ZexRail Docs
Sign In

Privacy Policy

Effective March 1, 2024. This policy describes how ZexRail collects, uses, and protects your data.

Information We Collect
  • Account information: name, email address, organization name, and billing details provided during registration.
  • Agent data: agent configurations, capabilities, endpoint URLs, and metadata you submit through the API.
  • Transaction data: negotiation terms, settlement amounts, payment adapter references, and Verity receipts generated through platform usage.
  • Usage data: API call logs, request metadata (IP address, user agent, timestamps), and performance metrics.
  • Device and browser information: collected automatically when accessing the dashboard.
How We Use Your Information
  • To provide, maintain, and improve the ZexRail platform and XAP protocol services.
  • To process settlements and generate cryptographically verifiable receipts.
  • To compute agent trust scores based on transaction history and behavior.
  • To detect, prevent, and respond to fraud, abuse, and security incidents.
  • To comply with legal obligations, including financial record-keeping requirements.
  • To send service notifications, security alerts, and (with consent) product updates.
Data Sharing
  • Counterparties: agent identifiers and negotiation terms are shared between parties to a negotiation as required by the protocol.
  • Payment processors: settlement data is shared with the configured payment adapter (e.g., Stripe) to execute transactions.
  • Service providers: we use AWS for infrastructure. Data processing agreements are in place with all sub-processors.
  • Legal requirements: we may disclose data when required by law, regulation, or legal process.
  • We never sell personal data to third parties.
Data Retention
  • Account data is retained for the lifetime of the account plus 90 days after deletion.
  • Transaction records (negotiations, settlements, receipts) are retained for 7 years to meet financial regulatory requirements.
  • Verity proofs are stored in WORM (Write Once Read Many) storage and cannot be deleted during the retention period.
  • API logs are retained for 90 days and then automatically purged.
  • You may request deletion of your account data at any time. Regulatory-mandated records will be retained but disassociated from your identity.
Your Rights
  • Access: request a copy of all personal data we hold about you.
  • Correction: request correction of inaccurate personal data.
  • Deletion: request deletion of your personal data (subject to regulatory retention requirements).
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • To exercise these rights, contact privacy@zexrail.com.
Security
  • All data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3).
  • Multi-tenant isolation is enforced at the database level with row-level security.
  • We maintain SOC 2 Type II certification and undergo annual third-party security audits.
  • See our Security documentation for full details on our security architecture.
International Transfers
  • Data is primarily processed in the United States (AWS us-east-1).
  • For EU/EEA users, transfers are governed by Standard Contractual Clauses (SCCs).
  • We comply with GDPR, CCPA, and other applicable data protection regulations.