Effective date: April 17, 2026
This Privacy Policy explains how Zenbx collects, uses, and protects your information when you use our Service. By using Zenbx you agree to the practices described here.
Google API Data Disclosure
Zenbx's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Gmail data solely to identify and analyse brand partnership emails on your behalf and to send replies you author. We do not use Gmail data for advertising, do not sell it to third parties, and do not allow humans to read your email except for security, compliance, or at your explicit request.
Account information. When you sign up, we collect your email address and a hashed password. If you complete your creator profile, we also store your name, niche, social handles, preferred brand categories, minimum deal rates, and AI reply preferences.
Email content. When you connect a Gmail or SMTP email account, we access your inbox to fetch emails. We process only emails that appear to be brand partnership, sponsorship, or collaboration inquiries. We store the sender name, sender email, subject line, and body of those emails on our servers to power AI analysis and to display them in the app.
Contracts and documents. If you upload a contract PDF, we store the file in encrypted object storage and extract deal terms using AI. Contract files are retained alongside your account and deleted when you delete your account.
SMTP credentials. If you connect a non-Gmail email account via SMTP, we store your SMTP server settings and your SMTP password. Passwords are encrypted at rest using AES-256-GCM with a key held only in our production environment.
Push notification subscriptions. If you opt in to Web Push notifications, your browser generates a push subscription endpoint that we store so we can deliver notifications to your device. You can revoke this at any time in your browser settings or in Settings → Notifications.
Usage data. We collect information about how you use the Service — pages visited, features used, credit consumption, and session timestamps. This helps us improve the product.
Billing data. If you subscribe, payment is processed by Stripe. We store only your subscription status, plan tier, and Stripe customer identifiers — we never see or store full card numbers.
We use the information we collect to:
We do not use your email content, contracts, or any other personal data to train AI models beyond the scope of delivering the Service to you. We do not use your data for advertising purposes.
When you connect Gmail, Zenbx requests two OAuth scopes: gmail.readonly (to read incoming brand emails) and gmail.send (to send reply emails you have reviewed and approved). We never request scopes that would allow us to delete, archive, or modify the messages in your Gmail inbox.
If you connect a non-Gmail account via SMTP, we store your SMTP credentials encrypted at rest. We use these credentials only to send reply emails you have authored and approved.
Email data fetched from your inbox is transmitted securely and stored in our database (Supabase, hosted on AWS). Only emails identified as potential brand partnerships are stored — general personal emails are never read or retained.
You can disconnect your Gmail or SMTP account at any time from Settings → Connected Accounts. You can also revoke Gmail access directly at myaccount.google.com/permissions. Revoking access stops future syncs but does not automatically delete emails already stored — you can delete all your data by deleting your account (Settings → Account → Delete Account).
Email analysis, draft generation, and contract parsing are powered by Anthropic's Claude models. Email content (sender, subject, body) and contract document text are sent to Anthropic's API for processing. Anthropic does not use data submitted via the API to train their models — see Anthropic's privacy policy. We have executed a Data Processing Addendum with Anthropic that governs this processing.
Contract summaries produced by the AI are descriptive only. They are not legal advice. For anything that materially affects your rights, consult an attorney.
We use the following third-party processors to deliver the Service:
Each processor handles data only as necessary to deliver their service and is contractually bound to protect your data. A current list of subprocessors is available on request at privacy@zenbx.com.
We use Vercel Web Analytics to measure aggregate usage of the Service (page views, referrers, device type, general geography). Vercel Analytics is cookieless and does not track individuals across sites. No advertising or cross-site tracking cookies are set by Zenbx.
We set only first-party cookies strictly necessary to deliver the Service — specifically, an authentication session cookie when you log in.
Your data is processed and stored in the United States (AWS us-east-1). If you are located in the European Economic Area, United Kingdom, or Switzerland, your data is transferred to the United States under appropriate safeguards including the European Commission's Standard Contractual Clauses where applicable. Our US-based subprocessors (Anthropic, Stripe, Vercel) also rely on Standard Contractual Clauses or equivalent safeguards for international transfers.
We retain your account data, analysed emails, and contract uploads for as long as your account is active. If you delete your account, all associated data — including emails, opportunities, deals, draft replies, contract files, push subscriptions, and profile information — is permanently deleted from our systems within 30 days.
Billing records may be retained longer where required by law (typically 7 years for tax compliance purposes). Admin audit logs, which record administrative actions taken on accounts, are retained for 2 years.
All data is encrypted in transit using TLS 1.2 or higher, and at rest using the encryption provided by our infrastructure providers. Sensitive secondary credentials — specifically SMTP passwords — are additionally encrypted by us using AES-256-GCM with a key held only in our production environment. We use Supabase Row-Level Security to ensure your data is accessible only to you. We follow industry-standard practices for credential management, least-privilege access, and regular credential rotation.
No system is perfectly secure. If you discover a security issue, please contact us immediately at privacy@zenbx.com.
Depending on your location, you may have the right to:
To exercise any of these rights, contact us at privacy@zenbx.com. We will respond within 30 days.
Zenbx is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are located in the European Economic Area, you must be 16 or older (or have the consent of a parent or guardian) to use the Service. If you believe we have inadvertently collected information from a child under these thresholds, please contact us and we will delete it promptly.
We may update this Privacy Policy periodically. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
For privacy questions, data rights requests, or security reports, contact us at privacy@zenbx.com. For general support, contact support@zenbx.com.