zeblade

Privacy Notice

Privacy from the first request.

We are a security company. Privacy is not decoration here — it is a design constraint. This notice explains exactly what we collect on zeblade.com, what we do with it, who else sees it, and how long we keep it. In plain language. No dark patterns.

Draft

This Privacy Notice is a working draft. It accurately describes our current data practices, but it has not yet been reviewed by counsel. The final version will be published before Zeblade is generally available. Feedback welcome at [email protected].

The three things you should know

Our commitments.

01. No third-party trackers. Ever.

No Google Analytics. No Meta or LinkedIn pixels. No fingerprinting scripts. No advertising SDKs. The browser you arrive in is the same browser you leave in. You can verify it in DevTools.

02. Minimum data collection.

We collect only what is necessary to operate the site and respond to inquiries you initiate. No accounts to create. No persistent cookies. No data we have not earned.

03. No selling. No profiling.

We do not sell, rent, or share your data with advertisers or data brokers. We do not build a profile of your interests, employer, or browsing history. The only people who will read your contact-form message are our team.

What we collect

The full inventory.

Below is everything zeblade.com collects, organized by what causes the collection. If a category is not listed here, we do not collect it.

Visiting the site

Just loading a page on zeblade.com involves no analytics, tracking, or persistent cookies. We do not set any first-party cookies. We do not load any third-party tracking scripts. You can verify this with your browser's developer tools.

Our hosting provider (Cloudflare) does record standard edge telemetry for every request — your IP address, user-agent string, the path you requested, and the response code. This is used for security (rate limiting, abuse detection) and to keep the site running. We do not query or aggregate these logs. Cloudflare retains them according to their own privacy policy.

The contact form

When you submit the contact form, we collect:

  • Your name, email, and (optional) organization
  • The source field you selected
  • The message you wrote
  • An intent flag (e.g. "compass-report", "pentest") if you arrived via a CTA
  • The IP address and user-agent of the request, for spam mitigation
  • A timestamp of submission

That record is stored in a Cloudflare KV namespace under our account, and a notification email containing the submission is sent to our inbox via Resend. We use this data only to respond to you. We do not enrich it with third-party data. We do not add you to a marketing list without your explicit opt-in.

Conversations with Piper

Piper is the chat assistant in the bottom-right corner of the site, powered by Claude Haiku via Anthropic's API. When you send a message to Piper:

  • Your message and the recent conversation history are transmitted to Anthropic's API to generate a response. Anthropic does not use API traffic to train its models by default.
  • The conversation is stored only in your browser's sessionStorage — never on our servers. When you close the tab, it is gone.
  • We do not log conversation contents, retain transcripts, or use them to identify you. Server-side, we only see the IP of the request (for rate limiting) and the model's response we relay back to your browser.

If you would prefer not to use Piper, simply do not open the chat panel. The site is fully functional without it.

What we do not collect

  • We do not collect data for advertising or remarketing purposes.
  • We do not collect biometric data.
  • We do not collect location data beyond what an IP reveals.
  • We do not buy data about you from third-party data brokers.
  • We do not have account registration, so there is no account profile to collect.

How we use it

What we do with the data we collect.

The complete list:

  • Respond to inquiries. Contact-form submissions go to our inbox so a human can reply. That is the entire purpose.
  • Operate Piper. Messages you send to Piper are processed by the Anthropic API to generate a response, which is returned to your browser. Then the message is gone from our servers.
  • Site security. IP, user-agent, and request path are used by Cloudflare and our own functions for rate limiting, bot mitigation, and intrusion detection.
  • Aggregate analytics. We currently do not have analytics on zeblade.com. If we add privacy-preserving analytics in the future (e.g. Cloudflare Web Analytics, which is cookie-less), we will update this notice and disclose it here before turning it on.

That is the full list. We do not use your data for any other purpose.

Who else sees your data

Sub-processors.

These are the third parties that process data on our behalf to make the site work. We have no other data-sharing relationships.

Cloudflare

What they process: Hosting, CDN, DNS, edge security, server-side functions, and contact-form storage (KV).
When: On every request to zeblade.com.
Region: Global edge network.

Resend

What they process: Transactional email delivery — sends us a notification when you submit the contact form.
When: Only when you submit the contact form.
Region: United States.

Anthropic

What they process: Processes the natural-language conversation with Piper (Claude Haiku 4.5 via the Anthropic API).
When: Only when you send a message to Piper. Anthropic does not use API traffic to train models by default.
Region: United States.

How long we keep it

Retention.

We keep the minimum amount of data for the minimum amount of time required to operate the site.

Contact-form submissions: Retained for up to 24 months from the date of submission, or until you ask us to delete it — whichever comes first. After 24 months, the record is removed from our KV namespace as part of normal cleanup.
Piper conversations: Never stored on our servers. History lives only in your browser's sessionStorage and is cleared when you close the tab.
Edge server logs (Cloudflare): Retained by Cloudflare per their standard log retention (typically days, not months). We do not export, archive, or mirror these logs.
Notification emails (Resend): Resend retains email delivery records per their standard policy. Email content is not retained beyond the delivery window.

Your rights

What you can ask us to do.

Email [email protected] at any time to:

  • Access — request a copy of any personal data we hold about you (which is almost certainly just a contact-form submission, if anything).
  • Correct — ask us to fix a typo, an outdated email, or a wrong organization.
  • Delete — ask us to permanently remove any record of you from our systems. We will confirm in writing when it is done.
  • Object — tell us to stop responding to your inquiry, or to never re-contact you, even if you submitted the form first.

We aim to action requests within 7 business days. We do not require you to prove a "legitimate interest" or fill out a form — a plain email is enough.

For California residents

California privacy rights.

If you are a California resident, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA") gives you additional rights. zeblade.com falls within scope of the CCPA because we accept inquiries from California residents, including business contacts.

Categories of personal information we collect

Mapped to the CCPA's defined categories. We collect only what is listed below, only when you take the action described, and only for the purposes described in "How we use it" above.

| Category | Collected | Details |
|---|---|---|
| Identifiers | Yes | Name, email, IP address (contact form, Piper requests) |
| Customer records | Yes | Organization name, your message (contact form) |
| Commercial information | Limited | How you heard about us (contact form "source" field) |
| Internet activity | Limited | Request path, user-agent (Cloudflare edge logs only) |
| Geolocation data | No | We do not collect precise geolocation. IP infers approximate region only. |
| Biometric information | No | |
| Audio, visual, sensory | No | |
| Inferences / profiles | No | We do not build profiles or behavioral inferences. |
| Sensitive personal information | No | We do not solicit or retain sensitive PI as defined by the CCPA. |

Sources, purposes, and disclosures

  • Sources. Directly from you (contact form, Piper messages) or as a byproduct of your visit (Cloudflare edge logs).
  • Purposes. As described in "How we use it" — to respond to your inquiry, operate the site, and secure it. No advertising, marketing, or profiling purposes.
  • Disclosed to. Only the sub-processors named above (Cloudflare, Resend, Anthropic). We do not "sell" personal information as defined by the CCPA, and we do not "share" it for cross-context behavioral advertising.

Your CCPA/CPRA rights

  • Right to know — request a copy of the personal information we hold about you, plus categories, sources, purposes, and third parties we disclosed it to.
  • Right to correct — ask us to fix inaccurate personal information.
  • Right to delete — ask us to delete your personal information, subject only to limited exceptions (such as completing a transaction or complying with a legal obligation).
  • Right to opt out of sale or sharing — we do not sell or share for cross-context behavioral advertising, so there is nothing to opt out of. You may submit a request anyway and we will confirm in writing.
  • Right to limit use of sensitive personal information — we do not collect sensitive personal information, so this is moot. We will confirm in writing if you ask.
  • Right to non-discrimination — we will not deny services, charge different prices, or provide a different level of service because you exercised any CCPA right.

How to exercise these rights

Email [email protected] with "California privacy request" in the subject line. We will respond within 45 days as required by the CCPA, though we typically respond within 7 business days. The CCPA allows us to extend the response window by an additional 45 days when reasonably necessary; if we need that extension, we will tell you why before the original window closes.

Authorized agents

You may designate an authorized agent to make a CCPA request on your behalf. We will require verification that the agent is in fact authorized to act for you (typically a signed permission), and we may contact you directly to confirm before we action the request.

Not for children. B2B only.

Who this site is for.

Zeblade is a business-to-business platform and marketing site. Our products and services are designed for security and compliance professionals working at healthcare organizations — not for individual consumers, and not for minors.

We do not market to, do not solicit information from, and do not knowingly collect personal information from anyone under 18. The contact form and Piper are not designed for use by minors.

If you believe a minor has submitted information through the contact form or via Piper, please email [email protected] and we will delete the record immediately on confirmation.

One more thing

The platform is governed separately.

This Privacy Notice covers zeblade.com — the marketing site. It does not cover the Zeblade GRC Portal (`*.zeblade.io`), which is the production platform our customers log into.

Customer data inside the GRC Portal — policies, controls, risks, vendor information, evidence — is governed by a separate Master Subscription Agreement and Data Processing Addendum signed at the start of an engagement. The platform runs on customer-controlled infrastructure (self-hosted) or within an isolated Zeblade Cloud tenant; the two domains share no data and no infrastructure.

If you are a Zeblade customer asking about how the platform handles your data, please refer to your MSA or contact us directly.

Changes & contact

If anything changes.

We will update this notice if our data practices change. The "Last updated" date at the bottom of the page will always reflect when. For material changes — new sub-processors, new data categories, new retention windows — we will announce them before they take effect, not after.

Questions, concerns, or privacy requests: [email protected].

Last updated: May 2026