ZepthosZepthos Back
Legal

Privacy Policy

Last updated: July 4, 2026

1. Who we are

Zepthos (“we”, “us”, “our”) is an AI product-photography studio that turns reference images into 360° turntable renders and lifestyle shots. This policy explains what data we collect, why, and how you can control it.

Contact: privacy@zepthos.com

2. Data we collect

• Account data — name, email, hashed password (bcrypt), plan, credit balance.

• Content you upload — reference images, prompts, generated renders, and metadata (project title, tier, angle count).

• Billing data — Stripe customer ID and payment status. We never see or store raw card numbers; Stripe handles all card data (PCI DSS Level 1).

• Usage data — pages visited, feature usage, API request timing, error logs. Used for reliability and product improvement.

• Shopify data (if you connect a store) — shop domain, offline access token, and IDs of products we publish on your behalf. We do not read customer or order data.

3. How we use it

• To run your account, generate renders, and deliver the service you signed up for.

• To process payments through Stripe and issue receipts.

• To send transactional email (verification, receipts, password reset) via Resend.

• To detect abuse, prevent fraud, and comply with legal obligations.

• We do NOT sell your data. We do not train foundation models on your uploads.

4. Data sharing / sub-processors

We rely on a small set of vetted vendors, each under a Data Processing Addendum:

• Stripe — payments.

• Resend — transactional email.

• Google (Gemini) & Emergent — AI image generation.

• MongoDB Atlas — database hosting.

• Cloudflare — CDN and DDoS protection.

We disclose data only when strictly required by law, subpoena, or to protect the safety of users and the public.

5. Retention

• Account data — kept for as long as your account is active.

• Uploaded reference images — stored until you delete the project or delete your account.

• Generated renders — stored until you delete them.

• Billing records — retained for 7 years to meet tax and accounting obligations.

• Logs — 90 days.

6. Your rights

You can, at any time:

• Access, export, or delete your projects from the Account page.

• Delete your account (Account → Danger Zone). This purges profile, projects, and uploaded files.

• Email privacy@zepthos.com for GDPR / CCPA data-subject requests — we respond within 30 days.

7. Shopify merchants

If you install Zepthos as a Shopify app, we honor Shopify’s three mandatory GDPR webhooks:

• customers/data_request — forwards to privacy@zepthos.com so we can respond within 30 days.

• customers/redact — we do not store shopper-level PII, so this is a no-op logged for audit.

• shop/redact — fires 48 hours after uninstall; we purge your shop record, access token, and any publish history.

You can uninstall Zepthos from your Shopify admin at any time — the access token is revoked immediately on our side.

8. Security

All traffic runs over TLS 1.2+. Passwords are hashed with bcrypt. Access tokens are stored encrypted at rest. Backups are encrypted and rotated. We follow the principle of least privilege for internal access.

9. Children

Zepthos is not directed at children under 16 and we do not knowingly collect data from them.

10. Changes to this policy

We’ll post material changes on this page and, for significant updates, notify you by email. Effective date: July 4, 2026.

Questions? privacy@zepthos.com