Privacy Policy

Zykra (“we”, “our”, “us”) respects your privacy. This policy explains what personal data we collect, how we use it, who we share it with, and your rights. By using zykra.io, you agree to this policy.

1. Data we collect

• Account data: email address, name (if provided via Google OAuth), account creation date.
• Billing data: Stripe customer ID, active plan, payment history — processed directly by Stripe, we never see your card details.
• Content: text prompts, reference images you upload, and generated images/videos.
• Usage data: credits consumed, generation logs, model used, feature interactions.
• Technical data: IP address, browser user-agent, session cookies, device type.

2. How we use your data

We process your data to:

• deliver the Service (authentication, billing, generation);
• display your private creation library;
• prevent fraud, abuse, and violations of our Terms;
• improve the product through aggregated, anonymized analytics;
• send transactional emails (receipts, account changes, critical updates).

We do not use your generated content or prompts to train AI models. We do not sell your data to third parties.

3. Legal basis for processing (GDPR Art. 6)

• Contract performance — to provide the Service you signed up for (account, generation, billing).
• Legal obligation — tax and accounting records.
• Legitimate interest — fraud prevention, security, product analytics (always aggregated).
• Consent — marketing communications (you can opt out anytime).

4. Third-party subprocessors

We rely on the following processors to deliver the Service. Each is bound by data processing agreements:

• Supabase (EU hosting) — authentication, database, storage.
• Stripe (US/EU) — payment processing. Privacy policy.
• Fal.ai (US) — AI model execution (Kling, Seedance, Nano Banana).
• OpenAI (US) — prompt enhancement, optional.
• Vercel (US) — application hosting, CDN.
• ImprovMX — email forwarding for support@zykra.io.

5. International data transfers

Some of our subprocessors (Fal.ai, OpenAI, Vercel, Stripe) are located in the United States. Data transferred outside the European Economic Area is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and/or the EU-US Data Privacy Framework where applicable.

6. Cookies and local storage

We use only strictly necessary cookies and localStorage items:

• authentication session token (Supabase);
• current page persistence;
• in-progress generation detection.

We do not use advertising cookies or third-party trackers. No consent banner is required under the ePrivacy directive for strictly functional cookies.

7. Data retention

• Account + creations: kept as long as your account is active.
• After account deletion: all personal data is erased within 30 days.
• Billing records: retained for 10 years as required by tax law.
• Server logs: 30 days rolling window.

8. Your rights (GDPR)

If you are in the European Economic Area, UK, or Switzerland, you have the following rights under GDPR:

• Access — request a copy of your data.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion (“right to be forgotten”).
• Restriction — limit how we process your data.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — where processing is based on consent.

To exercise any right, email privacy@zykra.io. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority (in France: CNIL).

9. Security

We protect your data with:

• TLS 1.3 encryption for all traffic;
• hashed passwords (Supabase Auth, never stored in plain text);
• row-level security on all database access;
• limited access to production data (admins only, with audit trail).

In case of a data breach affecting your personal data, we will notify you and the competent supervisory authority within 72 hours as required by GDPR Art. 33–34.

10. Age restriction

Zykra is not intended for users under 16 years old. If you are under 16, please do not use the Service without parental consent. We do not knowingly collect data from children under 16.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in law or in our Service. Material changes will be communicated by email or a prominent notice on zykra.io at least 14 days before they take effect. The “Last updated” date at the top reflects the current version.

12. Contact

For any privacy-related question or to exercise your rights:

Privacy email: privacy@zykra.io
General support: support@zykra.io