Legal — 02
Privacy Policy
Last updated: July 1, 2026
We collect the minimum, we keep it briefly, and we never sell it. This policy explains exactly what that means, in the same plain language we use everywhere else.
The short version
We need your email and name to give you an account, and request headers to give you analytics. We do not use cookies for analytics, we do not fingerprint, we do not advertise, and we do not sell data — we could not afford the lawyers, and we do not want the money.
What we collect
- Account data: your name, email and profile picture, provided by Google when you sign in.
- Usage data: the links, contacts, issues and events you create inside the products.
- Analytics data: when someone clicks a short link, we record the timestamp, the referrer, the approximate country (resolved from the IP, which is then discarded), device type, browser and OS — all parsed from request headers.
- Technical data: server logs with IP addresses, kept for at most 30 days for security and debugging.
- Payment data: if you use the cloud, invoices and amounts. Card details are handled by the payment processor; we never see them.
What we do not collect
- No analytics cookies. None.
- No device fingerprinting.
- No cross-site tracking, no advertising identifiers, no data brokers.
- No passwords: authentication is delegated to Google.
- No contents of your emails — even with email sync, we store only the threads you explicitly attach.
How click analytics work without cookies
When a browser follows a short link, it tells us where it came from (the Referer header), what it is (the User-Agent header) and roughly where it is (the IP address, which we resolve to a country and immediately discard).
That is enough for honest statistics — clicks per day, per referrer, per country — without following anyone around the internet.
How we use data
- To provide the service: show your dashboard, count your clicks, send your invites.
- To keep it secure: detect abuse, block attacks, debug errors.
- To communicate with you: receipts, security notices, and product updates you can turn off.
- Never to advertise, profile or sell.
Legal bases (GDPR)
If you are in the EEA or the UK: we process account and usage data to perform the contract with you; logs and analytics under our legitimate interest in running a secure, reliable service; and product communications with your consent, which you can withdraw at any time.
Retention
- Account and product data: kept while your account is active.
- After account closure: exportable for 30 days, deleted from production within 60, and from backups within 90.
- Click analytics: stored in aggregate form; raw IPs are never kept.
- Server logs: 30 days.
Where data lives
The cloud runs on mainstream infrastructure providers, in the region shown at signup. If we ever change providers or regions, we will announce it in advance.
Self-hosted instances keep their data wherever you put it — we never see it.
Sharing
We do not sell data. We share it only with: the infrastructure providers that host the service (under data-processing agreements), the payment processor (to bill you), Google (to authenticate you), and authorities when the law genuinely compels us. That is the entire list.
Your rights
Wherever you live, we honor the GDPR set: access, rectification, erasure, portability, restriction and objection. Export tools are built into the product; for anything else, write to privacy@zerosoft.ai and we will answer within 30 days.
EEA residents may also complain to their supervisory authority — though we would rather you complain to us first.
Children
The service is not directed at children under 16, and we do not knowingly collect their data. If you believe a child created an account, write to us and we will delete it.
Changes and contact
Changes to this policy will be posted here with a new date; material changes are announced by email 15 days in advance.
Privacy questions, requests and complaints: privacy@zerosoft.ai.