Data privacy

Your data belongs only to you.

Zephra is built on the principle of data isolation. We do not use your personally identifiable data to train shared AI models, and we provide full transparency into how every signal is used. Anonymised, aggregated data is used for system improvement as described below.

// Privacy at a Glance

NO AD TARGETING

We never use your data to sell ads or target you with third-party advertising.

NO SHARED AI TRAINING

Your identifiable campaign data never trains models shared with other customers.

GOOGLE LOGIN ONLY

We never store passwords. All sign-in is via Google OAuth — you control access.

DELETE ANY TIME

Request deletion of your account and all associated data at any time via email.

ENCRYPTED STORAGE

All OAuth tokens stored encrypted at rest. Database encrypted with AES-256 (Neon PostgreSQL).

GDPR + DPDP + CCPA

Compliant with EU, UK, India, and California privacy laws. Jurisdiction-specific rights in §16.

Introduction+

Effective Date: April 2026 · Issued by: Growthsynth LLP · Version 2.0

This Privacy Policy explains how Growthsynth LLP ("we", "us", "our"), operating the Zephra AI marketing platform and the marketing website at zephraai.com, collects, uses, stores, and protects your personal data. It applies to:

  • Website visitors — anyone browsing zephraai.com
  • Platform users — businesses and individuals with a Zephra account at app.zephraai.com
  • Customer website visitors — end-users of websites where our sdk.js tracking script is installed by our customers

This single policy governs all three groups. Where provisions apply only to a specific group, this is stated clearly. Additional jurisdiction-specific provisions for EU/UK, California, and India residents are in Section 16.

By using Zephra, you acknowledge you have read and understood this Policy. If you do not agree, please do not use the platform.

1. Who We Are+

Growthsynth LLP is a Limited Liability Partnership incorporated in India. We develop and operate Zephra — an AI-powered marketing intelligence and automation platform for businesses globally.

DATA CONTROLLER / DATA FIDUCIARY

Growthsynth LLP is the data controller (GDPR), data fiduciary (India DPDP Act 2023), and equivalent responsible entity under all applicable data protection regimes worldwide. Where we process personal data on behalf of our platform customers (e.g. visitor data collected through sdk.js), we act as data processor and our customers act as controllers — see Section 14.

CONTACT

  • Email: hello@zephraai.com
  • Subject line: "Privacy Request — [Your Name]"
  • Response: 30 days for standard requests; 72 hours for security matters
2. Data We Collect+

We collect only the following categories of data:

2.1 Account Data

  • Full name, work email, company name, job title (sourced from your Google profile at sign-in)
  • Google account ID (used as your unique identifier — we never store passwords)
  • Profile photo URL (from Google)
  • Account creation date and last login timestamp
  • Consent record: timestamp of terms acceptance, privacy policy acceptance, terms version number, and marketing email opt-in status — stored to demonstrate your consent

Authentication method: Zephra uses Google OAuth 2.0 exclusively. We do not store, process, or have access to your Google password at any time.

2.2 Third-Party Platform Credentials

  • OAuth access tokens and refresh tokens for connected platforms: Meta Ads, Google Ads, Google Analytics, YouTube, and others you connect
  • Platform account identifiers (ad account IDs, property IDs, channel IDs)
  • Read/write permissions as granted by you during OAuth authorisation

All OAuth tokens are stored encrypted (AES-256 via Fernet symmetric encryption). We never store third-party passwords. You can revoke access at any time from your account settings or directly from the third-party platform.

2.3 Campaign and Performance Data

  • Campaign names, status, objectives, budgets, and spend figures
  • Audience targeting parameters and performance metrics (impressions, clicks, conversions, ROAS)
  • Attribution data including conversion events and revenue
  • Historical campaign data used to build your Context Engine profile
  • Publicly available competitor ad data from ad libraries
  • Brand assets: your brand name, colour palettes, tone-of-voice guidelines, and creative briefs that you submit for AI-assisted ad creative generation
  • Generated content: AI-generated ad copy, image prompts, and video files created within the platform on your behalf; stored temporarily for review and download

2.4 Website Visitor Data (Server-Side Tracking)

This applies to visitors of your website where you have installed our sdk.js tracking script, and to visitors of zephraai.com itself.

  • Pseudonymised visitor event data (page views, conversions, form completions, custom events)
  • IP addresses — received for geolocation purposes; we extract country/city data and then pseudonymise the IP by zeroing the last octet (IPv4) or last 80 bits (IPv6) before any further storage or forwarding
  • Browser type, device type, referring URL, user agent string
  • client_id: a pseudonymous first-party identifier generated by sdk.js, stored in a first-party cookie on your website visitors' browsers — used to link events for the same session; does not contain personally identifiable information
  • Lead data: where your website visitors submit a form (e.g. contact, lead capture), the data they enter may be captured by sdk.js and forwarded as a server-side conversion event to Meta CAPI or Google Ads Enhanced Conversions, at your direction and subject to your website's own privacy notice
  • Facebook click ID (fbclid) and Google click ID (gclid) where present in the URL — used solely for attribution matching with the relevant ad platform

For sdk.js customers: You are the data controller for your website visitors' data. You must include an appropriate disclosure in your own privacy notice. See Section 14 for a copy-paste template and our Data Processing Agreement terms.

2.5 Payment and Billing Data

  • Billing name, email, and address (where required by tax law)
  • Transaction records, token purchase history, subscription status
  • Payment card details are never stored by us — processed by PCI-DSS-compliant payment processors only

2.6 Usage and Technical Data

  • Log data: pseudonymised IP, browser type, pages visited, timestamps
  • Device data: operating system, screen resolution
  • User activity records: which platform features you use, when, and in what sequence — used for debugging, fraud detection, and platform improvement (stored in our internal user_activity table)
  • Error and crash reports
  • Microsoft Clarity session analytics: anonymised heatmap, scroll depth, and session recording data (no identifiable personal data is captured). Loaded only after you grant analytics consent. Basis: Legitimate Interests (platform usability improvement).

2.7 Communications Data

Email correspondence, support ticket content, demo booking information, survey responses

2.8 Data We Never Collect

  • Passwords of any kind (authentication is via Google OAuth only)
  • Payment card numbers, bank account details (handled by payment processors)
  • Special categories of personal data (health, biometric, racial, religious, political, or sexual orientation data)
  • Data from children under 16 (our service is for businesses only)
  • Third-party tracking cookies or cross-site tracking identifiers
4. How We Use Your Data+

4.1 Delivering the Platform

  • Account creation and management
  • Connecting to and acting on third-party advertising platforms at your direction
  • Building your Context Engine intelligence profile
  • Generating campaign strategies and decisions through the Decision Engine
  • Executing approved actions through the Execution Layer
  • Generating AI-assisted ad creative (copy, images, video) using your brand assets
  • Generating audit reports, performance summaries, and the Founder's Brief
  • Processing token purchases and subscription billing
  • Forwarding conversion events to Meta CAPI and Google Ads Enhanced Conversions on your behalf via server-side tracking

4.2 Security and Integrity

  • Detecting unauthorised access and suspicious activity via user activity logs
  • Preventing fraud and abuse
  • Maintaining audit logs of all actions taken on connected accounts

4.3 Platform Improvement

  • Analysing aggregated, anonymised usage patterns to improve features
  • Identifying bugs, performance issues, and reliability gaps via error logs and Clarity heatmaps

We do not use your personally identifiable campaign data, ad spend figures, or business performance data to train AI models shared with other customers. Your identifiable data powers your Context Engine only and remains yours. Anonymised, aggregated patterns may inform general model tuning as described in Section 6.

4.4 Communications

  • Transactional: account confirmations, billing receipts, security alerts
  • Service: maintenance notices, policy updates, feature launches
  • Product: Founder's Brief and performance summaries (where enabled)
  • Marketing: only where you have explicitly opted in at signup; unsubscribe at any time
5. Cookies and Tracking Technologies+

This section covers tracking on zephraai.com (our marketing website). For sdk.js tracking on customer websites, see Section 14.

Technology Purpose Basis Category
Session cookies (1st party) Remembering login state, CSRF protection Strictly Necessary Essential
Consent preference cookie (localStorage) Remembering your cookie choices Strictly Necessary Essential
Google Analytics 4 (GA4) Website visitor analytics, page performance measurement Consent Performance
Microsoft Clarity Anonymised heatmaps and session behaviour analysis Consent Performance

We implement Google Consent Mode v2. All analytics are set to denied by default until you grant consent via our cookie banner. EU, UK, and Indian visitors receive the strictest defaults. Ad storage is permanently denied — we do not use advertising cookies on our website.

You can change your preferences at any time by clicking "Cookie Preferences" in the website footer.

6. AI and Automated Decision-Making+

EU AI Act Notice: Zephra is an AI system that automates marketing decisions. In compliance with the EU AI Act transparency obligations, we disclose its operation, capabilities, and limitations here and in our product documentation.

6.1 What Zephra's AI Does

Zephra uses machine learning and large language models to:

  • Analyse your connected platform data and surface performance insights
  • Generate campaign strategy recommendations, audience targeting suggestions, and budget allocation advice
  • Draft ad copy, creative briefs, and audience descriptions
  • Execute approved optimisation actions (bid adjustments, budget changes, status changes) on your connected accounts — only after your explicit approval or within pre-configured automation rules you define

6.2 Human Oversight and Controls

  • All significant actions require your approval before execution
  • Automation rules are defined, adjustable, and revocable by you at any time
  • You can pause, revert, or override any AI-initiated action from your account dashboard
  • Audit logs record every action taken, who or what initiated it, and when

6.3 Data Isolation Guarantee

Your identifiable campaign data, business metrics, audience insights, and brand assets are used exclusively within your own Zephra account (your Context Engine). They are never shared with other Zephra customers or used to influence recommendations for other accounts.

Anonymised, aggregated patterns (e.g. general effectiveness of certain creative types across an industry segment, with all identifiers removed) may be used to tune our general models. This processing is subject to technical anonymisation that is irreversible — no individual account's data is recoverable from such aggregates.

6.4 AI Limitations Disclosure

Like all AI systems, Zephra can produce incorrect, incomplete, or suboptimal outputs. AI-generated recommendations should be reviewed critically. Zephra does not guarantee business outcomes, campaign performance, or ROAS targets. You retain full responsibility for all final advertising decisions. See our Terms of Service for full limitation of liability.

6.5 Right to Object to Automated Decisions

Under GDPR Article 22, you have the right to object to decisions based solely on automated processing where those decisions produce legal or similarly significant effects. Zephra does not make such decisions — all consequential actions require human approval. If you have concerns about a specific AI output, contact hello@zephraai.com and a human will review it.

7. How We Share Your Data+

We do not sell your personal data. We do not share it with data brokers. We never share it for third-party advertising purposes.

We share data only in the following circumstances:

7.1 At Your Direction — Connected Platforms

When you connect a third-party platform (Meta Ads, Google Ads, YouTube, Google Analytics), we transmit data to and from that platform as required to deliver the service you requested.

Google Ads conversion forwarding. When sdk.js records a conversion event on a customer's website, Zephra forwards the following fields to the Google Ads Conversions API on the customer's behalf: (1) conversion action name; (2) event timestamp; (3) Google click ID (gclid), where present in the originating URL; (4) order or event value, where configured; (5) the visitor's IP address after truncation — last IPv4 octet or last 80 IPv6 bits zeroed before transmission; and (6) where a lead form is submitted and the customer has configured Enhanced Conversions, the visitor's email address hashed with SHA-256 prior to transmission. No unhashed email address is ever sent to Google. This forwarding occurs server-to-server; no browser-side cookie is used for this purpose.

Internal administrative operations. Zephra administrators may access and export account, campaign, and lead data in CSV format for support, compliance, and audit purposes. Any administrator with access to this data is bound by confidentiality obligations. Where any administrator operates outside India, such access constitutes a cross-border transfer governed by EU SCCs Module 1 (controller-to-controller) or equivalent safeguards, and is limited to the minimum data necessary for the operational purpose.

Database backups. Zephra's production database is backed up automatically by our infrastructure provider (Neon PostgreSQL). Backups contain personal data including user email addresses, lead data, and campaign configurations. Backups are encrypted at rest (AES-256) and in transit (TLS 1.2+), stored in the same geographic region as the primary database, and are retained for 7 days before automatic deletion. Access to backups is restricted to Zephra infrastructure administrators.

Website data caching. Where you use Zephra's landing page or website analysis features, Zephra may fetch, analyse, and temporarily cache content from URLs you provide. If those URLs belong to your own website and your website has end-users, Zephra processes that website content on your behalf as a data processor. No end-user personal data is extracted from cached website content beyond what is present in publicly accessible page source. Cached website data is used solely to deliver the requested feature and is not retained beyond 30 days.

7.1a Social Media Integration (Planned Feature)

// Planned — not yet active

This feature is not currently available. When implemented, the following will apply.

When you connect Instagram, Twitter/X, TikTok, or LinkedIn to Zephra, we will request limited API access to publish content on your behalf. The following principles will govern this integration:

  • Minimal scope: We will request only the permissions necessary to publish content (e.g. publish_content). We will not request access to read your followers' personal data, direct messages, or audience analytics unless those features are explicitly offered and you opt in.
  • No follower data: We do not read, store, or process the personal data of your social media followers. Content scheduling and publishing does not involve access to your audience's profiles or engagement data.
  • Token encryption: OAuth refresh tokens issued by social media platforms will be encrypted at rest using the same AES-256 (Fernet) symmetric encryption applied to all platform credentials stored by Zephra.
  • Platform terms compliance: Your use of automated posting features through Zephra must comply with the terms of service and community standards of each connected social media platform. Zephra is not responsible for content that violates a platform's policies.
  • Revocation: You can revoke Zephra's social media access at any time from your account settings or directly from the relevant platform's connected apps settings.

This section will be updated with the specific data fields, API scopes, and retention periods when the feature is released. We will notify registered users by email before enabling social media integration on their accounts.

7.2 Sub-processors

We use the following categories of sub-processors to operate Zephra:

Sub-processor Purpose Country
Google Cloud (Cloud Run, Cloud Storage)Platform hosting, compute, file storageUSA / EU
Neon (PostgreSQL)Database (AES-256 at rest, SSL in transit)USA
Google Analytics 4Website analytics (consent-gated)USA
Microsoft ClarityAnonymised session analytics (consent-gated)USA
Meta Conversions APIServer-side conversion forwarding (at customer direction)USA
Google Ads API / Enhanced ConversionsServer-side conversion forwarding (at customer direction)USA
LinkedIn Ads API (planned)Campaign management and conversion forwardingUSA
OpenAILLM inference — AI ad copy, creative generation, campaign recommendationsUSA
Groq / CerebrasLLM inference — fast AI features; no training on customer dataUSA
MaxMind (GeoLite2)IP-to-country geolocation — determines privacy region for GDPR/DPDP consent logic. IP address is looked up locally; no data is transmitted to MaxMind servers.USA (local DB)
Redis Labs (Upstash)In-memory state storage for AI optimisation coordination, approval workflows, and circuit-breaker state. Stores campaign action state only; no PII.USA
Cloudflare R2Object storage for AI-generated videos, brand asset uploads, and generated creative files. Files are encrypted at rest. Customer-uploaded assets are stored only as long as the account is active.USA / Global edge
Payment processor (TBD)PCI-DSS payment processingUSA / EU

All sub-processors are bound by data processing agreements. We maintain a current sub-processor list at zephraai.com/sub-processors. Platform customers (Business tier and above) will be notified of material sub-processor changes with 30 days' notice.

7.3 Legal Requirements

We may disclose data if required by law, court order, or to protect the rights and safety of Zephra, our users, or the public. We will notify you of such requests where legally permitted.

7.4 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will notify you before any transfer occurs and your rights under this policy will be preserved.

8. International Data Transfers+

Growthsynth LLP is incorporated in India. Our infrastructure sub-processors operate primarily in the United States. Where we transfer personal data of EU/UK residents to countries without an adequacy decision, we rely on:

  • EU Standard Contractual Clauses (SCCs), Module 2 (Controller-to-Processor) as approved by the European Commission in Decision 2021/914, incorporated into our Data Processing Agreement (Annex 1 of Platform Terms)
  • Google Cloud's and Neon's own SCCs and adequacy mechanisms for onward transfers

For EU/UK users, you can request a copy of the applicable SCCs by emailing hello@zephraai.com.

For India-based data, all processing complies with the Digital Personal Data Protection Act 2023 (DPDP Act). Where cross-border transfers occur, we apply the protections required under the DPDP Act and its implementing rules.

9. Data Retention+

We retain data for the shortest period necessary for its purpose. The table below is our standard retention schedule:

Data Type Retention Period Reason
Active account dataDuration of account + 1 year after closureService delivery; account reactivation within 1 year of closure
OAuth tokens (platform credentials)Deleted immediately on revocation or account closureSecurity — no long-lived credential retention
Campaign and performance dataDuration of account + 1 year after closureAccount reactivation; dispute resolution; post-closure legal claims
Billing and transaction records7 yearsIndian GST / international tax law
Security and audit logs12 monthsSecurity monitoring and incident response
Application logs (Google Cloud Run)30 days (GCP default)Operational debugging. Cloud Run logs may contain user email addresses in request context. Logs are retained for 30 days by GCP's Cloud Logging service and then automatically deleted.
Consent records (terms acceptance timestamps)Duration of account + 7 yearsDemonstrating legal basis for processing
Website visitor analytics (GA4)14 months (GA4 default)Performance measurement
sdk.js conversion events (on behalf of customers)90 days after forwardingAttribution window + debugging
AI-generated videos and creative assets30 days after generation (unless saved to your library)Storage cost management
Support correspondence3 yearsCustomer service continuity
Anonymised and aggregated dataIndefiniteAI model improvement; platform-wide benchmarking. No personal data is held in or recoverable from this data.

Account reactivation. We retain your account and campaign data for 1 year after closure specifically to support your return. If you reactivate within this period, your history, configurations, and performance records will be fully restored. After the retention window expires, restoration is no longer possible and personal data will be purged.

Legal hold. Regardless of the standard periods above, we may retain any category of data beyond the stated period where required by applicable law, court order, regulatory inquiry, audit, or to establish, exercise, or defend legal claims. We will notify you of any such extended retention unless prohibited from doing so by law.

Anonymised data. Campaign performance benchmarks, AI optimisation signals, and aggregate usage patterns derived from your activity are irreversibly stripped of all personal identifiers. This anonymised data is retained indefinitely as it does not constitute personal data under GDPR, DPDP, or equivalent laws. No re-identification is possible from this data.

Following account deletion, we will purge all personal data within 90 days per the schedule above, except where retention is required by law or a legal hold applies.

10. Your Rights+

Depending on your location, you may have the following rights regarding your personal data. All requests should be sent to hello@zephraai.com with subject "Privacy Request — [Your Name]".

Right What It Means Availability
AccessReceive a copy of all personal data we hold about youAll users
RectificationCorrect inaccurate personal dataAll users
ErasureDelete your account and all associated personal data (subject to legal retention obligations)All users
PortabilityReceive your data in a machine-readable format (CSV/JSON)EU/UK/India
RestrictionRequest we limit processing while you contest accuracy or objectEU/UK
ObjectObject to processing based on legitimate interests or for direct marketingEU/UK/India
Withdraw ConsentWithdraw marketing consent or cookie consent at any timeAll users
ComplainLodge a complaint with your supervisory authorityAll users

We will respond to all requests within 30 days. In complex cases, we may extend this by a further two months with notification. We will not charge a fee unless requests are manifestly unfounded or excessive.

11. Security+

We implement technical and organisational measures appropriate to the risk of processing personal data:

  • Encryption at rest: Neon PostgreSQL database encrypted with AES-256
  • Encryption in transit: All connections enforced over TLS 1.2+; database connections require SSL (sslmode=require)
  • OAuth token encryption: All platform OAuth tokens encrypted with AES-256 (Fernet) before database storage
  • Secrets management: No secrets stored in code repositories; all credentials managed via environment variables on Google Cloud Run
  • Access control: Role-based access; principle of least privilege applied to all internal systems
  • Audit logging: All actions on connected advertising accounts are logged with timestamps and attribution
  • Authentication: Zephra accounts protected by Google's OAuth 2.0 infrastructure including MFA as configured by users in their Google accounts

Breach notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users without undue delay and notify relevant supervisory authorities within 72 hours (where required by GDPR Article 33).

To report a security vulnerability, email hello@zephraai.com with subject "Security — [brief description]".

13. YouTube API Services+

This section is provided specifically to comply with the YouTube API Services Terms of Service and the YouTube API Services Developer Policies. It explains our use of YouTube API Services, how we handle YouTube data, and how you can control or delete it.

13.1 We Use YouTube API Services

Zephra uses YouTube API Services. When you connect your YouTube channel, Zephra uses the YouTube Data API to upload the video creatives you generate to your own channel so they can be used in your Google Ads and YouTube advertising campaigns. We request only the youtube.upload scope and do not request access to read your subscribers, watch history, comments, or other channel analytics.

13.2 Agreement to YouTube's Terms

By using Zephra's YouTube-connected features, you are agreeing to be bound by the YouTube Terms of Service.

13.3 Google Privacy Policy

Because YouTube API Services rely on Google authentication and data, Google's own privacy practices apply to that data. You can review the Google Privacy Policy.

13.4 What We Store, and How Often We Refresh or Delete It

Zephra does not continuously crawl, cache, or display YouTube content. The only YouTube API data we store is: (1) the OAuth authorisation token that lets us upload on your behalf, encrypted at rest; and (2) the video ID and URL of each video we upload for you, so we can attach it to your campaign. Authorisation tokens are refreshed automatically by Google's OAuth libraries on use and are refreshed or revalidated at least every 30 days; any stored YouTube authorised data that has not been used or revalidated within 30 days is refreshed on next use or deleted. Tokens are deleted immediately when you disconnect YouTube, revoke access, or close your account; uploaded video IDs/URLs are deleted within 30 days of account closure.

13.5 How to Delete Your Stored Data or Revoke Our Access

You can revoke Zephra's access to your YouTube and Google data at any time:

  • From the Google security settings page, where you can review and remove Zephra's access to your Google/YouTube account; or
  • By disconnecting YouTube in your Zephra account settings; or
  • By emailing hello@zephraai.com with subject "Privacy Request — [Your Name]" to request deletion of all YouTube API data we hold about you.

Revoking access deletes the stored authorisation token immediately. Note that videos already uploaded to your own YouTube channel remain on your channel under your control and can be deleted by you directly in YouTube Studio.

14. Customer Data and sdk.js+

If you are a Zephra platform customer using our sdk.js tracking script on your website, this section explains how we handle the personal data of your website visitors.

14.1 Controller and Processor Roles

You (the Zephra customer) are the data controller for your website visitors' personal data. Growthsynth LLP acts as your data processor when receiving, processing, and forwarding that data via sdk.js. The terms under which we process this data are set out in the Data Processing Agreement (DPA) incorporated as Annex 1 of our Platform Terms of Service.

14.2 What sdk.js Collects from Your Visitors

  • Page view events, custom conversion events you configure
  • IP address (pseudonymised before storage/forwarding — last octet zeroed)
  • Browser/device type, referring URL
  • A first-party client_id cookie set on your domain
  • Form submission data (if you configure lead capture events) — forwarded to Meta CAPI or Google Ads Enhanced Conversions as directed by you
  • Facebook click ID (fbclid) and Google click ID (gclid) from URL parameters, where present

14.3 Your Obligations as Controller

As data controller, you are responsible for:

  • Disclosing server-side tracking in your own website's privacy policy
  • Having a lawful basis for the tracking (typically: consent from your visitors, or legitimate interests with appropriate disclosure)
  • Responding to your visitors' data rights requests
  • Ensuring compliance with GDPR, PECR, CCPA, and other applicable laws in your jurisdiction

14.4 Copy-Paste Privacy Policy Text

If you need to update your website's privacy policy to disclose Zephra tracking, you may use or adapt the following text:

// COPY-PASTE TEMPLATE — adapt as needed

Server-Side Analytics and Conversion Tracking

We use Zephra, an AI marketing platform provided by Growthsynth LLP, to measure and improve the performance of our advertising campaigns. Zephra's tracking script (sdk.js) collects anonymised information about your visit — including pages viewed, events completed, and a pseudonymous browser identifier — and forwards conversion data to advertising platforms such as Meta (Facebook) and Google Ads on our behalf via their server-side APIs.

No third-party advertising cookies are set by this script. Your IP address is pseudonymised (the last segment is zeroed) before any storage or forwarding. Data is processed by Growthsynth LLP as our data processor under a Data Processing Agreement incorporating EU Standard Contractual Clauses.

For more information about how Zephra handles data, see zephraai.com/privacy.

15. Children+

Zephra is a B2B platform intended solely for business use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided personal data through our platform, please contact us at hello@zephraai.com and we will delete it promptly.

16. Jurisdiction-Specific Rights+

16.1 EU and UK Residents (GDPR / UK GDPR)

You have all rights listed in Section 10. You may lodge a complaint with your local supervisory authority:

  • EU: Your national Data Protection Authority (list at edpb.europa.eu)
  • UK: Information Commissioner's Office (ICO) — ico.org.uk

International transfers from the EU/UK are protected by Standard Contractual Clauses (Module 2) — see Section 8.

16.2 California Residents (CCPA / CPRA)

Zephra does not sell your personal information as defined under the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA). We do not share personal information for cross-context behavioural advertising. There is no need to opt out — we simply do not engage in these practices.

California residents have the right to:

  • Know what personal information we collect, use, disclose, or sell about you
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (not applicable — we do not sell)
  • Non-discrimination for exercising your rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information (not applicable — we do not process sensitive categories)

To exercise any of these rights, email hello@zephraai.com. We will respond within 45 days.

16.3 India Residents (DPDP Act 2023)

Under the Digital Personal Data Protection Act 2023, Indian residents (Data Principals) have the right to:

  • Access a summary of the personal data we process about you
  • Correct or update inaccurate personal data
  • Erasure of your personal data where processing is no longer necessary
  • Nominate another person to exercise rights on your behalf in case of death or incapacity
  • Grieve: lodge a complaint with the Data Protection Board of India once the Board is constituted

Growthsynth LLP is the Data Fiduciary for Indian users. Contact: hello@zephraai.com.

16.4 Other Jurisdictions

We also serve users in the UAE, Saudi Arabia, Singapore, and Australia. We apply the relevant local privacy law requirements (PDPA Singapore, Privacy Act Australia, etc.) on request. Contact us if you have jurisdiction-specific questions.

17. Changes to This Policy+

We may update this Privacy Policy from time to time. For material changes, we will:

  • Post the updated policy at zephraai.com/privacy with a new effective date
  • Send registered platform users an email notification at least 30 days before the change takes effect (for significant changes to how we use your data)
  • For website visitors, display a banner notification on the site

Continued use of Zephra after the effective date constitutes acceptance of the updated policy. If you do not accept material changes, you may delete your account before they take effect.

18. Contact and Summary+

Entity: Growthsynth LLP

Platform: Zephra (zephraai.com)

Privacy Enquiries: hello@zephraai.com

Subject line: "Privacy Request — [Your Name]"

Sub-processor list: zephraai.com/sub-processors

© 2026 Growthsynth LLP · zephraai.com/privacy · Effective: April 2026 · Version 2.0