
Privacy Policy

Version 2.0 — Updated June 4, 2026

Platform controller: Zihin AI Inc., 651 N Broad St, Suite 206, Middletown, DE 19709, USA.

1. Overview and Roles under LGPD/GDPR

Zihin acts in two distinct roles when processing personal data:


1.1. As Controller. For personal data of tenant administrators and operators (name, e-mail, password hash, billing, platform usage telemetry), Zihin is the Controller and determines the purposes and means of processing.


1.2. As Processor. For personal data that the Customer (tenant) processes through the platform — including message content, the Customer's end-customer data, data accessed via database connections, trigger and MCP payloads, and other data under the Customer's control and direction — Zihin acts as Processor. The Customer is the Controller of such data and is responsible for the legal basis and purpose of processing. Zihin's obligations in this capacity are detailed in the DPA attached to the Terms of Use.

2. What We Collect (as Controller)

2.1. Registration and account data:


  • Administrator's full name
  • Corporate e-mail
  • Password hash
  • Billing information (via Stripe; we do not store card data directly)
  • Tenant identification

2.2. Technical and usage data:


  • IP address, browser, user agent
  • Platform usage telemetry
  • API call logs
  • Token consumption and cost metrics
  • Response times and provider selection
  • Error and diagnostic events

2.3. Content submitted for AI processing:


  • Prompts and instructions
  • Attached files
  • Conversation history
  • Model-generated outputs
  • Data returned from configured connections and MCPs

For the items in section 2.3, processing occurs in the capacity of Processor, under the Customer's direction.

3. How We Use Your Data

Zihin uses data to:


  • Provide the platform and its features
  • Route requests to AI providers selected by the Customer
  • Improve model selection and performance
  • Prevent fraud, abuse, and security threats
  • Monitor performance and stability
  • Process payments and manage subscriptions
  • Communicate about the account, updates, and support
  • Comply with legal and tax obligations

Zihin does not sell personal data under any circumstances.

4. Sharing with AI Providers

When the Customer makes a request via the platform, the following is forwarded to the LLM provider selected by the Customer:


  • Prompt and input content
  • System instructions (when configured)
  • Conversation history (when applicable)

The following is not shared with providers:


  • Administrator's e-mail or personal identification
  • The Customer's API key
  • Billing information
  • Usage history of other tenant requests
  • Data from other tenants

Each request is processed in isolation. Providers receive only the content strictly necessary to generate the response.

5. Legal Basis for Processing

Zihin processes personal data based on:


  • Contract performance: to provide the contracted services
  • Legitimate interest: to improve the service, prevent fraud, and ensure security
  • Legal obligation: to comply with tax, accounting, regulatory, and judicial requirements
  • Consent: for optional communications and analytics, where required

The Customer may withdraw consent for optional processing at any time, upon request.

6. Sharing with Sub-processors and Third Parties

Zihin shares data, strictly to the extent necessary, with:


  • AI providers: OpenAI, Anthropic, Google, and others, as selected by the Customer for request processing
  • Payment processor: Stripe
  • Infrastructure and hosting: Vercel, Supabase, or equivalent providers
  • Analytics and monitoring: internal and/or third-party tools, on an aggregated and anonymized basis whenever possible
  • Aionz Integração Serviços e Tecnologia Ltda: when the Customer contracts professional services in Brazil (item 3.2 of the Terms)
  • Accredited integration partners: when the Customer contracts professional services via channel (item 3.3 of the Terms)
  • Legal authorities: when required by law, court order, or to protect the rights of Zihin or third parties

Data processing agreements are maintained with key suppliers. Zihin never shares personal data for advertising purposes.

7. International Transfers

Data may be processed in:


  • United States (Zihin AI Inc. headquarters and primary infrastructure)
  • European Union (selected providers and regions)
  • Brazil (operations via Aionz)
  • Other geographies, depending on LLM providers and infrastructure

Zihin observes GDPR and LGPD requirements for international transfers, including standard contractual clauses (SCC) and equivalent mechanisms where applicable.

8. Data Retention


  • API request logs: 30 days (configurable for enterprise)
  • Error logs: 90 days
  • Usage analytics (aggregated): 12 months
  • Billing records: 7 years (legal requirement)
  • Account data: until deletion + 30-day grace period
  • Webhook events: 90 days

After the retention periods, data is permanently deleted or anonymized.

9. Cookies

The use of cookies is governed by our Cookie Policy, which forms part of this Privacy Policy.

10. Data Subject Rights

Under LGPD, GDPR, and analogous regulations, data subjects have the right to:


  • Access: receive a copy of the personal data processed
  • Correction: update inaccurate or outdated data
  • Deletion: request erasure ("right to be forgotten")
  • Portability: receive data in a structured, interoperable format
  • Restriction: limit types of processing
  • Objection: object to certain processing
  • Information: know with whom data is shared

Requests must be sent to contact@zihin.ai. Zihin responds within 30 days and may request identity verification. For data where Zihin acts as Processor, data subject requests should be directed primarily to the Customer (Controller), with Zihin's technical support where applicable.

11. Security

Zihin adopts reasonable technical and organizational measures to protect personal data, including:


  • Encryption in transit (TLS) and at rest for sensitive data
  • Password hashing
  • Multi-tenant segregation
  • Role-based access control
  • Audit logs
  • Continuous monitoring

No system is completely immune to risk. In the event of a security incident involving personal data, Zihin will notify affected Customers in accordance with applicable legal requirements and the DPA procedures.

12. Minors

Zihin is not intended for individuals under 18 years of age. The platform must not be used to process minors' data without a specific legal basis and adequate supervision by the Customer.

13. Data Protection Contact

  • E-mail: contact@zihin.ai
  • Data Protection Officer / DPO: contact@zihin.ai
  • Address: Zihin AI Inc., 651 N Broad St, Suite 206, Middletown, DE 19709, USA
  • Representative in Brazil (LGPD): Aionz Integração Serviços e Tecnologia Ltda, CNPJ 52.400.922/0001-90, Anápolis/GO, via e-mail contact@zihin.ai

14. Updates to this Policy

Zihin may update this Policy periodically. Material changes will be communicated at least 14 days in advance via e-mail or dashboard notification.