Zetadeck
Sign InGet Started

Privacy Policy

Effective Date: June 25, 2026

VaultPoint Systems LLC ("VaultPoint", "we", "us", or "our") provides Zetadeck, a composable, multi-tenant business operations platform available at zetadeck.com (the "Service"). This Privacy Policy explains what information we collect, how we use and share it, the choices you have, and how we protect it.

This policy covers our public website, the per-workspace application, and the AI agent. It does not cover third-party products you connect to the Service, which are governed by their own privacy policies.

1. Controller and Processor Roles

When you create a workspace, the organization that owns that workspace (your employer or the account holder) is the controller of the business data placed into it. VaultPoint acts as a processor that handles that data on the organization's behalf and under its instructions. For our website, marketing, account registration, and billing, VaultPoint is the controller. If you are an individual member of a workspace, please direct data requests about workspace content to your workspace administrator first.

2. Information We Collect

  • Account data. Your name, work email, password (stored only as a salted hash), role, and workspace membership.
  • Workspace content. The operational data you and your team put into the Service, including tasks, client and pipeline records, documents, budgets, vesting data, calendar events, custom settings, and any records created by the modules you enable. You decide what goes in.
  • Vault data. Credentials and secrets stored in the Vault. Server-side Vault items are encrypted with AES-256-GCM. End-to-end encrypted (E2EE) Vault items are encrypted in your browser and we never receive the plaintext or the keys.
  • Connected financial data. If you connect a banking or finance integration (for example Mercury or Plaid), we receive account balances and transaction data from that provider to power finance, budget, and runway features. We do not receive your banking login credentials.
  • AI and agent data. The messages you send the agent, the relevant workspace context assembled to answer them, and the content the agent generates or the actions it proposes. See Section 5.
  • Billing data. Your plan, the seats and premium modules you purchase, AI-action usage, and invoices. Card details are collected and stored by our payment processor (Stripe), not by us.
  • Security and audit data. IP address, browser and device information, login events, active sessions, and an activity and audit log of actions taken in the workspace.
  • Usage and analytics data. Pages viewed, features used, and similar product-analytics events, recorded per workspace to help us understand and improve the Service.
  • Cookies. See Section 8.

3. How We Use Information

  • To provide, operate, secure, and maintain the Service and your workspace.
  • To authenticate you, manage roles and permissions, and isolate each tenant's data.
  • To process payments, manage subscriptions, meter seats and agent credits, and send billing communications.
  • To run the features you enable, including syncing connected bank data and powering the AI agent.
  • To provide support and respond to your requests.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To analyze usage, diagnose problems, and improve and develop features.
  • To comply with legal obligations and enforce our Terms.

Our legal bases for processing (where the GDPR or similar laws apply) are performance of our contract with you, our legitimate interests in operating and securing the Service, your consent where required, and compliance with legal obligations.

4. How We Share Information

We do not sell your personal information. We share it only as described here:

  • Within your workspace. Workspace content is visible to other members of the same workspace according to the roles and permissions your administrators configure.
  • Sub-processors. We use vetted service providers to run the Service. See Section 6 for the current list.
  • Legal and safety. When we believe disclosure is required to comply with law or legal process, to enforce our Terms, or to protect the rights, property, or safety of VaultPoint, our users, or the public.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
  • With your direction. When you connect an integration or instruct us to share data with a third party.

5. Artificial Intelligence and the Agent

The Service includes an AI agent. When you use it, your prompts and a relevant slice of your current workspace context are sent to our AI model provider (Nebius Token Factory) to generate a response. We send only the context needed to answer, never your Vault secret values.

  • The agent can propose changes to your workspace (for example creating a task or document). Write actions require explicit approval by a member before they take effect, and every action is recorded in your audit log.
  • AI output can be inaccurate or incomplete. You are responsible for reviewing it before relying on or approving it.
  • We do not use your workspace content to train our own models. Our AI provider processes the data under its API terms and, per those terms, does not use API content to train its models.

6. Sub-Processors

We rely on the following providers. The list may change as the Service evolves, and we will keep this section current.

  • Supabase - database, authentication, and storage.
  • Cloudflare - application hosting and edge delivery.
  • Stripe - payment processing and subscription billing.
  • Nebius Token Factory - AI model provider that powers the agent.
  • Plunk - transactional email.
  • Mercury and Plaid - banking and financial data, only if you connect them.
  • Discord and Slack - notifications, only if you connect them.

7. Regulated and Sensitive Data

The Service is general-purpose business operations software, not a system of record for regulated data. You are responsible for determining whether your use complies with the laws that apply to you, such as HIPAA, financial, or professional-conduct rules. The Service is not offered as a HIPAA Business Associate arrangement and should not be used to store protected health information unless we have signed a separate written agreement (such as a Business Associate Agreement) with you. Do not place regulated data into the Service until you have confirmed an appropriate agreement is in place.

8. Cookies and Similar Technologies

We use strictly necessary cookies to keep you signed in, remember your active workspace, support the public demo, honor a privacy or preview toggle, and store your theme. We also record product-analytics events to improve the Service. We do not use third-party advertising cookies. You can control cookies through your browser, though blocking necessary cookies may break sign-in.

9. Security

We use administrative, technical, and organizational measures to protect your information. These include encryption in transit (TLS) and at rest, row-level tenant isolation so one workspace cannot read another's data, role-based access control, encrypted Vault storage (with a zero-knowledge option), audit logging, and least-privilege access to production systems. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

10. Data Retention

We retain workspace content for as long as your workspace is active and as needed to provide the Service. When a workspace or account is deleted, we delete or de-identify its content within a commercially reasonable period, except where we must retain certain records to comply with legal, tax, accounting, or security obligations, or as kept in routine backups for a limited time before they expire.

11. Your Rights

Depending on where you live, you may have rights to access, correct, export, delete, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. To exercise these rights, contact us at the address below or use the in-app controls. If your data lives inside a workspace controlled by your organization, we may direct your request to that organization. We will not discriminate against you for exercising your rights.

12. International Transfers

We and our sub-processors may process information in countries other than yours, including the United States. Where required, we rely on appropriate safeguards, such as standard contractual clauses, for these transfers.

13. Demo Mode

We offer a public, read-only demo workspace so you can explore the Service. The demo is shared and visible to anyone. Do not enter real or confidential information into the demo.

14. Children

The Service is not directed to individuals under 18, and we do not knowingly collect their personal information. If you believe a minor has provided us information, contact us and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy. We will post the updated version here and revise the Effective Date, and for material changes we will provide additional notice where required. Continued use of the Service after an update means you accept the revised policy.

16. Contact Us

Questions or requests about this policy or your data can be sent to:

VaultPoint Systems LLC
Email: zetadeck@vaultpoint.systems