Privacy Policy

Last updated: May 26, 2026 · Oliver Labs LLC
SMS Messaging Privacy: Zaxin does NOT share your phone number or your leads' phone numbers with third parties for marketing purposes. Phone numbers are used solely to deliver messages you explicitly create, approve, and send through the Service. We never sell, rent, or license phone numbers to advertisers, data brokers, or any other third party.

1. Information We Collect

Account Information: name, email, phone, real estate license number, brokerage, service area cities — provided by you during registration.

Lead & Contact Data: You import or enter lead information including names, phone numbers, emails, property preferences, status, notes, and communication history. You are the data controller — Zaxin processes it on your behalf.

Communication Data: When you send SMS (via Twilio) or email (via Gmail / Outlook / Resend), we store message content, timestamps, delivery status, channel, and associated lead info. Inbound replies you log are also stored.

Email Reply Routing & Storage: Emails sent through Zaxin use the agent sender identity configured for your account. If you use a Zaxin-provided sending handle, replies route through that handle's reply-routing address so the response can appear in your Zaxin Inbox. If you configure a verified custom domain or direct agent reply address, replies route through that configured address. Older email threads sent before the current routing system may still be received through a legacy Zaxin reply alias for continuity. Inbound email replies are received by Zaxin's email infrastructure, stored in your account's communication history, and displayed in your Zaxin Inbox tab. The content of inbound email replies is stored in Supabase, encrypted at rest, accessible only by your account, and subject to the same 90-day retention policy as other communication data. You may optionally enable "Forward email replies to my inbox" in Settings → Integrations to also receive a copy in your personal email. You may disable this at any time.

Usage Analytics: Anonymized feature usage counts, generation counts, message send counts, reply rates, and engagement metrics. Not tied to your leads' personal information.

2. AI-Generated & AI-Inferred Data

Zaxin's AI generates and stores the following data types from your interactions with leads. ALL items below are algorithmic inferences — NOT verified facts:

3. How We Use Your Data

We use your data to provide the Zaxin CRM service including AI message generation, lead management, and analytics; classify emotional states and communication patterns to improve personalization; detect potential life events to surface relevant opportunities (never for discriminatory purposes); calculate conversion probabilities and referral readiness; schedule and deliver messages you approve via SMS and email; process auto-fire sequence messages you have explicitly activated; sync data across devices; create, update, and delete Google Calendar / Outlook Calendar events when you manage appointments in Zaxin; improve the Service through aggregated analytics.

We do NOT: train AI models on your data, sell or share lead data with third parties, target advertising, make discriminatory decisions based on protected characteristics, or contact your leads without your explicit approval.

4. Phone Numbers and SMS — Explicit Disclosure

Phone numbers collected by Zaxin (both the agent's phone number and the phone numbers of your imported leads) are used exclusively for the following purposes:

Zaxin does NOT: sell phone numbers to advertisers, share phone numbers with third parties for marketing purposes, use your leads' phone numbers for any marketing outside of the messages you (the agent) personally approve, or permit any other party (including Oliver Labs LLC, our employees, contractors, or service providers) to contact your leads via phone or SMS for any purpose other than service operation.

Phone numbers are never shared with third parties except as strictly necessary to deliver SMS messages you have approved (e.g., to Twilio as the carrier-routing service), and only for the single purpose of routing that message.

5. Sleep-Window Guardrail

Zaxin does NOT auto-send during your sleep window. By default, no automated messages are sent between 10 PM and 7 AM in your configured agent timezone. The window is per-agent configurable in Settings → Profile → Working Hours. Messages you initiate manually from within the app (tap-to-send, click-to-send) are exempt and send immediately when you trigger them. Auto-fire sequences, scheduled sends, speed-to-lead replies, and Zero Work Mode auto-replies are all subject to the sleep-window check and queue (rather than fire) until the next allowed send time.

6. Fair Housing Compliance

Zaxin incorporates Fair Housing Act (42 U.S.C. §§ 3601-3619) and California FEHA guardrails into every AI generation. AI-generated content is designed to never reference, imply preference for, or steer based on protected characteristics. Life event detection is provided as informational context ONLY and must NEVER be used to discriminate in housing recommendations or any housing-related decision. You are responsible for ensuring all communications comply with Fair Housing laws.

7. DRE §10140.6 First-Contact Disclosure

California Business & Professions Code §10140.6 requires licensed real estate agents to identify themselves and their license number on first written solicitation to consumers. Zaxin's California first-contact templates include the agent's name and DRE license number by default. The disclosure is required on the first written solicitation only — it does not need to repeat on every CRM message in an ongoing conversation. Agents are responsible for verifying their first-contact templates contain the required disclosure for their license type and jurisdiction.

Service operator: Oliver Labs LLC (Zachary Oliver, principal licensee).

8. Microsoft / Outlook User Data

If you connect a Microsoft account (personal or work / school), Zaxin requests OAuth access to a limited set of Microsoft identity and Microsoft Graph scopes. The same no-sell, no-share, no-AI-training commitments apply.

Scopes requested

Scopes we do NOT request: Zaxin does not request Mail.Send, Mail.Read, Mail.ReadWrite, Calendars.Read, Calendars.ReadWrite, or any other Microsoft Graph scope beyond the two listed above. If you see any other scope listed on a Microsoft consent screen for Zaxin, do not approve it and contact support immediately.

How we use Microsoft data

Microsoft user data is used solely to perform user-initiated actions inside Zaxin. Microsoft user data is NEVER used to train AI models, NEVER shared with third parties for marketing, and NEVER sold.

Retention & revocation

OAuth tokens are stored server-side in our managed database (Supabase / PostgreSQL), which encrypts data at rest at the infrastructure layer; all transmission uses TLS. Zaxin does not currently add application-layer (per-token) encryption on top of this storage; that hardening is on our roadmap. When you disconnect Microsoft in Settings → Integrations, all tokens are deleted within 24 hours. You can also revoke access at any time from your Microsoft account permissions page.

9. Landing Page Analytics (Microsoft Clarity)

We use Microsoft Clarity (clarity.microsoft.com) for anonymized session analytics on our public marketing pages (landing page, pricing page, blog, etc.). Clarity collects heatmaps, click maps, scroll depth, and session recordings of visitor interactions with our marketing pages.

What Clarity does NOT see: All PII form fields (email address, name, brokerage, DRE license number, phone number, and any password fields) are automatically masked via Clarity's "Mask sensitive content" setting. Clarity is never loaded inside the signed-in Zaxin application — it is strictly limited to anonymous marketing page visitors.

Opt-out: You may opt out of Clarity's session recording by enabling your browser's "Do Not Track" setting or by emailing privacy@zaxin.ai. Clarity is GDPR and CCPA compliant as a Microsoft service.

10. Google User Data

If you connect your Google account, Zaxin requests OAuth access to a limited set of scopes. We follow Google API Services User Data Policy and the Limited Use requirements.

Scopes requested

How we use Google data

Google user data is used solely to perform user-initiated actions you take inside Zaxin (sending an email you composed, importing a contact you selected, creating an appointment you scheduled). Google user data is NEVER used to train AI models, NEVER shared with third parties for marketing, and NEVER sold.

Retention & revocation

OAuth tokens are stored server-side in our managed database (Supabase / PostgreSQL), which encrypts data at rest at the infrastructure layer; all transmission uses TLS. Zaxin does not currently add application-layer (per-token) encryption on top of this storage; that hardening is on our roadmap. Tokens are tied to your Zaxin account and only readable by the server processes that send email, import contacts, or sync calendar events on your behalf. When you disconnect Google in Settings → Integrations, all tokens are deleted within 24 hours and Zaxin loses access immediately. You can also revoke access at any time from your Google account permissions page. Imported contacts and created calendar events remain in your Zaxin account after disconnect (they are your data). Email content sent via gmail.send remains in your Gmail Sent folder under Google's normal retention.

Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to other parties except as necessary to provide the Service or as required by law.

11. CCPA — Your California Privacy Rights

California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by CPRA, and the California Generative AI Training Data Transparency Act (AB-2255):

To exercise these rights, use the in-app features in Settings → Data, visit Zaxin Account Deletion, or contact privacy@zaxin.ai. We will respond within 45 days. We will verify your identity before processing requests.

11.1 Categories of personal information collected (CCPA §1798.110(c))

In the prior twelve months, Zaxin has collected the following categories of personal information about California consumers. The list maps to the categories enumerated in CCPA §1798.140:

Zaxin does NOT collect: biometric identifiers (no fingerprints, retina, facial recognition, or voiceprint identifiers), precise geolocation, race, religion, sexual orientation, immigration status, or union membership.

11.2 Sources of personal information (CCPA §1798.100(b))

Personal information is collected from: (a) you directly, when you sign up, enter agent profile data, import leads, send messages, configure integrations, or interact with Zaxin features; (b) lead-source integrations you authorize (CRM imports from FUB / kvCORE / BoldTrail / Lofty / CINC / Real Geeks / BoomTown / Sierra / Chime / Zapier / Make / n8n / lead-gen vendors); (c) OAuth providers you connect (Google for Gmail/Contacts/Calendar; Microsoft for Contacts); (d) public real estate data feeds (CRMLS Trestle Member resource for license/office verification; CoreLogic Trestle MLS listings); (e) browser-derived data (IP for geolocation, cookies for session continuity, Clarity session recordings when not opted out).

11.3 Business and commercial purposes for collection (CCPA §1798.100(b))

Personal information is collected and used for the following purposes: (a) providing the Zaxin Service (lead management, AI-assisted messaging, MLS integration, Chrome extension); (b) account creation, authentication, billing, and subscription management; (c) sending transactional emails (receipts, password resets, system notifications) and approved outbound messages (SMS / email / voice / browser-call) to your leads; (d) AI-driven personalization of drafts, summaries, and recommendations; (e) security, fraud prevention, abuse detection, and rate-limiting; (f) compliance with TCPA (SMS consent + opt-out tracking), CCPA (data subject request fulfillment), DRE §10140.6 (license disclosure on first contact), Fair Housing (protected-class proxy scrubbing); (g) product analytics and quality improvement (aggregate or de-identified where feasible); (h) communicating with you about service changes, Zaxin updates, and product offerings (you may opt out of non-transactional emails).

11.4 Right to opt-out of sale or sharing — clarification (CCPA §1798.120)

Zaxin does NOT sell personal information to third parties for monetary or other valuable consideration. Zaxin does NOT share personal information for cross-context behavioral advertising. We do not display third-party advertising in the Zaxin app, and we do not provide data to ad networks. The "Do Not Sell or Share My Personal Information" right under §1798.120 is structurally preserved: because no sale or sharing occurs, there is no opt-out mechanism to expose, but you may still confirm this posture by emailing zacharyoliver@zaxin.ai.

11.5 Verifiable consumer request methods (CCPA §1798.130(a)(1))

You may submit a verifiable consumer request by either of two designated methods:

We verify your identity before processing any request that returns or alters data. For account-holders, verification is satisfied by requesting from the account-of-record email; non-account-holders may need to provide additional identifying information. We will not discriminate against you for exercising any CCPA right.

12. CRMLS & MLS Data Redistribution

Zaxin integrates MLS data through CoreLogic Trestle and similar approved syndication APIs under MLS-data-display licenses. MLS listing content (photos, descriptions, prices, status, agent attribution) is shown only to authenticated Zaxin users who have a verified MLS membership for the originating MLS. We do not redistribute MLS data to non-members or to third parties.

MLS listing data is NEVER used to train AI models. AI features that summarize or surface MLS data operate on the data only at request time and do not persist a derivative training corpus.

Per CRMLS Photo Policy effective 2026-02-18, listing photos are filtered by status: Active and Pending listings show full photo sets; Sold, Withdrawn, Expired, and Closed listings show a status-conditional reduced set per the policy. Coming Soon listings respect the syndication windows defined by each MLS.

13. Third-Party Services & Vendor Data Processors

Zaxin uses the following processors. We share only the minimum data necessary for each processor to function. None of these processors is permitted to use your data for marketing.

14. Data Storage & Security

Lead data stored in Supabase (PostgreSQL) with row-level security policies. Local device caching via localStorage. API keys and credentials stored server-side only. HTTPS / TLS encryption on all data transmission. Rate limiting on sensitive endpoints. 30-day session timeout. Prompt injection sanitization on all user-provided data before AI processing. A baseline Content Security Policy (frame-ancestors, object-src, base-uri) is enforced; a broader policy covering script, style, and connect sources is currently in Report-Only telemetry mode and will be promoted to full enforcement after production-traffic verification.

15. Data Retention & Deletion

Account and lead data retained while the account is active. AI-generated data retained while the associated lead exists. Deleted leads are permanently removed along with all associated AI-generated data. CCPA deletion requests follow the 45-day response period described in Section 11. After a verified account-deletion request is approved, active account and lead data is purged within 30 days unless a legal-retention exception applies.

TCPA Consent Records: Records of SMS opt-in consent (including the consent timestamp, consent method, phone number, and opt-in language presented) are retained for a minimum of 7 years from the date of consent, even after account deletion, as required for TCPA compliance and potential litigation defense.

16. Chrome Extension — Social Intelligence

The Zaxin Social Intelligence Chrome extension ("Extension") is an optional companion to the Zaxin CRM. It scans publicly visible social media posts on LinkedIn, Facebook, and Instagram to detect real estate signals (e.g., "just sold," "house hunting," "moving soon") while you are logged in to those platforms.

What the Extension collects:

What the Extension does NOT do:

Host permissions: The Extension requires access to linkedin.com, facebook.com, and instagram.com to read post content in your feed. Access to zaxin.ai is required to send captured leads to your Zaxin webhook. These permissions are used solely for the purposes described above.

You can uninstall the Extension at any time via Chrome's extension management page. Uninstalling removes all locally stored data (webhook URL and capture history). Leads already sent to Zaxin remain in your Zaxin account and are subject to the data retention and deletion policies described in Section 14 above.

17. Children's Privacy

Zaxin is not intended for use by individuals under 18. We do not knowingly collect personal information from children.

18. Changes & Contact

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification. Continued use of the Service after changes constitutes acceptance.

Oliver Labs LLC
Address: 220 S Prospect Ave #12, Redondo Beach, CA 90277
Email: zacharyoliver@zaxin.ai
Website: https://zaxin.ai