ZyptAI Managed Service - Privacy Policy

Last Updated: April 3, 2025

1. Introduction

ZyptAI ("Publisher", "We", "Us", "Our") is committed to protecting your privacy. This Privacy Policy explains how we handle information in connection with your use of the ZyptAI Managed Service ("Services") deployed via the Azure Marketplace. The Services include components like our Web Chat interface, Microsoft Word Add-in, and backend Azure infrastructure deployed within your Azure environment.

2. Scope

This policy applies to the information processed in relation to the Services deployed as an Azure Managed Application into Your ("Customer", "You", "Your") Azure subscription. It details ZyptAI's role as a Data Processor and manager of the deployed Azure resources.

3. Information We Process

We process different categories of information:

  • Customer Data: This is Your data, processed and stored by the Services within the Azure resources deployed in Your Azure subscription's Managed Resource Group (MRG). This includes:
    • Content of documents indexed from Your SharePoint or other connected sources (stored within Azure AI Search indexes or Azure Storage in the MRG).
    • Prompts entered by Your users into the Web Chat or Word Add-in.
    • Conversation history stored within services like Azure Cosmos DB within the MRG (if applicable).
    • Images uploaded for analysis (stored in Azure Blob Storage within the MRG).
    • Content generated by the AI based on Your prompts and Customer Data.
  • Our Access: As the service manager via Azure Lighthouse, ZyptAI's permissions primarily grant access to manage the Azure resources themselves (e.g., infrastructure configuration, updates, monitoring). Our standard operational procedures and technical access controls prevent ZyptAI personnel from directly accessing or viewing the content of Your Customer Data stored within the data services (databases, storage accounts, search indexes) inside the MRG. We do not query your search index, browse your storage accounts, or access your database content as part of normal operations. Access to data content would only occur in exceptional, limited circumstances, such as when necessary for technical support explicitly requested or approved by You, and would be logged and handled under confidentiality. You remain the Data Controller for all Your Customer Data.
  • Usage Data (Telemetry): We collect technical and operational data about how the Services perform and are used. This is collected via Azure Application Insights and potentially other logging mechanisms within the Managed Resource Group. This may include:
    • Performance metrics (response times, resource utilization within the MRG).
    • Feature usage statistics (e.g., frequency of RAG queries, image analysis requests).
    • Error logs and diagnostics information (which might incidentally include metadata about requests, but generally not the full content of Customer Data unless necessary for debugging with Your consent).
    • Configuration settings of the managed resources.
    • Information about the Azure environment hosting the Services (e.g., region, VM size).
    This Usage Data helps us maintain, secure, and improve the Services. It is typically aggregated or anonymized where possible and is handled according to this policy.
  • Azure Marketplace Transaction Data: When you purchase the Services through the Azure Marketplace, Microsoft processes transaction details. ZyptAI may receive necessary information from Microsoft for billing reconciliation, license validation, and reporting as required by Marketplace Publisher agreements.
  • Support Information: If you contact ZyptAI for support, we will collect information you provide, such as contact details and the description of the issue, to assist you.

4. How We Use Information

  • To Provide and Manage the Services: We use Customer Data solely as instructed by Your use of the Services (e.g., processing a prompt to generate a response, indexing a document). We use Usage Data and Azure resource access to deploy, maintain, update, secure, and monitor the health of the Azure resources within the MRG.
  • To Improve the Services: We analyze Usage Data to understand performance, identify potential issues, optimize resource usage, and inform future enhancements.
  • For Billing and Reporting: We use Marketplace Transaction Data and potentially some Usage Data for billing reconciliation with Microsoft and internal reporting.
  • For Support: We use Support Information to address Your technical issues.
  • To Comply with Legal Obligations: We may process information if required by law or legal process.

5. Data Sharing

Customer Data: We do not share the content of Your Customer Data with third parties, except:

  • As inherent in the use of underlying Azure Services (e.g., data flowing through Azure OpenAI or Azure AI Search within Your MRG is subject to Microsoft's terms).
  • If required by law or valid legal process.

Usage Data: We may share aggregated or anonymized Usage Data with Microsoft as required for Marketplace reporting. We do not sell Your Usage Data.

Subprocessors: If ZyptAI uses third-party subprocessors for its own operational needs related to managing the service (e.g., a support ticketing system), these would be listed in a separate Subprocessor list or DPA. The core Azure services running within Your MRG are governed by Your agreement with Microsoft.

6. Data Security

We implement appropriate technical and organizational measures designed to protect the Usage Data we collect and to manage the security of the Azure resources within the MRG via our Lighthouse access. The security of Your Customer Data within those Azure resources relies heavily on the inherent security of the Azure platform and Your own security practices for Your Azure subscription and Azure AD tenant.

7. Data Retention

Customer Data: You, as the Data Controller, determine the retention policies for Customer Data stored within the Azure services (Cosmos DB, Storage Accounts) in Your MRG by configuring those Azure services directly. ZyptAI does not define the primary retention period for Your data. Upon service cancellation via Marketplace, the MRG and its resources (including data) may be deprovisioned according to Azure policies.

Usage Data: We retain Usage Data for as long as necessary for the purposes outlined in this policy, including service improvement, analysis, and compliance with legal obligations.

8. Your Data Rights

Since Your Customer Data resides within Your Azure subscription, requests regarding access, correction, or deletion of that data should typically be directed to Your own organization's IT administrators who manage Your Azure environment and data governance policies. ZyptAI will cooperate with reasonable requests from You (as the Customer organization) related to data processed by the Services, as outlined in the DPA (if applicable).

9. International Data Transfers

The Services are deployed into the Azure region(s) You select for the Managed Resource Group. Customer Data primarily resides in those regions, subject to Microsoft Azure's data processing and residency policies. Usage Data collected by ZyptAI may be processed in regions where ZyptAI or its service providers operate, primarily the United States.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify You of significant changes where required by law. The "Last Updated" date at the top indicates the latest revision.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us at:
Email: tim.barrow@zyptai.com
Website: https://www.zyptai.com