Privacy Policy

Overview

ZeroSecure provides enterprise security products including Zero Secure Messaging, ZeroVault, ZeroConnect, ZeroProtect, ZeroMDM, and ZeroOS. This privacy policy explains how we handle data across all products.

Zero-Knowledge Architecture

All ZeroSecure products are built on zero-knowledge principles:

• Zero Secure Messaging — Messages are end-to-end encrypted with Kyber + X25519. Messages are relayed and immediately deleted. We cannot read message content or see who messages whom.
• ZeroVault — All vault data (passwords, contacts, files) is encrypted locally with AES-256. We never have access to your encryption keys.
• ZeroConnect — VPN traffic is encrypted end-to-end. We do not log traffic, destinations, or browsing activity.
• ZeroProtect — Threat detection runs entirely on-device. Security data is not transmitted to our servers.
• ZeroMDM — Device management policies are enforced locally. We facilitate policy distribution but cannot access device content.
• ZeroOS — A fully degoogled operating system with no telemetry, tracking, or data collection of any kind.

What We Do NOT Collect

Across all ZeroSecure products, we do not collect:

• Message content, files, or media
• Vault data (passwords, contacts, stored files)
• VPN traffic logs or browsing history
• Device content or personal files
• Location data
• Biometric data
• Usage analytics or telemetry
• Advertising identifiers

What We Do Collect

For service operation, we collect minimal data:

• Account Information — Organization name and admin contact email for billing and support purposes.
• License Data — License keys and activation status to manage subscriptions.
• Aggregate Statistics — Anonymous, aggregated metrics (total users, devices enrolled) for capacity planning. No individual user data.

Encryption Standards

ZeroSecure employs military-grade encryption:

• Kyber (ML-KEM) — NIST-approved post-quantum key encapsulation
• X25519 — Elliptic curve Diffie-Hellman key exchange
• AES-256-GCM — Symmetric encryption for data at rest
• WireGuard — Modern VPN protocol for ZeroConnect
• HMAC-SHA256 — Message authentication

Data Residency

Because ZeroSecure operates on zero-knowledge principles with no server-side storage of user data, data residency concerns are minimized. Your organization's sensitive data never leaves your devices in unencrypted form.

Third Parties

We do not share data with third parties because we have no user data to share. We do not use:

• Third-party analytics services
• Advertising networks
• Data brokers
• Social media tracking

Law Enforcement & Government Requests

In the event of a legal request:

• We cannot provide message content — we don't have it
• We cannot provide vault data — it's encrypted with keys we don't possess
• We cannot provide VPN logs — we don't keep them
• We can only confirm whether an organization has an active license

Our architecture makes it technically impossible to comply with requests for user data.

Compliance

ZeroSecure's privacy-by-design approach supports compliance with:

• GDPR — EU General Data Protection Regulation
• HIPAA — Healthcare data protection (with BAA available)
• SOC 2 — Security and availability standards
• CCPA — California Consumer Privacy Act

Data Retention

We retain minimal operational data:

• Account and billing information — retained for the duration of the subscription plus 90 days
• Support tickets — retained for 2 years for quality assurance
• No user content is ever stored on our systems

Changes to This Policy

We may update this policy periodically. Enterprise customers will be notified of material changes via their admin contact email. Our core commitment to zero-knowledge architecture will never change.

Contact

For privacy inquiries:

Email: support@zerosecure.org