z3t.ai

Privacy Policy

Last updated: July 13, 2026

1. Introduction

This Privacy Policy explains how Appesco B.V. ("Appesco", "we", "us", or "our") collects, uses, stores, and protects personal data when you visit z3t.ai or use the z3t.ai platform (the "Platform").

This Privacy Policy applies to:

  • website visitors;
  • account holders;
  • Customers;
  • Creators;
  • Buyers;
  • individuals who communicate directly with us.

This Privacy Policy should be read together with our:

2. Who Is Responsible for Your Data

The controller for the personal data described in this Privacy Policy is:

Appesco B.V.
Hofwijckstraat 18, 2275 AL, Voorburg, The Netherlands
KvK: 82619468
VAT: NL862541499B01

Email: [email protected]

When Appesco Acts as a Controller

Appesco acts as a controller for:

  • account registration data;
  • billing and payment records;
  • security and audit logs;
  • customer support communications;
  • website operation;
  • fraud prevention;
  • legal compliance.

When Appesco Acts as a Processor

Where a Customer or Creator uses the Platform to process personal data through an Agent, Appesco may act solely as a processor on behalf of that Customer or Creator.

In those situations, the relevant Customer or Creator determines the purposes and means of processing and remains responsible for complying with applicable data protection laws.

Additional information is available in our Data Processing Agreement.

3. Information We Collect

Account Information

When you create an account, we may collect:

  • name;
  • email address;
  • password hash;
  • multi-factor authentication status;
  • organization membership information;
  • account preferences.

Billing Information

We may collect:

  • billing records;
  • subscription information;
  • Free Credit and EUR balances;
  • transaction history;
  • payout, tax, and identification information for Creators.

Payment card information is processed by third-party payment providers and is not stored by Appesco B.V.

Platform Usage Information

We may collect:

  • Agent executions;
  • workflow activity;
  • execution timestamps;
  • usage metrics;
  • billing-related activity;
  • error logs;
  • operational diagnostics.

Agent Configuration Data

We may store:

  • prompts;
  • workflows;
  • templates;
  • Agent configurations;
  • integration settings.

Integration Credentials

Where integrations are configured, associated credentials and access tokens may be stored in encrypted form and used solely to provide the requested functionality.

Communications

We may collect information provided through:

  • support requests;
  • emails;
  • feedback submissions;
  • account-related communications.

Technical Information

Our systems may automatically collect:

  • IP addresses;
  • browser information;
  • device information;
  • operating system information;
  • request metadata;
  • security logs.

This information is used primarily for security, fraud prevention, reliability, and troubleshooting.

4. AI Processing and Agents

The Platform enables Customers and Creators to create and operate AI-powered Agents and workflows.

Creators determine:

  • the purpose of their Agents;
  • prompts and instructions;
  • integrations and data flows;
  • AI provider selection;
  • outputs and functionality.

Appesco provides the infrastructure used to execute these workflows but does not determine the business purpose of processing performed through Creator-built Agents.

Where personal data is processed through an Agent, responsibility for determining the purposes and means of that processing generally rests with the Creator or Customer operating the Agent.

When a Buyer runs an Agent published by a Creator:

  • the Buyer is responsible for the data it chooses to submit to the Agent;
  • the Creator determines how the Agent processes that data, including which AI providers and integrations receive it;
  • Appesco processes the run data in order to execute the run.

Creators are responsible for ensuring that their Agents comply with applicable privacy laws and provide any legally required notices, disclosures, or consents.

Additional information is available on our AI Processing & Data Flows page.

5. How We Use Personal Data

We may use personal data to:

  • provide and operate the Platform;
  • authenticate users;
  • process payments and payouts;
  • manage accounts and organizations;
  • provide customer support;
  • secure the Platform;
  • detect fraud, abuse, and unauthorized access;
  • assess the credibility of dispute filings and abuse reports — including signals such as account age, usage and spending history, and whether payment instruments, IP addresses, or devices are shared across accounts (used to weight reports and prevent coordinated abuse, never to decide a dispute's outcome, which is always reviewed by a person);
  • monitor performance and reliability;
  • comply with legal obligations;
  • communicate service-related information.

Where permitted by law, we may also send product updates and marketing communications.

You may opt out of marketing communications at any time.

Where GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:

Performance of a Contract

Processing necessary to provide the Platform and fulfill contractual obligations.

Legitimate Interests

Processing necessary for:

  • platform security;
  • fraud prevention;
  • service reliability;
  • business operations;
  • customer support;
  • product improvement.

Processing necessary to comply with legal, tax, accounting, regulatory, or law-enforcement obligations.

This includes platform tax reporting obligations, such as the EU DAC7 rules, which may require us to collect, verify, and report identification and earnings information about Creators to tax authorities.

Where required by law, we rely on consent and allow withdrawal of consent at any time.

7. Sharing Personal Data

We share personal data only where reasonably necessary to provide the Platform or comply with legal obligations.

Recipients may include:

  • infrastructure providers;
  • hosting providers;
  • payment providers;
  • email delivery providers;
  • customer support providers;
  • AI model providers;
  • professional advisers;
  • auditors;
  • legal and tax authorities where required, including under EU platform reporting rules (DAC7).

A current list of service providers is available on our Subprocessors page.

Creator-Controlled Disclosures

Creators may configure Agents to send information to external systems, integrations, APIs, databases, or AI providers.

Where such disclosures occur, they occur at the direction of the Creator or Customer operating the Agent.

Appesco does not determine the business purpose of those disclosures.

8. International Transfers

Some service providers may process personal data outside the European Economic Area or the United Kingdom.

Where required by applicable law, we implement appropriate safeguards, including:

  • Standard Contractual Clauses;
  • adequacy decisions;
  • other legally recognized transfer mechanisms.

9. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy.

Typical retention periods include:

Data TypeTypical Retention
Run inputs and outputs72 hours by default; 7 days for paid runs (the dispute window)
Uploaded files72 hours by default; files tied to paid runs follow the paid-run period
Disputed runsRetained while a dispute is open; a snapshot of the disputed run's input and output is kept as evidence until the dispute is resolved and for as long as needed to handle related claims
Account informationDuration of account plus legal retention periods
Billing recordsAs required by law
Security logsAs reasonably necessary for security purposes

Backup copies may remain temporarily within disaster recovery systems before being automatically overwritten.

10. Security

We maintain technical and organizational measures designed to protect personal data.

These measures may include:

  • encryption in transit;
  • encryption at rest;
  • access controls;
  • multi-factor authentication;
  • monitoring and logging;
  • vulnerability management processes.

Additional information is available on our Security page.

No system can guarantee absolute security.

11. Your Rights

Depending on your location and applicable law, you may have rights to:

  • access personal data;
  • correct inaccurate information;
  • request deletion;
  • restrict processing;
  • object to processing;
  • receive a portable copy of your data;
  • withdraw consent.

Requests may be submitted to:

[email protected]

If you are located in the EEA or United Kingdom, you may also lodge a complaint with your local supervisory authority.

12. Children's Privacy

The Platform is not intended for children under the age of 16.

We do not knowingly collect personal data from children.

If we become aware that such data has been collected in violation of applicable law, we will take reasonable steps to remove it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

When material changes are made, we will update the "Last updated" date and, where appropriate, provide additional notice.

14. Contact

Questions regarding this Privacy Policy may be directed to:

Appesco B.V.
Hofwijckstraat 18, 2275 AL, Voorburg, The Netherlands
KvK: 82619468
VAT: NL862541499B01

Email: [email protected]