This policy covers how Zaai Studio (Pty) Ltd ("Zaai", "we", "us") handles personal data inside the Zaai Dev platform — the workspace at zaaistudio.com/dev, the API surface, and the sibling MCP server. The Chrome extension is governed by its own local-only privacy policy listed on the Chrome Web Store.
1. What we collect
We collect only what we need to run the workspace and the billing relationship.
- Account — email address, optional display name, chosen authentication method (magic link or Google OAuth).
- Workspace content — projects, captures pushed from the extension (screenshots, HTML, computed styles, palette, fonts, animation metadata, source URL + title), brief intake answers, brand brief versions, decisions log, API/MCP tokens.
- Billing — Stripe customer ID and subscription / top-up history. We never store card numbers; Stripe handles them directly.
- Telemetry — product analytics events for feature usage, error reports, and request-level performance. We do not record sessions or replay keystrokes.
2. How AI processes your content
When you ask Zaai Dev to generate a brand brief, classify a capture, or run an MCP read tool, the relevant data is sent to our AI providers — Anthropic (Claude) for synthesis and classification, OpenAI for embeddings.
- Anthropic and OpenAI do not train on data submitted via the paid API; this is contractually guaranteed per their current terms.
- Cached prompts and responses are retained only as long as needed to deliver the response and any retries.
- You can run any account in AI_MOCK mode for evaluation; no data leaves Zaai infrastructure in that mode.
3. Subprocessors
The third-party services we rely on:
- Supabase — Postgres, Auth, Storage, Realtime (EU region).
- Vercel — application hosting + edge network.
- Stripe — payments + invoicing + tax calculation.
- Anthropic — Claude API (synthesis and classification).
- OpenAI — embeddings API (text-embedding-3-small only).
- Resend — transactional email delivery.
- Sentry — error tracking.
- PostHog — product analytics (EU cloud).
- Better Stack — uptime monitoring + status page.
4. Where data sits
Your workspace data lives in our Supabase project in the EU region. The MCP server reads through the same backend.
5. Retention
Workspace data is retained for as long as your account is active and for 90 days after you cancel, to handle billing disputes and re-activation. After 90 days we permanently delete captures, briefs, intake drafts, and decisions; you can request immediate deletion at any time via the contact below.
Audit logs (sign-ins, token issuance, payment events) are retained for 12 months for security and compliance.
6. Your rights
You can access, export, correct, or delete your personal data at any time. Export buttons live inside the workspace; deletion requests go to the contact email below. We respond within 14 days.
EU and South African residents have the rights described in GDPR and POPIA respectively, including the right to lodge a complaint with your local supervisory authority.
7. Security
Captures are protected by row-level security; only members of your organisation can read them. API and MCP tokens are stored hashed and can be revoked at any time from /dev/settings/tokens. All traffic uses TLS.
8. Changes
When we change this policy materially we'll email account owners and update the "last updated" date above before the change takes effect.
9. Contact
Email privacy@zaaistudio.com with privacy questions, deletion requests, or DSAR submissions.