Privacy Policy
Last updated: April 17, 2026
1. Information We Collect
When you use Zebrafy, we collect:
- Account information: Email address and authentication data via Clerk.
- Brand data: Business names, URLs, brand voice preferences, and content you generate or score.
- Usage data: Generation counts, score history, platform usage, and feature interactions.
- Social connections: OAuth tokens for connected platforms (encrypted at rest). We never post on your behalf without your action.
- Payment information: Processed securely by Stripe. We never store your credit card details.
2. How We Use Your Data
- To provide and improve the Zebrafy service.
- To generate on-brand content and score your writing using AI.
- To build and refine your Brand DNA through the learning loop.
- To process payments and manage your subscription.
- To send transactional emails (account, billing, payouts, security alerts).
- To send lifecycle emails that help you get value from Zebrafy (welcome, Brand DNA ready, activation nudges, re-engagement, upgrade reminders). You can opt out of these at any time via the unsubscribe page or any email footer. Transactional emails continue regardless.
- To measure product usage and activation funnels so we can improve onboarding.
- To prevent abuse, fraud, and enforce rate limits.
3. Data Sharing & Sub-Processors
We do not sell your personal data. We share data only with these sub-processors, each under contract:
- Clerk: Authentication and user management.
- Stripe: Payment processing and subscription billing.
- Perplexity AI: Content generation and scoring (your brand context is sent to generate responses; no personally identifiable information is shared).
- Brevo: Transactional and lifecycle email delivery.
- PostHog: Product analytics (event-level usage data; we do not send full content you generate).
- Sentry: Error monitoring (stack traces; configured with PII stripping).
- Apify: Public-post scraping when you connect a social account for Brand DNA training.
- Railway: Hosting infrastructure and managed PostgreSQL.
4. Data Security
We take security seriously:
- Social OAuth tokens are encrypted at rest using AES-256-GCM.
- API keys are stored as salted hashes, never in plain text.
- All traffic is encrypted via HTTPS with HSTS enabled.
- We use Content Security Policy, rate limiting, and abuse detection.
- Database access is restricted and credentials are never exposed client-side.
5. Data Retention
- Unapproved generations are deleted after 90 days.
- All generations (including approved) are deleted after 365 days.
- Brand scores are deleted after 180 days.
- Revoked API keys are deleted after 30 days.
- Disconnected social connections are deleted after 90 days.
- You can delete your account at any time via Clerk, which cascades to all your data.
6. Your Rights
You have the right to:
- Access, correct, or delete your personal data.
- Export your brand profiles and generation history.
- Disconnect social accounts at any time.
- Cancel your subscription and delete your account.
7. Cookies & Local Storage
We use the minimum storage needed to run the product:
- Essential cookies: Clerk session (authentication), OAuth state tokens (CSRF protection), Stripe checkout session.
- Product analytics: PostHog uses a first-party cookie and local storage to attribute events to a stable anonymous ID. This is used for product improvement — never sold or shared. You can disable it by blocking analytics in your browser.
- Local storage: We store your onboarding draft in your browser's local storage so you can resume if you close the tab. The draft lives only on your device, expires after 30 days, and is cleared automatically once you finish onboarding. You can clear it any time from your browser's site data settings.
We do not use advertising cookies or cross-site trackers.
8. Chrome Extension
The Zebrafy Chrome extension only activates on the supported sites listed in the extension's Chrome Web Store page (LinkedIn, Gmail, Google Reviews, X, Instagram, Reddit, Yelp, TripAdvisor, Outlook, Yahoo Mail, TikTok, Threads, Facebook, YouTube). It does not read or monitor other sites.
What the extension stores locally on your device:
- Your Clerk session JWT (ephemeral — cleared when you sign out or close your browser).
- Your preferred brand profile ID for quick selection.
- A lifetime counter of successful generations/scores (used only to time the one-time review prompt).
- Your extension settings (which sites to disable Zeb on, whether keyboard shortcuts are enabled, etc.). Manage these at any time via the extension's Settings page.
What the extension sends to our servers:
- Generation requests: when you click Zeb to generate content, we send the platform name, content type, and any context you type into the prompt box. We do not send the page URL or surrounding page content.
- Scoring requests: when you score highlighted text, we send only the text you selected and the active brand profile.
- Anonymous usage telemetry (opt-out): event names like generate_success, the platform, extension version. No URLs, no content, no selections. You can turn this off in the extension's Settings → Privacy → "Share anonymous usage telemetry."
The extension does not read cookies, browsing history, or page content from sites we don't target. Source code for the extension is reviewed as part of the Chrome Web Store approval process.
9. Changes
We may update this policy from time to time. We will notify you of significant changes via email or in-app notification.
10. Contact
Questions about privacy? Email us at hello@getzebrafy.com.