This page explains how ZeroTwo handles your data — what’s collected, where it’s stored, how it’s protected, and what rights you have. For full legal details, see the Privacy Policy at zerotwo.ai/privacy.
Data Storage Infrastructure
ZeroTwo stores user data in Supabase, which is hosted on AWS infrastructure. Supabase provides:
- Encryption at rest — all data stored on disk is encrypted using AES-256
- Encryption in transit — all data transferred between your browser and ZeroTwo’s servers uses TLS (HTTPS)
- Access controls — strict row-level security policies govern which users can access which data
Data residency: By default, ZeroTwo’s Supabase infrastructure is US-based. If you have enterprise data residency requirements (e.g., EU-only storage), contact ZeroTwo support to discuss options.
What Data ZeroTwo Stores
| Data Type | Description | Notes |
|---|---|---|
| Account / Profile | Email address, display name, avatar, account preferences | Required to operate your account |
| Conversation history | All chat messages, AI responses, and conversation metadata | Stored per-account; not shared with other users |
| Uploaded files | Files you upload for use in conversations | Stored in Supabase storage; encrypted at rest |
| Memory entries | Personal facts learned from your conversations | Per-account; controllable via Settings |
| Connector OAuth tokens | Access tokens for connected integrations (GitHub, Google Drive, etc.) | Stored encrypted; never in plaintext |
| Settings and preferences | Custom instructions, UI preferences, notification settings | Per-account |
| Shared links | Links you’ve created to share chats or canvases | Revocable at any time |
What ZeroTwo Does Not Store
- Your passwords — ZeroTwo uses Supabase Auth for authentication. Passwords are hashed by the auth layer and never stored in plaintext by ZeroTwo
- A persistent searchable index of your files — files are analyzed at the time they’re referenced in a conversation, but ZeroTwo does not build a long-term index of your file contents
- Third-party credentials — OAuth tokens are stored encrypted; ZeroTwo never stores the raw credentials of your connected services
Model Training
ZeroTwo does not use your data to train AI models.
This applies to:
- Your conversation messages and history
- Files you upload
- Memory entries
- Custom instructions
- Any other personal data
ZeroTwo acts as an interface to AI models from third-party providers (Anthropic, OpenAI, Google, etc.). Those providers have their own data policies. ZeroTwo does not pass your personal account information to model providers beyond what is necessary to process your request.
OAuth Token Security
When you connect third-party services (e.g., GitHub, Google Drive, Notion) to ZeroTwo:
- OAuth access tokens are stored encrypted at rest in Supabase
- Tokens are never transmitted in plaintext — all token handling occurs server-side over encrypted connections
- Tokens are automatically refreshed when they expire, without requiring you to re-authenticate
- When you disconnect a connector, the token is deleted immediately from ZeroTwo’s storage. ZeroTwo no longer has access to that service.
Regulatory Compliance
ZeroTwo supports the key data rights established under GDPR and similar privacy regulations:
| Right | How to Exercise It |
|---|---|
| Right to Access | Settings → Data Controls → Export Data → download JSON of all your data |
| Right to Rectification | Edit your profile and settings directly in ZeroTwo |
| Right to Erasure | Settings → Account → Delete Account → permanently deletes all your data |
| Right to Data Portability | Data Export produces a JSON file with all your data in a portable format |
| Formal Data Requests | Email reed@zerotwo.ai for formal GDPR data requests |
ZeroTwo’s self-service controls (export and deletion) cover the vast majority of data rights requests. For formal legal requests or data processing agreements, contact reed@zerotwo.ai.
Data Export
You can download a complete copy of your ZeroTwo data at any time:
- Go to Settings → Data Controls → Export Data
- Click Export
- ZeroTwo generates a JSON file containing your conversations, memories, and profile data
- Download the file — it’s yours to keep
The export file includes:
- All conversation history
- Memory entries
- Profile information
- Settings and preferences
Data Deletion
Account deletion permanently removes all your data from ZeroTwo:
- Go to Settings → Account → Delete Account
- Follow the deletion confirmation steps
- ZeroTwo cancels any active Stripe subscriptions
- All your data is deleted: conversations, files, memories, settings, profile
- Your auth user record is deleted
- This action is irreversible
Account deletion cannot be undone. Before deleting, export your data and download any important files from /files. Once deleted, your data cannot be recovered.
Business Plan Data Considerations
If you’re using ZeroTwo through a Business plan org:
- Org admins may have visibility into member activity per your organization’s data policy
- Your org’s Owner is responsible for the org’s data governance
- Review your organization’s internal privacy policy to understand what admins can access
- Individual member data (personal chats outside org context) is subject to ZeroTwo’s standard privacy practices
Security Practices
Beyond encryption, ZeroTwo follows security best practices:
- 2FA support — TOTP-based two-factor authentication available for all accounts
- Session management — view and revoke active sessions from Security settings
- Logout all devices — revoke all sessions immediately from Security settings
- AAL enforcement — Authenticator Assurance Level tracking for sensitive operations
- Regular security reviews — ZeroTwo’s infrastructure and code are reviewed for security issues
Contact
For privacy questions, data requests, or security concerns:
Email: reed@zerotwo.ai
Privacy Policy: zerotwo.ai/privacy