Privacy Policy
Effective Date: August 1st, 2025
Zettel ("we", "us", or "our") values your privacy. This Privacy Policy describes how we collect, use, and share your information when you use our platform and explains the rights and choices you have. It is designed to meet the transparency requirements of the EU GDPR, the UK GDPR, US state privacy laws (including CCPA / CPRA), Canada's PIPEDA, and other applicable regulations.
1. Information We Collect
- Account Data: Name, email, password (hashed & salted), authentication tokens, and profile details you choose to provide.
- Learning Data: Goals, curricula, chat messages, uploaded materials, progress metrics, and feedback.
- Payment Data: Limited billing-related data (last 4 card digits, subscription tier). All card processing is handled by Stripe; we do not store full card numbers.
- Usage Data & Identifiers: IP address, device/browser type, crash logs, and in-product events collected via PostHog (self-hosted in the EU) for product analytics.
- Cookies & Similar Tech: Session cookies for authentication, optional analytics cookies (consent banner provided in the EEA/UK).
- Communications: Engagement data for emails sent via Resend (e.g., link clicks, open rates).
2. How We Use Information & Legal Bases
- Provide & Improve the Service (Art. 6-1-b GDPR — contract). We use account and learning data to build personalised roadmaps and track progress.
- Payments & Fraud Prevention (Art. 6-1-b/c). Stripe processes payments; we keep minimal billing data to manage subscriptions and detect fraud.
- Product Analytics (Art. 6-1-f — legitimate interest / opt-in consent where required). Aggregated usage helps us improve curriculum quality and performance.
- Marketing Emails (Art. 6-1-a — consent). We only send newsletters if you opt in; unsubscribe anytime.
- Legal Compliance & Security (Art. 6-1-c/f). Logs and backups help detect abuse, enforce Terms, and meet audit / tax obligations.
3. Sharing & Disclosure
- Service Providers: Supabase (hosting & auth), Stripe (payments), PostHog (analytics), Resend (email). They process data under written DPAs / SCCs.
- Legal Authorities: When required by valid subpoena, court order, or to protect rights, safety, or property.
- Business Transfers: In the event of a merger, acquisition, or asset sale, we will notify you and honour this Policy.
- We never sell personal data.
4. Cookies & Tracking
Necessary cookies are set when you log in. Optional analytics cookies are disabled by default in jurisdictions that require consent. You can manage cookies in your browser settings or via our in-product cookie banner.
5. Data Security
We use TLS/HTTPS, encrypt data at rest, implement role-based access controls, run regular penetration tests, and store credentials using industry-standard hashing algorithms. No method is 100% secure, but we take reasonable steps to protect your data.
6. Data Retention
We keep your account data while your account is active. You can delete your account at any time from settings; associated personal data is permanently erased within 30 days except where legal obligations (e.g., financial records) require longer retention.
7. International Transfers
We host data in Supabase EU-West and rely on EU Standard Contractual Clauses for transfers to non-EEA providers such as Stripe & Resend (US). A copy of the SCCs is available on request.
8. Your Privacy Rights
- Access & Portability — Download a copy of your data.
- Correction — Update inaccurate or incomplete data.
- Deletion — Delete your account and personal data.
- Opt-out of Marketing — Unsubscribe anytime via email footer.
- Objection & Restriction (EEA/UK).
9. Children’s Privacy
Our platform may be used by learners under 18 with parental consent. We do not knowingly collect data from children under 13. Parents can request deletion by emailing us.
10. Changes to This Policy
We will post any updates on this page with a new effective date. For material changes, we will notify registered users via email or in-app notice at least 30 days in advance.
11. Contact Us
If you have questions about this Privacy Policy, please email [email protected].