Plain-English summary
- We collect what's needed to run your audit, tracker, and content factory — and your billing details to charge you.
- We do not train foundation models on your content. Your knowledge base, prompts, and outputs are siloed to your tenant.
- We do not sell your personal data to advertisers, brokers, or anyone else.
- You can export or delete your data from the dashboard, or by emailing privacy@zenithstack.ai. We action requests within 30 days.
- If you're in the EU/UK or California, you have additional rights under GDPR / UK GDPR / CCPA — see Section 10.
01
Who we are and what this policy covers
This Privacy Policy describes how ZenithStack LLC, a Delaware limited liability company ("ZenithStack," "we," "us," "our"), collects, uses, discloses, and protects personal information when you visit our website at zenithstack.ai or use the ZenithStack platform (the "Service").
It applies to information about you as an individual — visitors to our site, signed-up users, customers, contacts of customers, and end users interacting with content we generate on a customer's behalf. It does not cover websites or services operated by third parties even when reached through links from the Service.
02
What information we collect
Information you provide directly
- Account data — your name, email address, password (hashed; we never see the plaintext), and the brand / domain you're auditing.
- Billing data — we don't store card numbers. Stripe handles all payment data under their privacy terms; we store only the Stripe customer/subscription ID and billing email.
- Knowledge base — documents, FAQs, brand assets you upload to ground the content factory and chat agent (siloed to your tenant; never used to train shared models).
- Tracker config — the prompts you choose to track, your competitor list, your tenant settings.
- Support communications — anything you send via the support form, email, or in-product help.
Information we generate or collect automatically
- Service telemetry — generated content, audit reports, tracker run results, credit ledger entries, dashboard activity timestamps.
- Device + log data — IP address, user agent, referrer URL, the pages you view, timestamps. Used for security, debugging, and rate-limiting.
- Email delivery events — bounce, open, and unsubscribe events on transactional email we send you, reported back by our email provider.
Information from third parties
- Sign-in providers — if you sign in with Google, we receive your name, email, profile picture, and a Google-issued user ID. We do not receive your Google password.
- Public web data — we crawl public pages on your domain (and your competitors' domains) to run the AEO audit and the citation tracker. We do not bypass robots.txt or access gated content.
03
How we use your information
We use the information described above only for the purposes listed below, and we don't combine it for purposes we haven't told you about:
- Run the service — execute audits, tracker runs, content generation, distribution, and weekly digests on your behalf.
- Account + billing — authenticate you, charge your subscription, send invoices and renewal notices.
- Product communications — onboarding, security alerts, billing receipts. These are transactional and you can't opt out while you have an active account.
- Marketing communications — product updates, research, occasional newsletters. You can unsubscribe with one click; we suppress your address on the next send.
- Security + fraud prevention — detect abuse, throttle credential stuffing, investigate incidents.
- Product analytics — aggregate, anonymized usage patterns to improve the service. We don't use third-party advertising trackers.
- Legal compliance — respond to lawful requests, enforce our Terms, defend our rights.
04
Legal basis (GDPR / UK GDPR)
If you're in the EU, EEA, UK, or Switzerland, we process your personal data under one of these legal bases:
- Contract — to deliver the Service you signed up for.
- Legitimate interests — to keep the Service secure, improve features, and run reasonable, non-intrusive marketing to existing customers. We balance these interests against your rights; you can object at any time.
- Consent — for optional cookies and marketing email to non-customers. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and other applicable laws.
05
Service providers and subprocessors
We use the following vendors to deliver the Service. Each is bound by a data processing agreement with confidentiality, security, and (where applicable) Standard Contractual Clauses for international transfers.
| Provider | Purpose | Location |
|---|---|---|
| Neon | Managed Postgres database (your account, tenant, and service data live here) | USA (AWS) |
| Netlify | Web hosting, serverless functions, edge CDN | USA (global edge) |
| OpenAI | LLM generation (audit, content factory) and ChatGPT Search API (tracker) | USA |
| Anthropic | Claude API with web search (tracker — measures whether brands are cited in Claude responses) and content-generation fallback | USA |
| Perplexity | Sonar API for tracker queries | USA |
| Google | Gemini API (tracker) + Google Sign-In | USA / global |
| Stripe | Payment processing, subscription billing, invoices | USA / global |
| Resend | Transactional and marketing email delivery | USA |
| IndexNow | Search-engine indexing notifications (Bing, Yandex) | Operated by Microsoft / Yandex |
| Zapier | Used only if you mint an API key from the Integrations page. Zapier polls our trigger endpoints with your key and forwards events to your selected Zaps. | USA |
| Cloudflare | CDN for shared assets (Tailwind, lucide icons, web fonts) | Global edge |
We send each provider only what they need to perform their function. None of them are authorized to use your data for their own marketing.
06
International data transfers
ZenithStack is based in the United States, and most of our subprocessors are too. If you're in the EU/EEA, UK, or Switzerland, your data will be transferred to and processed in the US under EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable. You can request a copy of the safeguards in place by emailing privacy@zenithstack.ai.
07
How long we keep your data
- Account + service data — for as long as your account is active. After you delete your account, we erase live records within 30 days; encrypted database backups roll off within 90 days.
- Billing records — kept 7 years for tax and audit compliance, even after account deletion.
- Email logs — 90 days for delivery diagnostics; unsubscribe / suppression list retained indefinitely so we don't accidentally email you again.
- Server access logs — 30 days, then deleted.
- Generated content — published blog posts remain online until you remove them; drafts and unpublished posts are deleted with your account.
08
How we protect your data
- TLS 1.3 for all traffic in transit. HSTS enforced on all public domains.
- Database encrypted at rest (AES-256). Backups encrypted and access-controlled.
- Passwords hashed with bcrypt (cost factor 10). Plaintext passwords are never logged or stored.
- Session cookies are HTTP-only, Secure, SameSite=Lax, and signed with a rotating server-side secret.
- Principle of least privilege — production access is limited to a small set of engineers and audited.
If we discover a personal data breach affecting your information, we'll notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
09
Model training — what we promise
We do not train foundation models or shared classifiers on your content. Specifically:
- Your knowledge base, uploaded documents, tracker prompts, and generated outputs are siloed to your tenant in the database.
- Generation traffic to OpenAI and Anthropic runs under their enterprise / API terms with zero data retention for training — they don't use your inputs to train their models either.
- Tracker queries to ChatGPT Search, Claude (web search), Perplexity Sonar, and Gemini Search send only the prompt text — they don't carry your account context.
- The free public scorecard at /audit stores only the domain queried + a hashed IP address for rate-limiting. Results are cached for 12 hours so the same domain doesn't burn the API repeatedly.
- If we ever change this — for example, to train a tenant-private ranking model on aggregate data — we'll ask for explicit opt-in consent first, with a clear off-switch.
10
Your rights
Rights available to everyone
- Access — request a copy of the personal data we hold about you.
- Correction — fix inaccurate or incomplete data from your account settings, or by emailing us.
- Deletion — delete your account from the dashboard. We complete the erasure within 30 days.
- Portability — export your tenant data as JSON via the dashboard or by emailing us.
- Opt-out of marketing — unsubscribe links in every marketing email, or change preferences in your account.
Additional rights (EU/UK GDPR)
- Restrict processing while a dispute is resolved.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where consent is our legal basis.
- Lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France).
Additional rights (California — CCPA / CPRA)
- Right to know what categories of personal information we collect, the sources, the purposes, and the third parties we share it with.
- Right to delete personal information we collected from you, subject to lawful exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, email privacy@zenithstack.ai. We'll verify your identity using your account email and respond within 30 days (or sooner where the law requires).
12
Children's privacy
ZenithStack is a B2B service intended for use by adults acting on behalf of a business. We don't knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact privacy@zenithstack.ai and we'll delete it.
13
Changes to this policy
We'll update this policy as our service evolves. When we make material changes, we'll email registered users at least 30 days before the new version takes effect and update the "Last updated" date at the top. The current version always lives at zenithstack.ai/privacy.
14
Contact us
Privacy questions / DSARs: privacy@zenithstack.ai
Security disclosure
Legal entity: ZenithStack LLC, Delaware, USA
EU/UK representative: Not currently designated. EU/UK users may contact privacy@zenithstack.ai directly.