Privacy Policy
1. Introduction
ZP Consultants LLC (“Zalmy.AI,” “Company,” “we,” “us”) operates LedgerRail (“Service”), an AI agent governance platform. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Service.
2. Information We Collect
2.1 Account Information
- Name, email address, and organization name provided during registration
- Authentication credentials (stored encrypted)
2.2 Financial Data via Third-Party Integrations
When you connect LedgerRail to QuickBooks Online (QBO) or other supported accounting systems via OAuth 2.0:
- Chart of accounts, journal entries, invoices, bills, and related financial records
- Transaction metadata (dates, amounts, account codes, vendor/customer names)
- We access only the data scopes you authorize during the OAuth consent flow
2.3 Governance and Audit Data
- AI agent action proposals, policy evaluations, approval/denial decisions
- Audit trail records (hash-chained, tamper-detectable)
- User actions within the Service (approvals, policy changes, configuration)
2.4 Usage Data
- IP address, browser type, device information
- Pages visited, features used, session duration
- Error logs and performance data
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Govern and audit AI agent actions per your configured policies
- Generate audit trail records and compliance reports
- Communicate with you about your account and the Service
- Comply with legal obligations
We do not use your financial data to train AI models.
We do not sell your data. Period.
4. Data Sharing
We share your information only in the following circumstances:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Cloud hosting provider (e.g., GoDaddy) | Infrastructure | Encrypted application data |
| Intuit (via QBO OAuth) | Integration functionality | OAuth tokens only — data flows to us, not from us to Intuit beyond standard API calls |
| Law enforcement | Legal requirement | Only if compelled by valid legal process |
We do not share data with advertisers, data brokers, or analytics companies.
5. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Hash-chained audit trails with SHA-256 (tamper-detectable)
- Role-based access controls
- Regular security assessments
No system is 100% secure. We cannot guarantee absolute security but will notify you of any breach affecting your data within 72 hours of discovery.
6. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account closure
- Financial data from integrations: Deleted within 30 days of disconnecting the integration, unless required for audit trail integrity
- Audit trail records: Retained for 7 years (standard accounting retention period) or as required by applicable law
- Usage data: Retained for 12 months
7. Your Rights
7.1 All Users
- Access your data and request a copy
- Correct inaccurate information
- Delete your account and associated data (subject to legal retention requirements)
- Disconnect third-party integrations at any time
7.2 California Residents (CCPA)
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt out of sale — we do not sell your data, so this right is satisfied by default
- Right to non-discrimination for exercising your rights
7.3 EU/EEA Residents (GDPR)
- Rights of access, rectification, erasure, restriction, portability, and objection
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
- Legal basis for processing: contract performance and legitimate interest
8. Cookies and Tracking
We use essential cookies only for session management and authentication. We do not use advertising cookies or third-party tracking pixels. We do not use Google Analytics or similar tracking services at launch.
9. Children’s Privacy
The Service is not directed to individuals under 18. We do not knowingly collect data from minors.
10. International Data Transfers
Your data is processed in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses or other lawful transfer mechanisms for international transfers where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The “Last Updated” date will reflect the most recent revision.
12. Contact Us
For privacy-related inquiries, data access requests, or complaints:
ZP Consultants LLC d/b/a Zalmy.AI
Email: privacy@ledgerrail.com
General: hello@ledgerrail.com