Zippytal · Privacy

Privacy policy

Effective May 1, 2026

In one paragraph

We hold what we need to log you in, no more. We don't run analytics, we don't track you across sites, we don't sell anything to anyone. Each Zippytal service stores the data it needs to do its job — meet, chat, projects, drive — scoped to your account id, and you can ask for any of it to be deleted.

Who we are

"Zippytal" refers to the open-source ecosystem at zippytal.com and its subdomains (meet.zippytal.com, chat.zippytal.com, projects.zippytal.com, and others). The data controller is Zippytal, [postal address — TODO]. Reach us at privacy@zippytal.com.

What we collect

Account. A username, a bcrypt hash of your password (we never see the password itself), an optional display name, and — if you choose to set one — a public ECDSA key used as a recovery factor.

Session. A signed cookie named zippytal_session issued at sign-in. It is HTTP-only, secure in production, and scoped to .zippytal.com so the same login works across every Zippytal service.

Per-service data. Each service writes its own rows tied to your account id:

  • Meet — rooms you create, invitees you authorise, optional scheduled-meeting metadata.
  • Chat — messages and threads (encrypted in transit; end-to-end where the client supports it).
  • Drive — files you upload, organised in folders you control.
  • Community — posts and reactions you publish.
  • Projects — projects, tasks, comments, time entries, documents, calendar events. Detailed in the projects.zippytal.com privacy notice.

What we don't collect

  • No behavioural analytics or product telemetry.
  • No third-party trackers, advertising pixels, or social-media tags.
  • No device fingerprinting or IP-based geolocation.
  • No cross-site profiling or data sale to anyone.

We keep short-window server access logs (request line, timestamp, response code) for security and abuse mitigation. They are rotated and deleted automatically.

Cookies

We use exactly one cookie: zippytal_session. It carries a signed JWT identifying your account so subsequent requests don't need you to log in again. There are no third-party cookies on the marketing site.

One identity across the ecosystem

Your Zippytal account works across every service in the ecosystem. That means your username, password hash, and recovery key are stored once in a shared accounts database and queried by each service through the same JWT cookie. Service-specific data (rooms, messages, projects, …) stays in the service's own tables.

Self-hosted nodes

Anyone can operate a Zippytal node — a piece of self-hosted infrastructure that relays calls, chat, files, or community traffic. When traffic flows through a node you operate, that data sits on your hardware. We don't see it. Operators agree to a limited set of obligations spelled out in the terms of use.

Third-party services

  • Google Calendar — optional, on projects.zippytal.com only, when you click "Connect Google" in the calendar tab. We exchange the OAuth code for a refresh token, encrypt it at rest with AES-256-GCM, and use it to push CRM events to your calendar and pull external events for the chosen window. Disconnect any time from the same screen.
  • Payment processors for Zippytal Business and Zippytal Academy — [processor name — TODO]. They receive only what is strictly required to take payment; their privacy policy applies to the handling of that data.
  • Hosting providers — Zippytal runs on [hosting provider — TODO] servers in [region — TODO]. They process data on our behalf as a sub-processor.

Your rights

Whether or not your local law grants them, we extend these rights to every account: access a copy of your data, correct what's wrong, delete what you no longer want, take it elsewhere (portability), restrict or object to specific processing, and lodge a complaint with your data-protection authority. Email us at privacy@zippytal.com and we'll respond within 30 days.

Data retention

We keep account data while your account is active. When you delete your account (or ask us to), we erase it from production within 30 days. Encrypted backups roll over within the same window.

Children

Zippytal isn't directed at users under 13 (or under 16 in the EEA). We don't knowingly collect data from anyone in that age range. Tell us at privacy@zippytal.com if you believe we have, and we'll delete it.

International transfers

Production data is stored in [region — TODO]. If a sub-processor is located outside that region, we rely on standard contractual clauses (or equivalent legal mechanisms) to transfer data lawfully.

Changes to this policy

We'll update the "Effective" date at the top whenever we change anything. For material changes we'll also email account holders with a summary before they take effect.

Contact

privacy@zippytal.com for privacy and data-protection questions. hello@zippytal.com for everything else.

See also the terms of use and the project-specific projects.zippytal.com privacy notice.