Privacy Policy

Last updated: April 2026 · Version 2.0 · [DRAFT — NOT PUBLISHED]

Zephra is built on the principle of data isolation. We do not use your personally identifiable data to train shared AI models, and we provide full transparency into how every signal is used.

NO AD TARGETING

We never use your data to sell ads or target you with third-party advertising.

NO SHARED AI TRAINING

Your identifiable campaign data never trains models shared with other customers.

GOOGLE LOGIN ONLY

We never store passwords. All sign-in is via Google OAuth — you control access.

DELETE ANY TIME

Request deletion of your account and all associated data at any time via email.

ENCRYPTED STORAGE

All OAuth tokens stored encrypted at rest. Database encrypted with AES-256 (Neon PostgreSQL).

GDPR + DPDP + CCPA

Compliant with EU, UK, India, and California privacy laws. Jurisdiction-specific rights in §16.


Effective Date: April 2026 · Issued by: Growthsynth LLP · Version 2.0

This Privacy Policy explains how Growthsynth LLP ("we", "us", "our"), operating the Zephra AI marketing platform and the marketing website at zephraai.com, collects, uses, stores, and protects your personal data. It applies to:

This single policy governs all three groups. Where provisions apply only to a specific group, this is stated clearly. Additional jurisdiction-specific provisions for EU/UK, California, and India residents are in Section 16.

By using Zephra, you acknowledge you have read and understood this Policy. If you do not agree, please do not use the platform.

Growthsynth LLP is a Limited Liability Partnership incorporated in India. We develop and operate Zephra — an AI-powered marketing intelligence and automation platform for businesses globally.

Data Controller / Data Fiduciary

Growthsynth LLP is the data controller (GDPR), data fiduciary (India DPDP Act 2023), and equivalent responsible entity under all applicable data protection regimes worldwide. Where we process personal data on behalf of our platform customers (e.g. visitor data collected through sdk.js), we act as data processor and our customers act as controllers — see Section 14.

Contact

We collect only the following categories of data:

2.1 Account Data

2.2 Third-Party Platform Credentials

All OAuth tokens are stored encrypted (AES-256 via Fernet symmetric encryption). We never store third-party passwords. You can revoke access at any time from your account settings or directly from the third-party platform.

2.3 Campaign and Performance Data

2.4 Website Visitor Data (Server-Side Tracking)

This applies to visitors of your website where you have installed our sdk.js tracking script, and to visitors of zephraai.com itself.

For sdk.js customers: You are the data controller for your website visitors' data. You must include an appropriate disclosure in your own privacy notice. See Section 14 for a copy-paste template and our Data Processing Agreement terms.

2.5 Payment and Billing Data

2.6 Usage and Technical Data

2.7 Communications Data

Email correspondence, support ticket content, demo booking information, survey responses.

2.8 Data We Never Collect

The table below summarises our legal bases under GDPR (Article 6). These bases also correspond to equivalent provisions under India's DPDP Act 2023 and other applicable laws.

Data CategoryLegal Basis
Account data, platform credentials, campaign data, billing dataContract Performance (Art. 6(1)(b))
Usage data, security logs, user activity records, service communications to existing customers, Microsoft Clarity analyticsLegitimate Interests (Art. 6(1)(f)) — platform improvement, fraud prevention, security
Billing records, tax dataLegal Obligation (Art. 6(1)(c))
Marketing emails, non-essential analytics cookies (GA4 performance cookies)Consent (Art. 6(1)(a)) — withdrawable at any time
sdk.js visitor tracking data (processed on behalf of customers)Customer's own legal basis — we act as processor (Art. 28)

4.1 Delivering the Platform

4.2 Security and Integrity

4.3 Platform Improvement

We do not use your personally identifiable campaign data, ad spend figures, or business performance data to train AI models shared with other customers.

4.4 Communications

This section covers tracking on zephraai.com (our marketing website). For sdk.js tracking on customer websites, see Section 14. For full details see our Tracking & Analytics Disclosure.

TechnologyPurposeBasisCategory
Session cookies (1st party)Remembering login state, CSRF protectionStrictly NecessaryEssential
Consent preference cookie (localStorage)Remembering your cookie choicesStrictly NecessaryEssential
Google Analytics 4 (GA4)Website visitor analytics, page performance measurementConsentPerformance
Microsoft ClarityAnonymised heatmaps and session behaviour analysisConsentPerformance

We implement Google Consent Mode v2. All analytics are set to denied by default until you grant consent via our cookie banner. Ad storage is permanently denied — we do not use advertising cookies on our website.

EU AI Act Notice: Zephra is an AI system that automates marketing decisions. In compliance with the EU AI Act transparency obligations, we disclose its operation, capabilities, and limitations here and in our product documentation.

6.1 What Zephra's AI Does

Zephra uses machine learning and large language models to:

6.2 Human Oversight and Controls

6.3 Data Isolation Guarantee

Your identifiable campaign data, business metrics, audience insights, and brand assets are used exclusively within your own Zephra account (your Context Engine). They are never shared with other Zephra customers or used to influence recommendations for other accounts.

6.4 AI Limitations Disclosure

Like all AI systems, Zephra can produce incorrect, incomplete, or suboptimal outputs. AI-generated recommendations should be reviewed critically. Zephra does not guarantee business outcomes, campaign performance, or ROAS targets. You retain full responsibility for all final advertising decisions.

6.5 Right to Object to Automated Decisions

Under GDPR Article 22, you have the right to object to decisions based solely on automated processing. Zephra does not make such decisions — all consequential actions require human approval. If you have concerns about a specific AI output, contact hello@zephraai.com and a human will review it.

We do not sell your personal data. We do not share it with data brokers. We never share it for third-party advertising purposes.

We share data only in the following circumstances:

7.1 At Your Direction — Connected Platforms

When you connect a third-party platform (Meta Ads, Google Ads, YouTube, Google Analytics), we transmit data to and from that platform as required to deliver the service you requested.

Google Ads conversion forwarding. When sdk.js records a conversion event, Zephra forwards the following fields to the Google Ads Conversions API: (1) conversion action name; (2) event timestamp; (3) Google click ID (gclid), where present; (4) order or event value, where configured; (5) the visitor's truncated IP address; and (6) where a lead form is submitted and the customer has configured Enhanced Conversions, the visitor's email address hashed with SHA-256 prior to transmission. No unhashed email address is ever sent to Google.

7.1a Social Media Integration (Planned Feature)

// Planned — not yet active

When implemented, Zephra will request only minimum permissions to publish content on connected social accounts. We will not read follower data, direct messages, or audience analytics unless explicitly offered and opted into.

7.2 Sub-processors

Sub-processorPurposeCountry
Google Cloud (Cloud Run, Cloud Storage)Platform hosting, compute, file storageUSA / EU
Neon (PostgreSQL)Database (AES-256 at rest, SSL in transit)USA
Google Analytics 4Website analytics (consent-gated)USA
Microsoft ClarityAnonymised session analytics (consent-gated)USA
Meta Conversions APIServer-side conversion forwarding (at customer direction)USA
Google Ads API / Enhanced ConversionsServer-side conversion forwarding (at customer direction)USA
OpenAILLM inference — AI ad copy, creative generation, campaign recommendationsUSA
Groq / CerebrasLLM inference — fast AI features; no training on customer dataUSA
MaxMind (GeoLite2)IP-to-country geolocation — IP address is looked up locally; no data transmitted to MaxMind serversUSA (local DB)
Redis Labs (Upstash)In-memory state storage for AI optimisation coordination. Stores campaign action state only; no PII.USA
Cloudflare R2Object storage for AI-generated videos, brand asset uploads, and generated creative filesUSA / Global edge
Payment processor (TBD)PCI-DSS payment processingUSA / EU

7.3 Legal Requirements

We may disclose data if required by law, court order, or to protect the rights and safety of Zephra, our users, or the public. We will notify you of such requests where legally permitted.

7.4 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will notify you before any transfer occurs and your rights under this policy will be preserved.

Growthsynth LLP is incorporated in India. Our infrastructure sub-processors operate primarily in the United States. Where we transfer personal data of EU/UK residents to countries without an adequacy decision, we rely on:

For EU/UK users, you can request a copy of the applicable SCCs by emailing hello@zephraai.com.

For India-based data, all processing complies with the Digital Personal Data Protection Act 2023 (DPDP Act).

We retain data for the shortest period necessary for its purpose:

Data TypeRetention PeriodReason
Active account dataDuration of account + 1 year after closureService delivery; account reactivation within 1 year of closure
OAuth tokens (platform credentials)Deleted immediately on revocation or account closureSecurity — no long-lived credential retention
Campaign and performance dataDuration of account + 1 year after closureAccount reactivation; dispute resolution
Billing and transaction records7 yearsIndian GST / international tax law
Security and audit logs12 monthsSecurity monitoring and incident response
Application logs (Google Cloud Run)30 days (GCP default)Operational debugging
Consent records (terms acceptance timestamps)Duration of account + 7 yearsDemonstrating legal basis for processing
Website visitor analytics (GA4)14 months (GA4 default)Performance measurement
sdk.js conversion events (on behalf of customers)90 days after forwardingAttribution window + debugging
AI-generated videos and creative assets30 days after generation (unless saved to your library)Storage cost management
Support correspondence3 yearsCustomer service continuity
Anonymised and aggregated dataIndefiniteAI model improvement; platform-wide benchmarking. No personal data is held in or recoverable from this data.

Account reactivation. We retain your account and campaign data for 1 year after closure specifically to support your return. If you reactivate within this period, your history, configurations, and performance records will be fully restored.

Following account deletion, we will purge all personal data within 90 days per the schedule above, except where retention is required by law or a legal hold applies.

Depending on your location, you may have the following rights regarding your personal data. All requests should be sent to hello@zephraai.com with subject "Privacy Request — [Your Name]".

RightWhat It MeansAvailability
AccessReceive a copy of all personal data we hold about youAll users
RectificationCorrect inaccurate personal dataAll users
ErasureDelete your account and all associated personal data (subject to legal retention obligations)All users
PortabilityReceive your data in a machine-readable format (CSV/JSON)EU/UK/India
RestrictionRequest we limit processing while you contest accuracy or objectEU/UK
ObjectObject to processing based on legitimate interests or for direct marketingEU/UK/India
Withdraw ConsentWithdraw marketing consent or cookie consent at any timeAll users
ComplainLodge a complaint with your supervisory authorityAll users

We will respond to all requests within 30 days. In complex cases, we may extend this by a further two months with notification. We will not charge a fee unless requests are manifestly unfounded or excessive.

We implement technical and organisational measures appropriate to the risk of processing personal data:

Breach notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected users without undue delay and notify relevant supervisory authorities within 72 hours (where required by GDPR Article 33).

To report a security vulnerability, email hello@zephraai.com with subject "Security — [brief description]".

Zephra integrates with third-party advertising and analytics platforms at your direction. Once you connect a platform (Meta, Google, YouTube, LinkedIn), that platform's own privacy policy governs the data you send to and receive from them.

Google APIs disclosure: Zephra's use and transfer to any other app of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

YouTube: Zephra uses YouTube API Services. These are covered in full in the dedicated Section 13 — YouTube API Services below.

This section is provided specifically to comply with the YouTube API Services Terms of Service and the YouTube API Services Developer Policies. It explains our use of YouTube API Services, how we handle YouTube data, and how you can control or delete it.

13.1 We Use YouTube API Services

Zephra uses YouTube API Services. When you connect your YouTube channel, Zephra uses the YouTube Data API to upload the video creatives you generate to your own channel so they can be used in your Google Ads and YouTube advertising campaigns. We request only the youtube.upload scope and do not request access to read your subscribers, watch history, comments, or other channel analytics.

13.2 Agreement to YouTube's Terms

By using Zephra's YouTube-connected features, you are agreeing to be bound by the YouTube Terms of Service.

13.3 Google Privacy Policy

Because YouTube API Services rely on Google authentication and data, Google's own privacy practices apply to that data. You can review the Google Privacy Policy at http://www.google.com/policies/privacy.

13.4 What We Store, and How Often We Refresh or Delete It

Zephra does not continuously crawl, cache, or display YouTube content. The only YouTube API data we store is: (1) the OAuth authorisation token that lets us upload on your behalf, encrypted at rest; and (2) the video ID and URL of each video we upload for you, so we can attach it to your campaign. Authorisation tokens are refreshed automatically by Google's OAuth libraries on use and are refreshed or revalidated at least every 30 days; any stored YouTube authorised data that has not been used or revalidated within 30 days is refreshed on next use or deleted. Tokens are deleted immediately when you disconnect YouTube, revoke access, or close your account; uploaded video IDs/URLs are deleted within 30 days of account closure.

13.5 How to Delete Your Stored Data or Revoke Our Access

You can revoke Zephra's access to your YouTube and Google data at any time:

Revoking access deletes the stored authorisation token immediately. Note that videos already uploaded to your own YouTube channel remain on your channel under your control and can be deleted by you directly in YouTube Studio.

If you are a Zephra platform customer using our sdk.js tracking script on your website, this section explains how we handle the personal data of your website visitors.

14.1 Controller and Processor Roles

You (the Zephra customer) are the data controller for your website visitors' personal data. Growthsynth LLP acts as your data processor when receiving, processing, and forwarding that data via sdk.js.

14.2 What sdk.js Collects from Your Visitors

14.3 Your Obligations as Controller

As data controller, you are responsible for:

14.4 Copy-Paste Privacy Policy Text

If you need to update your website's privacy policy to disclose Zephra tracking, you may use or adapt the following text:

// COPY-PASTE TEMPLATE — adapt as needed

Server-Side Analytics and Conversion Tracking

We use Zephra, an AI marketing platform provided by Growthsynth LLP, to measure and improve the performance of our advertising campaigns. Zephra's tracking script (sdk.js) collects anonymised information about your visit — including pages viewed, events completed, and a pseudonymous browser identifier — and forwards conversion data to advertising platforms such as Meta (Facebook) and Google Ads on our behalf via their server-side APIs.

No third-party advertising cookies are set by this script. Your IP address is pseudonymised (the last segment is zeroed) before any storage or forwarding. Data is processed by Growthsynth LLP as our data processor under a Data Processing Agreement incorporating EU Standard Contractual Clauses.

For more information about how Zephra handles data, see zephraai.com/privacy.html.

Zephra is a B2B platform intended solely for business use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided personal data through our platform, please contact us at hello@zephraai.com and we will delete it promptly.

16.1 EU and UK Residents (GDPR / UK GDPR)

You have all rights listed in Section 10. You may lodge a complaint with your local supervisory authority:

16.2 California Residents (CCPA / CPRA)

Zephra does not sell your personal information as defined under the CCPA or CPRA. We do not share personal information for cross-context behavioural advertising.

Residents of California, Virginia, Colorado, and other applicable U.S. states have the right to:

To exercise any of these rights, email hello@zephraai.com. We will respond within 45 days.

16.3 India Residents (DPDP Act 2023)

Under the Digital Personal Data Protection Act 2023, Indian residents (Data Principals) have the right to:

Growthsynth LLP is the Data Fiduciary for Indian users. Contact: hello@zephraai.com.

16.4 Other Jurisdictions

We also serve users in the UAE, Saudi Arabia, Singapore, and Australia. We apply the relevant local privacy law requirements on request. Contact us if you have jurisdiction-specific questions.

We may update this Privacy Policy from time to time. For material changes, we will:

Continued use of Zephra after the effective date constitutes acceptance of the updated policy. If you do not accept material changes, you may delete your account before they take effect.

Entity: Growthsynth LLP

Platform: Zephra (zephraai.com)

Privacy Enquiries: hello@zephraai.com

Subject line: "Privacy Request — [Your Name]"

Sub-processor list: zephraai.com/terms/sub-processors

© 2026 Growthsynth LLP · Effective: April 2026 · Version 2.0