Privacy Policy

Effective Date: March 23, 2026 | Last Updated: March 23, 2026

1. What Zamm Is

Zamm is an AI-powered messaging platform with a companion web studio. It consists of:

  • Zamm Mobile — a messaging app (iOS & Android) where users chat with people and AI agents that have memory, tools, and voice capabilities.
  • Zamm Studio — a web application for creating, configuring, evaluating, and publishing AI agents.

Both share the same Firebase project, authentication system, and backend infrastructure.

2. Data We Collect

2.1 Account Data

  • Phone number: Used for OTP authentication via Firebase Phone Auth. Your phone number is SHA-256 hashed before storage in our database. The plaintext number exists only in Firebase Authentication, not in our application database.
  • Display name & profile photo: Optional. Stored in your user profile for personalization.
  • Email address: Optional secondary credential. Used for account recovery if provided.

2.2 Chat Messages

Messages you send and receive are stored in our database to provide the messaging service. This includes:

  • Text messages, reactions, and read receipts between you and other users or AI agents.
  • AI agent responses generated from your conversations.
  • Messages in group chats you participate in.

2.3 Memory Bank (AI-Extracted Facts)

When you chat with AI agents, our system automatically extracts structured facts from your conversations (preferences, interests, relationships, action items). These facts:

  • Are stored per-user and tagged with confidence scores.
  • May be shared across your agents to improve personalization (high-confidence facts only).
  • Can be viewed, edited, exported, or permanently deleted by you at any time.

2.4 Voice Call Data

When you make voice calls with AI agents:

  • Audio is processed in real-time and is NOT permanently recorded or stored unless you explicitly enable call recording in agent settings.
  • Audio is streamed to Google Speech-to-Text for transcription and discarded after processing.
  • Call metadata (duration, timestamp, status) is stored for your call history.
  • Voice calls have a hard limit of 30 minutes.

2.5 Agent Configurations

If you create AI agents (via Studio or mobile), we store the agent name, personality, system prompt, selected tools, voice settings, and scheduling configuration.

2.6 Device & Usage Data

  • Push notification tokens: Firebase Cloud Messaging tokens stored for delivering notifications. Expired tokens are automatically cleaned up.
  • Observability metrics: We track LLM token usage, tool execution counts, latency, and estimated costs per-user. Conversation content is NOT logged — only metadata.

2.7 What We Do NOT Collect

  • No marketing pixels, Google Analytics, Hotjar, or third-party behavior tracking.
  • No cookies for authentication or tracking. Sessions use in-memory Firebase tokens.
  • No location data (unless you explicitly use the commute tool).
  • No contacts access beyond your opt-in contact sharing for user discovery.

3. Encryption & Security

3.1 End-to-End Encryption (E2EE)

Zamm supports optional end-to-end encryption for private conversations:

  • Key exchange: X25519 elliptic curve Diffie-Hellman.
  • Message encryption: XChaCha20-Poly1305 authenticated encryption.
  • Private keys never leave your device. Public keys are stored in our database for key exchange.
  • E2EE and AI are mutually exclusive by design. When encryption is enabled on a chat, AI agent features are automatically disabled. You choose the trade-off.

3.2 Bring Your Own Keys (BYOK)

If you provide your own API keys (Gemini, search providers, etc.):

  • Keys are encrypted with AES-256-CBC on your device before being stored in our database.
  • Encryption key is derived from your user ID and a server-side pepper using SHA-256.
  • Keys are decrypted only on our backend at the moment of API calls, never stored in plaintext.

3.3 Integration Tokens

OAuth tokens for connected services (Google Calendar, Shopify, etc.) are encrypted at rest with AES-256-GCM before database storage.

3.4 Infrastructure Security

  • All data in transit encrypted with TLS 1.2+.
  • Backend hosted on Google Cloud Run with managed TLS certificates.
  • SSRF protection blocks requests to private IP ranges and cloud metadata endpoints.
  • Input/output guardrails screen for prompt injection and harmful content.

4. Third-Party Services & Data Sharing

We share user data with the following services solely to provide our product functionality. We do not sell your data.

ServiceData SentPurposeUser Control
Google Gemini APIChat messages, system prompts, memory factsAI agent inferenceBYOK key override available
Google Cloud STTVoice audio (real-time, discarded after use)Speech-to-text transcriptionUsed only during voice calls
Google Cloud TTS / CartesiaAgent response textText-to-speech synthesisProvider configurable per agent
Web Search ProvidersSearch queries onlyReal-time web searchBYOK key required; user chooses provider
TelnyxAudio streams, phone numbersVoice call routingUsed only for voice agent calls
StripePayment metadata only (no card numbers)Subscription billingPCI-DSS compliant; Stripe handles payment details
Firebase (Google)Auth tokens, push notification tokensAuthentication & notificationsRequired for core functionality

None of these services use your data to train their public models. We do not use your data for advertising.

Google API Limited Use Disclosure

Zamm's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We do not use Google User Data to serve advertisements.
  • We do not sell Google User Data to third parties.
  • We do not use Google User Data for purposes other than providing the Zamm service.
  • Google Calendar data (if connected) is encrypted at rest and accessed only on-demand by your agents.

5. Agent Tools & Your Data

Zamm agents can execute 24+ tools on your behalf. When a tool runs, it may create data in your account:

  • Finance tools (expense tracker, bill splitter, price watch): Store entries in your personal collections. No financial institution data is accessed.
  • Health tools (habit tracker, nutrition logger): AI-estimated data stored locally. Not medical data and not shared with health providers.
  • Smart home tools: Commands sent to your configured webhook URLs (IFTTT, Home Assistant). Zamm acts as a relay, not a data processor.
  • Commerce tools: Product searches query your own storefront data. Checkout sessions are stored in your account.
  • Custom connectors: You can connect external APIs (Slack, Notion, etc.). Credentials are encrypted; data flows directly between your connector and Zamm's backend.

6. Data Retention & Deletion

  • Chat messages: Retained until you delete them. No automatic expiry.
  • Memory facts: Retained until you delete them. You can export all facts as JSON or clear all memory at any time.
  • Voice call audio: NOT retained. Processed in real-time and discarded.
  • Analytics data: Usage metrics retained for 90 days.
  • Account deletion: Deleting your account permanently removes your profile, agents, and associated data from our production systems.

7. Children's Privacy

Zamm is not intended for users under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

8. Changes to This Policy

We will notify you of material changes via in-app notification or the email associated with your account. Continued use after changes constitutes acceptance.

9. Contact

For privacy inquiries or data requests, contact us at: support@zamm.ai

Terms of ServiceBack to Zamm.ai

© 2026 Zamm.ai