Privacy Policy

1. Introduction

Virtual Factory Solutions Ltd. (trading as “VFS” and operating the “Zeodyn” brand) (“we”, “us”, or “our”) is the data controller responsible for your personal data. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

This Privacy Policy explains how we collect, use, and protect information when you use our website at zeodyn.com and related services (the “Service”). If you are located in the European Economic Area (EEA), we also process your data in compliance with the EU General Data Protection Regulation (EU GDPR).

2. Data controller

Virtual Factory Solutions Ltd.
Registered in England and Wales
Email: Contact us

3. What data we collect

We collect minimal data to operate the Service:

• URLs submitted for scanning:When you use the Zeodyn Scanner™, the URL you submit is processed to generate your report. URLs are not linked to your identity.
• Email addresses (optional): If you voluntarily provide your email address (e.g. to receive launch notifications), we store it solely for that purpose.
• Technical data: We may collect standard server log data including IP addresses, browser type, and referring pages. This data is used for security monitoring and service operation only.
• Cookies: We use essential cookies only. See our Cookie Policy for details.
• URLs scanned through AI platform integrations:When an AI platform integration (such as a ChatGPT custom GPT or Claude tool) initiates a scan, the target URL and scan results are processed and retained. The identity of the AI platform user who requested the scan is not collected or stored by us — we receive only the target URL.

4. Analytics

We use Plausible Analytics, a privacy-friendly, cookie-free analytics service hosted in the European Union. Plausible collects no personal data, sets no cookies, and does not track individual visitors across sites. All data is aggregated and anonymous.

Key points:

• No cookies are set by our analytics.
• No personal data is collected.
• No cross-site tracking.
• All data is aggregated and anonymous.
• Plausible is compliant with UK GDPR, the Data Protection Act 2018, PECR, EU GDPR, and CCPA without requiring visitor consent.

For details on how Plausible handles data, see their data policy.

5. How we use your data

We use the data we collect to:

• Provide and operate the Zeodyn Scanner™.
• Generate and store scan reports.
• Send launch notifications if you have opted in.
• Monitor and protect the security of the Service.
• Comply with legal obligations.
• Build and maintain a market intelligence corpus of agent commerce readiness data, derived from agent-initiated background scans and market research campaigns. User-initiated scans on zeodyn.com are not included in this corpus.

6. Legal basis for processing

We process your personal data on the following legal bases under Article 6(1) UK GDPR:

• Contractual necessity (Art. 6(1)(b)): Processing URLs you submit to provide the scanning service and generate your report.
• Legitimate interests (Art. 6(1)(f)): Processing technical data (server logs, IP addresses) to maintain the security and integrity of the Service, and to prevent abuse.
• Consent (Art. 6(1)(a)): Processing email addresses for optional notifications, where you have given explicit consent. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): Where we are required to process data to comply with applicable law.

7. Data sharing

We do not sell your personal data. We may share data with:

• Infrastructure providers: We use Microsoft Azure (UK South region) to host the Service. Data is processed and stored within the United Kingdom.
• Analytics: We use Plausible Analytics, which is hosted in the European Union. Plausible does not collect personal data or set cookies. See section 4 for details.
• DNS and security:We use Cloudflare for DNS resolution and DDoS protection. Cloudflare processes requests at global edge nodes. Cloudflare acts as a data processor and is certified under the EU–US Data Privacy Framework.
• Legal requirements: We may disclose data if required by law, court order, or governmental regulation.
• AI platform integrations:We operate scanner integrations on third-party AI platforms. When a scan is requested through these integrations, scan results are returned to the user via the AI platform. The AI platform’s own data handling is governed by that platform’s privacy policy, not ours.
• Stytch Inc.: Authentication provider for ChatGPT App users. Stytch processes authentication tokens on our behalf.
• OpenAI:MCP transport provider for ChatGPT users. Scan requests and results are transmitted via OpenAI’s infrastructure.
• Anthropic:MCP transport provider for Claude users. Scan requests and results are transmitted via Anthropic’s infrastructure.

8. Proactive website assessment

In addition to user-initiated scans, we proactively assess publicly accessible websites to evaluate their readiness for AI agent discovery and interaction. This activity supports our market intelligence research, benchmark publications, and industry analysis.

What we assess

We examine publicly observable signals only — the same information available to any web browser, crawler, or AI agent visiting a website. This includes HTTP headers, HTML content, structured data markup, robots.txt, well-known endpoints, SSL certificates, and page performance characteristics. We do not access login-protected content, scrape personal information, or store copyrighted content.

Data collected

The only data retained from proactive assessments is the URL assessed and the resulting Zeodyn Score™ and dimension-level scores. No personal data is collected during proactive assessments.

Legal basis

Proactive assessments are processed under legitimate interests (Art. 6(1)(f) UK GDPR). We have a legitimate interest in assessing and publishing information about the AI commerce readiness of publicly accessible websites, in the same manner as product review services, comparison websites, and industry analysts. This processing does not override the rights of website owners, as we assess only publicly available technical signals.

How we use assessment data

• Generate Zeodyn Score™ reports and technical assessments.
• Publish benchmark analyses, industry comparisons, and research findings.
• Improve and validate our scoring methodology.
• Provide aggregated market intelligence to subscribers.

Publication

We may publish assessment results, including Zeodyn Score™ values and benchmark comparisons, on our website and in reports. Published scores represent our independent assessment at the stated date and do not imply any relationship with, endorsement by, or affiliation with the assessed party.

Geographic measurement

Scans are conducted from cloud infrastructure located in the United Kingdom. Scores reflect how a website responds to requests originating from this geographic location. Websites that employ geographic restrictions or bot-detection measures may receive scores that reflect this behaviour, as it is relevant to AI agent accessibility.

Opt out

Website owners may opt out of proactive assessment by:

• Blocking our scanner via robots.txt (User-Agent: ZeodynScanner).
• Contacting Contact us to request permanent exclusion.

We honour opt-out requests within 5 business days.

Data accuracy

If you believe an assessment of your website is inaccurate, you may dispute it under our Terms of Service dispute and correction process.

9. Agent-initiated scans

When a scan is initiated through an AI platform integration:

• Homepage assessment: The target URL is scanned using publicly observable signals (as described in Section 8). The result is returned to the AI platform user.
• Background assessment: We may conduct a subsequent multi-page scan of the same URL for market intelligence purposes. This background scan assesses up to 5 pages and retains the data for aggregate analysis.
• No user data collected: We do not receive or store any information about the AI platform user who requested the scan. We receive only the target URL from the AI platform.

Legal basis

Background data collection from agent-initiated scans is processed under legitimate interests (Art. 6(1)(f) UK GDPR), on the same basis as proactive website assessment (Section 8). The target is a publicly accessible commercial website, and the data collected relates to technical website characteristics, not personal data.

For full details on our scanning practices, see our Responsible Scanning Policy.

10. AI Agent & MCP Tool Usage

When AI agents use Zeodyn tools via MCP (Model Context Protocol), we collect:

• Domain scanned: The target URL submitted for assessment.
• Timestamp: The date and time of the tool call.
• Platform identifier: The AI platform through which the tool was invoked (e.g. ChatGPT, Claude).
• Session metadata: Technical identifiers used to correlate requests within a single session.
• Tool call duration: The time taken to process the request.

This data is used to provide the scanning service, enforce rate limits, monitor service health, improve accuracy, and generate aggregate statistics. We do not collect or store the content of AI conversations in which our tools are used.

11. Data retention

• Scan results: Retained for 30 days from the date of the scan, after which they are automatically deleted.
• Email addresses: Retained until the relevant notification is sent or you request deletion, whichever is earlier.
• Server logs: Retained for up to 90 days for security monitoring purposes.
• Market intelligence corpus data (proactive assessments and agent-initiated background scans): Retained indefinitely as part of the market intelligence corpus. This data consists of technical website characteristics (scores, structured data presence, protocol support, performance metrics) of publicly accessible commercial websites. Website owners may request removal via the opt-out mechanism described in Section 8.

MCP data retention

• Tool call logs: Retained for 90 days (raw), then aggregated to daily counts.
• Connection signals: Retained for 30 days.
• Scan cache: Retained for 24 hours.

12. International transfers

Our primary hosting infrastructure is in the United Kingdom (Microsoft Azure, UK South region). In addition:

• Plausible Analytics is hosted in the European Union. No personal data is transferred, as Plausible does not collect any.
• Cloudflareprocesses DNS and security requests at global edge nodes. Cloudflare is certified under the EU–US Data Privacy Framework and operates as a data processor under appropriate safeguards.
• OpenAI (US-based):Scan results are transmitted via OpenAI’s infrastructure for ChatGPT users. OpenAI is certified under the EU–US Data Privacy Framework.
• Anthropic (US-based):Scan results are transmitted via Anthropic’s infrastructure for Claude users.

Where any transfer of personal data outside the UK is required, we ensure appropriate safeguards are in place in accordance with UK GDPR, including standard contractual clauses or adequacy decisions as applicable.

13. Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (“right to be forgotten”).
• Object to or restrict processing of your data.
• Request portability of your data.
• Withdraw consent at any time (where processing is based on consent).
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact Contact us. We will respond within one month.

14. Children's privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make changes, we will update the “Effective” date at the top of this page. We encourage you to review this page periodically.

16. Contact

For privacy enquiries, contact Contact us.