Privacy Policy

We collect only what we need to deliver the service. Broadly, this falls into five categories:

• Account data: Your name, email, phone number, company name, company country, and the password hash (never the password itself).
• Business data you create: Customers, deals, activities, notes, tasks, quotes, and any content you choose to store in Zyrix.
• Payment data: Your plan, billing cycle, currency, invoice email, and transaction history. Card numbers are never stored on our servers — they are handled entirely by our payment providers.
• Usage data: Which pages you open, which features you use, timestamps, IP address, browser and device type. This helps us fix bugs and prioritize improvements.
• Communications: Support tickets, email conversations, and any messages you send us.

We use your data only for specific, narrow purposes:

• To provide the CRM service you signed up for.
• To process payments and send invoices and receipts.
• To respond to your support requests.
• To send essential service emails (security alerts, password resets, payment failures, subscription changes).
• To improve the product — in aggregate, non-identifiable form only.

We use a small number of vetted vendors to operate Zyrix. Each of them has their own privacy policy and processes data only on our instructions:

• Iyzico — Payment processing for Turkey (TRY, USD).
• HyperPay — Payment processing for Saudi Arabia, the UAE, and the wider GCC (SAR, AED, USD).
• Resend — Transactional email delivery (verification, password reset, receipts).
• Google OAuth — Sign-in via Google account. We only receive your email and public profile — nothing else.
• Google Gemini — AI features. When you use an AI feature, the prompt and relevant data are sent to Google Gemini. Google does not use this data to train its models.
• Railway / Vercel / Cloudflare — Hosting and content delivery.

We do not sell your data to anyone. We do not share your data with advertisers. We do not use your business data to train AI models.

Zyrix uses cloud infrastructure to operate. Your data is stored in the following regions depending on the service:

• Application servers and database — Railway (US/EU regions).
• Static assets — Vercel global edge network.
• DNS and security — Cloudflare global network.
• We may transfer data across borders for service delivery. When we do, we rely on standard contractual clauses or other legally recognized mechanisms.

We apply strong technical and organizational measures to protect your data:

• All traffic is encrypted in transit using TLS 1.2 or higher.
• Passwords are hashed using bcrypt with a strong cost factor.
• Access tokens are short-lived (15 minutes) and refresh tokens are rotated.
• Database access is restricted to a small number of production engineers.
• All administrative actions are logged in an immutable audit log.
• We never store raw payment card numbers.

No system is ever 100% secure. If you believe your account has been compromised, email us immediately at security@zyrix.co.

You have full rights over your personal data. You can exercise any of these at any time by emailing privacy@zyrix.co:

• Access: Request a copy of all personal data we hold about you.
• Correction: Fix any inaccurate or incomplete information.
• Deletion: Delete your account and all associated business data. Note: invoice records must be retained for legal and tax purposes.
• Export: Receive your business data in a structured, machine-readable format (CSV or JSON).

We keep your business data for as long as your account is active. If you delete your account, we remove your business data within 30 days.

Invoices, payment records, and audit logs are retained for up to 10 years to comply with accounting and anti-money-laundering regulations in Türkiye and the GCC.

We use only essential cookies required to keep you signed in and remember your language preference. We do not use marketing or advertising cookies on any page of crm.zyrix.co.

Zyrix is a business product. It is not directed at anyone under 18. We do not knowingly collect data from minors.

We may update this policy from time to time. When we make significant changes, we notify all active customers by email at least 15 days before the changes take effect. The 'Last updated' date at the top always reflects the current version.