Privacy Policy

1. Information We Collect

We collect only what is necessary to provide the service:

• Account information: your email address and profile, provided via Auth0 when you log in.
• Device identifier: a stable, randomly generated UUID stored locally on your device. Used to associate your session with your subscription.
• Snippet data: your text snippets are stored locally on your device. Cloud sync is enabled automatically for Trial, Premium, and Enterprise plans and stores an encrypted copy on our servers.
• Subscription and billing data: handled entirely by Stripe. We store only your subscription plan and status; we never see or store your payment card details.
• Usage data: AI Assist request counts, used to enforce your monthly usage quota. Expansion and other usage statistics are stored locally on your device only and are never transmitted to our servers.
• Feedback data: when you submit feedback through the app, we also collect your app version, operating system, and subscription plan to help us reproduce and prioritize issues.
• Crash report data: if crash reporting is enabled (on by default), an anonymous report is sent when the app encounters an unexpected error. Reports contain the error type, stack trace, app version, and your subscription plan. Local variable values are stripped before the report leaves your device, so no snippet content or personal data is ever included. You can turn crash reporting off at any time via the "Crash Reports" toggle in the app's bottom toolbar.
• Store order phone number: when you place a store order, you may optionally provide a phone number. If provided, it is passed directly to our manufacturing partner to enable carrier delivery notifications. ZillaSoft does not store your phone number.

2. How We Use Your Information

• To provide, maintain, and improve our products
• To verify your subscription status and enforce plan limits
• To sync your snippets across devices (Trial, Premium, and Enterprise only)
• To send transactional emails (receipts, subscription changes). No marketing emails without your explicit consent
• To respond to support requests you send us
• In the event of a merger, acquisition, or asset sale, your data may be transferred to the new owner. You will be notified in advance of any such transfer and of any changes to how your data is handled

We only process your data when we have a clear, legitimate reason to. Here is what that looks like in practice:

• Account and billing data: we need this to deliver the service you signed up for. Without it, we cannot create your account or process your subscription.
• Usage data: we use AI Assist request counts solely to enforce your plan's monthly quota. This is strictly necessary to deliver the service and cannot be opted out of while your subscription is active.
• Marketing and newsletter emails: only with your explicit opt-in. You can unsubscribe at any time, no questions asked.

3. Cookies and Local Storage

We use only essential browser storage. No advertising or tracking cookies are used on this site.

• Theme preference: stored in your browser's localStorage (key: "theme"). Stays in your browser and is never sent to our servers.
• Referral source: if you arrive via a link with UTM parameters (for example, from an ad or a partner site), those values are saved in localStorage (key: "utm"). Used only to understand which channels bring visitors to the site. Never sold or shared. Clear it any time by clearing your browser's local storage.
• Plan selection: a cookie named "zs_plan" is set when you click a pricing plan on the pricing page. It stores your selected plan and billing cycle (for example, "premium_annual") so the checkout can pre-select your choice. Expires in 30 days. No personal data is stored in this cookie.

4. Data Storage and Security

Snippet data synced to our servers is protected with end-to-end encryption. Your snippets are encrypted on your device with AES-256-GCM before they ever leave it, using a key derived from your personal recovery code. The server stores only the encrypted payload and has no access to your key or the plaintext content. Your data is isolated from all other users at the database level. All sync traffic is additionally secured in transit by HTTPS. Data is stored on infrastructure hosted in Europe.

Authentication is handled by Auth0 using industry-standard PKCE flows. We do not store passwords.

A note for users in the EU and EEA: our API server (Railway) and database (Neon) are hosted in Europe. Authentication is handled by Auth0 on their European tenant. Your core account and snippet data stays within Europe. The only exception is the AI Assist feature, which sends only your typed snippet description to Anthropic's API in the United States for processing. No personal data or existing snippet content is involved. That transfer is covered by Standard Contractual Clauses (SCCs). All of our other service providers (AWS, Auth0, Stripe, and Brevo) also support SCCs and are certified under the EU-US Data Privacy Framework.

5. Third-Party Services

We use the following third-party services to operate ZillaSoft products. Each one only receives the data it needs to do its job:

• Auth0: authentication and identity management. Your login credentials are processed and stored by Auth0.
• Stripe: payment processing. Billing information is handled directly by Stripe under their privacy policy. We never see your card details.
• Anthropic: AI Assist feature (Trial, Premium and Enterprise), processed in the United States. When you use AI Assist, only the description text you type for snippet generation is sent to Anthropic's API to produce a result. No personal information, no account data, and no existing snippet content is ever transmitted to Anthropic. Inputs are not used to train Anthropic's models per their standard API usage policies.
• Brevo: email delivery. We use Brevo to send transactional emails (such as contact form confirmations and subscription receipts) and to manage newsletter subscriptions when you opt in. All registered users are also added to a service notifications list used exclusively for material policy changes and critical service announcements. This list is separate from the newsletter and does not require opt-in, as it serves our legitimate interest in fulfilling the notice obligations described in our Terms. Brevo processes your email address for these purposes only.
• Amazon Web Services (AWS): our website is hosted on AWS (S3 + CloudFront). AWS may log standard web access data such as IP addresses as part of normal infrastructure operations.
• Railway: our API server is hosted on Railway. Like any hosting provider, Railway may log IP addresses and request metadata as part of normal infrastructure operations.
• Neon: our database is hosted on Neon (PostgreSQL). Your account, subscription, and synced snippet data (encrypted) are stored there.
• Atlassian (Jira): when you submit a support request through our contact form, your name, email, and message are stored in our Jira instance to manage the support ticket.
• Sentry: we use Sentry for error tracking in the Snipzilla desktop app. When crash reporting is enabled (the default), reports containing the error type, stack trace, app version, and subscription plan are sent to Sentry if an unexpected crash occurs. Local variable values and UI interaction history are stripped from every report before it leaves your device, so no snippet content is ever included. You can disable crash reporting at any time via the "Crash Reports" toggle in the app settings; the change takes effect on next launch.
• Fonts: the Inter typeface used on this site is self-hosted. No third-party font service is used, and no data is sent to external font providers when you visit our site.

Each of these services has its own privacy policy. We encourage you to review them.

6. Data Retention

We retain your account and subscription data for as long as your account is active. If you cancel your subscription and request account deletion, we will delete your data within 30 days, except where retention is required by law (e.g., billing records).

7. Your Rights

You are in control of your data. You have the right to:

• Access: ask us what personal data we hold about you and receive a copy of it.
• Correction: ask us to fix any data about you that is wrong or incomplete.
• Deletion: ask us to delete your account and all associated data. We will do so within 30 days, except where the law requires us to keep certain records. Please note that account deletion will immediately cancel any active subscription, and you may not be eligible for a refund of any remaining subscription period.
• Data portability: export your snippet data at any time from within the app in a standard format. You can also request a copy of any other personal data we hold about you.
• Object to processing: if we rely on a legitimate business interest to process your data (such as fraud prevention or security monitoring), you can ask us to stop. We will stop unless we have a compelling reason to continue, and we will always explain our reasoning. Note that this right does not apply to processing that is strictly necessary to deliver the service you subscribed to, such as billing and account management.
• Restrict processing: ask us to pause processing your data (for example, while you are disputing its accuracy). During that time we will store it but not use it.
• Withdraw consent: if you gave us consent for something (such as a newsletter), you can take it back at any time. Just unsubscribe or contact us. Withdrawing consent does not affect anything that happened before you withdrew it.

To exercise any of these rights, use our privacy request form or email us at [email protected]. We will respond within 30 days.

EU and UK users: if you feel we have not handled your data correctly and we have not resolved your concern, you have the right to lodge a complaint with your local data protection authority (for example, the ICO in the UK, CNIL in France, or the relevant authority in your country). We would always prefer you reach out to us first so we can try to make it right.

8. Children's Privacy

Our services are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. US State Privacy Rights (CCPA/CPRA and similar)

Several US states have enacted consumer privacy laws that give you additional rights on top of everything listed above. These include California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others. The following rights apply to residents of these states to the extent required by applicable law:

• The right to know exactly what personal information we collect about you and why
• The right to request deletion of your personal information
• The right not to be treated differently for exercising any of these rights

We do not sell your personal data and have no plans to do so. To exercise any of these rights, use our contact form or email us at [email protected].

10. Changes to This Policy

We may update this policy from time to time. Continued use of our services after the effective date of any change constitutes your acceptance of the updated policy.

11. Contact Us

Questions about this policy, or want to exercise your data rights? Reach us at: