Zephra is built on the principle of data isolation. We do not use your personally identifiable data to train shared AI models, and we provide full transparency into how every signal is used. Anonymised, aggregated data is used for system improvement as described below.
Effective Date: June 2025 · Issued by: Growthsynth LLP
This Privacy Policy explains how Growthsynth LLP ("we", "us", "our"), operating the Zephra AI marketing platform (zephraai.com), collects, uses, stores, and protects your personal data. It applies to all users worldwide. Additional jurisdiction-specific provisions for EU/UK, California, and India residents are in Section 15. By using Zephra, you acknowledge you have read and understood this Policy. If you do not agree, do not use the platform.
Growthsynth LLP is a Limited Liability Partnership incorporated in India. We develop and operate Zephra — an AI-powered marketing intelligence and automation platform for businesses globally.
Growthsynth LLP is the data controller (GDPR), data fiduciary (India DPDP Act 2023), and equivalent responsible entity under all applicable data protection regimes.
CONTACT
We collect only the following categories of data:
OAuth tokens are stored encrypted. We never store third-party passwords. You can revoke access at any time from your account settings or directly from the third-party platform.
Email correspondence, support ticket content, demo booking information
Account data, platform credentials, campaign data, and billing data are processed to provide the Zephra service you have contracted for.
Usage and technical data are processed on the basis of our legitimate interests in improving platform performance, detecting fraud, ensuring security, and sending service communications to existing customers. We have conducted Legitimate Interests Assessments and concluded our interests do not override your rights.
Billing and tax records are processed to comply with Indian GST requirements and equivalent international tax obligations.
Optional marketing emails and non-essential cookies are only sent/set with your explicit consent, which can be withdrawn at any time.
We do not use your personally identifiable campaign data, ad spend figures, or business performance data to train shared AI models. Your identifiable data powers your Context Engine only and remains yours. However, we use anonymised, aggregated data for model intelligence as described in Section 5 below.
We may anonymise and aggregate data generated through your use of the Platform — including campaign performance metrics, ad engagement signals, bidding patterns, and optimisation outcomes — in a form that does not identify you or any individual user. Such anonymised, aggregated data may be used to train, improve, and inform Zephra's artificial intelligence and machine learning models, and to generate industry-level benchmarks and insights that may be applied across other accounts on the Platform. No personally identifiable information is retained in or recoverable from this anonymised data. By using the Platform, you consent to this use of your data in anonymised form.
This section discloses how AI systems within Zephra process your data and make decisions, as required under EU AI Act transparency obligations, UK AI regulations, and as best practice for AI services that influence financial decisions.
Zephra's Decision Engine uses your campaign data, business context, and historical performance to generate marketing recommendations and, where you have enabled Autonomous Mode, to execute actions on your advertising accounts.
AI capabilities are powered by models from one or more providers listed at zephraai.com/terms/sub-processors. This list is maintained in real time and may change as the AI landscape evolves.
Under the standard API terms published by each provider, data submitted via their API is not used to train their general-purpose models by default. Growthsynth LLP relies on these published standard terms — we have not entered into separately negotiated data processing agreements with AI model providers. We cannot independently verify providers' internal data practices beyond what their published terms state. Provider terms may change; we monitor for material changes and will update the sub-processor page and notify customers if the position on training use changes for any provider.
Current AI model providers include: OpenAI (GPT-4 and related models), Anthropic (Claude), Google (Gemini), and Groq (inference platform for open-source models). The full current list is always at https://zephraai.com/terms/sub-processors.
In Supervised Mode, all significant decisions require your approval before execution. In Autonomous Mode, Zephra executes pre-approved action categories within parameters you configure. You retain the right at all times to review the Reasoning Audit Trail, override any decision, switch to Supervised Mode, and set hard limits on autonomous operations.
EU and UK residents: Under Article 22 GDPR you have the right not to be subject to solely automated decisions producing significant legal effects. Zephra's autonomous actions concern your advertising campaigns, not your personal legal rights. You may request human review of any automated decision by emailing hello@zephraai.com.
Growthsynth LLP staff periodically review how Autonomous Mode is performing across the platform and may adjust the AI system's operating parameters — such as decision thresholds (how confident the AI must be before taking an action), signal weighting (how much weight is given to different data inputs), and action logic (the rules the AI uses to select between options) — to improve accuracy, safety, and performance. This is system-level oversight of the AI itself. In Autonomous Mode, this may also include specialist-level intervention on individual accounts (as described in our Terms of Use) to optimize performance or prevent unintended outcomes. Specialist interventions are discretionary and are logged in the Reasoning Audit Trail.
This oversight does not occur on a fixed schedule — it takes place as and when needed, based on performance monitoring, anomaly detection, or improvements to the AI models in use. When Growthsynth LLP staff conduct a review and make changes to system parameters, the review and any changes are logged internally.
What this means for you: the AI system that generates decisions for your campaigns may be periodically refined by Growthsynth LLP to work better. Your configured parameters — your Hard Spend Cap, Action Type Restrictions, and account-specific settings — are set and controlled by you. If we manually intervene, we do so to support your campaign objectives. However, like all AI platforms, Zephra is probabilistic and can make mistakes. You are responsible for monitoring campaign outputs via the Reasoning Audit Trail.
The legal basis for this processing is our legitimate interests in maintaining and improving the platform, and contract performance — ensuring the AI system operates correctly in delivering the service you have contracted for. This type of system-level oversight and improvement is inherent in the provision of any AI service and is necessary for the platform to function as contracted. Because this processing is necessary for the delivery of the contracted service, it is not subject to an unconditional right to object under GDPR Article 21.
Zephra logs every autonomous action to the Reasoning Audit Trail. At minimum, the trail records: the action taken, the account affected, and the timestamp. Where the AI model provides additional context, the trail may also include data signals reviewed and alternatives considered. Zephra uses commercially reasonable efforts to capture this additional context but does not warrant its completeness or availability — the content of each trail entry depends on what the underlying AI model returns.
If the audit trail system is unavailable at the time an autonomous action is attempted, the action will not execute. Audit trail generation failures are treated as anomalies per Section 8 of the Terms of Use.
The Reasoning Audit Trail is accessible within your account and retained for 12 months from the date of each entry. Growthsynth LLP does not guarantee uninterrupted availability of the audit trail and accepts no liability for losses arising from temporary unavailability, provided commercially reasonable efforts were made to maintain the system.
Zephra builds an intelligence profile of your business — the Context Engine — using your historical campaign data, business context, and performance patterns. This constitutes profiling within the meaning of GDPR Article 4(4). This profiling is used solely to generate AI Decisions tailored to your specific business. It does not produce legal effects concerning you as an individual, and it does not involve processing of special category personal data.
The legal basis for this profiling is contract performance — it is necessary to provide the Zephra platform you have contracted for. You may request that we cease building your Context Engine profile at any time by contacting hello@zephraai.com. Ceasing this profiling will materially limit the platform's ability to generate AI Decisions for your campaigns.
We do not sell your data. We do not share your personal data with third parties for their own independent marketing purposes. We do share certain data with Connected Platforms at your direction for advertising measurement, targeting, and attribution — this is described in full in Section 7.2 below. All other sharing is as follows:
We share data with service providers in connection with providing the platform. The current and always-authoritative list of all sub-processors — including infrastructure, AI model providers, and payment processors — is maintained in real time at zephraai.com/terms/sub-processors. That page includes a timestamped change log of every addition or change. An email notification is sent to registered users whenever the page is updated.
For infrastructure and payment processors (Google Cloud, Stripe, Razorpay): these providers process data strictly on our behalf under their standard cloud and payment processing terms, which restrict use of customer data to service provision only.
For AI model providers (OpenAI, Anthropic, Google AI): under their standard published API terms, data submitted via the API is not used to train their general-purpose models by default. We rely on these published terms — we have not entered into separately negotiated data processing agreements with AI model providers. We cannot independently verify their internal data practices beyond what their published terms state.
When you connect advertising platforms (such as Google Ads and Meta Ads) to Zephra, we share certain data with those platforms at your explicit direction to enable conversion tracking, audience targeting, campaign measurement, and advertising attribution. This section explains what is shared, why, and on whose legal basis.
Conversion events:
When a conversion occurs on your website or landing page (a purchase, signup, or other goal event), Zephra sends a conversion signal to your Connected Platforms via their Conversion APIs (e.g. Google Ads Conversion API, Meta Conversions API). This tells the platform's algorithm that an ad-attributed action occurred, enabling campaign optimisation. These signals may include event metadata such as event type, value, and timestamp.
First-party pixel and behavioural data:
Where you have deployed Zephra's server-side tracking on your website, Zephra collects first-party visitor event data (page views, session data, conversion paths) and forwards relevant signals to your Connected Platforms. This enables accurate attribution of conversions to advertising campaigns and supports algorithm optimisation.
Hashed audience data:
Where you use Zephra's audience features, Zephra may upload hashed email addresses and/or hashed phone numbers from your customer lists to your Connected Platforms (e.g. Google Customer Match, Meta Custom Audiences) to enable custom audience targeting. Data is hashed before transmission — plain-text personal identifiers are never sent.
Campaign performance data:
Aggregated campaign performance signals (spend, ROAS, audience engagement) are used within your Connected Platform accounts to inform bidding strategies and campaign optimisation. This data flows within your own Connected Platform accounts.
Two categories of data subjects are involved:
You are the data controller for your end users' data. You are responsible for having a valid lawful basis — consent, legitimate interests, or another applicable basis — for sharing your end users' data with Connected Platforms for advertising purposes. Zephra does not obtain consent from your end users on your behalf. If you instruct Zephra to share your end users' data with a Connected Platform, you represent and warrant that you have the necessary lawful basis, consents, and rights to do so.
Google and Meta require that conversion and pixel signals sent via their APIs are accompanied by appropriate consent signals (Google Consent Mode, Meta Data Processing Options). You are responsible for configuring these consent signals correctly in your Zephra tracking settings. Zephra supports these signals but does not configure them on your behalf.
Sharing of audience data and conversion signals with Google and Meta is subject to those platforms' own policies, including Google's Customer Match Policy and Meta's Custom Audiences Terms. You are responsible for complying with those policies. By connecting a platform and instructing Zephra to share data with it, you confirm you have accepted and comply with that platform's data sharing terms.
Once data is transmitted to a Connected Platform (Google, Meta, or others), it is subject to that platform's own privacy policy and data practices. Zephra is not responsible for how Connected Platforms use, process, or retain data they receive. Google's privacy policy is at policies.google.com. Meta's privacy policy is at facebook.com/privacy/policy.
Zephra acts as your data processor when sharing data with Connected Platforms. Zephra does not independently determine the purposes or means of this sharing — you do, by connecting the platform and enabling the relevant features. Zephra and Google, and Zephra and Meta, are not joint controllers. Each party processes data under its own, independent legal basis once the data is transmitted.
We may disclose data where required by law, court order, or regulatory authority. We will notify you to the extent permitted by law.
In the event of a merger, acquisition, or asset sale, data may transfer to a successor entity. We will provide 30 days' notice before data transfers to an entity with a materially different privacy policy.
We may share aggregated, anonymised statistics that cannot reasonably identify you or your business.
Growthsynth LLP is incorporated in India. Our infrastructure may be located in India and/or internationally, depending on current hosting providers and server availability. Infrastructure locations may change as we adopt new providers or as existing providers update their offerings.
Where Personal Data is transferred outside the country in which it was collected, we ensure appropriate safeguards:
We take appropriate steps to protect your data regardless of where it is processed.
We retain data for the following periods after account closure. Legally required data cannot be deleted early regardless of requests.
Account reactivation. We retain your account and campaign data for 1 year after closure specifically to support your return. If you reactivate within this period, your history, configurations, and performance data will be fully restored. After the retention window expires, restoration is no longer possible.
Legal hold. Regardless of the standard retention periods above, we may retain any category of data beyond the stated period where required by applicable law, court order, regulatory inquiry, audit, or to establish, exercise, or defend legal claims. We will notify you of any such extended retention unless prohibited from doing so by law.
Data is not automatically deleted at account closure — it is retained for the periods above. You may request earlier deletion of non-legally-required data at any time via Settings → Privacy or by emailing hello@zephraai.com. We process deletion requests within 30 days.
We honour the following rights for all users globally:
Email hello@zephraai.com with subject "Data Rights Request — [Your Name]". We respond within 30 days and may need to verify your identity. You also have the right to complain to your local data protection authority.
In the event of a personal data breach posing risk to your rights, we will notify affected users and relevant authorities within 72 hours of becoming aware, as required by GDPR and equivalent laws. This notification obligation applies where we have been made aware of a breach — either through our own monitoring or notification from our infrastructure provider.
Session management, authentication. Cannot be disabled.
Anonymised platform usage data. Consent required.
Remembers your preferences. Consent required.
No third-party advertising cookies are used on the Zephra platform itself. Cookie preferences are manageable through your browser or our in-platform cookie preference centre.
Where you connect social media accounts to Zephra, those platforms (Facebook, Instagram, LinkedIn, etc.) may set their own cookies in accordance with their own privacy policies when you interact with those platforms through our interface. We do not control third-party platform cookies.
Zephra is a B2B service for businesses and professionals. We do not knowingly collect data from individuals under 18. Contact hello@zephraai.com if you believe we hold data from a minor and we will delete it promptly.
We may update this Policy periodically. The notification approach mirrors our Terms of Use:
Continued use after the effective date of any change constitutes acceptance.
The following provisions supplement the general Policy. Where they conflict with the general Policy, the jurisdiction-specific provision prevails for residents of that jurisdiction.
Legal Bases: We process EU/UK personal data under: contract performance (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)); and consent (Art. 6(1)(a)) where applicable. We do not intentionally process special category data.
EU / UK Representative: As an entity established outside the EU/UK, we are in the process of appointing a representative under Article 27 GDPR. Details will be published at zephraai.com/privacy upon appointment. In the interim, all GDPR enquiries: hello@zephraai.com.
Supervisory Authorities: EU residents may lodge complaints with their national supervisory authority. UK residents: Information Commissioner's Office (ico.org.uk).
PECR — Privacy and Electronic Communications Regulations: Cookie use on the Zephra platform is also governed by the Privacy and Electronic Communications Regulations 2003 (PECR) for UK users. Our cookie practices comply with both UK GDPR and PECR. No non-essential cookies are set without your prior consent.
International Transfers: EU/UK-to-third-country transfers are governed by SCCs (EU) and the IDTA (UK). A copy of applicable mechanisms is available on request.
California Privacy Rights:
Categories Collected (Past 12 Months): Identifiers (name, email); Commercial information (transactions, token usage); Internet/network activity (usage, logs); Professional information (company, role). No sensitive personal information categories as defined under CPRA are intentionally collected.
To exercise California rights, email hello@zephraai.com with subject "California Privacy Request". Response within 45 days.
California Civil Code Section 1798.83 (Shine the Light): We do not disclose personal information to third parties for their own independent direct marketing purposes. California residents who wish to confirm this may contact us at hello@zephraai.com.
Rights Under the DPDP Act 2023:
Grievance Officer:
Consent and Cross-Border Transfers: Consent is obtained freely, specifically, informedly, and unambiguously. Data of Indian residents may be transferred to infrastructure in India and/or internationally in compliance with the DPDP Act 2023.
Entity: Growthsynth LLP
Platform: Zephra (zephraai.com)
Privacy Enquiries: hello@zephraai.com
Sub-processor list: zephraai.com/terms/sub-processors
Privacy Policy: zephraai.com/privacy
© 2025 Growthsynth LLP · zephraai.com/privacy · Effective: June 2025