← zucchini.chat

Privacy Policy

Last updated: May 15, 2026

Data Controller

The data controller for personal data processed through Zucchini is Hayaku Tech Limited, a private company incorporated in the Republic of Cyprus under company number HE 400807, with its registered office at Griva Digeni 78, 2nd floor, Office B1, 3101 Limassol, Cyprus. You can contact us about any privacy matter at [email protected].

Overview

Zucchini is a messenger app for chatting with Claude Code agents. Your privacy matters — we collect as little data as possible and never sell your information.

What We Collect

• Account credentials — login and password, used solely for authentication with our messaging backend.
• Chat messages — messages you send and responses from Claude Code agents, stored on our server to provide the chat functionality.
• Project metadata — names of project folders on your machine, used to organize chats by project.

What We Don't Collect

• We do not collect analytics, telemetry, or usage tracking data.
• We do not read or access your files beyond what Claude Code does in response to your messages.
• We do not use cookies or third-party trackers.

How Your Data Is Stored

Messages and account data are stored on our server infrastructure. The spawner component runs entirely on your local machine — your code and files stay on your device.

Message bodies, chat titles, drafts, and attachment blobs are end-to-end encrypted on your device before they reach our servers using XChaCha20-Poly1305 (IETF variant) authenticated encryption with a per-account symmetric key (K_user) that never leaves your devices. Our servers see ciphertext only and cannot read the contents of your messages, your chat titles, your drafts, or your attachments. Routing metadata that we cannot encrypt without breaking the service — account identifiers, machine and project names, project paths, message timestamps, and ordering — is stored in plaintext.

Data Retention

We keep your personal data only for as long as we need it to provide the service or to meet legal obligations:

• Account data and chats are retained for as long as your account is active.
• Account deletion: when you delete your account from the app, your account record and associated rows (including encrypted message ciphertext, chats, machines, and projects) are removed from our live database within 30 days. Encrypted backups containing those rows are purged within 90 days as backup snapshots age out of rotation.
• Individual chat deletion: when you delete a single chat, its encrypted message ciphertext and metadata rows are removed from our live database immediately; the same 90-day backup window applies.
• Billing and subscription records (entitlement expiry timestamps and Apple's original transaction id, described in "Subscription Data" below) are retained for 7 years from the end of the fiscal year in which the transaction occurred, as required by Cyprus tax and accounting law.

Your Rights

If you are in the European Economic Area, the United Kingdom, or another jurisdiction that grants similar rights (including California under the CCPA/CPRA), you have the following rights with respect to your personal data:

• Right of access (Art. 15 GDPR) — obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification (Art. 16 GDPR) — have inaccurate personal data corrected and incomplete data completed.
• Right to erasure / deletion (Art. 17 GDPR) — have your personal data deleted, subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR) — ask us to limit how we process your data in specific circumstances.
• Right to data portability (Art. 20 GDPR) — receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — object to processing carried out on the basis of our legitimate interests.
• Right to withdraw consent at any time, where processing is based on your consent, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint with a supervisory authority. In Cyprus, the supervisory authority is the Office of the Commissioner for Personal Data Protection.

To exercise any of these rights, email us at [email protected]. We will respond within one month, in accordance with Article 12(3) GDPR.

Subscription Data

If you purchase a Zucchini Pro subscription, payment is processed entirely by Apple. We never see or store your credit card number, billing address, country, Apple ID, or password.

After a successful purchase, Apple sends our server a signed payload (a JSON Web Signature) that contains your subscription's original transaction id, the app bundle id, and the expiration timestamp. The only subscription data we store on our servers is:

• Your Pro entitlement expiry timestamp, so every device signed into your account knows whether Pro features are active.
• Apple's original transaction id for your subscription, used to dedupe renewal notifications and prevent the same purchase from being claimed by multiple accounts.

We do not receive or store any other information about your purchase, your Apple ID, or your payment method. Refunds, family sharing, and subscription management are handled entirely by Apple under Apple's privacy policy.

Third Parties

Chat messages are processed by Anthropic's Claude Code on your own machine to generate responses. Sign-in is handled by Stytch and, if you choose them, Apple and Google. Push notifications are delivered by Apple. Attachments are stored on Cloudflare R2. Subscriptions are processed by Apple. Each provider handles your data under their own privacy policy.

Data Deletion

You may request deletion of your account and all associated data by contacting us. Upon deletion, all messages and account information are permanently removed from our servers.

Contact

For questions about this policy, reach out at [email protected].