Privacy Policy
Last updated: March 30, 2026
This Privacy Policy explains how SBI, operating as ZOE Pulse ("we," "us," or "our"), collects, uses, shares, and protects personal data when you use our websites at zoepulse.pro and zoeai.pro and our AI-powered market research platform (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Identity and Contact Details
The data controller responsible for your personal data is:
SBI, operating as ZOE Pulse
Websites: zoepulse.pro / zoeai.pro
Email: legal@zoepulse.pro
As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is carried out in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
2. Contact for Privacy Inquiries
For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us at:
Privacy Team
Email: legal@zoepulse.pro
We aim to respond to all privacy inquiries within 30 days. For requests made under GDPR, we will respond within one calendar month of receipt, unless the request is complex, in which case we may extend the response period by up to two additional months with prior notice to you.
3. Purposes of Processing and Legal Basis
We process your personal data for the following purposes, each paired with its lawful basis under Article 6(1) of the GDPR:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Name, email address, hashed password | Performance of a contract (Art. 6(1)(b)) |
| Providing the AI market research service | Business name, industry, location, research inputs | Performance of a contract (Art. 6(1)(b)) |
| Generating AI-powered research reports | Business profile data, research parameters, Google Places public data | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Email, subscription tier, payment metadata (card details handled solely by Stripe) | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (confirmations, reports, password resets) | Name, email address | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing communications (with consent) | Name, email address | Consent (Art. 6(1)(a)) |
| Improving service quality and performance | Usage data, anonymized interaction patterns, error logs | Legitimate interest (Art. 6(1)(f)) — improving our platform |
| Ensuring platform security and preventing fraud | IP address, user agent, access logs, authentication events | Legitimate interest (Art. 6(1)(f)) — security |
| Complying with legal obligations | Account data, transaction records | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us at legal@zoepulse.pro.
4. Categories of Personal Data
4.1 Account Data
When you create an account, we collect your full name, email address, and a password. Your password is cryptographically hashed using industry-standard algorithms before storage; we never store passwords in plaintext.
4.2 Business Profile Data
To deliver market research, we collect your business name, industry classification, geographic location, and any additional business details you choose to provide during onboarding or research configuration. We may also retrieve publicly available data about your business from the Google Places API, including public reviews, ratings, business hours, and address information.
4.3 Usage Data
We automatically collect technical and usage data when you interact with our Service, including:
- IP address, browser type and version, operating system
- Pages visited, features used, and actions taken within the platform
- Time and date of visits, session duration, and referring URL
- Research projects created, reports generated, and report configurations
- Error logs and performance metrics
4.4 Payment Data
We use Stripe as our payment processor. When you subscribe to a paid plan, Stripe collects and processes your payment card details directly. We do not receive, access, or store your full credit card number. We receive only a Stripe customer ID, the last four digits of your card, the card brand, subscription status, and billing-related metadata necessary to manage your account.
4.5 Data We Do Not Collect
We do not knowingly collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, sexual orientation) unless you voluntarily include such information in free-text research inputs. We strongly advise against providing sensitive personal data in research parameters.
5. Third-Party Processors
We share personal data with the following third-party service providers who process data on our behalf under appropriate data processing agreements:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase (US) | Database hosting and storage | All account and business data stored in our PostgreSQL database | supabase.com/privacy |
| Vercel (US) | Application hosting and edge delivery | IP address, request headers, access logs | vercel.com/legal/privacy-policy |
| Google (US) | Places API — public business data retrieval; Gemini LLM — AI report generation | Business name, location, industry (for Places API lookups); anonymized research parameters (for LLM processing) | policies.google.com/privacy |
| OpenAI (US) | LLM processing for AI-generated research content | Anonymized research parameters and business context (no direct personal identifiers sent) | openai.com/policies/privacy-policy |
| DeepSeek (China) | LLM processing for AI-generated research content | Anonymized research parameters and business context (no direct personal identifiers sent) | deepseek.com/privacy |
| Brevo (EU/France) | Transactional and marketing email delivery | Name, email address | brevo.com/legal/privacypolicy |
| Stripe (US) | Payment processing and subscription management | Email, payment card details (handled directly by Stripe), billing metadata | stripe.com/privacy |
We do not sell, rent, or trade your personal data to any third party. Data shared with the processors listed above is strictly limited to what is necessary for them to perform their designated service on our behalf.
6. International Transfers
Your personal data is stored in the United States on Supabase's PostgreSQL infrastructure. Our application is hosted on Vercel's global edge network, with primary compute resources in the United States.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your data is transferred to the United States and potentially to other countries where our third-party processors operate. We ensure that such transfers are protected by appropriate safeguards, including:
- EU-US Data Privacy Framework (DPF): Where our processors are certified under the EU-US Data Privacy Framework, we rely on this adequacy decision as the legal mechanism for transfer.
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, we have executed the European Commission's Standard Contractual Clauses with our processors to ensure an adequate level of data protection.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs as applicable.
Please note that DeepSeek operates from China. When DeepSeek is used for LLM processing, only anonymized research parameters are transmitted; no direct personal identifiers (such as your name or email address) are sent to DeepSeek. This transfer is safeguarded by Standard Contractual Clauses and supplementary technical measures including data minimization and pseudonymization.
You may request a copy of the relevant transfer mechanisms by contacting us at legal@zoepulse.pro.
7. Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. The specific retention periods are as follows:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data (name, email, password hash) | Duration of account + 30 days after deletion request | Contract performance; grace period for account recovery |
| Business profile data | Duration of account + 30 days | Required to deliver the Service |
| Research projects and generated reports | Duration of account + 90 days | Extended grace period so users can export reports before permanent deletion |
| Payment and billing records | 7 years after transaction | Legal obligation — tax and accounting regulations |
| Usage and access logs | 12 months | Security monitoring and service improvement |
| Marketing consent records | Duration of consent + 3 years after withdrawal | Legal obligation — demonstrating valid consent |
| Support correspondence | 3 years after last interaction | Legitimate interest — service continuity and dispute resolution |
When retention periods expire, data is permanently deleted or irreversibly anonymized. Anonymized data that can no longer identify you may be retained indefinitely for statistical and analytical purposes.
8. Data Subject Rights (GDPR)
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR with respect to your personal data:
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes, categories of data, recipients, retention periods, and your rights. You may request a copy of your personal data free of charge.
- Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most account information directly through your account settings, or contact us for assistance.
- Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent (where consent is the basis), you object to processing and there are no overriding legitimate grounds, or the data has been unlawfully processed. This right does not apply where retention is required for compliance with a legal obligation.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data where you contest the accuracy of the data, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of our legitimate grounds.
- Right to Data Portability (Art. 20): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance. This applies to data processed by automated means based on consent or contract performance.
- Right to Object (Art. 21): You have the right to object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You may object to direct marketing at any time, and we will cease processing for that purpose immediately.
- Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. See Section 11 for details on how AI is used in our Service.
- Right to Withdraw Consent (Art. 7(3)): Where we rely on consent as a legal basis, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw marketing consent by clicking the unsubscribe link in any marketing email or by contacting us directly.
You also have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at edpb.europa.eu.
9. How to Exercise Your Rights
To exercise any of the rights described above, you may:
- Email us: Send a request to legal@zoepulse.pro with the subject line "Privacy Rights Request."
- Use in-app controls: You can update your profile information, download your data, or delete your account from the account settings page within the platform.
When you submit a request, we may need to verify your identity before processing it. We will ask you to confirm information associated with your account (such as your email address) or to respond to a verification email. We will not require you to create an account solely to make a privacy request.
We will process your request free of charge unless the request is manifestly unfounded or excessive (for example, due to its repetitive character), in which case we may charge a reasonable fee or refuse to act on the request, providing you with reasons for our decision.
We will respond to your request within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months. We will inform you of any extension within the first month along with the reasons for the delay.
10. Statutory or Contractual Requirement
The provision of your name, email address, and password is a contractual requirement necessary to create your account and access the Service. Without this data, we cannot provide the Service to you.
The provision of business profile data (business name, industry, location) is a contractual requirement necessary to generate AI-powered market research reports. Without this data, the core functionality of the Service cannot operate.
The provision of payment data (processed by Stripe) is a contractual requirement for paid subscription tiers. You are not obligated to subscribe to a paid plan, but certain features are available only to paying subscribers.
You are not under a statutory obligation to provide any personal data to us. However, failure to provide the data described above will prevent us from fulfilling our contractual obligations to you.
11. Automated Decision-Making and Profiling
ZOE Pulse uses artificial intelligence (AI) and large language models (LLMs) to generate market research reports, competitive analyses, and strategic recommendations. This processing is a core feature of the Service and operates as follows:
- Input: You provide business profile information and research parameters. Our system may also retrieve publicly available business data from the Google Places API.
- Processing: This input is sent to LLM providers (Google Gemini, OpenAI, or DeepSeek) in an anonymized form to generate research content. Personal identifiers such as your name and email are not transmitted to LLM providers.
- Output: The AI generates research reports containing market analysis, competitor insights, and strategic recommendations based on the input data and the model's training data.
Important: AI-generated reports are informational tools, not decisions that produce legal effects or similarly significantly affect you. The reports do not determine your eligibility for services, credit, employment, or any other outcome. They are research aids intended to support your own business decision-making.
We do not engage in automated individual decision-making or profiling that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR.
If you have concerns about how AI is used in the Service, you may contact us at legal@zoepulse.pro to request human review of any AI-generated output.
12. Cookie Policy
Our Service uses cookies and similar technologies for the following purposes:
12.1 Strictly Necessary Cookies
These cookies are essential for the Service to function and cannot be disabled. They include session authentication cookies that maintain your logged-in state and CSRF tokens that protect against cross-site request forgery. Legal basis: legitimate interest (security and functionality).
12.2 Functional Cookies
These cookies remember your preferences (such as theme settings or dashboard configurations) to enhance your experience. Legal basis: legitimate interest (user experience).
12.3 Analytics Cookies
We may use analytics tools to understand how visitors interact with our Service. Where analytics cookies are used, they are deployed only with your consent, and you may withdraw consent at any time via your browser settings or our cookie management controls.
12.4 Managing Cookies
You can control and delete cookies through your browser settings. Note that disabling strictly necessary cookies may impair the functionality of the Service. For more information on managing cookies, visit allaboutcookies.org.
13. AI-Specific Disclosures
13.1 AI-Generated Content
Research reports, market analyses, competitive assessments, and strategic recommendations produced by ZOE Pulse are generated using artificial intelligence. While we strive for accuracy and quality through multi-pass auditing and validation processes, AI-generated content may contain inaccuracies, outdated information, or incomplete analyses. AI-generated reports should be used as one input among many in your business decision-making process, not as the sole basis for significant decisions.
13.2 No AI Training on Customer Data
We do not use your personal data, business data, research inputs, or generated reports to train, fine-tune, or improve any artificial intelligence or machine learning models. Your data is used solely to deliver the Service to you. The LLM providers we use (Google Gemini, OpenAI, and DeepSeek) are engaged under API terms of service that prohibit them from using API inputs and outputs to train their models.
13.3 Data Minimization in AI Processing
When sending data to LLM providers for report generation, we apply data minimization principles. Personal identifiers (your name, email address, and account credentials) are stripped before transmission. Only the business context and research parameters necessary for report generation are transmitted. LLM providers receive anonymized prompts and do not have access to your account information.
13.4 Human Oversight
Our AI system includes automated quality checks (dual audit at both the section and cross-section level). You may also request human review of any AI-generated output by contacting us. We continuously monitor and improve the quality of our AI outputs.
14. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section supplements the rest of this Privacy Policy with information specific to California residents.
14.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, IP address, unique account ID
- Commercial information: Subscription tier, transaction history, services purchased
- Internet or other electronic network activity: Browsing history on our Service, interaction data, search queries within the platform
- Professional or employment-related information: Business name, industry, business location (as voluntarily provided)
- Inferences: Business profile characteristics derived from the above categories to deliver relevant research
14.2 Sale and Sharing of Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months, and we have no plans to sell personal information in the future.
We do not share your personal information for cross-context behavioral advertising. We do not participate in cross-context behavioral advertising as defined by the CPRA.
14.3 Your CCPA/CPRA Rights
As a California resident, you have the right to:
- Right to Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your personal information.
- Right to Delete: Request the deletion of your personal information, subject to certain exceptions (for example, where retention is required to complete a transaction, detect security incidents, or comply with a legal obligation).
- Right to Correct: Request the correction of inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale or Sharing: Although we do not sell or share personal information for behavioral advertising, you may submit an opt-out request at any time. We will honor Global Privacy Control (GPC) signals as a valid opt-out request.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Service, charge different prices, provide a different quality of service, or suggest that you will receive any of these as a consequence of exercising your rights.
14.4 Exercising Your California Rights
To exercise your rights under the CCPA/CPRA, you may:
- Email us at legal@zoepulse.pro with the subject line "California Privacy Rights Request"
- Use the account settings within the platform to access, download, or delete your data
We will verify your identity before processing your request by confirming your email address and account information. You may designate an authorized agent to make a request on your behalf. If you use an authorized agent, we may require proof that you provided the agent with written permission and may require the agent to verify their own identity.
We will respond to verifiable consumer requests within 45 calendar days. If we need additional time, we will inform you of the reason and the extension period (up to an additional 45 days).
14.5 Financial Incentive Programs
We do not offer financial incentive programs tied to the collection, retention, or sale of personal information.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- Post the revised Privacy Policy on our website
- For material changes that significantly affect how we process your personal data, notify you by email at the address associated with your account at least 30 days before the changes take effect
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acknowledgment of the changes. If you do not agree with the revised policy, you should discontinue use of the Service and delete your account.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
SBI, operating as ZOE Pulse
Email: legal@zoepulse.pro
Website: zoepulse.pro
For EU/EEA residents, you may also contact your local data protection supervisory authority if you are unsatisfied with our response. A list of supervisory authorities is available at edpb.europa.eu.