Privacy Policy

Privacy Policy - Zion Router

Last updated: 2026-04-26
Effective date: 2026-04-26
Jurisdiction: Vietnam

This Privacy Policy explains how Zion Router ("Zion", "we", "us", or "our") collects, uses, stores, shares, protects, and deletes personal data when you use Zion Router, a multi-model AI API routing platform, including the dashboard, API gateway, payment flows, support channels, and related services.

This Policy should be read together with the Zion Router Terms of Service. By creating an account, generating an API key, making a payment, connecting a third-party account, or using the Service, you acknowledge that your personal data will be processed as described in this Policy.

For users located in Vietnam or transactions governed by Vietnamese law, this Policy is intended to be interpreted consistently with applicable Vietnamese laws on personal data protection, cybersecurity, electronic transactions, information technology, and consumer protection.


1. Scope

This Policy applies to personal data processed in connection with:

  • https://zionrouter.com and related dashboard, admin, and marketing pages;
  • https://api.zionrouter.com and related API endpoints;
  • backup, alias, or migration domains operated by Zion, including domains used for continuity or rebranding;
  • support communications through email, dashboard messages, Telegram, or other official support channels;
  • payment, receipt, refund, dispute, and fraud-prevention workflows.

This Policy does not apply to websites, services, APIs, or platforms operated by third parties, including upstream AI providers, payment providers, blockchain networks, or infrastructure providers. Those third parties process data under their own policies.


2. Data Controller and Contact

For the purposes of this Policy, the data controller is the person or entity operating Zion Router.

Zion is currently operated by Truong Quoc Tuan as an individual business operator. Transaction receipts are provided for payment confirmation only and are not VAT invoices unless expressly stated otherwise.

References to "Zion" mean Truong Quoc Tuan, operating as a cá nhân kinh doanh, and any authorized personnel or service providers used to operate the Zion Router service, account system, billing records, and user-data processing.

Zion may also act as a data processor where it processes data on behalf of users for the limited purpose of routing API requests. Upstream AI providers act independently under their own terms, privacy policies, data-retention rules, safety systems, and legal obligations when they process prompt and response content.


3. Personal Data We Collect

Zion follows a data-minimization approach. We collect only the data reasonably necessary to provide the Service, secure the platform, process payments, comply with legal obligations, and handle support or disputes.

3.1 Account Data

We may collect and process:

  • email address;
  • password hash, never plaintext password;
  • display name or profile name;
  • account status, role, plan, and creation date;
  • email verification state and timestamps;
  • linked identity information if you sign in or connect via a third-party service, such as Google ID, GitHub ID, Telegram ID, or equivalent account identifier;
  • support preferences and notification settings.

3.2 API Key and Usage Data

We may collect and process:

  • virtual API key metadata, including key name, creation date, last-used timestamp, revocation state, and permission scope;
  • hashed API key values for verification and audit purposes;
  • request counts;
  • model or endpoint used;
  • input token count, output token count, cached token count, and billing units;
  • request duration, timestamp, HTTP status, error category, and upstream routing tier;
  • per-request identifiers used for billing reconciliation, debugging, rate limiting, and abuse prevention.

Zion stores usage metadata for billing and security. Zion does not store prompt content or response content as part of normal operation.

3.3 Payment and Transaction Data

We may collect and process:

  • invoice number, invoice status, amount, currency, payment method, creation time, expiry time, and paid time;
  • credit ledger entries, subscription events, top-up events, refunds, manual adjustments, and balance changes;
  • bank transfer reference, memo, transaction note, and limited counterparty information visible in settlement records;
  • crypto transaction hash, receiving address, chain or network, token type, amount, and confirmation status;
  • Binance Pay or similar payment order identifiers;
  • dispute, refund, chargeback, and fraud-investigation records.

Zion does not store payment card numbers, CVV codes, bank login credentials, seed phrases, private keys, or full payment instrument secrets.

3.4 Technical, Security, and Anti-Abuse Data

We may collect and process:

  • IP address;
  • user agent string;
  • device, browser, and operating-system metadata;
  • session identifier and CSRF token;
  • approximate country or region derived from IP address;
  • login timestamps, failed-login attempts, lockout events, and session events;
  • rate-limit events, account restrictions, and abuse-prevention flags;
  • payment-risk and fraud-risk signals;
  • coarse device, browser, and network metadata;
  • limited device or browser fingerprinting signals where reasonably necessary for account security, fraud prevention, sanctions screening, rate limiting, or abuse prevention; and
  • error logs, diagnostic telemetry, API latency, server metrics, and security logs.

We do not collect precise GPS location data. Zion does not use anti-abuse signals for third-party advertising or cross-site behavioral advertising.

3.5 Support and Communication Data

If you contact support, we may process:

  • your email address, Telegram handle, or other contact identifier;
  • message content you send to us;
  • attachments or screenshots you voluntarily provide;
  • support ticket status, internal notes, and resolution history.

Do not send sensitive personal data, passwords, private keys, seed phrases, or confidential third-party data through support unless strictly necessary.

3.6 Data We Do Not Collect or Store

Zion does not, as part of normal operation, collect or store:

  • prompt content sent to AI models;
  • response content returned by AI models;
  • plaintext passwords;
  • full card numbers, CVV, private keys, seed phrases, or bank login credentials;
  • precise GPS location;
  • browsing history outside Zion services;
  • third-party advertising identifiers;
  • advertising profiles.

Zion does not use prompts or responses to train AI models. Zion does not operate its own model-training system.


4. How We Use Personal Data

Zion processes personal data for the following purposes.

4.1 Service Operation

We use personal data to:

  • create and manage accounts;
  • authenticate users and sessions;
  • issue, validate, rotate, and revoke virtual API keys;
  • route API requests to selected upstream AI providers and model routes;
  • calculate token usage, billing units, balances, subscriptions, rate limits, and quotas;
  • process payments, top-ups, subscriptions, refunds, receipts, and transaction records;
  • send transactional emails, such as receipts, renewal reminders, security notices, and service notices;
  • provide dashboard functionality and support.

4.2 Security, Fraud Prevention, and Abuse Control

We use personal data, technical metadata, and limited anti-abuse signals to:

  • detect suspicious login patterns, credential stuffing, account takeover, and leaked-key activity;
  • enforce rate limits and account restrictions;
  • identify duplicate-account abuse, payment fraud, chargeback abuse, sanctions risk, or suspicious settlement activity;
  • detect abnormal API usage patterns, automated abuse, provider-policy violations, and attempts to bypass technical restrictions;
  • investigate violations of the Terms of Service;
  • protect Zion, users, upstream providers, and third parties from misuse; and
  • maintain audit trails for sensitive administrative actions.

Where necessary and proportionate, anti-abuse processing may use IP address, approximate country, user agent, device/browser metadata, account history, payment metadata, request metadata, and limited fingerprinting signals. Zion does not use these signals for advertising.

4.3 Billing, Accounting, and Legal Compliance

We use personal data to:

  • reconcile payments;
  • maintain credit ledgers;
  • issue transaction receipts;
  • verify refund eligibility;
  • comply with tax, accounting, anti-fraud, dispute-resolution, and legal-record obligations;
  • respond to lawful requests from competent authorities.

4.4 Product Analytics and Service Improvement

We use aggregated or pseudonymized metadata to:

  • measure service performance, latency, and error rates;
  • plan capacity and upstream routing;
  • understand which models or endpoints are used most;
  • improve pricing, rate limits, and dashboard features.

We do not use prompt or response content for analytics.

4.5 Communications

We may use your contact details to send:

  • security alerts;
  • account notices;
  • payment receipts;
  • subscription renewal reminders;
  • policy update notices;
  • service outage or maintenance notices;
  • responses to support requests.

Zion will send marketing or promotional emails only if you opt in or where otherwise permitted by applicable law. You may withdraw marketing consent or unsubscribe from promotional emails at any time. Transactional, security, payment, legal, and service notices may still be sent even if you opt out of marketing.


5. Legal Basis for Processing

Zion processes personal data based on one or more of the following grounds, depending on the context:

Processing purpose | Main legal basis
Account creation, login, API-key management, service delivery | Performance of contract or pre-contract steps
Payment, balance, subscription, refund, and receipt handling | Performance of contract; legal and accounting obligations
Security logging, fraud prevention, abuse prevention, sanctions screening, rate limiting | Legitimate operational interest; legal obligation where applicable
Compliance with law, court orders, and authority requests | Legal obligation
Support requests and user communications | Performance of contract; consent where the user voluntarily provides information
Product analytics using aggregated or pseudonymized metadata | Legitimate operational interest
Optional integrations, optional notifications, or optional marketing | Consent where required
Cross-border transfer necessary to operate the Service | Performance of contract; consent or other applicable lawful basis where required

Where Vietnamese law requires consent for a specific processing activity, Zion will request consent before or at the time of processing. You may withdraw consent where processing is based on consent, subject to Section 11.


6. Prompt and Response Handling

Zion is designed as a pass-through multi-model API routing and billing layer for third-party AI providers.

When you send an API request:

  1. Your request is received by Zion's API gateway.
  2. Zion authenticates your API key and checks quota, balance, rate limits, provider routing settings, and billing rules.
  3. The request body is forwarded to the selected upstream AI provider and model route.
  4. The upstream provider generates a response.
  5. Zion returns the response to you.
  6. Zion stores usage metadata for billing, security, debugging, and abuse prevention, but not the prompt or response content by default.

Zion may temporarily process prompt and response content in server memory or network transit solely to route the request and return the response. Zion does not store that content in normal application databases, analytics logs, or error logs by default.

However, upstream AI providers receive your prompt content and may process it under their own terms, privacy policies, abuse-monitoring systems, data-retention rules, safety systems, and legal obligations. You should not send data to upstream AI providers unless you are allowed to do so.

Where available, Zion may provide provider privacy indicators, routing preferences, or data-retention controls, such as avoiding certain providers or preferring provider routes with stronger data-retention commitments. These controls depend on available provider information and may change when provider policies or routes change.

Zion may offer optional request-content logging, history, debugging, or observability features in the future. If enabled by a User or workspace, Zion may store prompt and response content for the purposes shown in the dashboard. Such features should be disabled by default unless the User affirmatively enables them.


7. Third-Party Recipients and Processors

Zion uses third parties only where reasonably necessary to operate the Service.

7.1 Upstream AI Providers

During Phase 1, Zion routes API requests only to OpenAI models and APIs that are made available through Zion's dashboard, API documentation, or official product interface.

If Zion adds additional upstream AI providers in the future, such as Anthropic, Google, or others, Zion will update this Policy, the dashboard, the API documentation, or other official product notices before making those providers available for use.

The selected upstream provider receives the request body and related technical metadata required to generate a response. The provider's handling of prompt and response content is governed by its own terms, privacy policy, data-retention rules, safety systems, and legal obligations.

7.2 Payment, Settlement, and Blockchain Providers

Zion may use bank transfer reconciliation providers and other settlement providers where operationally supported and legally appropriate.

Crypto-related settlement methods, Binance Pay, public blockchain networks, blockchain indexers, or RPC providers may be unavailable, restricted, delayed, refused, or replaced with alternative settlement methods as described in the Terms of Service.

If a crypto-related settlement method is operationally accepted, public blockchain transactions may be visible to anyone. Do not send crypto from a wallet address whose public history you consider sensitive.

7.3 Email and Notification Providers

Zion may use email or notification providers, such as Resend or equivalent services, to send transactional messages. These providers may process your email address, delivery status, bounce events, and complaint events.

7.4 Infrastructure and Security Providers

Zion may use infrastructure providers such as:

  • Hetzner or equivalent hosting providers;
  • Cloudflare for DNS, CDN, security, and DDoS protection;
  • Let's Encrypt for TLS certificates;
  • container, backup, monitoring, and logging tools used to operate the platform.

7.5 Legal, Compliance, and Safety Recipients

Zion may disclose personal data where reasonably necessary to:

  • comply with applicable law;
  • respond to valid legal process, court orders, or competent authority requests;
  • enforce the Terms of Service;
  • investigate fraud, abuse, cybersecurity incidents, or payment disputes;
  • protect the rights, safety, property, or security of Zion, users, upstream providers, or third parties.

Where legally permitted and practical, Zion may notify affected users of legal requests. Zion may be prohibited from doing so in some cases.

For Vietnam-related cybersecurity, data-protection, fraud, or public-order matters, competent authorities may include the Department of Cybersecurity and High-Tech Crime Prevention (A05) under the Ministry of Public Security or other competent Vietnamese authorities, depending on the matter.


8. International Data Transfers

Zion may store or process personal data outside Vietnam. For example:

  • primary infrastructure may be hosted in Germany or another jurisdiction;
  • upstream AI providers may process API content in the United States, the European Union, or other jurisdictions;
  • Cloudflare and similar providers may route traffic globally;
  • payment and blockchain infrastructure may operate across multiple jurisdictions.

By using the Service, you acknowledge that your personal data may be transferred, stored, and processed outside Vietnam where necessary to provide the Service.

Where required by Vietnamese law, Zion will maintain internal records, cross-border transfer documentation, and data transfer impact assessments relating to cross-border transfers and will cooperate with competent authorities as required. Zion will take reasonable steps to ensure that cross-border transfers are limited to what is necessary for service operation, security, payment, support, and compliance.


9. Data Storage and Security

9.1 Storage Locations

Zion stores data in production systems appropriate to the data category, including:

  • a primary relational database for account, billing, and operational records;
  • an analytics data store for usage metadata, request metrics, and aggregate operational data;
  • an in-memory cache or session store for short-lived session, rate-limit, and operational state;
  • encrypted backup storage;
  • secure logging, monitoring, and observability systems; and
  • internal support and payment-reconciliation tools.

9.2 Security Measures

Zion uses reasonable technical and organizational measures appropriate to the nature of the data, including:

  • HTTPS/TLS for traffic in transit;
  • password hashing using a modern password-hashing algorithm such as Argon2id or equivalent;
  • encryption or strong protection for sensitive secrets such as upstream provider API keys;
  • hashed storage of virtual API keys;
  • access controls for administrative systems;
  • audit logs for sensitive administrative actions;
  • environment-based secret management;
  • rate limiting and abuse detection;
  • backup and recovery procedures;
  • separation of production access from normal user access.

9.3 Security Limitations

No electronic system is perfectly secure. Zion cannot guarantee absolute security. You are responsible for securing your own account, email inbox, API keys, devices, wallets, and access credentials.

If you believe your account or API key has been compromised, contact support immediately and rotate or revoke the affected key.


10. Data Retention

Zion retains personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

10.1 Active Accounts

For active accounts, Zion retains account, payment, billing, usage, and security data for as long as necessary to operate the account and provide the Service.

10.2 Deleted Accounts

When you request account deletion, Zion applies a 30-day grace period unless immediate deletion is required or approved. During the grace period, you may cancel the deletion request.

After the grace period:

Data category | Treatment
Email address | Replaced with a one-way hash where needed for fraud prevention and duplicate-account prevention
Name | Replaced with "Deleted User" or equivalent placeholder
OAuth identifiers | Deleted or set to null
Telegram ID | Deleted or set to null
Phone number, if any | Deleted or set to null
Sessions | Deleted
API key names | Deleted or set to null
Hashed API key records | Retained where needed for audit, fraud prevention, or security history
Usage logs | Anonymized or disassociated from the user where technically feasible
Payment, invoice, refund, and ledger records | Retained where required for tax, accounting, dispute, fraud-prevention, or legal purposes

Anonymization is one-way. After completion, account restoration may not be possible.

10.3 Logs

Typical log retention periods are:

  • application logs: up to 90 days;
  • error and diagnostic logs: up to 180 days;
  • security and fraud-investigation logs: as long as reasonably necessary for investigation and protection;
  • audit logs for administrative actions: retained long-term as control records;
  • payment and accounting records: retained for the period required by applicable law or legitimate dispute/accounting needs.

10.4 Backups

Data deleted from the live system may remain in backups until those backups expire through normal rotation. Zion will not intentionally restore deleted personal data except where necessary for security, disaster recovery, legal compliance, or dispute resolution.


11. Your Rights

Subject to applicable law and reasonable identity verification, you may exercise the following rights.

11.1 Right to Know and Access

You may request confirmation of whether Zion processes your personal data and request access to the personal data Zion holds about you.

11.2 Right to Rectification

You may request correction or update of inaccurate or incomplete personal data. Some changes may be available directly in the dashboard.

11.3 Right to Deletion

You may request deletion of your account and associated personal data. Some records may be retained where necessary for legal, accounting, security, fraud-prevention, or dispute-resolution purposes.

11.4 Right to Restriction or Objection

You may request that Zion restrict or stop certain processing activities. If the requested restriction prevents Zion from operating your account, Zion may need to close or suspend the account.

11.5 Right to Data Portability

You may request a copy of certain account, payment, and usage data in a structured format such as CSV or JSON, where technically feasible and legally required.

11.6 Right to Withdraw Consent

Where Zion relies on your consent, you may withdraw that consent at any time. Withdrawal does not affect processing that occurred before withdrawal and does not affect processing based on other lawful grounds.

11.7 Right to Complain

You may contact Zion with privacy concerns or lodge a complaint with the competent Vietnamese authority where applicable.

11.8 How to Exercise Rights

Send requests to:

Zion may request information to verify your identity before fulfilling a request. Zion will respond within the period required by applicable law. As an operational standard, Zion aims to acknowledge requests within 7 days and resolve them within 30 days, unless the request is complex, legally restricted, or requires additional verification.


12. Cookies and Similar Technologies

Zion uses only essential or functional cookies and similar technologies unless stated otherwise.

12.1 Cookies We Use

Zion may use:

  • authentication/session cookies;
  • CSRF-protection tokens;
  • language, theme, and dashboard preference cookies;
  • security and rate-limiting identifiers.

12.2 Cookies We Do Not Use

Zion does not use:

  • third-party advertising cookies;
  • retargeting pixels;
  • cross-site advertising trackers;
  • third-party browser analytics scripts for advertising profiling.

12.3 Managing Cookies

You may control cookies through your browser settings. Disabling essential cookies may prevent login, payment, dashboard use, or API-key management.


13. Children and Minors

The Service is intended for users who are at least 18 years old or the age of majority in their jurisdiction, whichever is higher.

Zion does not knowingly collect personal data from minors. If Zion becomes aware that a minor has created an account or provided personal data, Zion may delete the account and associated data, subject to legal, security, and fraud-prevention retention needs.


14. Security Incidents and Data Breaches

If Zion becomes aware of a security incident that compromises personal data, Zion will:

  • take reasonable steps to contain and investigate the incident;
  • assess the type and scope of affected data;
  • take reasonable remedial measures;
  • notify affected users where required or appropriate;
  • notify competent authorities where required by applicable law, which may include A05 or other competent Vietnamese authorities depending on the incident; and
  • document the incident and response steps.

Where feasible, Zion aims to notify affected users within 72 hours after confirming a personal-data breach that creates material risk to user rights or interests. Zion will also make authority notifications within the timeline required by applicable law where such notification is mandatory. Notification timing may depend on investigation status, legal restrictions, authority instructions, operational feasibility, and the need to avoid worsening the incident.

Where notification is required, Zion will provide information reasonably available at the time, such as the nature of the incident, affected data categories, mitigation steps, and recommended user actions.


15. Automated Processing

Zion uses automated systems for authentication, rate limiting, quota checks, balance checks, abuse detection, and routing.

These systems support service operation and security. Materially adverse account actions, such as permanent suspension for suspected fraud or serious abuse, may be reviewed by a human operator where reasonably practical.


16. User Responsibilities

You are responsible for:

  • keeping your login credentials secure;
  • protecting your email account and devices;
  • keeping API keys confidential;
  • rotating API keys if they are leaked or suspected to be compromised;
  • ensuring you have the right to submit data to upstream AI providers;
  • avoiding submission of confidential, regulated, or third-party personal data unless you have proper authorization;
  • complying with applicable laws, upstream provider policies, and the Zion Terms of Service.

Zion is not responsible for unauthorized use caused by your failure to secure your account, API keys, devices, wallets, or credentials.


17. Changes to This Policy

Zion may update this Policy from time to time.

For material changes, Zion will provide notice by email, dashboard notice, or another reasonable method before the changes take effect, unless immediate changes are required for legal, security, or operational reasons.

Your continued use of the Service after the effective date of an updated Policy means you acknowledge the updated Policy. If you do not agree, you should stop using the Service and request account deletion.


18. Language

This Policy may be provided in English and Vietnamese.

For users located in Vietnam or transactions governed by Vietnamese law, the Vietnamese version shall prevail to the extent required by applicable law. The English version may be used as an operational reference or convenience translation unless a separate written agreement validly provides otherwise.


19. Contact

For privacy questions, data-subject requests, security concerns, or complaints, contact:

For urgent security issues involving account compromise or leaked API keys, contact support and immediately revoke or rotate the affected API keys from the dashboard.


Appendix A - Policy Change Log

  • 2026-04-26: Final publication draft prepared for Phase 1 launch under individual-business operation.
  • 2026-04-26: Updated to reflect Zion Router's provider-routing positioning as a multi-model AI API routing platform with third-party provider routing, provider data-policy disclosure, and optional future content-logging controls.
  • 2026-04-26 (v5, P0–P2 review): Restricted Phase 1 upstream scope to OpenAI only with explicit notice procedure for adding future providers (§7.1); disclosed anti-abuse signals, including limited device/browser fingerprinting and payment-risk metadata, used for security and sanctions screening (§3.4, §4.2); switched marketing communications to opt-in only (§4.5); named A05 (Department of Cybersecurity and High-Tech Crime Prevention, Ministry of Public Security) as the relevant Vietnamese authority for cybersecurity and data-protection matters (§7.5, §14); added cross-border transfer documentation and data transfer impact assessments (§8); added a 72-hour target for affected-user breach notifications (§14); clarified handling of crypto-related settlement (§7.2).