Privacy Policy

This Privacy Policy explains how Zorexa App (“Zorexa”, “we”, “us” or “our”) collects, uses, stores and shares personal data when providing the Zorexa agent platform, including Zorexa Cortex, Agent Gateway, Agent Runtime, integrations, APIs, messaging channels and related support services (collectively, the “Services”).

1. Scope and roles

Zorexa provides a multi-tenant platform that allows organizations to configure and operate AI agents, process business requests, connect tools and data sources, and interact through channels such as web applications, email and WhatsApp.

Depending on the context, Zorexa may act as a data controller for account, commercial and service-administration data, or as a data processor/service provider when processing content on behalf of a customer organization. Each customer remains responsible for its own lawful use of the Services and for notices provided to its end users.

2. Data we may collect

• Account and identity data: name, email address, user ID, tenant membership, roles and permissions.
• Messaging data: phone number, profile name, message content, attachments, timestamps, message identifiers and delivery status received through channels such as WhatsApp.
• Agent request data: prompts, business requests, uploaded documents, generated answers, tool inputs and outputs, approvals and workflow status.
• Integration data: identifiers and data returned by customer-enabled systems, APIs, storage, databases, email services or other third-party tools.
• Technical and security data: IP address, device/browser information, logs, trace IDs, request IDs, authentication events, performance measurements and diagnostic information.
• Commercial and support data: organization details, subscription or billing information, and communications with support.

3. How we use data

• Provide, operate and secure the Services.
• Route requests through Agent Gateway and execute approved workflows in Agent Runtime.
• Generate responses, documents, notifications and other requested outputs.
• Authenticate users and enforce tenant, site, role and permission boundaries.
• Monitor reliability, troubleshoot incidents, prevent abuse and improve performance.
• Comply with legal obligations and enforce agreements.
• Communicate about service changes, security, support and administration.

4. AI processing

The Services may send relevant request content to configured AI model providers and other tools selected by the customer. Zorexa applies tenant configuration, access controls, guardrails and tool policies, but AI-generated results may be incomplete or inaccurate. Customers should apply appropriate human review, especially before financial, legal, medical, employment or other consequential actions.

5. WhatsApp and Meta data

When a customer or user communicates with a Zorexa-enabled WhatsApp number, we may receive data made available through the WhatsApp Business Platform, including the sender's phone number, profile name, message content, media, timestamps and delivery information. We process this data to receive the message, identify the appropriate tenant or workflow, generate a response, provide human handoff where configured, maintain security and satisfy support or audit requirements.

Use of WhatsApp is also subject to Meta's and WhatsApp's own terms and privacy notices. Zorexa does not control how Meta independently processes information on its platforms.

6. Legal bases

Where applicable under the GDPR or similar laws, processing may rely on performance of a contract, legitimate interests in operating and securing the Services, compliance with legal obligations, or consent where required. Customer organizations are responsible for establishing an appropriate legal basis for the content they submit and the communications they initiate.

7. Sharing and service providers

We may share data with infrastructure, hosting, identity, communications, monitoring, AI model and integration providers only as needed to provide the Services. These may include Google Cloud, Meta/WhatsApp, configured AI model providers, email delivery providers and customer-selected systems. We may also disclose data when legally required, to protect rights and security, or in connection with a corporate transaction.

We do not sell personal data.

8. International transfers

Data may be processed in countries other than the user's country. Where required, we use appropriate safeguards for international transfers, such as contractual protections and provider transfer mechanisms.

9. Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this policy, customer instructions, contractual commitments, security, dispute resolution and legal obligations. Retention periods may differ for conversation history, uploaded files, generated artifacts, audit logs, backups and billing records. Customers may configure or request deletion subject to applicable restrictions.

10. Security

We use administrative, technical and organizational safeguards designed to protect data, including authentication, authorization, tenant isolation, encryption in transit, managed cloud security controls, structured audit logging and restricted access. No system can guarantee absolute security.

11. Your rights

Depending on applicable law, individuals may have rights to access, correct, delete, restrict or object to processing, request portability, withdraw consent and lodge a complaint with a data protection authority. When Zorexa processes data for a customer, requests may need to be directed to that customer first.

12. Children

The Services are intended for organizations and authorized business users. They are not directed to children, and we do not knowingly collect personal data from children through a consumer service.

13. Changes

We may update this policy periodically. The effective date above indicates the latest revision. Material changes will be communicated where required.

14. Contact

Data controller/operator: Zorexa App
Address: Carrer Alt de Gironella
Privacy contact: privacy@zorexa.app