Privacy Policy
Last updated
1. Who We Are
Zepilo is the controller of the personal data described in this Privacy Policy. We operate the Zepilo platform available at www.zepilo.com.
Questions about this policy or your personal data can be directed to our data protection contact at: privacy@zepilo.com.
2. What Personal Data We Collect and Why
2.1 Early-Access Form
When you submit the early-access request form on our website, we collect:
- Name, to address you personally in our response
- Email address, to contact you about your early-access request
- Company name, to understand which agency you work for
- Number of agents, to tailor the appropriate subscription plan
- Current CRM, to understand your migration needs (optional)
- Message, any additional context you choose to provide (optional)
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR), specifically our legitimate interest in responding to inbound product enquiries from potential customers. We keep this data until your request has been processed, and for a maximum of 24 months thereafter unless you request earlier deletion or become a customer (in which case your data is retained under the customer relationship).
2.2 Contact Form
When you use the contact form, we collect your name, email address, and the content of your message. We use this data solely to respond to your enquiry.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data is retained for 12 months after the enquiry is resolved.
2.3 Website Analytics
We use Cloudflare Web Analytics to understand how visitors use our website. Cloudflare Web Analytics is a cookieless, privacy-first analytics service. It does not:
- Set cookies or use local storage for tracking
- Track individual visitors across sessions or across websites
- Collect or process personal data that could identify an individual visitor
- Use device fingerprinting
The analytics data we receive is aggregated (page views, referrers, browser types, country-level traffic) and does not constitute personal data under the GDPR. No legal basis under Art. 6 GDPR is required for processing that does not involve personal data.
For more information, see Cloudflare's Privacy Policy at cloudflare.com/privacypolicy.
2.4 Customer Account Data (SaaS Service)
When you create a Zepilo account, we collect and process additional data to provide the Service, including account credentials, billing information, and usage data. This processing is governed by the Zepilo Terms of Service and the Data Processing Agreement (DPA) applicable to your account.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and, where applicable, compliance with legal obligations (Art. 6(1)(c) GDPR).
3. Infrastructure and Data Storage
Our platform infrastructure is hosted using Cloudflare services. Customer Data, including early-access form submissions, is stored in Cloudflare D1 databases in the EU region. We do not transfer personal data to countries outside the European Economic Area (EEA) without appropriate safeguards.
Cloudflare, Inc. acts as a data processor for Zepilo under a Data Processing Agreement that includes the EU Standard Contractual Clauses (SCCs) for transfers to the United States where applicable. Cloudflare complies with the EU–US Data Privacy Framework.
4. How We Share Your Data
We do not sell personal data. We share personal data only with:
- Cloudflare: infrastructure, CDN, and D1 database hosting (EU region), acting as our data processor;
- Payment processors: for processing subscription payments (when applicable), under their own privacy policies;
- Legal authorities: if required by law, court order, or to protect the rights and safety of Zepilo, our customers, or the public.
We use no advertising networks, social media tracking pixels, or third-party analytics platforms that receive personal data from our website.
5. Data Retention
We retain personal data for no longer than necessary for the purposes for which it was collected:
- Early-access form data: Up to 24 months from submission, or until you request deletion, or until a customer relationship begins.
- Contact form data: 12 months after the enquiry is resolved.
- Customer account data: For the duration of your subscription, and for up to 30 days after account termination (for data export), followed by deletion. Certain data may be retained longer to comply with legal obligations (e.g., financial records for 7 years under Dutch law).
6. Your Rights Under the GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): You can request deletion of your personal data where we no longer have a lawful basis to retain it.
- Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Where processing is based on consent or a contract and is carried out by automated means, you can request your data in a commonly used, machine-readable format.
- Right to object (Art. 21): You can object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@zepilo.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
7. Supervisory Authority
If you believe we are not handling your personal data in accordance with the GDPR, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens
https://www.autoriteitpersoonsgegevens.nl
We ask that you contact us first so we can try to resolve any concerns directly.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encryption in transit (TLS), access controls, and regular security reviews. No method of transmission over the internet is completely secure; while we strive to protect your data, we cannot guarantee absolute security.
9. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@zepilo.com so we can delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or by a notice on our website. The updated policy will be effective from the date indicated at the top of this page. We encourage you to review this policy periodically.
11. Contact
For any questions, data subject requests, or privacy concerns, contact:
privacy@zepilo.com