Zephra is built on the principle of data isolation. We do not use your personally identifiable data to train shared AI models, and we provide full transparency into how every signal is used.
NO AD TARGETING
We never use your data to sell ads or target you with third-party advertising.
NO SHARED AI TRAINING
Your identifiable campaign data never trains models shared with other customers.
GOOGLE LOGIN ONLY
We never store passwords. All sign-in is via Google OAuth — you control access.
DELETE ANY TIME
Request deletion of your account and all associated data at any time via email.
ENCRYPTED STORAGE
All OAuth tokens stored encrypted at rest. Database encrypted with AES-256 (Neon PostgreSQL).
GDPR + DPDP + CCPA
Compliant with EU, UK, India, and California privacy laws. Jurisdiction-specific rights in §16.
Effective Date: April 2026 · Issued by: Growthsynth LLP · Version 2.0
This Privacy Policy explains how Growthsynth LLP ("we", "us", "our"), operating the Zephra AI marketing platform and the marketing website at zephraai.com, collects, uses, stores, and protects your personal data. It applies to:
This single policy governs all three groups. Where provisions apply only to a specific group, this is stated clearly. Additional jurisdiction-specific provisions for EU/UK, California, and India residents are in Section 16.
By using Zephra, you acknowledge you have read and understood this Policy. If you do not agree, please do not use the platform.
Growthsynth LLP is a Limited Liability Partnership incorporated in India. We develop and operate Zephra — an AI-powered marketing intelligence and automation platform for businesses globally.
Growthsynth LLP is the data controller (GDPR), data fiduciary (India DPDP Act 2023), and equivalent responsible entity under all applicable data protection regimes worldwide. Where we process personal data on behalf of our platform customers (e.g. visitor data collected through sdk.js), we act as data processor and our customers act as controllers — see Section 14.
Contact
We collect only the following categories of data:
All OAuth tokens are stored encrypted (AES-256 via Fernet symmetric encryption). We never store third-party passwords. You can revoke access at any time from your account settings or directly from the third-party platform.
This applies to visitors of your website where you have installed our sdk.js tracking script, and to visitors of zephraai.com itself.
For sdk.js customers: You are the data controller for your website visitors' data. You must include an appropriate disclosure in your own privacy notice. See Section 14 for a copy-paste template and our Data Processing Agreement terms.
Email correspondence, support ticket content, demo booking information, survey responses.
The table below summarises our legal bases under GDPR (Article 6). These bases also correspond to equivalent provisions under India's DPDP Act 2023 and other applicable laws.
| Data Category | Legal Basis |
|---|---|
| Account data, platform credentials, campaign data, billing data | Contract Performance (Art. 6(1)(b)) |
| Usage data, security logs, user activity records, service communications to existing customers, Microsoft Clarity analytics | Legitimate Interests (Art. 6(1)(f)) — platform improvement, fraud prevention, security |
| Billing records, tax data | Legal Obligation (Art. 6(1)(c)) |
| Marketing emails, non-essential analytics cookies (GA4 performance cookies) | Consent (Art. 6(1)(a)) — withdrawable at any time |
| sdk.js visitor tracking data (processed on behalf of customers) | Customer's own legal basis — we act as processor (Art. 28) |
We do not use your personally identifiable campaign data, ad spend figures, or business performance data to train AI models shared with other customers.
This section covers tracking on zephraai.com (our marketing website). For sdk.js tracking on customer websites, see Section 14. For full details see our Tracking & Analytics Disclosure.
| Technology | Purpose | Basis | Category |
|---|---|---|---|
| Session cookies (1st party) | Remembering login state, CSRF protection | Strictly Necessary | Essential |
| Consent preference cookie (localStorage) | Remembering your cookie choices | Strictly Necessary | Essential |
| Google Analytics 4 (GA4) | Website visitor analytics, page performance measurement | Consent | Performance |
| Microsoft Clarity | Anonymised heatmaps and session behaviour analysis | Consent | Performance |
We implement Google Consent Mode v2. All analytics are set to denied by default until you grant consent via our cookie banner. Ad storage is permanently denied — we do not use advertising cookies on our website.
EU AI Act Notice: Zephra is an AI system that automates marketing decisions. In compliance with the EU AI Act transparency obligations, we disclose its operation, capabilities, and limitations here and in our product documentation.
Zephra uses machine learning and large language models to:
Your identifiable campaign data, business metrics, audience insights, and brand assets are used exclusively within your own Zephra account (your Context Engine). They are never shared with other Zephra customers or used to influence recommendations for other accounts.
Like all AI systems, Zephra can produce incorrect, incomplete, or suboptimal outputs. AI-generated recommendations should be reviewed critically. Zephra does not guarantee business outcomes, campaign performance, or ROAS targets. You retain full responsibility for all final advertising decisions.
Under GDPR Article 22, you have the right to object to decisions based solely on automated processing. Zephra does not make such decisions — all consequential actions require human approval. If you have concerns about a specific AI output, contact hello@zephraai.com and a human will review it.
We do not sell your personal data. We do not share it with data brokers. We never share it for third-party advertising purposes.
We share data only in the following circumstances:
When you connect a third-party platform (Meta Ads, Google Ads, YouTube, Google Analytics), we transmit data to and from that platform as required to deliver the service you requested.
Google Ads conversion forwarding. When sdk.js records a conversion event, Zephra forwards the following fields to the Google Ads Conversions API: (1) conversion action name; (2) event timestamp; (3) Google click ID (gclid), where present; (4) order or event value, where configured; (5) the visitor's truncated IP address; and (6) where a lead form is submitted and the customer has configured Enhanced Conversions, the visitor's email address hashed with SHA-256 prior to transmission. No unhashed email address is ever sent to Google.
// Planned — not yet active
When implemented, Zephra will request only minimum permissions to publish content on connected social accounts. We will not read follower data, direct messages, or audience analytics unless explicitly offered and opted into.
| Sub-processor | Purpose | Country |
|---|---|---|
| Google Cloud (Cloud Run, Cloud Storage) | Platform hosting, compute, file storage | USA / EU |
| Neon (PostgreSQL) | Database (AES-256 at rest, SSL in transit) | USA |
| Google Analytics 4 | Website analytics (consent-gated) | USA |
| Microsoft Clarity | Anonymised session analytics (consent-gated) | USA |
| Meta Conversions API | Server-side conversion forwarding (at customer direction) | USA |
| Google Ads API / Enhanced Conversions | Server-side conversion forwarding (at customer direction) | USA |
| OpenAI | LLM inference — AI ad copy, creative generation, campaign recommendations | USA |
| Groq / Cerebras | LLM inference — fast AI features; no training on customer data | USA |
| MaxMind (GeoLite2) | IP-to-country geolocation — IP address is looked up locally; no data transmitted to MaxMind servers | USA (local DB) |
| Redis Labs (Upstash) | In-memory state storage for AI optimisation coordination. Stores campaign action state only; no PII. | USA |
| Cloudflare R2 | Object storage for AI-generated videos, brand asset uploads, and generated creative files | USA / Global edge |
| Payment processor (TBD) | PCI-DSS payment processing | USA / EU |
We may disclose data if required by law, court order, or to protect the rights and safety of Zephra, our users, or the public. We will notify you of such requests where legally permitted.
In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will notify you before any transfer occurs and your rights under this policy will be preserved.
Growthsynth LLP is incorporated in India. Our infrastructure sub-processors operate primarily in the United States. Where we transfer personal data of EU/UK residents to countries without an adequacy decision, we rely on:
For EU/UK users, you can request a copy of the applicable SCCs by emailing hello@zephraai.com.
For India-based data, all processing complies with the Digital Personal Data Protection Act 2023 (DPDP Act).
We retain data for the shortest period necessary for its purpose:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account + 1 year after closure | Service delivery; account reactivation within 1 year of closure |
| OAuth tokens (platform credentials) | Deleted immediately on revocation or account closure | Security — no long-lived credential retention |
| Campaign and performance data | Duration of account + 1 year after closure | Account reactivation; dispute resolution |
| Billing and transaction records | 7 years | Indian GST / international tax law |
| Security and audit logs | 12 months | Security monitoring and incident response |
| Application logs (Google Cloud Run) | 30 days (GCP default) | Operational debugging |
| Consent records (terms acceptance timestamps) | Duration of account + 7 years | Demonstrating legal basis for processing |
| Website visitor analytics (GA4) | 14 months (GA4 default) | Performance measurement |
| sdk.js conversion events (on behalf of customers) | 90 days after forwarding | Attribution window + debugging |
| AI-generated videos and creative assets | 30 days after generation (unless saved to your library) | Storage cost management |
| Support correspondence | 3 years | Customer service continuity |
| Anonymised and aggregated data | Indefinite | AI model improvement; platform-wide benchmarking. No personal data is held in or recoverable from this data. |
Account reactivation. We retain your account and campaign data for 1 year after closure specifically to support your return. If you reactivate within this period, your history, configurations, and performance records will be fully restored.
Following account deletion, we will purge all personal data within 90 days per the schedule above, except where retention is required by law or a legal hold applies.
Depending on your location, you may have the following rights regarding your personal data. All requests should be sent to hello@zephraai.com with subject "Privacy Request — [Your Name]".
| Right | What It Means | Availability |
|---|---|---|
| Access | Receive a copy of all personal data we hold about you | All users |
| Rectification | Correct inaccurate personal data | All users |
| Erasure | Delete your account and all associated personal data (subject to legal retention obligations) | All users |
| Portability | Receive your data in a machine-readable format (CSV/JSON) | EU/UK/India |
| Restriction | Request we limit processing while you contest accuracy or object | EU/UK |
| Object | Object to processing based on legitimate interests or for direct marketing | EU/UK/India |
| Withdraw Consent | Withdraw marketing consent or cookie consent at any time | All users |
| Complain | Lodge a complaint with your supervisory authority | All users |
We will respond to all requests within 30 days. In complex cases, we may extend this by a further two months with notification. We will not charge a fee unless requests are manifestly unfounded or excessive.
We implement technical and organisational measures appropriate to the risk of processing personal data:
Breach notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users without undue delay and notify relevant supervisory authorities within 72 hours (where required by GDPR Article 33).
To report a security vulnerability, email hello@zephraai.com with subject "Security — [brief description]".
Zephra integrates with third-party advertising and analytics platforms at your direction. Once you connect a platform (Meta, Google, YouTube, LinkedIn), that platform's own privacy policy governs the data you send to and receive from them.
Google APIs disclosure: Zephra's use and transfer to any other app of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.
YouTube: Zephra uses YouTube API Services. These are covered in full in the dedicated Section 13 — YouTube API Services below.
This section is provided specifically to comply with the YouTube API Services Terms of Service and the YouTube API Services Developer Policies. It explains our use of YouTube API Services, how we handle YouTube data, and how you can control or delete it.
Zephra uses YouTube API Services. When you connect your YouTube channel, Zephra uses the YouTube Data API to upload the video creatives you generate to your own channel so they can be used in your Google Ads and YouTube advertising campaigns. We request only the youtube.upload scope and do not request access to read your subscribers, watch history, comments, or other channel analytics.
By using Zephra's YouTube-connected features, you are agreeing to be bound by the YouTube Terms of Service.
Because YouTube API Services rely on Google authentication and data, Google's own privacy practices apply to that data. You can review the Google Privacy Policy at http://www.google.com/policies/privacy.
Zephra does not continuously crawl, cache, or display YouTube content. The only YouTube API data we store is: (1) the OAuth authorisation token that lets us upload on your behalf, encrypted at rest; and (2) the video ID and URL of each video we upload for you, so we can attach it to your campaign. Authorisation tokens are refreshed automatically by Google's OAuth libraries on use and are refreshed or revalidated at least every 30 days; any stored YouTube authorised data that has not been used or revalidated within 30 days is refreshed on next use or deleted. Tokens are deleted immediately when you disconnect YouTube, revoke access, or close your account; uploaded video IDs/URLs are deleted within 30 days of account closure.
You can revoke Zephra's access to your YouTube and Google data at any time:
Revoking access deletes the stored authorisation token immediately. Note that videos already uploaded to your own YouTube channel remain on your channel under your control and can be deleted by you directly in YouTube Studio.
If you are a Zephra platform customer using our sdk.js tracking script on your website, this section explains how we handle the personal data of your website visitors.
You (the Zephra customer) are the data controller for your website visitors' personal data. Growthsynth LLP acts as your data processor when receiving, processing, and forwarding that data via sdk.js.
As data controller, you are responsible for:
If you need to update your website's privacy policy to disclose Zephra tracking, you may use or adapt the following text:
// COPY-PASTE TEMPLATE — adapt as needed
Server-Side Analytics and Conversion Tracking
We use Zephra, an AI marketing platform provided by Growthsynth LLP, to measure and improve the performance of our advertising campaigns. Zephra's tracking script (sdk.js) collects anonymised information about your visit — including pages viewed, events completed, and a pseudonymous browser identifier — and forwards conversion data to advertising platforms such as Meta (Facebook) and Google Ads on our behalf via their server-side APIs.
No third-party advertising cookies are set by this script. Your IP address is pseudonymised (the last segment is zeroed) before any storage or forwarding. Data is processed by Growthsynth LLP as our data processor under a Data Processing Agreement incorporating EU Standard Contractual Clauses.
For more information about how Zephra handles data, see zephraai.com/privacy.html.
Zephra is a B2B platform intended solely for business use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided personal data through our platform, please contact us at hello@zephraai.com and we will delete it promptly.
You have all rights listed in Section 10. You may lodge a complaint with your local supervisory authority:
Zephra does not sell your personal information as defined under the CCPA or CPRA. We do not share personal information for cross-context behavioural advertising.
Residents of California, Virginia, Colorado, and other applicable U.S. states have the right to:
To exercise any of these rights, email hello@zephraai.com. We will respond within 45 days.
Under the Digital Personal Data Protection Act 2023, Indian residents (Data Principals) have the right to:
Growthsynth LLP is the Data Fiduciary for Indian users. Contact: hello@zephraai.com.
We also serve users in the UAE, Saudi Arabia, Singapore, and Australia. We apply the relevant local privacy law requirements on request. Contact us if you have jurisdiction-specific questions.
We may update this Privacy Policy from time to time. For material changes, we will:
Continued use of Zephra after the effective date constitutes acceptance of the updated policy. If you do not accept material changes, you may delete your account before they take effect.
Entity: Growthsynth LLP
Platform: Zephra (zephraai.com)
Privacy Enquiries: hello@zephraai.com
Subject line: "Privacy Request — [Your Name]"
Sub-processor list: zephraai.com/terms/sub-processors
© 2026 Growthsynth LLP · Effective: April 2026 · Version 2.0