Privacy Policy
Last updated: March 11, 2026
1. Data Controller
The controller of your personal data is Piotr Zapolski Web Development, ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland, NIP: 5811976789, REGON: 523629115 ("Controller", "we", "us", or "our").
For any questions regarding your personal data, contact us at: hi@zoye.ai.
2. What Data We Collect
We collect the following categories of personal data:
- Account data — name and email address provided during registration.
- Billing data — payment information processed by third-party payment processors (Stripe). We do not store card details.
- Usage data — IP address, browser type and version, pages visited, time and date of visit, time spent on pages, device identifiers, and other diagnostic data collected automatically.
- Cookie data — session cookies, preference cookies, and security cookies (see Section 10).
- Communication data — content of emails and support requests you send us.
3. Purposes and Legal Basis of Processing
We process your personal data for the following purposes:
- Providing the Service — to create and manage your account, provide access to the platform, and deliver features you subscribe to. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Billing and payments — to process payments, issue invoices, and manage subscriptions. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Tax and accounting obligations — to comply with fiscal and accounting regulations. Legal basis: legal obligation (Art. 6(1)(c) GDPR).
- Customer support — to respond to your inquiries and resolve technical issues. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Service improvement and analytics — to analyze usage patterns, diagnose technical problems, and improve the Service. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Marketing communications — to send newsletters, product updates, and promotional materials. Legal basis: consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.
- Legal claims — to establish, exercise, or defend legal claims. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
4. Data Recipients
Your personal data may be shared with the following categories of recipients:
- Payment processors — Stripe, for payment processing. Their use of your data is governed by their own privacy policy.
- Cloud infrastructure providers — for hosting and data storage.
- AI service providers — for processing customer support messages through the platform (OpenAI, Anthropic, and others as described in the Service). Customer messages are processed using AI models to generate responses.
- Analytics providers — for website usage analytics.
- Accounting and legal advisors — for compliance with legal obligations.
- Public authorities — where required by law or a valid legal request.
5. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers (cloud hosting, AI providers, payment processors) are located. Such transfers are safeguarded by:
- European Commission adequacy decisions;
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- Other appropriate safeguards as required by the GDPR.
6. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Policy:
- Account data — for the duration of your account and up to 30 days after deletion.
- Billing data — for the period required by tax and accounting regulations (typically 5 years from the end of the fiscal year).
- Usage data — up to 26 months for analytics purposes.
- Communication data — for the duration of the business relationship plus 3 years for legal claims.
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access — to obtain confirmation of whether your data is being processed and receive a copy.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to request deletion of your data where there is no compelling reason for continued processing.
- Right to restriction — to request that we limit how we process your data.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
- Right to object — to object to processing based on legitimate interest, including profiling.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hi@zoye.ai. We will respond within 30 days.
8. Right to Lodge a Complaint
If you believe that your personal data is being processed in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl.
9. Customer Data Processing
When you use the Service to process personal data of your end users (e.g., customer support messages), you act as the Data Controller and we act as the Data Processor. This processing is governed by our Data Processing Agreement. We process Customer Data only as instructed by you and solely for the purpose of providing the Service.
10. Cookies
We use the following types of cookies:
- Essential cookies — required for the Service to function (session management, authentication, CSRF protection). These cannot be disabled.
- Preference cookies — remember your settings and preferences (e.g., language, theme).
- Analytics cookies — help us understand how the Service is used so we can improve it.
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using the Service.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including TLS encryption for data in transit, encrypted data at rest, regular backups, access controls, and security testing. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
12. Children's Privacy
The Service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.
13. Profiling
We may use anonymized and aggregated data for analytics and service improvement purposes. We do not make automated decisions that produce legal effects or similarly significant effects on you based solely on automated processing, including profiling.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a notice on the Service at least 14 days before the changes take effect. We encourage you to review this page periodically.
15. Contact
For any questions regarding this Privacy Policy or your personal data, contact us:
- Piotr Zapolski Web Development
- ul. Cybernetyki 2B/124, 02-677 Warsaw, Poland
- NIP: 5811976789 | REGON: 523629115
- Email: hi@zoye.ai