal

Privacy Policy

Zero-8 Solutions LLC · Effective June 29, 2026

1. Introduction

Zero-8 Solutions LLC (“we,” “our,” or “us”) operates Zero-8 OS, an AI-powered business operating system accessible at os.zero-8.io. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform, including when you connect third-party accounts such as Google Workspace or Microsoft 365 / Outlook.

By using Zero-8 OS, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and organization details necessary to provision your account and provide the service.

2.2 Third-Party Integration Data

Zero-8 OS allows you to connect third-party email and calendar accounts, including Google Workspace (Gmail + Google Calendar) and Microsoft 365 (Outlook + Microsoft Calendar). When you authorize a connection, we access the following data solely to provide the features of the platform:

  • Email (Gmail or Outlook): Message metadata (sender, subject, date) and message content for the purpose of generating your daily Morning and Afternoon Briefs, surfacing urgent communications, and drafting follow-up replies. When — and only when — you explicitly approve a draft, we send that email on your behalf from your connected Gmail account; nothing is ever sent automatically or without your action. We do not store full raw message bodies beyond the processing window required to generate your brief.
  • Calendar (Google Calendar or Microsoft Calendar): Event titles, times, attendees, locations, and descriptions for the purpose of populating your briefs and providing scheduling context, and — when you ask the assistant to schedule something — creating or updating events in your connected calendar on your behalf. Event data is processed and displayed within the platform and is not retained beyond your active session except as needed to deliver the service.
  • Business Management Platforms (PushPress, etc.): If you connect a business management platform, we may access customer/member data including names, email addresses, phone numbers, check-in records, attendance history, membership status, enrollment details, class schedules, and billing information. This data is accessed solely to provide operational intelligence features such as member health scoring, attendance trend analysis, retention alerts, and outreach draft generation. We process this data on your behalf as a data processor — you remain the data controller. We do not independently contact your customers or members.
  • Other Providers: As we expand integrations to include additional email, calendar, CRM, or productivity providers, this policy will govern all such connections. The same access principles apply: we access only what is necessary to deliver the service features you have enabled.

2.3 Usage Data

We collect information about how you interact with the platform, including pages visited, features used, and actions taken. This data is used to improve the platform and troubleshoot issues.

2.4 Device and Technical Data

We may collect your IP address, browser type, operating system, and other technical identifiers to maintain platform security and performance.

2.5 Push Notification Subscriptions

If you enable push notifications, your browser generates a push subscription endpoint (a URL issued by your browser's push service — Apple, Google, or Mozilla, depending on your device) along with encryption keys. We store these so we can deliver notifications to your device. You can revoke a push subscription at any time from the Notifications settings page or your browser's site settings.

2.6 Meeting Recordings and Notes

If you connect a meeting-notes or transcription service (such as Granola), we receive the meeting records you sync to the Platform — including meeting titles, dates, attendee names and email addresses, AI-generated summaries, and transcripts. We process this content solely to generate meeting digests (recaps, action items, opportunities, and follow-up drafts) within your organization's isolated storage. You are responsible for obtaining any consent required to record a meeting from its participants — see our Terms of Service.

2.7 Voice Interactions

If you use the optional voice assistant, your spoken requests are processed in real time by our voice provider (ElevenLabs) together with your business-profile context so the assistant can understand and respond to you. Voice interactions are used only to operate the feature and are not used to train any AI model.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To deliver the core features of Zero-8 OS, including the Morning Brief, Lead Pipeline, and AI Agents
  • To process and display data from your connected third-party accounts within the platform
  • To generate AI-powered summaries, drafts, and recommendations based on your connected data
  • To maintain platform security, detect fraud, and enforce our Terms of Service
  • To communicate with you about your account, support requests, and platform updates
  • To improve the platform through aggregated, anonymized usage analysis

3.1 AI Model Training — Your Data Is Not Used

We use Anthropic's Claude API to generate summaries, drafts, and other AI outputs. Under Anthropic's Commercial Terms of Service, data submitted through the Claude API is not used to train Anthropic's models. We do not use your data to train any first-party or third-party AI model, and we do not authorize any of our sub-processors to do so on our behalf.

4. Google API Data — Limited Use Disclosure

Zero-8 OS's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We access Google account data only to provide and improve the features of Zero-8 OS that you have explicitly enabled.
  • We do not use Google data to serve advertisements.
  • We do not allow humans to read your Google data unless you explicitly request support assistance, it is necessary for security purposes, or we are required to do so by law.
  • We do not transfer Google data to third parties except as necessary to provide the service, and only with your authorization.
  • We do not use Google data for any purpose not disclosed in this Privacy Policy.

You may revoke Zero-8 OS's access to your Google account at any time through your Google Account permissions page (myaccount.google.com/permissions) or through the Integrations settings page within Zero-8 OS.

4.1. Microsoft Graph Data — Use and Revocation

Zero-8 OS's use of data received from Microsoft Graph APIs (including Microsoft 365 / Outlook email and Microsoft Calendar) is governed by Microsoft's API Terms of Use and the same limited-use principles stated above for Google. Specifically:

  • We access your Microsoft account data only to provide and improve the features of Zero-8 OS that you have explicitly enabled.
  • We do not use Microsoft data to serve advertisements.
  • We do not allow humans to read your Microsoft data unless you explicitly request support assistance, it is necessary for security purposes, or we are required to do so by law.
  • We do not transfer Microsoft data to third parties except as necessary to provide the service, and only with your authorization.
  • We do not use Microsoft data for any purpose not disclosed in this Privacy Policy.

You may revoke Zero-8 OS's access to your Microsoft account at any time through Microsoft's My Account page (myaccount.microsoft.com/consent) or through the Integrations settings page within Zero-8 OS.

5. Data Storage and Security

Your data is stored on Supabase-managed infrastructure with row-level security policies that ensure strict organizational data isolation. No user's data is accessible to any other organization. We implement industry-standard security measures including encrypted data storage, secure HTTPS transmission, and OAuth tokens encrypted at rest using AES-256-GCM with a server-held key.

5.1 Breach Notification

In the event of a security breach that affects the confidentiality or integrity of your personal data, we will notify you by email within 72 hours of confirming the breach, to the extent consistent with applicable law. The notification will describe what data was affected, what we are doing in response, and what steps you can take to protect yourself.

6. Data Retention

We retain your account information for as long as your account is active. If you cancel your subscription, we retain your data for 30 days to allow for account recovery, after which it is permanently deleted. You may request immediate deletion of your data by contacting us at the address below.

Third-party integration tokens are deleted immediately upon disconnection of the integration or termination of your account.

6.1 What We Retain from Your Email and Calendar

We do not retain full raw email message bodies from Gmail or Outlook. However, to deliver the platform's features, we do persist the following derived data within your organization's isolated storage:

  • Brief summaries: AI-generated summaries of your recent email and calendar activity, produced for each Morning and Afternoon Brief. These may paraphrase or quote message content and are retained for 30 days.
  • AI-generated email drafts: Both the pre-approval draft and the final (edited) version you approved. Retained for 90 days for audit, debugging, and so you can reference what you sent.
  • Lead and contact records: Metadata you explicitly save about leads, including name, email, company, stage, notes, and activity history. Retained for the life of your account.

You may request earlier deletion of any of the above at any time by contacting support.

6.2 What We Retain from Business Management Platforms

When you connect a business management platform (such as PushPress), we access your customer/member data to generate operational intelligence. We handle this data as follows:

  • Transient processing: Member check-in data, attendance records, and class schedules are pulled on-demand for brief generation and health scoring. We do not maintain a persistent copy of your full member database.
  • Derived insights: AI-generated member health scores, retention alerts, and attendance summaries may be stored as part of your brief history (retained for 30 days) and pipeline contact records (retained for the life of your account).
  • Outreach drafts: AI-generated retention messages and follow-ups drafted from member data require your explicit approval before sending. Draft content is retained for 90 days.
  • API credentials: Your Business Platform API key is encrypted at rest using AES-256-GCM and is deleted immediately upon disconnection of the integration.

Disconnecting your Business Platform integration immediately stops all data access. You may request deletion of any derived data at any time.

6.3 What We Retain from Meeting Notes

Meeting records synced from a connected transcription service, and the digests we derive from them, are retained within your organization's isolated storage for the life of your account so you can reference them. You may delete any meeting record, or request deletion of all of them, at any time.

7. Data Sharing and Sub-processors

We do not sell your personal information. We do not share your data with third parties except:

  • The sub-processors listed below, who process data on our behalf to deliver the service
  • As required by applicable law, court order, or governmental authority
  • To protect the rights, property, or safety of Zero-8 Solutions LLC, our users, or the public

7.1 Sub-processors

We use the following sub-processors to deliver the Platform. Each has its own privacy and security commitments, and each has access only to the data necessary for its role.

  • Supabase Inc. (US) — primary application database, authentication, and file storage. Holds your account, business profile, leads, and derived data described in Section 6.1.
  • Vercel Inc. (US) — application hosting and serverless infrastructure. Processes requests and may temporarily cache non-sensitive data.
  • Anthropic PBC (US) — Claude API for AI inference. Receives email content, calendar events, and business-profile context strictly to generate summaries and drafts; per Anthropic's Commercial Terms, this data is not used to train models.
  • Resend Inc. (US) — transactional email delivery (sign-in magic links, welcome emails, receipts). Receives your email address and the contents of the outgoing message.
  • Stripe, Inc. (US) — payment processing. Receives payment-card data directly from your browser via Stripe Checkout; we do not see or store full card numbers.
  • Google LLC (US) — source of the Gmail and Google Calendar data that Google Workspace users authorize us to read, and the destination for emails approved for sending from a connected Gmail account.
  • Microsoft Corporation (US) — source of the Outlook email and Microsoft Calendar data that Microsoft 365 users authorize us to read, and the destination for emails approved for sending from a connected Outlook account.
  • PushPress Inc. (US) — business management platform for fitness businesses. When connected, provides member data, check-in records, class schedules, enrollment status, and messaging capabilities. Data is accessed via API on behalf of the account holder only.
  • Granola (US) — meeting notes and transcription. When connected, provides the meeting titles, attendees, summaries, and transcripts you sync, accessed via API on behalf of the account holder only.
  • ElevenLabs, Inc. (US) — voice assistant provider. When you use the voice feature, receives your spoken input and business-profile context to power real-time conversation; not used to train models.

We will update this list at least 30 days before adding a new sub-processor that has access to customer data. Existing customers may object to a new sub-processor by contacting support before the effective date.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request a machine-readable export of your data
  • Revocation: Revoke access to any connected third-party account at any time

To exercise any of these rights, contact us at support@zero-8.io.

9. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). We do not sell personal information as defined under the CCPA. For a full description of your California privacy rights or to submit a request, contact us at the address below.

10. Children's Privacy

Zero-8 OS is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice within the platform at least 14 days before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact

For questions, concerns, or requests related to this Privacy Policy, contact us at:

Zero-8 Solutions LLC
Redding, California
support@zero-8.io