Privacy Policy
Last Updated: April 19, 2026
Zelitho ("we", "us", or "our") operates the Zelitho platform (the "Service"), a content intelligence engine that helps businesses create evidence-backed content. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service.
1. Information We Collect
1.1 Account Information
You may create or access an account using Google OAuth or email and password (via our authentication provider, Supabase). When you use Google, we receive and store your name, email address, and profile picture URL from Google. We do not collect or store your Google password. When you sign up with email, we store your email address and a securely hashed password (we never store your password in plain text). If you complete phone verification during signup, we process the phone number you provide for that step as part of account security and delivery of verification messages. If you are part of an organization or agency workspace, we store your membership and associate your activity with that workspace for billing, access control, and collaboration within the Service.
1.2 Business Information You Provide
During onboarding and normal use, you may provide:
- Website URL
- Business description, audience location, and customer problem
- Ideal Customer Profiles (ICPs)
- Seed keywords and content preferences
- CMS credentials (WordPress site URL, application password; Webflow site token)
CMS credentials are encrypted at rest using AES-256-GCM and are only used to publish content on your behalf. We never share your CMS credentials with third parties.
1.3 Content and Generated Data
We store content you create or that the system generates on your behalf, including keyword research results, topic fingerprints, extracted research data from web sources, content outlines, and published articles. This data is tied to your account and used solely to deliver the Service. You are responsible for reviewing and verifying AI-generated content before publishing (see our Terms of Service).
1.4 Google API Data (Optional)
If you connect your Google account for SEO analysis, we may access Google Search Console and Google Analytics data for your authorized properties. Access tokens are encrypted at rest. We use this data only to generate SEO reports for you and do not share it with third parties.
1.5 Billing, Plans, and Credits
When you subscribe, start a trial, or purchase add-ons (such as prepaid credit packs), our payment processor handles payment details. We store subscription status, plan tier, credit balances, Stripe customer and subscription identifiers, and related metadata needed to operate billing and entitlements. We do not store your full payment card number on our servers.
1.6 Usage Data
We collect standard server logs (IP address, browser type, timestamps) to maintain service reliability and security. We also use PostHog, our product analytics provider, to collect limited usage and performance data for authenticated product use. This may include product page paths, key actions taken, browser and device metadata, and similar diagnostic information. We use this data to understand onboarding, improve workflows, and monitor product reliability. We do not use advertising trackers. Our error monitoring provider may receive limited technical diagnostics when something fails in the app; we configure it to minimize personal data.
2. How We Use Your Information
- Provide the Service: Authenticate your account, run content workflows, generate and store content, publish to your CMS, and apply plan limits, credits, and billing status.
- Improve the Service: Diagnose technical issues, monitor performance, measure feature usage and onboarding, and improve reliability.
- Communicate: Send transactional messages related to your account or the Service (e.g. password reset, billing receipts and notices from our payment processor, and operational emails from our email provider—including summaries when you use in-app support so we can respond). No marketing emails in v1.
- Legal compliance: Comply with applicable laws, respond to lawful requests.
Where required by law (e.g. GDPR), we process account and profile data to perform our contract with you; usage and security data for our legitimate interests; and optional Google API data on the basis of your consent.
3. Third-Party Services (Subprocessors)
To deliver the Service, we share limited data with the following categories of third-party providers. Our current subprocessor list is maintained in our application and published at https://app.zelitho.com/legal/subprocessors (single source of truth).
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase (database, auth, storage) | Authentication, PostgreSQL database, file storage, and application APIs | Account info, session data, and stored workspace content |
| Stripe | Payment processing, subscriptions, trials, optional credit packs, and customer billing portal; Stripe notifies us of subscription lifecycle events so we can update your account | Billing contact details, transaction and subscription metadata, and payment method references (full card numbers are processed by Stripe, not stored on our servers) |
| OpenAI | Content generation, keyword qualification, embeddings, SEO analysis | Business context, keywords, URLs, content for processing |
| Anthropic (Claude) | Content generation (outlines, articles) | Business context, extracted research data, content for processing |
| Google (Gemini) | Image generation for blog sections | Section headings and prompts for images; optional brand logo image when you enable branded images |
| DataForSEO | Keyword metrics (volume, difficulty, CPC) and, for some workflows, Google SERP data used in topic research | Seed keywords, queries, and titles sent for those requests |
| SerpAPI | Search result analysis for topic research | Keywords and titles used for SERP lookup |
| Apify | Access to public web pages for fact extraction | URLs of public web pages used for content research |
| Vercel / Railway (hosting) | Application and backend hosting | Network traffic, application data in transit |
| PostHog | Authenticated product usage analytics and performance monitoring | Pseudonymous user ID, product page paths, event names, event properties, browser metadata |
| Loops | Transactional email (e.g. password reset, account-related notifications) and operational alerts when you contact support | Email address, name, and message content required to deliver the email (including a summary of support requests when applicable) |
| Sentry | Error and performance monitoring for the application | Technical diagnostics and limited contextual data when errors occur (configured to minimize personal data) |
Each provider processes data under their own privacy policy and terms. We select providers that offer appropriate data protection. Data sent to AI providers (OpenAI, Anthropic, Google) is used for processing your requests and is subject to their respective data usage policies. Product analytics data sent to PostHog is limited to authenticated usage analytics and performance signals. We do not opt in to model training programs with your data where the option to opt out exists. We maintain data processing agreements and, where required, EU standard contractual clauses (or equivalent transfer mechanisms) with these subprocessors.
4. Data Retention
- Account data: Retained for as long as your account is active.
- Generated content and research data: Retained for the duration of your account. You may request deletion (see Section 7).
- Server logs: Retained for up to 90 days for operational purposes.
- Encrypted credentials (CMS, Google tokens): Deleted when you disconnect the integration or delete your account.
- Billing records: Retained as needed for accounting, dispute resolution, and legal obligations; otherwise aligned with account lifecycle.
5. Data Security
We implement the following security measures:
- All data in transit is encrypted via TLS/HTTPS.
- Payment card information is collected and processed by Stripe. We do not store your full payment card number on our servers; Stripe provides us with tokens and subscription metadata needed to operate billing.
- Sensitive credentials (OAuth tokens, CMS passwords) are encrypted at rest using AES-256-GCM.
- Row-Level Security (RLS) in PostgreSQL ensures users can only access their own data.
- API keys and secrets are stored in server-only environment variables, never exposed to the client.
- Authentication is enforced on all protected endpoints via server-side JWT validation.
- Server logs do not contain personal data or business-sensitive information (e.g. URLs, keywords, or credentials).
6. Cookies
We use essential cookies only: session cookies managed by Supabase Auth for authentication and a sidebar state cookie for UI preferences. We also use limited analytics storage provided by PostHog to understand authenticated product usage and performance. We do not use advertising cookies.
7. Your Rights
Depending on your jurisdiction (including under GDPR and CCPA), you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate data.
- Deletion: Request that we delete your personal data and account.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to certain processing of your data.
Self-service: Signed-in users may download a structured export of their personal data from Profile / account settings in the app (rate limits may apply). You may also request account deletion from the same place. When you request deletion, access to the Service is revoked immediately; we then complete erasure of your personal data after a short verification window, typically within 30 days, subject to limited retention where the law requires (for example, billing records).
To exercise any of these rights or for other requests, contact us at privacy@zelitho.com. We will respond within 30 days where applicable. You may also request that we opt your account out of non-essential product analytics.
8. International Data Transfers
Your data may be processed and stored in the United States and other jurisdictions where our service providers operate. By using the Service, you consent to this transfer. Where applicable, we rely on standard contractual clauses or other lawful transfer mechanisms.
9. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email. Continued use after changes constitutes acceptance of the updated policy.
11. Contact
For questions about this Privacy Policy or your data, contact: privacy@zelitho.com