Privacy Policy

Black-Diamond, Inc. (“Z-Gateway,” “we,” “our,” or “us”) operates the Z-Gateway platform, a hosted runtime authorization layer for AI agents available at z-gateway.com (the “Service”). This Privacy Policy describes how we collect, use, disclose, and safeguard personal information about individuals who visit our website, create accounts, and use the Service on behalf of their organizations (“customers”).

This policy applies to personal information collected directly by Z-Gateway in connection with the Service. It does not govern data that customers collect, generate, or process using their own AI agents running through the Service. When customers configure agents that call third-party tools — such as GitHub, Jira, or Stripe — through the z-gateway runtime, the customer is the data controller for the underlying tool call payloads, and the third-party services’ own privacy policies apply to information handled by those services. Customers are independently responsible for ensuring that their agents and workflows comply with applicable privacy and data protection laws.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to the practices described herein, please do not use the Service.

2.1 Information Customers Provide Directly

When you register for an account, configure a workspace, or otherwise interact with the Service, we collect information you provide directly. This includes: your name and email address used for account registration; organization name and billing address; workspace configuration settings, including agent definitions (names, descriptions, mode settings), policy rules, and credential metadata (names, descriptions, and associated scopes — never raw secret values); team member email addresses included in workspace invitations; support inquiries and communications you send us; and any feedback, survey responses, or other information you choose to share with us. Billing information is collected and processed by Stripe on our behalf — we never receive or store full payment card numbers or bank account details.

2.2 Information Collected Automatically

When you access the Service, our servers and third-party service providers automatically collect certain technical and usage information. This includes: IP addresses and approximate geographic location derived from IP; browser type, version, and operating system; device identifiers; pages viewed, features accessed, and clickstream data within the dashboard; session start and end times; referring URLs; and error logs and performance diagnostics. This information is collected through standard web server logs, Clerk authentication session data, and similar technical mechanisms. We use this information to operate, secure, and improve the Service and do not use it for advertising or cross-site behavioral tracking.

2.3 Agent Runtime Data

A core function of the Service is intercepting tool calls made by AI agents and logging the policy decision for each call. For every tool invocation processed through the z-gateway runtime, we record: the workspace identifier; the agent identifier; the tool name and action requested; the policy decision (allowed, blocked, or escalated) and the applicable reason code; the timestamp of the event; and the runtime session identifier. Tool call parameters — the inputs passed by the agent to a particular tool — may be included in the log record and may contain customer-controlled data, including content originating from end-users of the customer’s own products. We treat parameter content with care: it is isolated by workspace, not used for any purpose other than providing the audit and monitoring features of the Service, and retained only for the periods described in Section 4. Customers should not transmit unencrypted regulated data (such as health records subject to HIPAA or financial account numbers) through agent tool call parameters unless they have evaluated applicable legal requirements.

2.4 Information from Third Parties

We receive limited information from the following third-party services that we integrate with to provide the Service:

• Clerk (authentication): When you sign in using Clerk, we receive basic profile information such as your email address, name, and a unique user identifier from Clerk. Clerk manages password storage, multi-factor authentication, and session management on our behalf.
• Stripe (billing): After a payment is processed, Stripe provides us with a tokenized customer identifier, subscription status, and billing history sufficient to manage your subscription. We do not receive raw card data.
• GitHub (integration metadata): When a customer installs our GitHub App, GitHub provides us with the installation identifier, the account or organization that owns the installation, and the list of repositories to which access was granted. We use this metadata solely to fulfill tool call requests that the customer’s agents direct at GitHub.

We use the information described in Section 2 for the following purposes:

• Providing and operating the Service: Processing account registrations, authenticating users and agents, enforcing customer-defined policies against incoming tool call requests, generating audit logs, routing approved tool calls to connected integrations, and delivering the dashboard and API.
• Improving and developing the Service: Analyzing aggregated, de-identified usage patterns to identify performance bottlenecks, prioritize new features, improve policy evaluation logic, and debug platform issues.
• Billing and subscriptions: Processing payments through Stripe, managing subscription entitlements (plan tier, log retention period, seat counts), and sending billing-related communications such as invoices and renewal reminders.
• Security, fraud prevention, and abuse detection: Monitoring for unauthorized access, detecting patterns indicative of credential compromise or API abuse, revoking tokens when anomalous behavior is detected, and protecting the integrity of the multi-tenant environment.
• Customer support and communications: Responding to support requests, sending product announcements, communicating planned maintenance windows, and notifying customers of changes to these policies.
• Legal and compliance: Retaining records as required by applicable law, responding to lawful requests from government authorities, and enforcing our Terms of Service.

We do not sell personal information to third parties, and we do not use personal information to build advertising profiles or engage in interest-based advertising.

We retain different categories of data for different periods depending on operational necessity, customer subscription tier, and legal obligations:

• Tool call logs:Retained according to the customer’s active subscription plan. Customers on the free tier have their tool call logs retained for a rolling three-day window. Paid tiers provide longer retention periods as specified in the pricing documentation at the time of subscription. Logs outside the retention window are purged on a scheduled basis.
• Account and workspace data: Retained for the life of the customer’s account and for thirty (30) days following account deletion, after which it is permanently purged from production systems. Backups may retain data for up to an additional ninety (90) days consistent with standard backup rotation schedules.
• Audit events: System-level audit events — including credential issuance, token revocation, workspace configuration changes, and member permission changes — are retained for a minimum of ninety (90) days regardless of subscription tier, as these records are necessary for security incident investigation.
• Legal holds: If we are required by applicable law, regulation, or a valid legal process to retain data beyond the standard periods described above, we will do so and will notify the affected customer to the extent permitted by law.

We do not share personal information with third parties except in the following circumstances:

• Service providers (subprocessors): We engage the following categories of service providers who process personal information on our behalf under data processing agreements that restrict their use of the data: Clerk, Inc. (identity and authentication); Stripe, Inc. (payment processing); Neon, Inc. (managed PostgreSQL database hosting, US-based); and Vercel, Inc. (application hosting and edge delivery). These providers are authorized to use personal information only to the extent necessary to perform services for us.
• GitHub:When a customer connects their GitHub App installation, we transmit the minimum information necessary to fulfill the specific tool call requested by the customer’s agent — for example, the parameters of a particular repository API call. We do not share data beyond what is needed to complete the requested operation, and we do not persist GitHub installation access tokens after the tool call is resolved.
• Business transfers: If Black-Diamond, Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, personal information may be transferred as part of that transaction. We will notify affected customers via email and an in-dashboard notice at least thirty (30) days prior to any such transfer becoming effective, and the acquiring entity will be required to honor the commitments made in this Privacy Policy.
• Legal compliance: We may disclose personal information if we believe in good faith that disclosure is required to comply with a legal obligation, respond to a valid subpoena or court order, protect the rights or safety of Z-Gateway, our customers, or the public, or detect, prevent, or address fraud, security incidents, or technical problems. Where legally permitted, we will attempt to notify the affected customer prior to disclosure.

We do not share, sell, rent, or trade personal information with any third party for that party’s own marketing or commercial purposes. We maintain strict workspace isolation: no customer’s data is ever accessible to, shared with, or visible to any other customer.

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between clients (browsers, agent runtimes) and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Customer data stored in our Neon PostgreSQL database is encrypted at rest by the database provider using AES-256.
• Credential hashing: When customers create agent credentials (API secrets), the raw secret value is displayed exactly once at creation and is never stored in plaintext. We store only a salted cryptographic hash of the secret, which is used for verification purposes. There is no mechanism to retrieve the original secret after creation.
• GitHub App private key handling: Our GitHub App private key, used to mint short-lived installation access tokens on behalf of customers, is stored exclusively as a server-side environment variable and is never written to the database or included in any log output.
• Short-lived agent JWTs: Bearer tokens issued to agents for runtime authentication are short-lived JSON Web Tokens signed with a per-workspace secret. These tokens are not stored by us after issuance; validity is verified by cryptographic signature at each request.
• Workspace data isolation: All database queries are scoped to the authenticated customer’s workspace identifier at the application level. Cross-workspace data access is not possible through the API or dashboard.

Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and by using the Service you acknowledge that security incidents remain a possibility. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

Depending on your location, you may have certain rights with respect to personal information we hold about you. To exercise any of the rights described below, please contact us at privacy@z-gateway.com. We will respond to verified requests within thirty (30) days.

General Rights

• Access and correction: You may request a copy of personal information we hold about you and ask us to correct inaccurate information. Much of your account data is directly editable within the dashboard.
• Workspace data export: Customers may request an export of workspace data including tool call logs within the active retention window. We will provide this in a machine-readable format (JSON) within thirty (30) days.
• Account and data deletion: You may delete your account through the dashboard settings or by contacting us. Deletion removes workspace data subject to any applicable legal holds and our standard backup rotation schedule.
• Marketing communications opt-out: You may opt out of marketing emails at any time by clicking the unsubscribe link in any such email or by emailing us. You cannot opt out of transactional communications (billing notices, security alerts, policy update notices) while your account is active.

Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation provides you with the following additional rights: the right of access to your personal data; the right to rectification of inaccurate data; the right to erasure (“right to be forgotten”) where no overriding legitimate purpose applies; the right to restriction of processing; the right to data portability in a structured, commonly used, machine-readable format; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing are: performance of a contract (operating the Service), legitimate interests (security, fraud prevention, product improvement), legal obligation (compliance with law), and consent where applicable.

Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with the right to know what personal information we collect, use, disclose, and sell; the right to delete personal information we hold about you; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your privacy rights. As stated in this policy, we do not sell personal information. To submit a verifiable consumer request, contact us at privacy@z-gateway.com.

We use a limited set of cookies strictly necessary to operate the Service. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies that profile your activity across websites.

• Authentication cookies: Clerk sets session cookies when you sign in to maintain your authenticated session. These are essential to Service operation and cannot be disabled while you are logged in.
• Functional cookies: We may set first-party cookies to remember your dashboard preferences, such as table sort order or collapsed sidebar state.

You may configure your browser to refuse all cookies or to alert you when cookies are being set. If you disable cookies, authentication will not function and you will not be able to access the authenticated portions of the Service. Because we do not use advertising or tracking cookies, there is no opt-out mechanism specific to such cookies.

The Service is a business-to-business platform intended solely for use by organizations and their authorized personnel. It is not directed at individuals under the age of 16, and we do not knowingly collect personal information from children under 16 years of age. Access to the Service requires account registration with a business email address and agreement to our Terms of Service, which require legal capacity to enter a binding contract.

If we become aware that we have inadvertently collected personal information from a person under the age of 16, we will promptly delete such information from our systems. If you believe a minor has provided us with personal information, please contact us at privacy@z-gateway.com.

Black-Diamond, Inc. is based in the United States. Customer data, including tool call logs and workspace configuration, is stored and processed on infrastructure located in the United States: our primary database is hosted by Neon, Inc. on US-based cloud infrastructure, and the Service is deployed on Vercel’s US-based edge and compute infrastructure.

If you are located in the European Union, the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction. We implement appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms. By using the Service, users located outside the United States consent to the transfer and processing of their personal information in the United States in accordance with this Privacy Policy.

If you require a Data Processing Agreement (DPA) reflecting these safeguards, please contact us at privacy@z-gateway.com.

The Service is designed to sit between AI agents and third-party tools. When you connect integrations (such as GitHub or databases) or use authentication and billing services (Clerk, Stripe), information flows between our Service and those third parties. This section describes those interactions in detail.

GitHub

When you install our GitHub App into a GitHub account or organization, GitHub transfers the installation identifier and repository access list to us. When your agents make tool calls targeting GitHub APIs, we mint a short-lived GitHub installation access token on your behalf, execute the tool call, and immediately discard the token after the call resolves. We do not persist GitHub installation tokens. You remain solely responsible for the repository permissions you grant during installation. GitHub’s privacy policy governs information held by GitHub.

Databases (PostgreSQL / Neon)

When you configure Z-Gateway to govern AI agent access to database tools, the Service intercepts and evaluates tool calls that target your database(s) before execution. We do not store the contents of query results or database rows. We log metadata about the tool call — the tool name, action type (e.g. SELECT, INSERT, UPDATE, DELETE), policy decision, reason code, and timestamp — in accordance with your plan’s log retention period. Your database credentials or connection strings are stored encrypted and are never logged or exposed in audit output. You remain solely responsible for the access permissions you grant to agents operating against your databases, and for ensuring your database usage complies with applicable data protection obligations, including restrictions on processing personal data.

Clerk

Clerk manages authentication sessions, password storage, and multi-factor authentication for the Service. By using the Service, you are also subject to Clerk’s privacy policy. We rely on Clerk as a subprocessor and have a data processing agreement in place with Clerk.

Stripe

Payment processing is handled entirely by Stripe. When you provide payment information, it is transmitted directly to Stripe and governed by Stripe’s privacy policy. We receive only a tokenized reference to your payment method and subscription status. We never store full card numbers, CVV codes, or raw payment credentials on our servers.

In all cases where we execute tool calls on behalf of customers, we act as a data processor under the customer’s instructions. Customers are the data controller for any personal data processed through their configured agent workflows. Customers are responsible for ensuring they have appropriate legal authority to direct AI agents to call the tools they configure, and for ensuring that their use of those tools — including database access, API calls, and third-party service interactions — complies with applicable law, including relevant data protection obligations such as GDPR and CCPA.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. For non-material changes (such as clarifying edits or updates to subprocessor lists), we will update the “Last updated” date at the top of this page.

For material changes — such as changes to the categories of data we collect, how we use data, or the parties with whom we share data — we will provide at least thirty (30) days’ advance notice by email to the address associated with your account and by displaying a prominent notice within the dashboard. Continued use of the Service after the new effective date constitutes your acceptance of the revised Privacy Policy.

Prior versions of this Privacy Policy are available upon written request to privacy@z-gateway.com.

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us at:

We will respond to privacy-related inquiries within thirty (30) days of receipt. For urgent security concerns (such as suspected unauthorized access to your account or data), please use the subject line “SECURITY” to help us prioritize your request.