Privacy Policy
Last updated: April 19, 2026
1. Who We Are
Zauth, Inc. ("we," "us," or "our") builds security infrastructure for the agentic internet. Our products include Vector (an automated vulnerability scanner), RepoScan (a code trust scoring engine), and the x402 payment protocol for machine-to-machine transactions. This privacy policy applies to all services operated under the zauth brand, including the websites zauthx402.com and zauth.inc, our APIs, and any related tools or extensions.
2. Information We Collect
2.1 Account Information
When you create an account, we collect the information you provide during sign-up. This may include your email address, display name, and wallet address (Ethereum or Solana). If you sign in through a third-party provider such as Google, GitHub, Bitbucket, or X (formerly Twitter), we receive basic profile information from that provider, including your username and email address. We do not receive or store your passwords for third-party accounts.
2.2 Payment and Billing Data
For cryptocurrency deposits, we record the transaction signature, the sending address, the deposit address, the token type (SOL or USDC), and the USD-equivalent value at the time of the transaction. For card payments processed through Stripe, we do not receive or store your full card number. Stripe provides us with a transaction identifier, the payment amount, and confirmation status. All credit balances and transaction history are maintained in our database for billing accuracy and dispute resolution.
2.3 Scan and Usage Data
When you use Vector, we store information about the domains you scan, the scan configuration you select (depth, target scope, custom headers), the findings produced, and the associated costs. RepoScan stores GitHub repository URLs you submit, the resulting analysis, and trust scores. This data is tied to your account and is necessary to deliver the service.
2.4 Technical and Log Data
Our servers automatically collect information about how you interact with our services. This includes your IP address, browser type, operating system, referring URLs, pages visited, and timestamps. We also log API request metadata such as endpoints called, response codes, and rate limit counters. This data is used for security monitoring, abuse prevention, and debugging.
2.5 Cookies and Local Storage
We use session tokens stored in your browser to keep you logged in. We do not use third-party advertising cookies. We may use basic analytics to understand traffic patterns. You can clear cookies and local storage at any time through your browser settings, though doing so will end your active session.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our products and services.
- To process payments, manage credit balances, and handle billing.
- To authenticate your identity and secure your account.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To enforce rate limits and prevent misuse of our scanning infrastructure.
- To communicate with you about your account, transactions, and service updates.
- To comply with legal obligations and respond to lawful requests.
- To generate aggregated, non-identifying statistics about service usage.
We do not sell your personal information. We do not use your data to build advertising profiles. We do not share your scan results, findings, or repository analysis with other users or third parties unless you explicitly choose to make them public.
5. Data Storage and Security
Your data is stored in PostgreSQL databases hosted on managed infrastructure. Sensitive credentials and secrets (API keys, wallet private keys, webhook secrets) are stored as environment variables on our hosting platforms and are never committed to source control or exposed to the client.
We use HTTPS/TLS for all data in transit. Session tokens are validated on every authenticated request. API endpoints are protected by rate limiting and IP-based banning for failed authentication attempts. Internal service communication between our main server and microservices (Vector, RepoScan) is authenticated with internal API keys.
Cryptocurrency deposit addresses are derived from a hierarchical deterministic (HD) wallet using unique derivation paths per user. Deposits are swept to a treasury wallet after confirmation. We do not store your personal wallet private keys.
While we take reasonable measures to protect your information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
6. Data Retention
We retain your account information for as long as your account is active. Scan results, findings, and reports are retained indefinitely unless you request deletion. Credit ledger entries and payment records are retained for accounting and compliance purposes. Server logs and rate limit data are rotated periodically and are not retained beyond what is necessary for security and operational purposes.
If you delete your account, we will remove your personal information from our active systems within a reasonable timeframe. Some data may persist in backups for a limited period. Aggregated, non-identifying data derived from your usage may be retained indefinitely.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your personal information.
- Object to or restrict certain types of processing.
- Request a portable copy of your data.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, contact us at the email address listed below. We will respond to your request within 30 days. If you are located in the European Economic Area and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
When you request deletion of your account, we will remove your personal information from our active databases and cancel any pending scan reservations. Your credit balance will be forfeited unless you withdraw it before requesting deletion. We may retain certain records (such as payment history and ledger entries) where required by law or where we have a legitimate interest in keeping them for fraud prevention or dispute resolution.
If you wish to export your data, we can provide your account information, scan history, credit ledger, and any findings associated with your account in a machine-readable format. Export requests are processed manually and typically fulfilled within 14 days.
8. Children
Our services are not directed at anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
Creating an account on our platform requires you to be at least 18 years old, or the age of majority in your jurisdiction, whichever is higher. We do not offer any services designed for or marketed toward minors. If we learn that we have collected data from someone under 18, we will take steps to delete that information as quickly as possible and terminate the associated account.
Parents or guardians who believe their child may have created an account or submitted personal information through our services should contact us immediately. We will work with you to identify and remove any such data.
9. International Users
Our services are operated from the United States. If you are accessing our services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer.
We process data lawfully, fairly, and in compliance with applicable data protection regulations. For users in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases for processing: performance of a contract (to provide our services), legitimate interests (for security, fraud prevention, and service improvement), and consent (where you have explicitly opted in, such as linking a third-party account).
Data transferred from the EEA to the United States is protected through standard contractual clauses with our infrastructure providers. We evaluate the data protection practices of all third-party services we use and only work with providers who maintain appropriate safeguards for international data transfers.
For users in California, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.
10. Changes to This Policy
We may update this privacy policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. If we make material changes that affect how we handle your personal information, we will notify you through the email address associated with your account or through a notice on our website.
Your continued use of our services after any changes constitutes your acceptance of the updated policy. If you do not agree with the revised terms, you should stop using our services and contact us to request account deletion.
We encourage you to review this policy periodically. For significant changes, such as a new category of data being collected, a change in purpose for processing, or a new third-party data recipient, we will provide at least 30 days of notice before the changes take effect. Minor clarifications or formatting changes may be made without advance notice.
11. Contact
If you have questions about this privacy policy, want to exercise your data rights, or need to report a security concern related to your personal information, email us at [email protected]. You can also reach us on our Discord server where you can open a ticket for faster responses.
We aim to acknowledge all privacy-related requests within 5 business days and to resolve them within 30 days. If your request requires additional time due to complexity or volume, we will let you know and provide an updated timeline.