Privacy Policy

Last updated: May 22, 2025

Data Controller
ZestScout sp. z o.o.
Nadwiślańska 11/69, 30-527 Kraków, Poland
KRS 0001172902, REGON 541759306, NIP 6793331395

We are not obliged to appoint a Data Protection Officer under Article 37 GDPR.

QUICK SUMMARY

  • No special-category data. We do not intentionally collect “sensitive” data (Art. 9 GDPR).
  • No significant automated decisions. Our algorithms never make legal or similarly significant decisions about you (see §6).
  • Cookies. We obtain consent for non-essential cookies through the CookieYes CMP, using Consent Mode v2 for Google services. Manage preferences any time in the banner or at our Cookie Notice (§5).
  • Cross-border transfers. When data leaves the EEA/UK/Switzerland we rely on the EU-US Data Privacy Framework, UK Extension, UK Addendum, or Standard Contractual Clauses plus a Transfer-Impact Assessment (TIA) (§8).
  • Your rights. GDPR, UK GDPR, Swiss FADP, US state laws and other regimes give you access, deletion, objection, portability and other rights (§12, §14). We answer within 30 days (extendable to 60).
  • Contact us. Questions? Write to privacy@zestscout.com.

TABLE OF CONTENTS

  1. What information do we collect?
  2. How do we process your information?
  3. Legal bases under GDPR/UK GDPR
  4. When and with whom do we share personal information?
  5. Cookies and similar tracking technologies
  6. Artificial-intelligence features & automated decision-making
  7. Social logins
  8. International transfers
  9. Data retention
  10. Security measures
  11. Minors
  12. Your privacy rights
  13. Do-Not-Track signals
  14. Notice for United States residents
  15. Updates to this notice
  16. How to contact us
  17. How to exercise your data rights

1. WHAT INFORMATION DO WE COLLECT?

Personal information you give us

  • Identifiers: name, email, company, billing address
  • Payment data: handled solely by Paddle.com Market Ltd. (see their privacy notice)
  • Optional social-login profile data

Special-category data: We do not collect or ask for data revealing racial or ethnic origin, political opinions, health, or other Art. 9 GDPR categories.

Information collected automatically

IP address, device/browser details, usage logs and crash reports. Collected via server logs and cookies (see §5).

Information from other sources

Public databases, marketing partners and social-media platforms may provide business contact data (name, email, company) used for B2B marketing where lawful. We collect this data based on our legitimate interest in conducting B2B marketing activities.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts.
  • To deliver our services. This includes generating curated content and providing AI-powered features.
  • To fulfil and manage your orders. This includes processing payments via Paddle and handling invoicing.
  • To respond to user inquiries/offer support to users.
  • To send administrative information to you. This includes details about products and services, changes to terms and policies, and other similar information.
  • To send you marketing and promotional communications. We may process your personal information for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time (see §12).
  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention (e.g., IP-based abuse detection).
  • To personalise your experience. We record the options you click and the text you submit to adapt future recommendations (e.g. relevance score, tone, content type, writing style). This “profiling” never produces legal or similarly significant effects. You can disable it in your account settings or by contacting us.
  • To improve our models. We may also use aggregated and pseudonymised usage patterns to improve our recommendation engine. You can opt out at any time by contacting privacy@zestscout.com.
  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them (usage analytics).

Purposes, activities and legal bases:

  • Account provisioning — Create/login accounts — Contract (Art. 6 (1)(b))
  • Service delivery — Generate curated content — Contract
  • Payments & invoicing — Process orders via Paddle — Contract; Legal obligation (tax)
  • Security & fraud — IP-based abuse detection — Legitimate interest (Art. 6 (1)(f))
  • Usage analytics — Improve features — Legitimate interest (Art. 6 (1)(f))
  • Marketing emails — Newsletters, offers — Consent or legitimate interest ('soft opt-in', Art. 6 (1)(f) + Art. 172 Polish TL; every e-mail includes an opt-out link)

3. LEGAL BASES UNDER GDPR/UK GDPR

We rely on consent, contract, legitimate interest, and legal obligation as described in §2. You can withdraw consent at any time (see §12).

4. WHEN AND WITH WHOM DO WE SHARE PERSONAL INFORMATION?

We share personal information with vendors, consultants, and other third-party service providers who perform services for us or on our behalf. The categories of third parties we share personal information with include:

  • Hosting & cloud — Vercel (US-East edge) — EU-US Data Privacy Framework
  • Payment processor — Paddle — Standard Contractual Clauses (EU 2021/914) + UK Addendum
  • Analytics & marketing — Google Analytics, Microsoft Clarity — Consent-based cookies
  • Data Storage — Neon (US-East) — Standard Contractual Clauses (EU 2021/914) + UK Addendum (per Neon DPA)
  • User Authentication — clerk.com — EU-US Data Privacy Framework

Sub-processor list: A more detailed list of specific sub-processors is available on request via privacy@zestscout.com. We will notify customers of material changes to our sub-processors at least 10 days in advance.

Business transfers: Data may be part of a merger, acquisition, or sale of all or a portion of our assets. We will give advance notice of any such transfer.

5. COOKIES AND SIMILAR TRACKING TECHNOLOGIES

We deploy CookieYes as our consent-management platform. Non-essential cookies (analytics, marketing) load only after you grant consent in the banner. We use Google Consent Mode v2 to manage consent signals for Google services like Google Analytics and Google Ads.

  • Cookie Notice: www.zestscout.com/cookies (contains a live cookie table)
  • Manage preferences at any time via the “Cookie Settings” link in the page footer.

You can also block cookies in your browser; some features may break.

Google Analytics

We use Google Analytics to track and analyze usage of our Services. Google Analytics may collect information about your use of the website and your IP address. We use this data to understand user behavior and improve the Service. Google's ability to use and share information collected by Google Analytics is restricted by the Google Analytics Terms of Service and the Google Privacy Policy. We may also use Google Analytics features like Remarketing or Demographics and Interests Reporting. You can opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on or via our cookie banner. For more information on Google's privacy practices, please visit the Google Privacy Policy.

6. ARTIFICIAL-INTELLIGENCE FEATURES & AUTOMATED DECISION-MAKING

AI features

Our service offers optional AI-powered content generation, insights, translation, and other features (e.g., text analysis, image generation and automation), provided by third-party AI service providers including but not limited to OpenAI Enterprise API and Google Cloud AI. Your prompts and outputs are transmitted to these providers solely to provide the requested result. Providers contractually agree not to train their general models on customer data.

Automated decision-making

We do not subject users to decisions based solely on automated processing that produce legal or similarly significant effects within the meaning of Art. 22 GDPR. All account actions (e.g., suspensions) involve a human review.

7. SOCIAL LOGINS

If you sign in with Google, Facebook, X (formerly Twitter) or another provider, we receive the profile data you authorise (e.g., name, email). Use is limited to authentication and account management. Please note that your use of the social-media provider is governed by their own privacy policy, not ours.

8. INTERNATIONAL TRANSFERS

Data may be processed in the United States, EU, Switzerland and other countries. We use one of:

  1. EU-US Data Privacy Framework (for providers certified under it),
  2. Swiss-U.S. Data Privacy Framework (for transfers from Switzerland to certified providers in the US),
  3. UK Extension to the EU-US Data Privacy Framework (for transfers from the UK to certified providers in the US),
  4. Standard Contractual Clauses + Transfer-Impact Assessment (plus technical measures such as encryption at rest/in transit and access controls).

A copy of the relevant SCCs and UK Addendum is available on request.

9. DATA RETENTION

  • Operational account data: Up to 12 months after account deletion
  • Invoices & tax records: 5 years
  • Backups: Encrypted; deleted within 30 days after primary data expiry

When no longer needed we delete or anonymise data; if deletion is impossible (e.g., in backups) we isolate and protect it until deletion is feasible.

10. SECURITY MEASURES

We apply ISO-27001-aligned technical and organisational measures: encryption at rest/in transit, least-privilege access, continuous logging. Still, no internet transmission is 100% secure; use the Service at your own risk.

11. MINORS

Our Services target business users aged 18+. We do not knowingly collect data from anyone under 18. If you believe we have done so, email privacy@zestscout.com and we will delete it.

12. YOUR PRIVACY RIGHTS

  • Access & copy: Yes
  • Rectification: Yes
  • Erasure (“right to be forgotten”): Yes
  • Restrict processing: Yes
  • Data portability: Yes
  • Object to processing: Yes (incl. marketing & profiling)
  • Withdraw consent: Where processing is based on consent

These rights are primarily granted by the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). Similar rights may apply to individuals in other jurisdictions.

We respond within 30 days (extendable to 60 days for complex cases).
You may lodge a complaint with the Polish UODO, the UK ICO, the Swiss FDPIC, or your local supervisory authority. Swiss residents may also lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

13. DO-NOT-TRACK SIGNALS

Industry standards for Do-Not-Track (DNT) signals are not final; we therefore do not respond to generic browser DNT headers. However, we do honour the Global Privacy Control (GPC) signal for residents of US states where required by law, as described in §14.

14. NOTICE FOR UNITED STATES RESIDENTS

This section provides information for residents of US states with comprehensive privacy laws, such as California (CPRA), Virginia (VCDPA), Colorado (CPA), Utah (UCPA), Connecticut (CTDPA), and others.

Notice at collection

  • Identifiers (A) — Yes — Account, billing, marketing* — Until account deletion + 12 months
  • Customer records (B) — Yes — Billing — 5 years
  • Internet activity (F) — Yes — Analytics, security — 12 months
  • Geolocation (G) — Yes (IP-based) — Security, analytics — 12 months
  • Inferences (K) — Yes — Marketing optimisation* — 12 months

*We share identifiers, internet activity and inferences with advertising partners for targeted advertising. Under certain US state laws, this may be considered a "sale" or "sharing" of personal information. You have the right to opt out of targeted advertising (and the sale/sharing of your personal information) via the cookie banner or the form in §17; we also honour Global Privacy Control (GPC) signals.

Your US Privacy Rights

Depending on your state of residence, you may have the right to:

  • Know what personal information is collected, used, shared, or sold.
  • Access and obtain a copy of your personal information.
  • Request correction of inaccurate personal information.
  • Request deletion of your personal information.
  • Opt out of the sale or sharing of your personal information (including for targeted advertising).
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Limit the use and disclosure of sensitive personal information (we do not collect sensitive personal information).
  • Not receive discriminatory treatment for exercising your privacy rights.

These rights are subject to certain exceptions.

We do not sell personal information for money. We do share personal information for targeted advertising as described above, from which you have the right to opt out.

15. UPDATES TO THIS NOTICE

If we change this Privacy Policy, we will post the new version here and update the “Last updated” date. Material changes will be announced via email or in-app notice at least 14 days before they take effect.

16. HOW TO CONTACT US

Email privacy@zestscout.com or write to:

ZestScout sp. z o.o.
Nadwiślańska 11/69
30-527 Kraków, Poland

17. HOW TO EXERCISE YOUR DATA RIGHTS

Submit a request by email to privacy@zestscout.com.
We may verify your identity (e.g., login, email confirmation).
If we deny your request, you may appeal by replying to our decision email. Unresolved appeals may be brought to your supervisory authority.

Account Information

You can review or change the information in your account or terminate your account at any time by logging into your account settings. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms, and/or comply with applicable legal requirements, as described in our Data Retention section (§9).

[^1]: Full mapping table available on request.