Privacy Policy

Last updated: May 22, 2026

1. Introduction

Zapmark ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, and password when you create an account
  • Payment Information: Billing details processed securely through Stripe (we do not store credit card information)
  • Content: Prompts, descriptions, and any reference images you provide to generate visual content
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

  • Usage Data: Information about how you use the Service, including features accessed and actions taken
  • Device Information: Browser type, operating system, IP address, and device identifiers
  • Bot-protection signals: When you sign up, our bot-protection providers (Cloudflare Turnstile and reCAPTCHA Enterprise via Firebase App Check) collect IP address, user-agent, and behavioural signals from your browser to score the request as human vs. automated. This data is processed under our legitimate interest in preventing abuse
  • Cookies: We use cookies and similar technologies to maintain your session and preferences (see Section 9)
  • Analytics: Privacy-preserving, aggregated usage statistics via Vercel Web Analytics. No third-party advertising trackers are used

3. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve the Service
  • Process your transactions and manage your subscription
  • Generate AI-powered images (logos, illustrations, animations) based on your prompts
  • Send you service-related communications and updates
  • Respond to your support requests
  • Detect and prevent fraud or abuse
  • Analyze usage patterns to improve user experience
  • Comply with legal obligations

4. AI and Data Processing

When you use our AI generation features:

  • Your prompts and any reference images you upload are sent to the AI model provider selected for your generation. The currently available providers are Google Gemini (Google LLC) and, where enabled, OpenAI (OpenAI, L.L.C.)
  • The selected provider may retain prompt and output data per its own policies; we do not control their retention. See the Google AI terms and the OpenAI API data-usage policy for details
  • Generated images are stored in your account on Google Cloud Storage (via Firebase) for your access
  • We do not sell or share your specific prompts with third parties beyond the AI provider needed to fulfil your request
  • We do not train any models on your data ourselves
  • Generated content belongs to you (for paid subscriptions, per the Terms of Service)

4a. Content Review and Abuse Prevention

To enforce our Acceptable Use Policy (Terms of Service Section 6) and comply with our obligations under the EU Digital Services Act and applicable criminal law, we may review user-generated content in the following circumstances:

  • Automated filtering: the underlying AI providers (Google Gemini, OpenAI) apply safety filters to every generation. We surface their safety blocks to you and do not bypass them
  • Report-driven review: when content is reported via hello@zapmark.space or our in-product reporting flow, an authorised administrator reviews the specific content and takes action under the AUP
  • Targeted abuse investigation: where logs indicate suspected abuse (rate-limit evasion, automated scraping, payment fraud), an authorised administrator may review the affected account's recent generations to confirm or rule out misuse
  • Curation: the administrator may review their own generations to select examples for a public showcase. Other users' generations are not used for showcase curation

Every administrative action is recorded in an internal audit log. We do not browse user content for entertainment, monetisation, or to train AI models. Where we suspect content depicting child sexual abuse material, we are legally required to report it to the relevant authorities.

The legal basis for this processing is Art. 6(1)(f) GDPR — our legitimate interest in operating a safe, lawful service and complying with platform-safety law — balanced against your reasonable expectation of privacy. You retain all rights under Section 8 to access, correct, or delete this data.

5. Information Sharing and Disclosure

We do not sell your personal information. We use the following sub-processors to operate the Service. Each receives only the data necessary for its role and processes it under a data-processing agreement:

  • Stripe, Inc. (United States) — payment processing and subscription billing
  • Google LLC / Firebase (Ireland and United States) — authentication, database (Firestore), image storage (Cloud Storage), and Gemini AI image generation
  • OpenAI, L.L.C. (United States) — image generation, where the OpenAI model is selected
  • Resend (Resend Inc.) (United States) — delivery of transactional email (sign-in links, account notifications)
  • Cloudflare, Inc. (United States) — bot protection via Turnstile and reCAPTCHA Enterprise (the latter as part of Firebase App Check)
  • Vercel Inc. (United States) — hosting and privacy-preserving Web Analytics
  • ImprovMX (where used) — inbound email forwarding for our support address

Outside of these sub-processors, we may disclose information:

  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly agree to share information

6. Data Storage and Security

We implement appropriate technical and organizational measures to protect your information:

  • Data is encrypted in transit using SSL/TLS
  • Data is stored securely using Firebase and Google Cloud Platform
  • Access to personal data is restricted to authorized personnel
  • Regular security audits and updates
  • However, no method of transmission over the Internet is 100% secure

7. Data Retention

We retain your information for as long as necessary to provide the Service, comply with legal obligations, and resolve disputes. Specifically:

  • Account data (email, profile, subscription state) is retained while your account is active
  • Generated images are retained while your account is active. After account deletion, all images and personal data are removed within 30 days
  • Credit transaction logs are retained for at least 12 months for billing audit and dispute resolution
  • Pre-signup trial generations: When you generate without an account, we briefly store the prompt, the generated image, and a salted, irreversibly hashed form of your IP address in a separate trialGenerations store for at most seven (7) days. This data is used to prevent abuse and to evaluate quality; it is then automatically deleted. We do not link this data to any account if you later sign up
  • After deletion, we may retain non-identifying aggregated analytics indefinitely

8. Your Rights (GDPR Compliance)

If you are in the European Economic Area, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a structured format
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at hello@zapmark.space

9. Cookies and Tracking

We use a minimal set of cookies and similar browser-storage technologies. All of them are strictly necessary to operate the Service — we do not set advertising, marketing, social-media, or third-party tracking cookies. Our analytics provider does not use cookies. Specifically:

  • Firebase Auth session cookie: keeps you signed in across pages. Without it you cannot use the authenticated parts of the Service
  • Firebase App Check token: verifies that a request originated from our app, not a script or bot
  • Cloudflare Turnstile challenge state: issued during signup to score requests as human vs. automated
  • Stripe checkout cookies: set on Stripe's domain (not ours) during payment to keep your checkout session
  • Browser localStorage: we store a few non-cookie items locally — the email address you typed at sign-in (so the magic-link flow can complete without re-asking), your dismissal of the privacy notice pill, and (for the operator) the maintenance-mode bypass

Our analytics provider is Vercel Web Analytics, which is cookieless and aggregates page-view data without fingerprinting individual visitors. Because it sets no cookies, it does not require consent under ePrivacy; we still surface a privacy notice pill on first visit for transparency.

You may block any of the cookies above through your browser settings. Blocking the auth cookie will prevent you from signing in; blocking the App Check or Turnstile cookies may prevent signup. Strictly necessary cookies are exempt from prior-consent requirements under Article 5(3) of the ePrivacy Directive.

10. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately and we will delete it.

11. International Data Transfers

Several of our sub-processors are based outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) incorporated into our agreements with each sub-processor, together with the supplementary measures required by the Schrems II ruling. The current US-based sub-processors are listed in Section 5 (Stripe, Google/Firebase, OpenAI, Resend, Cloudflare, Vercel). You may request a copy of the relevant SCCs by contacting us.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending you an email notification for material changes

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: hello@zapmark.space
Support: hello@zapmark.space