Privacy Policy

Last updated: February 2026

This Privacy Policy explains how Zelkir ("we", "us", "our") collects, uses, and protects information when you use our service — including the Zelkir admin dashboard, backend API, and Chrome browser extension.

1. What data we collect

Account data: When you register, we collect your email address, full name, and organisation name. We store a hashed version of your password (bcrypt).

Event metadata: The Chrome extension sends metadata about AI tool usage events to our servers. This includes: AI tool domain, data category (e.g. "PII_EMAIL"), risk level, action taken, employee email, timestamp, and page URL. Raw prompt text is never transmitted. All content classification happens locally in the browser.

Billing data: Payment is handled by Stripe. We store your Stripe customer ID and subscription status. We never store card numbers.

Usage analytics: We may use PostHog to collect anonymised product analytics (page views, feature usage). No personally identifiable information is included in these events.

2. How we use your data

• To provide the Zelkir service and generate compliance reports
• To send transactional emails (welcome, password reset, email verification)
• To send alert notifications (Slack, email) when high-risk events are detected
• To calculate risk scores and compliance metrics for your organisation's dashboard
• To improve the product based on anonymised usage patterns

3. Data sharing

We do not sell your data. We share data only with the following third-party services necessary to operate Zelkir:

• Stripe — payment processing
• AWS S3 — compliance PDF storage
• Resend — transactional email delivery
• Sentry — error monitoring (no personal data in error payloads)
• PostHog — anonymised product analytics

4. Data retention

Event data is retained for 12 months. Compliance reports are retained for 90 days in S3 then deleted. Account data is retained until you delete your account.

5. Your rights (GDPR)

If you are located in the EU/EEA, you have the right to access, correct, export, or delete your personal data. Email us at privacy@zelkir.com to exercise these rights.

6. Chrome Extension — permissions

The Zelkir extension requests these Chrome permissions:

• storage — to store your API key and cached policies locally
• tabs — to read the current tab title for event metadata
• webNavigation — to detect navigation to supported AI tool domains
• alarms — to schedule policy refresh and event batch flush every 30 seconds
• Host permissions — to inject content scripts that intercept form input for local classification. The extension only requests access to the following specific AI tool domains, and no others:
  • chat.openai.com (ChatGPT)
  • claude.ai (Anthropic Claude)
  • gemini.google.com (Google Gemini)
  • copilot.microsoft.com (Microsoft Copilot)
  • github.com (GitHub Copilot)
  • perplexity.ai (Perplexity)
  • notion.so (Notion AI)
  • grammarly.com (Grammarly)
  • huggingface.co (HuggingChat)

The extension does not request access to all websites, your browsing history, or any other sensitive permissions.

7. Security

All data is transmitted over HTTPS/TLS. Passwords are hashed with bcrypt. API keys are stored hashed. JWTs are short-lived (60 minutes). We apply rate limiting and security headers on all API endpoints.

8. Contact

Questions about this policy: privacy@zelkir.com