Privacy Notice

Last updated: April 2026

This notice explains what personal data zStudios Ltd collects about you, why we collect it, who we share it with, and how long we keep it. We've written it in plain English so it's easy to understand. If you have any questions, email us at jonzohar@zstudiosltd.com.

Who we are

zStudios Ltd is the data controller for the personal data you provide through this website. We are registered in the United Kingdom.

What data we collect and why

Account & licence management

  • Email address — to create your account, send licence keys, and contact you about your subscription.
  • Password (hashed) — to authenticate you when you sign in with email and password. We never store your password in plain text. If you sign in via OAuth (Google, GitHub, or Facebook) no password is stored.
  • OAuth identity — if you sign in with Google, GitHub, or Facebook we store the provider name, your unique ID from that provider, and your display name. We do not store OAuth access tokens.
  • Licence details — licence key, licence type, number of permitted seats, expiry date, and Stripe subscription ID — to issue and enforce your licence.
  • Device fingerprint (hashed) — a one-way hash of device characteristics (e.g. OS, hardware identifiers) recorded each time you activate a licence seat. We store only the hash — never the raw fingerprint — to enforce your seat limit and detect misuse.

Lawful basis: Performance of a contract — we need this data to provide the service you signed up for.

Payments

  • Payment details — handled entirely by Stripe. We never see or store your full card number. Stripe may retain billing name, last-4 digits of your card, and billing address as required by payment regulations. We store the Stripe subscription ID and Stripe customer ID to manage your subscription.

Lawful basis: Performance of a contract and Legal obligation (payment regulations).

AI image generation (optional feature)

  • AI credit balance and transaction history — we record credit purchases, credits spent per generation, and running balance to operate the credit system.
  • Prompts and images you submit for generation — when you use the AI generation feature, your text prompt and any source image you upload are transmitted to third-party AI providers (Leonardo AI, Google Gemini, or OpenAI) to produce the generated image. We do not retain copies of your prompts or source images on our servers after the request completes. Please review each provider's own privacy policy before use.

Lawful basis: Performance of a contract (providing the AI generation service you purchased credits for).

Website and server logs

  • IP address and browser information — automatically collected by our hosting infrastructure to keep the service secure and diagnose errors.

Lawful basis: Legitimate interests — we have a legitimate interest in keeping the website secure and functioning correctly.

Who we share your data with

We only share your data with trusted third parties where necessary to run our service:

  • Stripe (stripe.com) — payment processing. Stripe is PCI-DSS compliant and may process your data in the USA and EU under Standard Contractual Clauses.
  • Supabase (supabase.com) — our PostgreSQL database is hosted on Supabase. Data is stored in the EU (West Europe region). Supabase acts as a data processor on our behalf.
  • Render (render.com) — our API server is hosted on Render. Render acts as a data processor on our behalf.
  • Resend (resend.com) — transactional email delivery (welcome emails, licence confirmations, password resets). Resend receives your email address solely to deliver these messages.
  • Leonardo AI (leonardo.ai), Google (cloud.google.com), and OpenAI (openai.com) — AI image generation providers. Your prompts and source images are transmitted to whichever provider you select when using the AI feature. Each provider's own privacy policy governs how they handle that data.
  • Google / GitHub / Facebook — if you choose to sign in via OAuth, the relevant provider authenticates you and shares your profile ID and display name with us. We do not share your data back to them beyond the standard OAuth flow.

We do not sell your personal data. We do not use it for advertising.

How long we keep your data

  • Account data — kept for as long as your account is active. If you close your account, we delete your personal data within 30 days, except where we are legally required to keep it (e.g. financial records for 6 years under UK tax law).
  • Licence session records (device fingerprints) — retained for the lifetime of the licence, then deleted when the account is closed.
  • AI credit transactions — retained for the lifetime of your account for billing reconciliation purposes, then deleted when the account is closed.
  • Server logs — retained for up to 90 days for security and debugging purposes.
  • Payment records — kept for 7 years as required by UK financial regulations.

Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention requirements.
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a common machine-readable format.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, email jonzohar@zstudiosltd.com. We will respond within 30 days.

Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Changes to this notice

We may update this notice from time to time. When we do, we will update the "last updated" date at the top. Significant changes will be notified by email.