Privacy Policy

ZSearch is a desktop application developed by PYKS Pty Ltd (ACN 664 035 438), an Australian proprietary limited company registered at 11 Throsby Court, Endeavour Hills, Victoria 3802, Australia. PYKS Pty Ltd is the data controller for the information described in this policy.

This policy describes how we handle personal information when you download, install, or use ZSearch — whether on macOS or Windows, in BYOK (Bring Your Own Keys) mode or as a Pro subscriber.

ZSearch operates in two modes. The privacy implications are materially different.

2.1 BYOK mode (your keys, your data)

In BYOK mode you supply your own API keys for AI providers (OpenAI, Groq, Anthropic, etc.). Concretely:

• Your documents, embeddings, chat history, and notes are stored locally in the application's PostgreSQL database on your machine.
• Your API keys are stored locally in an HMAC-signed envelope and never transmitted to PYKS Pty Ltd.
• AI calls go directly from your machine to the AI provider you configured. Those providers' privacy policies apply to that traffic.
• We do not receive, log, or retain anything about the documents you index, queries you run, or answers you generate.

2.2 Pro mode (managed AI through our proxy)

When you subscribe to ZSearch Pro, AI calls are routed through our managed proxy service (hosted on Microsoft Azure in Australia East). In this mode:

• Your queries and document context are sent over TLS to our proxy, which forwards them to the relevant AI provider using PYKS Pty Ltd's platform keys.
• The proxy does not retain the content of your prompts or AI responses after a request completes. We retain only short-lived operational metadata (timestamps, license identifier, token counts) for billing, abuse prevention, and capacity planning.
• Documents themselves still live in your local database. Only the relevant chunks needed for a specific query are sent to the proxy.
• The proxy is operated by PYKS Pty Ltd. The underlying AI providers process your content under their own data processing terms (linked in section 6).

3.1 Information you provide

3.2 Information collected automatically

3.3 What we explicitly do NOT collect

• The contents of your documents.
• The text of your queries or AI-generated answers (beyond the in-memory routing window described in section 2.2).
• Your BYOK API keys.
• Behavioural analytics, mouse tracking, session recording, or third-party advertising SDKs inside the desktop app.
• Persistent third-party cookies in the desktop app.

• Service operation — to authenticate you, run your subscription, route AI calls in Pro mode, and deliver updates.
• Billing and fraud prevention — to charge your card via Stripe, prevent abuse of trial credits, and enforce single-device licensing.
• Product improvement — to debug crashes (with consent) and understand which OS / hardware configurations are most common.
• Communications — to send transactional emails (receipts, password resets, license events). We do not send marketing emails without explicit opt-in.
• Legal compliance — to comply with Australian, EU, US, and other applicable laws where you reside.

If you are in the EU, UK, or another jurisdiction with similar laws, our legal bases for processing under the GDPR / UK GDPR are:

• Contract — to provide the ZSearch service you signed up for.
• Legitimate interests — to operate update checks, prevent fraud, and improve security. We have balanced these against your privacy interests.
• Consent — for optional crash diagnostics and any future marketing emails. You can withdraw consent at any time.
• Legal obligation — to retain billing records under tax law and to respond to lawful government requests.

We do not sell personal information. We do not share personal information with data brokers, advertising networks, or social media platforms for advertising purposes.

• Your machine — documents, embeddings, conversation history, license file, BYOK API keys. We have no copy of any of these.
• Microsoft Azure, Australia East — account profile, subscription state, license records, proxy operational metadata.
• Stripe — payment and invoice data, processed in the United States with EU Standard Contractual Clauses where applicable.
• AI providers — primarily United States and EU regions. See each provider's data residency statement.

When personal data is transferred outside Australia or the EU, we rely on Standard Contractual Clauses, adequacy decisions, or comparable safeguards, depending on the recipient and jurisdiction.

Depending on where you live, you may have the following rights:

• Access — get a copy of the personal information we hold about you.
• Correction — fix inaccurate or outdated information.
• Deletion — ask us to delete your account and associated personal information (subject to legal retention obligations like tax law).
• Portability — receive a machine-readable export of the data you provided.
• Restriction or objection — limit how we process certain data, including objecting to processing based on legitimate interests.
• Withdrawal of consent — withdraw consent you previously gave without affecting the lawfulness of prior processing.
• Lodging a complaint — with your local data protection authority. In Australia, that is the Office of the Australian Information Commissioner (oaic.gov.au).

To exercise any of these rights, email admin.services@zsearch.ai. We will respond within 30 days, or sooner where required by law.

• All network traffic to and from ZSearch services uses TLS 1.2 or higher.
• Account passwords are hashed with industry-standard algorithms; we never store them in plaintext.
• License files on your machine are signed with HMAC-SHA256 to detect tampering.
• BYOK API keys on your machine are stored in a signed envelope under the operating system's standard application data directory, accessible only to your user account.
• Production secrets are managed in Azure Key Vault with role-based access. We do not store production secrets in source code.
• We rate-limit per license to prevent abuse and protect availability for legitimate users.

No security measure is perfect. If you become aware of a vulnerability, please report it to admin.services@zsearch.ai.

ZSearch is not directed at children under the age of 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us so we can delete it.

The ZSearch desktop application does not set third-party cookies. The marketing website at zsearch.ai may use first-party cookies strictly necessary for login and a minimal set of analytics cookies that can be declined via a cookie banner.

We may update this policy as the product changes. Material changes will be announced inside the application and, where reasonable, by email to subscribers. The “Effective date” at the top of this document reflects the most recent version.