Privacy Policy

This Privacy Policy explains how Zerokit ("we", "us") collects and processes personal data. It applies to our marketing site, the dashboard at zerokit.co, our API, and any other surface where we display this policy. For business customers using the Service to process recipient personal data, the Data Processing Addendum also applies.

1. Controller

For the personal data described below, the controller is Zerokit. You can reach us at [email protected]. Our legal entity details and registered address are provided on request and on the dashboard for paying customers.

2. What we collect

Account data

When you create an account we collect your email address, name (if provided), and authentication credentials (password hashes or OAuth identifiers from providers you choose, such as GitHub). We also store records of passkeys (public keys, device type, and friendly names) and two-factor authentication state.

Workspace and billing data

For each organization you create we keep its name, members, invitations, roles, and verified sending domains. Paid plans may require billing information (company name, billing email, VAT ID, billing address) — payment details themselves are handled by our payment processor and never stored on our systems.

Usage and technical data

We log API requests, dashboard activity, and email-delivery events (sent, delivered, bounced, complained, opened, clicked) needed to operate, debug, and bill the Service. This includes IP address, user agent, request timestamps, and response codes. Logs are retained for the periods listed in Section 7.

Email content you send through the Service

When you use the Service to send transactional email, the recipient addresses, subject lines, message bodies, and any attachments pass through and are temporarily stored on our systems. We act as a processor with respect to this data — see the DPA for details, including retention.

Communications

If you contact us by email, fill out a form, or join the waitlist, we keep that correspondence so we can respond and so we can later prove what was agreed.

3. Legal bases (GDPR)

Where the General Data Protection Regulation applies, we rely on the following lawful bases under Article 6:

• Contract (Art. 6(1)(b)) — to provide the Service you signed up for, including authentication, sending email, delivering events, and billing.
• Legitimate interests (Art. 6(1)(f)) — to operate and secure the platform, prevent abuse, debug incidents, and measure aggregate product usage. We weigh these interests against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)) — to keep records required by tax, accounting, and consumer-protection law.
• Consent (Art. 6(1)(a)) — for optional marketing emails and for analytics cookies where required. You can withdraw consent at any time.

4. How we use your data

• To create and authenticate your account.
• To send transactional email on your behalf.
• To deliver delivery, bounce, complaint, open, and click events.
• To bill paid plans and prevent payment fraud.
• To detect and stop abuse, spam, and security incidents.
• To respond to your support requests.
• To improve the Service in aggregate (we deliberately avoid using email content for analytics or model training).
• To comply with legal obligations and lawful requests.

5. Sub-processors and recipients

We engage a small set of vendors to host infrastructure and deliver email. They are bound by contractual data-protection obligations and are listed at Sub-processors. We do not sell personal data and do not share it with third parties for their own marketing.

6. International transfers

Our infrastructure runs primarily in the European Union. Some sub-processors (notably AWS for email delivery and Cloudflare for edge compute) may transfer data to other jurisdictions, including the United States. Where personal data leaves the European Economic Area, we rely on Standard Contractual Clauses (Commission Decision (EU) 2021/914) and equivalent safeguards. The current list of regions per vendor is on the Sub-processors page.

7. Retention

• Account data — retained while your account is active, plus up to 90 days after deletion to allow recovery and handle disputes.
• Billing records — retained for the period required by Polish tax law (currently five years from the end of the tax year).
• Email metadata and events — 30 days by default, extendable on paid plans up to the limit on your pricing tier.
• Email message bodies — purged after a short processing window unless a customer explicitly enables longer retention for debugging.
• Security and abuse logs — up to 12 months.

8. Your rights

Subject to local law, you have the right to (a) access your personal data, (b) correct inaccurate data, (c) request erasure, (d) restrict or object to processing, (e) data portability, and (f) withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO).

To exercise any of these rights, email [email protected]. We may need to verify your identity before responding.

9. Cookies and similar technologies

We use a small number of cookies and equivalent storage mechanisms:

• Strictly necessary — session cookies to keep you signed in, CSRF tokens, and a passkey-prompt dismissal flag in local storage. These cannot be disabled without breaking the Service and do not require consent.
• Functional — preferences such as theme and active organization. Set only after you use the related feature.
• Analytics — privacy-respecting analytics on marketing pages to count visits and sources. Aggregate only, no cross-site tracking. Where required by law, we ask for consent.

We do not use advertising cookies. Browser controls and our cookie banner (when shown) let you manage non-essential cookies.

10. Security

We follow industry-standard practices to protect personal data, including encryption in transit, encryption at rest for credentials and tokens, least-privilege access, and continuous monitoring. More detail is on the Security page. No method of transmission or storage is perfectly secure; if we ever become aware of a breach affecting personal data, we will notify affected customers and authorities as required by law.

11. Children

The Service is intended for use by businesses and developers, not children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated by email or a dashboard notice at least thirty (30) days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact

For any privacy-related question, write to [email protected].