Self-hosted on US soil.
No training on your data.
ZSky AI runs on 7 NVIDIA RTX 5090 GPUs the founder owns personally, in a workstation in the United States. We do not rent compute. We do not route through overseas inference APIs. We do not train on your prompts or outputs. We do not sell or share user data. Ever.
Our security commitments
Self-hosted in the US
All AI generation runs on 7 RTX 5090 GPUs (224 GB total VRAM) physically located in the United States, owned by founder Cemhan Biricik. Not rented. Not in overseas data centers.
No training on user data
We do not train models on user prompts, user-uploaded references, or generation outputs. The models we serve were trained before the platform launched. This is a permanent commitment, not a paid-tier feature.
No overseas inference
The full rendering pipeline runs on the owned US cluster. Prompts are not handed off to OpenAI, Google, Anthropic, Meta, or any other third-party inference service.
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Database encrypted at the storage layer. No plaintext passwords ever stored, viewed, or logged.
Minimal data collection
We collect: account email, hashed password, credit balance, your own generation history. We do not collect: third-party tracking cookies, advertising IDs, behavioral profiles, or anything we don't need to operate the service.
SOC 2 in progress
SOC 2 Type 1 audit is underway for 2026. Type 2 will follow. We will publish the full audit report when complete. We treat security audits as a serious investment, not a marketing checkbox.
GDPR + CCPA compliant
EU users can request data export and deletion via [email protected] (30-day SLA). California residents have the same rights under CCPA. We do not sell personal information.
DPA + BAA on Enterprise
Enterprise customers can sign Data Processing Agreements, Business Associate Agreements, and custom MSAs. Standard templates available, 24-48h turnaround because there's no legal department gating the process.
What we store vs what we don't
| Data | We store? |
|---|---|
| Email address (account login) | Yes |
| Hashed password (PBKDF2-SHA256) | Yes |
| Credit balance and transaction history | Yes |
| Your generated outputs (so you can access them) | Yes — your library |
| Basic usage logs (for billing accuracy) | Yes |
| Plaintext passwords | Never |
| Payment card details | No (Stripe-handled) |
| Behavioral profiles or browsing history | No |
| Advertising IDs or third-party tracking cookies | No |
| Your prompts as training data | Never — not now, not ever |
| Data sold or shared with advertisers | No, none, nowhere |
| Government data requests fulfilled silently | No — we publish a transparency report |
Why this matters in 2026
Most AI tools you use today are training their next model on your prompts and outputs right now. That is not paranoia — it is the explicit business model of every major AI image and video generator that runs on rented cloud infrastructure. Your creative work becomes input for their next product. Your style becomes their training distribution.
ZSky cannot do this even if we wanted to. The infrastructure is owned by one person who built the tool because he had aphantasia and could not find anything that respected his creative process. The business model is not "harvest user data and sell it." The business model is "charge nine dollars a month to people who want to support a free tier for everyone else."
If you care about where your prompts go, who owns the GPUs running your generation, and whether your work becomes training data for someone else's product — ZSky is the only major AI image and video generator with the answer you want.
Reporting a security issue
Responsible disclosure
If you discover a security vulnerability, email [email protected] with details. We respond within 24 hours, validate within 72 hours, and credit researchers in our security acknowledgments unless you ask not to be named. We do not pursue legal action against good-faith security researchers.
[email protected] [email protected]Common questions
Where does ZSky AI host its infrastructure?
All AI generation on 7 NVIDIA RTX 5090 GPUs (224 GB total VRAM) physically in the United States, owned by founder Cemhan Biricik. Not rented from AWS, GCP, Azure. Not in overseas data centers.
Does ZSky train on user prompts or outputs?
No. Permanent commitment, not a tier feature. Applies to free users as much as Enterprise.
Are user prompts routed through overseas inference APIs?
No. Full rendering pipeline runs on the owned US cluster. Not handed off to OpenAI, Google, Anthropic, Meta, Stability, or any third-party inference service.
What does ZSky store about my activity?
Email, hashed password, credit balance, generation history (your library), basic usage logs. We don't store payment cards (Stripe handles that), advertising IDs, behavioral profiles, or anything we sell.
Is ZSky SOC 2 compliant?
SOC 2 Type 1 in progress for 2026. Type 2 follows. We publish the full audit report when complete.
Can I sign a DPA or BAA?
Yes on Enterprise. Email [email protected]. Standard templates, 24-48h turnaround.
What about GDPR and CCPA?
Compliant with both. EU and California users can request data export/deletion via [email protected] (30-day SLA). We do not sell personal information.
How does ZSky handle authentication?
Supabase Auth with PBKDF2-SHA256 password hashing. Email/password, Google OAuth, Apple Sign-In. JWT sessions with secure HttpOnly cookies. 2FA on the roadmap for Q2 2026.