Privacy
Your research data is yours. Virza is designed with privacy as a core architectural principle, not an afterthought. This page explains exactly how your data is handled.
Core commitments
- Your documents are never used to train AI models. Document content sent to AI providers (OpenAI, Anthropic) for processing is governed by zero-data-retention agreements. Providers do not store, log, or learn from your content.
- Your data stays in your workspace. Strict workspace-level isolation ensures your documents, notes, and conversations are invisible to other workspaces. See Data Isolation.
- No PII in logs. Emails, names, tokens, and passwords are never logged in plain text. Structured logging masks all personally identifiable information.
- Presigned URLs for file access. Your document files are never proxied through the API server. The browser downloads directly from encrypted storage via time-limited presigned URLs.
What we collect
| Data | Purpose | Retention |
|---|---|---|
| Account information | Email, name (for authentication and workspace membership) | Until account deletion |
| Workspace data | Documents, collections, notes, conversations, citations | Until workspace deletion |
| AI conversation history | Chat messages and responses within your workspace | Stored within your workspace; accessible to workspace members with appropriate roles |
| Usage metrics | AI credit consumption, document count, storage used | Retained for billing and displayed in Settings |
| System telemetry | Performance metrics, error rates, feature usage counts (anonymized) | Aggregated, no PII |
What we do not collect
- File content is never logged or cached outside of your workspace storage
- Search queries are not associated with individual user identities in analytics
- AI model responses are not stored outside of your workspace conversations
- We do not track individual reading behavior (which documents you open, how long you read)
AI provider data handling
Virza uses third-party AI providers for certain features:
| Feature | Provider | Data sent | Provider retention |
|---|---|---|---|
| Chat responses | OpenAI, Anthropic | Retrieved document passages + your question | Zero-retention agreement (no storage, no training) |
| Document summaries | OpenAI, Anthropic | Document text (up to 32,000 characters) | Zero-retention agreement |
| Query embeddings | OpenAI | Search query text | Zero-retention agreement |
| Document embeddings | OpenAI | Document section text | Zero-retention agreement |
| Vision descriptions | OpenAI, Anthropic | Cropped figure images | Zero-retention agreement |
Zero-retention agreement means the provider processes the request and returns a response without storing the input data, logging it, or using it for model training. This is contractually enforced.
Data at rest
- All stored files are encrypted using AES-256 encryption at rest
- Database records are encrypted at the storage layer
- Backups are encrypted and access-controlled
Data deletion
- Document deletion: deleted documents go to Trash (recoverable for 30 days), then are permanently deleted from all storage
- Workspace deletion: all workspace data (documents, collections, notes, conversations, member associations) is permanently and irreversibly deleted
- Account deletion: contact support@serenoty.com to request full account deletion, including all associated workspace data
Contact
For privacy questions, data subject access requests, or security concerns:
- Privacy: privacy@serenoty.com
- Security: security@serenoty.com
- General support: support@serenoty.com
Last updated on