Privacy Policy

Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign up through a third-party provider (such as Google), we receive basic profile information (name, email, profile picture, and provider account ID) from that provider.

Workflow & Integration Data

To power your automations, we process the workflow configurations you create and the data that flows through your connected services. This includes OAuth access tokens and refresh tokens for the third-party services you connect, the inputs and outputs of each step you run, and the trigger events that start your workflows.

Data From Connected Google Services

When you connect a Google account, Zigease accesses Google user data only as needed to perform the actions and triggers you have explicitly configured in your workflows (for example, sending a Gmail message, reading a row from Google Sheets, or creating a Calendar event). This data is processed transiently to execute your workflow and only persisted in your run history when needed for debugging and re-runs, subject to the retention limits in Section 6.

Usage Data

We automatically collect information about how you interact with Zigease, including pages visited, features used, workflow run logs, and performance metrics.

Device & Technical Data

We collect browser type, operating system, IP address, and device identifiers to ensure security and improve our service.

We use the information we collect to:

• Provide, maintain, and improve the Zigease platform
• Run the workflows you build and process the data that flows through them
• Send you service-related communications (such as security alerts and product updates)
• Monitor for and prevent fraud, abuse, and security threats
• Analyze aggregated, de-identified usage patterns to improve the product
• Provide customer support and respond to your requests

Zigease’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You can review the policy at https://developers.google.com/terms/api-services-user-data-policy.

Scopes We Request and Why

We request only the minimum Google OAuth scopes needed to power the actions and triggers you choose to use:

• gmail.modify (Gmail) — to read incoming messages for your trigger filters, send and reply to email, apply labels, and archive messages on your behalf when your workflow includes a Gmail step.
• spreadsheets (Google Sheets) — to read rows for triggers and to add, update, or find rows in the spreadsheets you select inside a workflow step.
• drive (Google Drive) — to list your existing files and folders so you can pick them inside the Zigease editor, watch a folder you choose for new files, and create folders or text files at locations you select. We do not browse, download, or modify Drive files outside of these workflow steps.
• documents (Google Docs) — to create new Google Docs and append text to documents you select inside a workflow step.
• calendar.events (Google Calendar) — to read events for triggers and to create, update, or find events in the calendars you select inside a workflow step. We do not access calendar settings or sharing permissions.
• forms.body.readonly (Google Forms) — to list your existing forms and read their field structure so you can configure a response-triggered workflow inside the Zigease editor.
• forms.responses.readonly (Google Forms) — to receive responses submitted to a form you have selected as a workflow trigger.
• Basic profile (email, name, profile picture) — only used when you sign in to Zigease with Google.

Limited Use Commitments

We make the following binding commitments about data we receive from Google APIs:

• We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models.
• We do not transfer Google user data to third parties except as needed to provide or improve the user-facing features of Zigease, comply with applicable law, or as part of a merger, acquisition, or asset sale where the acquirer continues to honor this policy.
• We do not use or transfer Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
• We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or the data has been aggregated and is used for internal operations in line with applicable privacy laws.

Disconnecting and Deleting Google Data

You can disconnect any Google account at any time from your Zigease connections page; this revokes our stored access and refresh tokens. You can also revoke access directly at https://myaccount.google.com/permissions. Once disconnected, we delete the associated tokens immediately and remove related run history within 30 days. To request deletion of all Google user data we hold about you, email privacy@zigease.com.

We do not sell your personal information and we do not share Google user data except as described in Section 3. We share other data only in the following circumstances:

• With the third-party services you explicitly connect to your workflows, only as needed to perform the actions you have configured.
• With the service providers (subprocessors) listed below, who help us operate Zigease under written data processing agreements that require confidentiality and equivalent security standards.
• When required by law, legal process, or to protect the rights, property, or safety of Zigease, our users, or the public.
• In connection with a merger, acquisition, or sale of assets, with advance notice and continuing privacy protections.

Subprocessors

We currently rely on the following subprocessors to operate Zigease:

• Supabase (PostgreSQL database, authentication, file storage) — India (Mumbai).
• Vercel (frontend application hosting and edge delivery) — United States.
• Railway (backend application hosting and job queue) — United States.
• Resend (transactional email delivery) — United States.
• Polar (subscription billing and merchant of record for paid plans) — United States. Polar processes your billing details (name, billing address, payment method, transaction history) and issues invoices and receipts on our behalf. We do not store full credit card numbers ourselves.
• OpenAI, Anthropic, and Google (Gemini) — invoked only when your workflow includes an AI step you have configured. The data you choose to send to that step is processed by the selected provider to generate the step output. These providers act as subprocessors only for workflows that explicitly include an AI step. We do not use Google user data to train AI models, and our AI providers do not retain inputs for training under their default API terms.

Analytics & Advertising Partners

We use a small set of third-party tools to understand how the product is used and to measure marketing campaigns. These tools never receive Google user data — see Section 3 for our Limited Use commitments.

• Microsoft Clarity (session analytics and replay) — runs on our marketing pages and inside the authenticated product. We configure Clarity to mask form inputs and dynamic content that may contain personal data or data from your connected services. Clarity stores recordings on Microsoft infrastructure in the United States.
• Google Analytics 4 (aggregate product and site analytics) — runs on our marketing pages and inside the authenticated product. IP addresses are anonymized.
• Google Tag Manager (tag container) — used to load the tags listed in this section on our marketing pages. Tag Manager itself does not collect personal data.
• Meta Pixel (advertising conversion and retargeting for Facebook and Instagram ads) — runs only on our public marketing pages (zigease.com landing pages, pricing, blog). It does not run inside the authenticated product and does not receive any data from your connected services or your workflow runs.

We protect your data with industry-standard administrative, technical, and physical safeguards:

• All data is encrypted in transit using TLS 1.2 or higher.
• Data at rest in our database and backups is encrypted using AES-256.
• OAuth access tokens and refresh tokens are encrypted at the application layer with a separate key before being stored.
• Access to production systems is restricted by role, requires multi-factor authentication, and is logged and reviewed.
• We follow a secure software development lifecycle that includes mandatory peer code review, automated dependency vulnerability scanning, secret scanning, and authenticated vulnerability scans of the application.
• We maintain a documented incident response plan and will notify affected users without undue delay if a confirmed breach materially affects their data.

We retain different categories of data for different periods:

• Account data — retained for as long as your account is active.
• OAuth tokens for connected services — retained until you disconnect the service or delete your account; deleted immediately on disconnect.
• Workflow run history (including any Google user data captured during a run) — retained for 90 days by default, then automatically deleted.
• Application logs and security logs — retained for up to 30 days.
• Billing records — retained for the period required by tax and accounting law (typically 7 years).

When you delete your account, we delete or anonymize your personal data within 30 days, except where we are legally required to retain specific records.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data, including any Google user data
• Export your data in a portable format
• Opt out of non-essential communications
• Withdraw consent for data processing where applicable

To exercise any of these rights, email privacy@zigease.com and we will respond within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you specific rights regarding your personal information, in addition to the rights described in Section 7:

• Right to Know — request the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions (such as completing a transaction or complying with a legal obligation).
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing — Zigease does not sell personal information and does not share personal information for cross-context behavioral advertising. There is nothing to opt out of, but you may submit a request at any time.
• Right to Limit Use of Sensitive Personal Information — Zigease does not use sensitive personal information for purposes beyond what is necessary to provide the service, so this right is functionally satisfied by default.
• Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any California rights, email privacy@zigease.com with the subject line "California Privacy Request." We will verify your identity through your account email before fulfilling the request and will respond within 45 days. We do not have a financial incentive program subject to California Civil Code §1798.125, and we have not knowingly disclosed personal information for direct-marketing purposes under California Civil Code §1798.83 ("Shine the Light") in the preceding 12 months.

Zigease does not engage in automated decision-making, including profiling, that produces legal effects concerning you or that similarly significantly affects you. Workflow execution is driven by the configurations you author and the triggers you connect, not by algorithmic decisions made by us about you.

Zigease is operated from Israel, and our subprocessors may process your data in the United States and India. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms to protect personal data that leaves your country.

We use cookies and similar technologies in three categories:

• Essential cookies — keep you signed in and maintain session state. These are required for the product to function.
• Analytics cookies — set by Microsoft Clarity and Google Analytics 4 to help us understand how the product and our marketing site are used. Clarity also records masked session replays inside the authenticated product so we can debug usability issues; we configure it to mask form inputs and dynamic content that may contain personal data or data from your connected services.
• Advertising cookies — set by Meta Pixel only on our public marketing pages (zigease.com landing pages, pricing, blog) so we can measure the effectiveness of Facebook and Instagram ad campaigns and retarget visitors who have not yet signed up. Advertising cookies are not set inside the authenticated product, and we do not use Google user data, ever, to serve advertising.

You can manage cookie preferences through your browser settings, opt out of Google Analytics with the official browser add-on at https://tools.google.com/dlpage/gaoptout, opt out of Clarity recordings via your browser settings, and adjust Meta ad personalization in your Facebook account settings. If you are in a region that requires opt-in consent (such as the EEA, UK, or Switzerland), non-essential cookies will only fire after you have given consent through our cookie banner.

When you connect a third-party service to Zigease, that service has its own privacy policy that governs how it handles your data on its side. We encourage you to review the privacy policies of any service you connect. We always request the minimum permissions necessary for your workflows to function.

Zigease is not directed at children under 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the product at least 14 days before they take effect. Continued use of Zigease after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, or if you want to exercise any of your rights, reach out to us at privacy@zigease.com. For written correspondence by post, contact us first by email to request our registered postal address.