Nexus Intelligence

Zelth ("we", "us", "our") operates the Nexus Intelligence platform. This Privacy Policy explains what data we collect, how we handle it, and the architectural guarantees we provide to protect your information.

1. Data Architecture & Isolation

Nexus Intelligence uses a split-database architecture that physically separates platform administration from client workspace data:

Platform Database (managed by Zelth)

Contains only: user accounts, authentication sessions, subscription and billing records, security event logs (blocked SQL injection attempts, anomalous login alerts), and admin audit trails. This database contains no client business data whatsoever.

Workspace Database (owned by you)

Each tenant connects their own PostgreSQL database. Your query sessions, dashboards, correlations, datasource configurations, and all workspace data are stored exclusively in your database that you provide and control. Zelth has no access to this database and does not store your connection credentials in readable form.

2. Information We Collect

Account information: Name, email address, and a hashed password (Argon2id). We never store plaintext passwords.

Billing information: Subscription plan, usage counts (number of queries, active seats), and Stripe customer/subscription identifiers. We do not store credit card numbers — payment processing is handled entirely by Stripe.

Security logs: IP addresses, user agent strings, login timestamps, and anomaly detection scores. These are used to detect and block unauthorized access attempts.

Audit trails: Records of administrative actions (user creation, role changes, tenant management) for compliance and accountability purposes.

3. Information We Do NOT Collect

We never see your query results

When you ask a question in natural language, the generated SQL runs against your own database. The results are returned to your browser and stored in your workspace database — not ours.

We never store your database credentials in readable form

When you connect your workspace database, the connection URL is encrypted with AES-256-GCM before storage. It cannot be decrypted by any user interface, API endpoint, or admin panel. Not even Zelth super administrators can view your database credentials.

We never access your business data

Your datasource connections (to your PostgreSQL, MySQL, or MongoDB databases) are configured and stored in your own workspace database. Zelth platform infrastructure never reads from or writes to your business databases.

4. How We Use Your Information

Authentication & authorization: To verify your identity, enforce role-based access control, and manage session security.

Billing & subscriptions: To manage your subscription plan, enforce usage limits, and process payments through Stripe.

Security monitoring: To detect anomalous login patterns, block SQL injection attempts, enforce IP allowlists, and maintain comprehensive audit trails.

Service improvement: Aggregated, anonymized usage statistics (total queries run, feature adoption) may be used to improve the platform. Individual query content is never used for this purpose.

5. Data Security Measures

Encryption

All data in transit is encrypted via TLS/SSL. Sensitive credentials (database connection URLs, API keys) are encrypted at rest using AES-256-GCM with a derived key. Passwords are hashed with Argon2id (memory-hard, timing-attack resistant).

Access Control

Six-level role hierarchy: Super Admin, Tenant Owner, Admin, Power User, Analyst, Viewer. Each role has strictly defined permissions. Cross-tenant access is blocked at the database query level. Super admin accounts operate independently of any tenant lifecycle.

Threat Detection

Real-time anomaly detection scores every login attempt based on IP history, user agent changes, geographic patterns, and failure rates. Admin logins have a stricter blocking threshold. All dangerous SQL patterns (injection, privilege escalation, schema changes) are detected and blocked before execution.

Audit Logging

Every authentication attempt, admin action, and security event is logged in append-only tables with database-level triggers preventing deletion. Access to security logs is itself audited (who viewed which logs, when).

6. Tenant Isolation Guarantees

Each tenant organization is fully isolated:

Workspace data lives in a separate database that you provide and own
Deleting or suspending a tenant does not affect other tenants or platform administrators
Foreign key constraints use ON DELETE SET NULL (not CASCADE) for user-tenant relationships, preventing accidental data loss
Tenant owners control their own user management, datasource connections, and workspace configuration
Zelth super administrators can manage billing and user accounts but cannot access tenant workspace data

7. Data Retention

Account data: Retained while your account is active. Upon account deletion, authentication records are removed. Security logs may be retained for up to 90 days for compliance purposes.

Workspace data: Stored in your own database. When you disconnect your workspace database, we delete the encrypted connection reference. Your data remains in your database under your control.

Billing records: Retained as required by applicable tax and financial regulations.

8. Third-Party Services

We use the following third-party services:

Stripe — Payment processing. Subject to Stripe's privacy policy.
Neon — Platform database hosting (admin data only). Your workspace database provider is your choice.
LLM Providers (when configured by tenant) — Natural language query processing. Query content is sent to the configured AI provider for SQL generation. We log the prompt but not the full response.

9. Your Rights

You have the right to:

Access your account data and security logs through the admin panel
Export logs in CSV, JSON, Excel, or PDF format
Delete your account (tenant owners can request account deletion)
Disconnect your workspace database at any time, retaining full ownership of your data
Request information about what data we hold about you by contacting support

10. Contact

For privacy-related questions or requests, contact us at privacy@zelthlabs.com.