Legal document

Zaply.me Privacy Policy

This Privacy Policy explains what data we process in connection with Zaply.me, why we process it, who receives it, and what rights users have.

Last updated: 14 April 2026

Data controller

Controller
Piotr Feder operating under the piotrfeder.pl - Piotr Feder brand and developing the Zaply.me service.
Service scope
A platform for local online visibility workflows, review handling, content publishing, business profile auditing, and competitor analysis.
Address
96-300 Żyrardów, ul. Sowińskiego 13/9
Privacy contact email
contact@zaply.me
1

What data we process

The data scope depends on the features you use. We primarily process account data, service settings, and data related to analytics and integrations.

We may also process business-related data such as your company name, address, Google listing data, review content, suggested replies, post content, media assets, and workflow preferences.

  • identification and contact data such as name, surname, email address, and external account identifiers,
  • login and security data including encrypted integration tokens, session metadata, and account activity details,
  • service settings such as industry, tone of voice, SEO keywords, business profile URLs, and connected accounts,
  • business and operational data including reviews, audits, generated content, competitor data, and ranking campaign data,
  • technical and analytics data related to cookies, consent settings, and service usage.
2

Data sources

We receive data directly from users when they register, complete their profile, enter business details, connect integrations, or use specific modules.

Some data comes from third-party services that the user connects to Zaply.me or that are required to deliver selected features.

  • Google OAuth and Google Business Profile when the user chooses sign-in or listing connection,
  • Meta/Facebook when the user uses an available social login or integration,
  • DataForSEO and other SEO or competitor data sources used to analyze visibility,
  • analytics and security tools when consent is given or when the data is necessary to protect the service.
3

Purposes and legal bases

We process data mainly to perform the electronic service agreement, operate the account, deliver requested product features, and protect application security.

Depending on the context, the legal basis may also be user consent, a legal obligation, or the controller's legitimate interest.

  • contract performance: registration, sign-in, account administration, feature delivery, and settings storage,
  • consent: electronic marketing and analytics or marketing cookies when accepted by the user,
  • legitimate interest: security, abuse prevention, product improvement, error diagnostics, and legal defense,
  • legal obligation: retaining documentation or data where required by law.
4

Recipients and processors

We use technology vendors that process data on our behalf or act as separate controllers depending on the nature of the service. The scope shared with each provider is limited to what is necessary for the relevant function.

Data may be transferred outside the European Economic Area if a selected provider operates global infrastructure. In such cases we rely on appropriate compliance mechanisms required by applicable law.

  • Google: OAuth sign-in, Google Business Profile, Google Analytics, Google Cloud Storage, Cloud Run, and other cloud infrastructure components,
  • Supabase: PostgreSQL database hosting and maintenance of the application's data layer,
  • Stripe: checkout processing, subscriptions, one-time payments, billing events, and payment administration,
  • Google Vertex AI: content analysis and recommendation or content generation support,
  • DataForSEO: visibility, competitor, ranking, and review-source data retrieval,
  • Meta/Facebook: social sign-in or integrations enabled by the user where available,
  • technical vendors for hosting, monitoring, error handling, security, and maintenance support.
The detailed transfer scope depends on the features actually activated by the user and on the current product version. For Stripe-related processing, shared billing data may include billing email, full name, company name, tax ID/VAT ID, billing address fields, and technical transaction identifiers required to complete or document the payment flow.
5

Billing and payment data

When the user chooses paid access, Zaply.me processes billing profile data and payment-related metadata required to create checkout sessions, prepare billing records and manually issued invoices, and operate subscription or one-time purchase flows.

Zaply.me does not store full payment card details in its own database. Card and local payment method details are collected and processed by Stripe according to Stripe's own terms and privacy rules.

At the initial stage of the service, invoices are issued manually by the provider based on billing and payment data available in the system.

  • billing profile fields may include billing email, full name, company name, tax ID/VAT ID, street, postal code, city, and country,
  • payment and invoice records may include amount, currency, status, issued/paid timestamps, and provider transaction identifiers,
  • data related to paid access is used to deliver billing functionality, support legal accounting obligations, detect abuse, and defend against claims.
6

AI features and automated analysis

Zaply.me uses AI features to analyze reviews, draft responses, generate content, and support operational recommendations. For this purpose, AI modules may receive review text, business context, tone preferences, and other data needed to perform the requested task.

We do not use AI output as the sole basis for decisions producing legal effects for users. Users should independently assess the correctness and suitability of generated content before publishing it.

7

Retention periods

We keep data for as long as necessary to fulfill the purpose for which it was collected and then for the period required by law or needed to defend against claims.

After account deletion, data is removed from operational systems without undue delay. Backup copies may still store data for up to 30 days, after which they are overwritten or permanently deleted according to the backup cycle.

  • account and settings data: until account deletion or until the purpose no longer exists,
  • billing and invoice data: for the period required by accounting and tax regulations and for claim defense,
  • consent, security, and log data: for the period needed for accountability, security, and legal defense,
  • cache and helper data: for a limited technical period depending on the relevant service and infrastructure configuration.
Inactive Free or Trial accounts may be removed under periodic retention and data minimization processes if continued storage is no longer necessary for the service purpose, security, or legal obligations.
8

User rights

You may request access to your data, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interest where applicable under law.

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.

  1. 1Contact the controller using the privacy contact address rodo@zaply.me
  2. 2You can delete your account in your profile, in the account settings section.
  3. 3Specify which right you want to exercise and provide details enabling account identification.
  4. 4You also have the right to lodge a complaint with the Polish Data Protection Authority if you believe processing breaches the GDPR.
9

Cookies and similar technologies

Zaply.me uses cookies and similar technologies to maintain sessions, remember language preferences, operate consent management, and enable analytics or marketing where the user consents.

Some cookies are necessary for the service to function and cannot be disabled without affecting core features. Other categories can be accepted or rejected through the consent banner or later settings.

  • necessary cookies: sign-in, session continuity, security, and language preferences,
  • analytics cookies: traffic measurement and product event tracking after consent,
  • marketing cookies: advertising or remarketing activity where activated and accepted by the user.
10

Data security

We apply technical and organizational safeguards designed to protect data, including encryption of selected database fields, authentication controls, access management, input validation, abuse prevention, and security monitoring.

Application data is stored in a hosted PostgreSQL database provided by Supabase, and selected sensitive fields are encrypted at the application layer.

No IT system can guarantee absolute security. Users should therefore use strong passwords, protect their devices, and grant third-party permissions carefully.

11

Contact and policy updates

This Privacy Policy may be updated if the service scope, technology vendors, legal requirements, or processing methods change. Material updates will be communicated within a reasonable time via the service or another customary communication channel.

Questions related to privacy, security, or user rights should be sent to the controller's contact address contact@zaply.me.