Zophal
Legal

Privacy Policy

Last updated May 31, 2026. We collect as little as possible and never sell what we do.

This policy describes what data Zophal, Inc. ("we," "us") collects, why we collect it, how we use it, and the choices you have. We've kept it short on purpose. If anything is unclear, write us at [email protected].

1. What we collect

Account data. Your name, email, and password hash (we never see your plaintext password). Optional: profile picture, time zone, role inside a workspace.

Customer Content. The posts, captions, media, comments, and approval decisions you create inside the product. You own this — we host it for you.

Connected social accounts. Access tokens, account IDs, and metadata (handle, display name) from the social platforms you connect. Tokens are encrypted at rest.

Operational data. Logs, request timestamps, IP, and user-agent — retained for security and debugging.

2. How we use it

  • To operate, secure, and improve the service.
  • To publish, schedule, and analyze content on your behalf to platforms you connect.
  • To send transactional emails (verification, password reset, billing receipts).
  • To send product update emails — you can unsubscribe at any time.
  • To meet legal obligations.

We do not sell your data. We do not train third-party AI models on your Customer Content. We do not use your Customer Content for advertising.

3. AI features

When you use AI-powered features (caption assist, summarization, AI assistant actions) we send only the prompt or content fragment you trigger to our model provider. Outputs are stored in your workspace alongside the request. We use providers under contracts that prohibit training on your data.

4. Who we share data with

We share data only with vetted processors who help us run the service:

  • Cloud infrastructure (hosting, storage, queues).
  • Email delivery for transactional and product update emails.
  • Error monitoring and logging.
  • Payment processing (Stripe) — we never receive your full card details.
  • AI model providers — only for content you explicitly send through AI features.

We may disclose data when required by law or to protect our rights, in which case we will challenge overbroad requests where possible and notify you unless prohibited.

5. How long we keep it

Account data: while your account is active and up to 30 days after deletion. Customer Content: while your account is active; deleted on request or 30 days after the workspace is closed. Operational logs: up to 90 days. Backups roll off within 35 days.

6. Security

We encrypt data in transit and at rest, store passwords using industry-standard hashing, and keep connected social account credentials encrypted. Internal access is restricted and recorded. We won't claim to be unbreakable — write us at [email protected] if you find a vulnerability and we will respond fast.

7. Your rights

You can export your Customer Content from Settings → Workspace → Export at any time. You can request a copy of your personal data, ask for corrections, or ask us to delete it by emailing [email protected]. Depending on your region, you may also have the right to object to certain processing or lodge a complaint with your local data-protection authority.

8. Cookies and tracking

We use a small number of strictly necessary cookies (session, CSRF, theme preference) and an aggregate, privacy-preserving analytics tool to count page visits. We do not use cross-site advertising cookies.

9. Children

The service is not directed at people under 16. We do not knowingly collect their data.

10. Changes to this policy

We will announce material changes at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

11. Contact

Privacy questions: [email protected]