Effective date: 2026-05-09 · Last updated: 2026-05-09
Source-of-truth: docs/legal/PRIVACY_POLICY.md — this page mirrors that file. Section files live under docs/legal/privacy/.
Quick links: Submit a DSAR · privacy@getzyra.io · legal@getzyra.io
Zyra is a distributed-compute marketplace operated by [NEEDS LEGAL REVIEW: Zyra Legal Entity Name]. Founded by Tal Wayn (Initiator) and built by Hadar Wayn (Builder). Primary infrastructure: Hetzner DE/FI. We act as controller for our account-holders' personal data and as processor for personal data submitted inside B2B Workloads under a DPA. We do not read Workload contents.
Minimised. By persona:
We do not collect: workload contents, PHI, minors' data, biometrics, precise geolocation, or third-party advertising IDs.
consent_records; withdraw any time.Service delivery, capacity matching (using only non-personal Workload requirements + Device telemetry — no Device Owner profile), billing and payouts, fraud and abuse, customer support, legal compliance.
We do not run third-party analytics on the marketing site or in the application today. If we add any, we update §9 and deploy a CMP-backed consent banner before any non-essential cookie fires, with 30 days' email notice.
What we do not do: we do not sell or share PI for advertising; do not enrich from data brokers; do not use Workload contents for AI training, marketing, benchmarking, or feature building; do not profile Device Owners.
We do not sell PI. We do not share PI for cross-context behavioural advertising. Material subprocessor changes get 30 days' notice.
Production data stored in the EU (Hetzner DE/FI). Non-EEA flows (Stripe US fallback, AWS SES cross-region, Cloudflare anycast) covered by EU SCCs (2021/914) + UK IDTA + per-flow Transfer Impact Assessment (Schrems II / EDPB Rec 01/2020). Supplementary measures: TLS 1.3, Hetzner volume + Fernet at-rest encryption, customer-controlled credentials. B2B data residency: per-org pinning to eu/us/apac/me/af/sa; strict mode rejects out-of-region scheduling.
Access, rectification, erasure, restriction, portability, objection, no solely-automated decisions with legal/significant effect (Art. 22 — we don't make any), withdraw consent, complain to a DPA. Submit via the public DSAR form, in-app Settings → Privacy, or privacy@getzyra.io. Acknowledged within 72h, fulfilled within 30 days (extendable to 90 with reasons). Verification by email link (public form) or session (in-app). Authorised agents allowed with written authorisation.
Essential only today. No third-party analytics, advertising, A/B, or behavioural-tracking SDKs anywhere. Cookies set today: zyra_session, zyra_csrf, cf_clearance, __cf_bm, Cloudflare Turnstile on /dsar.html. We honour Global Privacy Control. If we add analytics, we update this section, deploy a CMP-backed banner before any new cookie fires, and email a 30-day notice.
TLS 1.3, HSTS preload, Hetzner volume + Fernet at-rest encryption (credential_vault.py, sso/secret_cipher.py), bcrypt(12), JWT HS256 with token blacklist, MFA on admin, SAML 2.0 SSO, RBAC v2 + permission engine, per-tenant Docker sandbox (read-only root, dropped caps, no priv-esc, network isolation by default), anomaly monitor + security_alerts, external health monitor, rate limiting, Dependabot + Trivy + CI gates. We do not claim a current SOC 2 Type II report, ISO 27001 certification, or HIPAA compliance — honest scorecard at docs/compliance/CURRENT_STATE_2026-05-08.md.
Runbook: docs/runbooks/GDPR_BREACH_NOTIFICATION.md. 72-hour clock from awareness; Art. 33 to lead supervisory authority; Art. 34 to data subjects without undue delay where high risk. S0/S1 events get a public post-mortem within 30 days at getzyra.io/security.
You must be 18+ to create a Zyra account. We do not knowingly collect data of minors. If we learn we hold any, we disable the account, delete within 30 days, and reverse payouts where lawful. Reports to privacy@getzyra.io.
We do not make decisions that fall within Art. 22. The scheduler uses non-personal Workload requirements and non-personal Device telemetry only — no Device Owner profile, no rating, no leaderboard. Suspension and termination are not solely automated; a human authorises. You can request human review of any decision.
Categories collected (last 12 months): identifiers, customer records, commercial info, internet/network activity, country-level geolocation, professional/employment info. No SPI, no inferences, no biometric, no precise geolocation, no children's data. We do not "sell" or "share" PI; we honour Global Privacy Control. Rights: know, delete, correct, opt out of sale/share, limit SPI use (none collected), portability, non-discrimination. Submit via the public form, in-app, or privacy@getzyra.io; authorised agents allowed with written authorisation. No "Shine the Light" disclosures (we don't share for third-party direct marketing).
VA, CO, CT, UT, OR, TX, and other comprehensive state laws — access, correct, delete, portability, opt out of sale / targeted ads / profiling with legal effect, appeal a refusal. 45-day response (extendable once). Same channels as §8. Appeals reviewed by a person other than the original reviewer.
Material changes (new categories, purposes, subprocessors with identifiable access, reduced rights, extended retention, weaker safeguards, new non-essential cookies) get 30 days' notice by email + in-app banner. Non-material changes update "Last updated" only. Master is docs/legal/PRIVACY_POLICY.md; mirrors synchronised; prior versions retained 5 years in git.
DPO: [NEEDS LEGAL REVIEW: DPO appointment]. EU Art. 27 representative: [NEEDS LEGAL REVIEW: address]. UK Art. 27: [NEEDS LEGAL REVIEW: address]. Lead supervisory authority: [NEEDS LEGAL REVIEW: likely Hessen DE (HBDI) or Finland FI (Tietosuojavaltuutettu)]. UK ICO. California AG / CPPA. Other US states: state Attorney General.