Privacy Policy.
We collect the minimum needed to sign you in and bill you: email, optional GitHub profile, Stripe customer ID, and the labels you give your devices. We run no telemetry, no analytics, and no behavioral tracking. The desktop app runs locally — your code and your prompts never pass through our servers. If you pair a phone with Zevyn Remote, that link is end-to-end encrypted: we store push tokens, device public keys, and opaque routing IDs — never your code, terminals, diffs, prompts, or secrets (section 10).
The rest of this page is the long form, organised so you can find what you need quickly. If anything is unclear, email [email protected].
Who we are
This policy describes how Quinn Otto, trading as Zevyn Studio ("Zevyn Studio", "we", "us"), handles personal data in connection with the desktop app and the website at zevyn.dev (the "Service"). The data controller is Quinn Otto, trading as Zevyn Studio, 3145CR Maassluis, the Netherlands.
Questions, requests, or complaints: [email protected].
What we collect
We collect the minimum needed to sign you in and bill you. Nothing more. Specifically:
- Email address — required to sign in (magic link) and to send transactional email (receipts, security notices, account changes). Legal basis: contract.
- GitHub OAuth profile — username and avatar URL, only if you choose to sign in with GitHub. We request public profile scopes; we do not request access to your repositories. Legal basis: contract.
- Stripe customer ID — a short opaque identifier generated when you start a paid subscription. Your card number, expiry, and billing address live at Stripe; we never see them. Legal basis: contract + legitimate interest in fraud prevention.
- Device labels — short strings you type in the app to name your machine (e.g. "Quinn's ThinkPad"). Stored so you can list and revoke active devices. Legal basis: contract.
- Server-side HTTP logs — request method, path, status, IP address, and user-agent. Used for abuse mitigation and debugging. Rotated within 14 days. Legal basis: legitimate interest in service security.
- Zevyn Remote pairing data — if you pair a phone with the app: a push subscription, your phone's public key, opaque routing IDs, and the label you give the device. Detailed in section 10. Legal basis: contract.
What we don't collect
No product telemetry. No analytics. No behavioral tracking. This is a deliberate design choice — we'd rather lose the metrics than mine our users.
- The desktop app does not phone home with usage statistics, feature pings, or crash reports. If you want to share a crash, you send it deliberately.
- We do not run Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, Segment, or any equivalent on the website or in the app.
- No marketing cookies, no third-party pixels, no fingerprinting scripts.
- Your prompts and your code do not pass through our servers. They go directly from the desktop app to the AI model provider you configured, using your own API key.
- Your project files stay on your machine. We never ingest, index, or back them up.
Third parties we share with
We share data with three processors, only for the purposes listed:
- Stripe (Ireland / US) — billing, tax calculation, payment processing. Subject to Stripe's Privacy Policy.
- Resend (US) — sending transactional email (magic links, receipts). Subject to Resend's Privacy Policy.
- GitHub (US) — OAuth, only if you choose GitHub sign-in. Subject to GitHub's Privacy Statement.
Standard Contractual Clauses apply for transfers of personal data outside the EU/EEA. We do not sell your personal data, and we do not share it with advertisers or data brokers — ever.
Where your data lives
Our application database runs on a VPS hosted by Contabo GmbH in France. Backups are encrypted at rest and stored in the same region. Stripe and Resend host the data they process on their own infrastructure, as described in their policies.
How long we keep it
- Account data (email, OAuth profile, device labels): kept while your account is active; deleted within 30 days of account deletion.
- Stripe customer ID and subscription history: kept while your account is active; on deletion, retained at Stripe under Stripe's own retention policy.
- Invoices and billing records: 7 years, as required by tax law in our jurisdiction. We cannot delete these on request.
- HTTP logs: rotated within 14 days.
- Email delivery logs at Resend: subject to Resend's retention policy.
Your rights
Under GDPR and similar laws, you have the right to access, rectify, erase, port, restrict, and object to processing of your personal data. To exercise any of these, email [email protected]. We respond within 30 days. We do not charge for routine requests.
You may also lodge a complaint with your local data protection authority. In the Netherlands, that is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Security
- Session cookies are HTTP-only, Secure, and SameSite=Lax. They cannot be read by JavaScript.
- Database access is restricted to the application process on Quinn's VPS. The database is not exposed to the public internet.
- Refresh tokens on the desktop side live in your operating system's keychain (Windows Credential Manager, macOS Keychain, Linux Secret Service) — not in a plaintext file on disk.
- Subscription claims signed by the server are verified offline by the desktop app using an Ed25519 public key shipped with the binary.
Zevyn Remote (pairing your phone)
Zevyn Remote is an optional feature that pairs your phone with a running copy of Zevyn Studio, so you can watch your agents and approve actions from your pocket. The connection between your phone and your desktop is end-to-end encrypted with keys that only those two devices ever hold. Our relay server forwards encrypted bytes between them and holds no decryption key — it cannot read what it forwards.
We never store your code, terminal output, diffs, prompts, agent input or output, file paths, or secrets on our servers — not for Zevyn Remote, not anywhere. The end-to-end encryption key never touches our servers. Even a full database breach would expose no agent content, only the minimal routing data listed below.
To make pairing and notifications work, Zevyn Remote stores a small amount of new data on our server, scoped to your account:
- Device public key — the public half of your phone's pairing key, so your desktop can recognise it. The matching private key never leaves your phone.
- Opaque routing IDs — random (≥128-bit) identifiers that let the relay connect the right phone to the right desktop. They map to no personal data and carry no content.
- Push subscription — only if you enable notifications: the push endpoint URL your browser issues, plus its Web Push (RFC 8291) transport keys. These are transport keys for delivering a notification; they are not your end-to-end key and cannot decrypt your agents' activity.
- Device label — the short name you give a paired phone (e.g. "Quinn's iPhone"), so you can recognise and remove it.
- A revoke timestamp and your account ID — used only to scope, list, and revoke a device.
Encryption at rest: the push endpoint and its transport keys are both personal data and a capability to send to your device, so they are encrypted at rest with AES-256-GCM — the database stores only ciphertext. Device public keys and routing IDs are non-secret identifiers.
Push notifications are doubly encrypted. The meaningful detail (which agent, what kind of event) is encrypted to your phone's key on your desktop before it leaves the machine; our push-sender then applies the standard Web Push (RFC 8291) encryption on top. Neither our relay, our push-sender, nor the platform push service (Apple, Google, or Mozilla) can read it. The notification your phone shows is deliberately generic ("an agent needs your input"); the real detail is fetched over the encrypted session only when you tap it.
Retention and deletion: we keep this data only while a phone is paired. Unpairing a phone — from the app, or from the "Zevyn Remote" panel on your account page — immediately deletes that device's push subscription and cuts its live connection at the relay. Deleting your account removes all of it. There is no separate retention window: remove the device and the data is gone.
Recipients: two components on our own VPS touch this data — the relay (forwards encrypted bytes, holds no key) and the push-sender (holds the push endpoint and the Web Push VAPID key, never your content). Platform push services (Apple, Google, Mozilla) receive only the doubly-encrypted notification. We add no new third-party processors for this feature.
Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, email [email protected] and we will delete the account.
Changes to this policy
If we make material changes — new processors, new categories of data, new purposes — we will update the date at the top of this page and email registered users at least 30 days before the change takes effect. Trivial changes (typos, clarifications) are posted without notice.
Got a request, or spotted something wrong?
Email [email protected]. The terms of service are at /terms.