Privacy Policy
Last updated: April 2026
1. Who We Are
Zorah ("we", "us", "our") is a SaaS subscription management platform built and operated in Europe. We help companies track, manage, and optimise their software spend. Zorah is the data controller for the personal data processed through our platform.
2. Data We Collect
Account data
Name, email address, company name, and role — collected during sign-up via our authentication provider (Clerk).
Subscription data
Tool names, costs, billing cycles, renewal dates, departments, owners, and tags — entered by you manually or imported via CSV.
Payment data
Subscription payments to Zorah are processed by Stripe. We do not store credit card numbers. Stripe's privacy policy applies to payment processing.
Usage data
Feature usage, page views, and interaction events within the app, collected for product improvement. We use PostHog (EU-hosted) for product analytics. See Section 11 (Cookies & Analytics) for details on consent.
3. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing your account, subscription, and transaction data to provide the Zorah service.
- Legitimate interest (Art. 6(1)(f)): Product analytics within the dashboard (via PostHog) for product improvement; fraud prevention; security monitoring.
- Consent (Art. 6(1)(a)): Analytics on our public website (PostHog) — only activated after you accept cookies via our consent banner.
- Legal obligation (Art. 6(1)(c)): Retaining billing records as required by tax and accounting regulations.
4. How We Use Your Data
- Provide and maintain the Zorah platform
- Send renewal alerts, trial notifications, and team invitation emails
- Detect duplicate and wasteful subscriptions via AI-powered analysis
- Process subscription payments via Stripe
- Improve our product based on aggregated, anonymised usage data
We do not sell, rent, or share your data with third parties for marketing or advertising purposes.
5. Third-Party Processors
We use the following sub-processors to deliver the service. All are bound by data processing agreements:
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database hosting (PostgreSQL) | EU |
| Vercel | Application hosting | EU edge |
| Clerk | Authentication & session management | US (SCCs in place) |
| Stripe | Payment processing | US (SCCs in place) |
| Berget AI | AI analysis of subscription data | EU (Sweden) |
| Resend | Transactional email delivery | US (SCCs in place) |
| PostHog | Product analytics | EU |
6. AI Processing
When you use the AI Assistant or import transactions, relevant data (subscription names, costs, merchant names) is sent to Berget AI (an EU-based AI provider hosted in Sweden) for analysis. Data is processed under Berget AI's terms and is not used for model training.
- No personal identifiers (name, email) are included in AI requests
- AI requests contain only subscription and merchant names, amounts, and dates
- Data is not retained by Berget AI beyond the API request lifecycle
7. Data Security
- Encryption at rest: Sensitive data is encrypted using AES-256-GCM with a dedicated encryption key
- Encryption in transit: All connections use TLS 1.2 or higher
- Authentication: Handled by Clerk with support for multi-factor authentication
- Access control: Role-based permissions (admin, manager, member) restrict who can view and modify data
- Security headers: HSTS, CSP, X-Frame-Options, and other security headers are set on all responses
- Rate limiting: API endpoints are rate-limited to prevent abuse
- Infrastructure: Hosted on SOC 2 Type II certified providers (Vercel, Supabase)
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access (Art. 15): Request a copy of all your personal data — available in Settings → Privacy → Export my data
- Rectification (Art. 16): Update or correct your data at any time in Settings
- Erasure (Art. 17): Request permanent deletion of your account and all associated data — Settings → Privacy → Delete my account
- Portability (Art. 20): Export your data in machine-readable JSON format
- Restriction (Art. 18): Request restriction of processing by contacting us
- Objection (Art. 21): Object to processing based on legitimate interest
To exercise any of these rights, use the self-service tools in Settings or contact us at privacy@zorah.app. We will respond within one month, as required by GDPR Art. 12(3).
10. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Account deletion: All data is permanently and irreversibly deleted upon request (immediate for application data, up to 30 days for backups)
- Audit logs: Retained for 1 year on Enterprise plans, configurable per company
- Billing records: Retained for 7 years as required by EU tax regulations
11. Cookies & Analytics
Essential cookies
Authentication and session cookies (via Clerk) are required for the Service to function. These are set automatically and do not require consent.
Product analytics (PostHog)
When you are logged in and using the Zorah dashboard, we collect product usage data (feature usage, page views, interactions) via PostHog, an EU-hosted analytics provider. This data is processed under our legitimate interest (Art. 6(1)(f)) to improve the product and does not require separate cookie consent. PostHog data is hosted in the EU and is not shared with third parties.
Public website analytics (PostHog)
On our public website (outside the dashboard), PostHog analytics are only activated after you give explicit consent via our cookie banner. If you decline, no analytics data is collected on the public website. You can change your preference at any time by clearing your cookies and revisiting the site.
We do not use advertising pixels, retargeting trackers, or sell analytics data to third parties.
12. International Data Transfers
Our primary database is hosted in the EU (Supabase, Frankfurt region). Some sub-processors (Clerk, Stripe, Resend) are based in the United States. For these transfers, we rely on the EU Standard Contractual Clauses (SCCs) approved by the European Commission as the legal transfer mechanism.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top of this page indicates the most recent revision.
14. Contact & Data Protection
For privacy-related inquiries, data access requests, or to report a concern:
- Email: privacy@zorah.app
- Response time: Within one month (as required by GDPR Art. 12(3))
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.