Privacy Policy
Last updated: March 15, 2026
ZenBuild ("we," "our," or "us") operates zenbuild.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
1. Information We Collect
Information You Provide
- Account information: Name, email address, and password when you create an account.
- Payment information: Billing details processed securely by Stripe. We do not store credit card numbers on our servers.
- Form data: Form schemas, field configurations, and settings you create using our form builder.
- Submission data: Responses collected through forms you create and publish. You are the data controller for submission data collected from your end users.
- PDF files: Documents you upload, create, edit, or convert using our PDF tools.
- Signatures: Electronic signatures captured through our e-signature feature, including signature images and audit trail metadata (IP address, timestamp, user agent).
- Communications: Messages you send to us for support or feedback.
Information Collected Automatically
- Usage data: Pages visited, features used, actions taken, and timestamps.
- Device information: Browser type, operating system, screen resolution, and device identifiers.
- Log data: IP address, access times, referring URLs, and server logs.
- Cookies: We use cookies for authentication, session management, preferences (such as dark mode), and referral tracking. See Section 6 for details.
Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Google Sheets integration: If you connect Google Sheets, we access your Google account to create and write to spreadsheets on your behalf. We store encrypted OAuth tokens to maintain this connection.
- Stripe: Payment confirmation details, subscription status, and customer identifiers.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service.
- Process payments and manage subscriptions.
- Send transactional emails (account verification, password resets, billing receipts, form submission notifications, signing requests, referral notifications).
- Enforce plan limits and usage quotas.
- Generate anonymous, aggregated analytics to improve our tools.
- Detect and prevent fraud, abuse, and security incidents.
- Respond to support requests.
We do not sell your personal information to third parties. We do not use your form submission data or PDF files to train machine learning models.
3. How We Share Your Information
We share your information only with the following categories of service providers, solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, billing details, subscription status |
| Cloudflare (R2) | File storage | Uploaded files, PDF documents, signatures |
| Neon | Database hosting | All application data (encrypted at rest) |
| Vercel | Application hosting | Server logs, request data |
| Resend | Transactional email | Email addresses, notification content |
| Google APIs | Google Sheets integration, OAuth sign-in | OAuth tokens, spreadsheet data |
| Inngest | Background job processing | Job metadata, webhook payloads |
We may also disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Data Retention
- Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion.
- Form submissions: Retained until you delete them, or until your account is deleted.
- PDF files (temporary): Files processed through public PDF tools are processed client-side in your browser and are not uploaded to our servers unless explicitly saved. Temporary server-side files (batch operations) are deleted within 24 hours.
- Signed documents: Retained for the lifetime of the associated form or until you delete them.
- Audit logs: If applicable, retained for a minimum of 3 years.
- Server logs: Retained for up to 90 days.
5. Data Security
We implement industry-standard security measures, including:
- HTTPS/TLS encryption for all data in transit.
- Encrypted database connections with connection pooling.
- AES-256 encryption for sensitive stored credentials (OAuth tokens).
- SHA-256 hashing for API keys (we never store raw API keys).
- Timing-safe comparison for password-protected forms.
- Rate limiting on public endpoints to prevent abuse.
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy).
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication and login state | Browser session |
| Theme preference | Dark/light mode setting | Persistent |
| Referral cookie (zb_ref) | Tracks referral attribution | 30 days |
We do not use third-party advertising or tracking cookies.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated data.
- Export your data (form submissions can be exported as CSV or JSON via the dashboard or API).
- Object to or restrict certain processing.
- Withdraw consent for optional data processing.
To exercise any of these rights, contact us at the email address below. We will respond within 30 days.
8. International Data Transfers
Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. By using the Service, you consent to this transfer.
9. Children’s Privacy
The Service is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it.
10. Your Responsibilities as a Form Creator
When you collect data from your end users through forms you create on ZenBuild, you are the data controller for that data. You are responsible for:
- Providing your own privacy notice to your end users.
- Obtaining any necessary consents for data collection.
- Complying with applicable data protection laws (including GDPR, CCPA, and others).
- Responding to data subject requests from your end users.
ZenBuild acts as a data processor on your behalf for submission data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@zenbuild.io