Legal
Privacy Policy
Effective date: May 31, 2026. Last updated: June 2, 2026.
1. Introduction and Scope
Black Diamond Labs Inc.(“Black Diamond Labs,” “we,” “our,” or “us”) owns and operates z-gateway, a hosted runtime governance platform for AI agents available at z-gateway.com.
This Privacy Policy applies to the z-gateway website, dashboard, product, contact pages, legal pages, and related services. For Customer Data processed through customer-configured agents, integrations, and connected systems, the customer is generally the controller or business, and Black Diamond Labs acts as a processor or service provider where applicable.
2. Information We Collect
Depending on how you use the Service, we may collect account information, authentication identifiers, organization and workspace information, invited user and member information, billing customer metadata, support or contact form messages, workspace and agent configuration, connector metadata, GitHub installation and repository metadata, database connection metadata, runtime logs, audit logs, IP address, device and browser data, server logs, cookies, and session data.
Billing information is processed by Stripe. We do not receive full payment card numbers or bank account details from Stripe.
3. Agent Runtime Data
Depending on your configuration and the action routed through the Service, runtime logs may include workspace ID, agent ID, session ID, tool name, action name, resource identifiers, policy decision, reason code, risk or approval state, timestamps, latency, status, target resource metadata, sanitized parameters, parameter hashes, request metadata, response metadata, execution summaries, connector result metadata, and related audit context.
Tool call parameters may contain customer-controlled data or end-user data depending on how you configure agents and connected systems. For database connector actions, z-gateway may process query text, query previews, schema metadata, explain-plan metadata, execution metadata, hashes, and query results returned to the requesting runtime depending on the action.
Runtime and audit logs are designed to retain sanitized metadata rather than full raw result sets, but customers should not submit sensitive data to routed actions unless they are authorized to do so and the action is appropriate for their use case.
4. Information from Third Parties
We receive information from service providers and connected platforms used to operate z-gateway:
- Clerk: authentication identifiers, profile details, organization/session metadata, and sign-in state.
- Stripe: customer identifiers, subscription status, invoice/payment metadata, and billing portal state.
- GitHub: GitHub App installation metadata, account metadata, repository access metadata, and API responses for customer-directed GitHub actions.
- Vercel: hosting, deployment, performance, analytics, and request infrastructure data.
- Neon: managed PostgreSQL database infrastructure for Service data.
- PostHog: product analytics data if the PostHog API key is configured.
- Sentry: error monitoring, crash reporting, debugging, application diagnostics, and performance/reliability monitoring data.
See our Subprocessors page for a current provider summary.
5. How We Use Information
We use information to:
- Provide, operate, secure, monitor, and troubleshoot the Service.
- Monitor application errors, diagnose bugs, debug failures, improve performance, detect reliability issues, and maintain Service security and stability.
- Authenticate users and agents and manage accounts, organizations, workspaces, invitations, members, and credentials.
- Process billing, subscriptions, plan limits, renewals, cancellations, and payment support.
- Evaluate routed tool calls, enforce policies where configured, generate runtime logs, and maintain audit trails.
- Provide support, respond to contact messages, detect abuse, investigate security issues, and enforce our Terms.
- Improve product reliability, usability, performance, and feature quality.
- Comply with legal obligations and protect rights, safety, and security.
We do not sell personal information, and we do not use personal information for cross-site behavioral advertising.
6. Error Monitoring and Application Diagnostics
We use Sentry, provided by Functional Software, Inc. d/b/a Sentry, to help us monitor application errors, diagnose bugs, improve performance, detect reliability issues, and maintain the security and stability of z-gateway. Depending on the issue and configuration, Sentry may process diagnostic information such as error messages, stack traces, request metadata, request URLs and query strings, browser and device information, runtime information, IP address where enabled or configured, pages or routes associated with an error, console breadcrumbs, and user or account identifiers where necessary to troubleshoot the issue.
We do not intentionally send passwords, authentication secrets, payment card numbers, API keys, uploaded user files, raw database contents, or other sensitive customer data to Sentry, and we use reasonable controls to limit and redact sensitive data from diagnostic events.
7. Data Retention
We retain account, organization, workspace, connector, and agent configuration while accounts or workspaces are active and for a reasonable period afterward as needed for operations, security, legal obligations, backups, and dispute resolution. Billing records are retained as required for tax, accounting, fraud-prevention, and legal purposes.
Runtime logs are retained based on plan limits and configuration where applicable. The current Free plan includes 7-day runtime log retention. Security and audit logs may be retained for a longer period when needed to investigate incidents, detect abuse, enforce policies, or comply with legal requirements. Deleted data may remain in backups for a limited period before rotation.
8. How We Share Information
We share information only as needed for the following purposes:
- Service providers and subprocessors: Vercel for hosting, delivery, analytics, and speed insights; Neon for managed PostgreSQL database hosting; Clerk for authentication; Stripe for billing and payment processing; GitHub for customer-connected GitHub actions; PostHog for product analytics if configured; and Sentry for error monitoring, debugging, application diagnostics, and reliability monitoring.
- Customer-connected integrations: When you connect GitHub or database providers, z-gateway processes metadata and runtime information needed to provide the Service under your instructions.
- Legal, security, and compliance: We may disclose information to comply with law, respond to valid legal process, prevent abuse, investigate security issues, or protect rights and safety.
- Business transfers: Information may be transferred in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections.
We do not share personal information with third parties for their own marketing or advertising purposes.
9. Data Security
We use technical and organizational safeguards designed to protect the Service, including access controls, encrypted transport where supported, secret handling controls, workspace scoping, server-side authorization checks, hashed agent secrets, short-lived agent JWTs, encrypted database connection strings, logging, and provider-managed infrastructure safeguards.
The Service is designed to prevent cross-workspace data access through workspace scoping, access controls, and server-side authorization checks. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, export, restrict, object to, or opt out of certain processing of personal information. These rights may include GDPR/EEA/UK rights and CCPA/CPRA rights. To submit a request, contact privacy@z-gateway.com. We may need to verify your request and may retain information where required or permitted by law.
Many workspace settings are available in the dashboard. Other exports, deletions, and privacy requests are handled by request and may be limited by active retention windows, security needs, legal holds, backup rotation, and billing or compliance requirements.
11. Cookies and Tracking
We use cookies and similar technologies necessary for authentication, session management, security, preferences, and Service operation. Clerk sets authentication/session cookies. Vercel Analytics and Speed Insights may collect performance and usage data. PostHog may collect product analytics data if configured. We do not use advertising cookies or cross-site behavioral advertising.
12. Children's Privacy
z-gateway is a business product and is not directed to children under 16. We do not knowingly collect personal information from children under 16. Contact privacy@z-gateway.com if you believe a child provided personal information to the Service.
13. International Data Transfers
Personal information may be processed in the United States and other regions where we or our service providers operate. Where required, we use appropriate transfer mechanisms or safeguards for international transfers.
14. Third-Party Integrations
Customers control what GitHub accounts, repositories, databases, credentials, schemas, users, roles, and other systems they connect to z-gateway. z-gateway may process metadata and runtime information necessary to provide the Service for connected integrations. Connected third-party services have their own terms and privacy policies.
z-gateway only governs activity routed through the Service or supported connectors. Activity that bypasses z-gateway may not be visible to or governed by z-gateway.
For database connectors, customers control the database provider, database contents, credentials, permissions, and environments. Use least-privilege database credentials and avoid routing sensitive data through agent workflows unless you have evaluated the risks and legal requirements.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the date above for non-material changes. For material changes, we will provide reasonable notice by email, dashboard notice, or other appropriate means before the changes take effect, unless faster changes are needed for legal, security, or operational reasons.