Policies and Terms

Understand how Zoēs works, how we protect your data, and the terms that apply when you use our services.

Privacy Policy

Effective Date: December 30, 2025

Last Updated: December 30, 2025

This Privacy Policy explains how Zoēs collects, uses, shares, and protects information when you use our Website, Extension, and Services.

Introduction

Welcome to Zoēs AI Email Security ("Zoēs", "we", "us", or "our"). We do not sell personal data (including Google user data). We only collect and use data necessary to provide security analysis, improve reliability, and operate the service.

Key Points (Summary)

  • Google data: If you connect Gmail, we access Gmail data only to provide security scanning and user-requested explanations.
  • Sharing: We share data with specific service providers (listed below) to host the service, process payments, deliver AI analysis, store data, and monitor reliability.
  • Security: We use TLS in transit, encryption at rest where supported, access controls, secret management, monitoring, and data minimization.
  • Your control: You can revoke Google access at any time in your Google Account settings, and you can delete your Zoēs account in account settings.

1. Information We Collect

1.1 Account and Profile

  • Account identifiers: email address, name (optional), profile image (optional).
  • Authentication data: if you sign in with Google, we receive your basic profile information (such as email address, name, and profile image). We never receive your Google password.

1.2 Gmail / Google User Data

Important: If you connect Gmail, Zoēs accesses and processes Gmail data only to provide security analysis and features you request.

  • Message identifiers: Gmail message ID / legacy ID and related metadata used for deduplication and caching.
  • Email headers and metadata: sender/from, reply-to, subject, date, authentication results (SPF/DKIM/DMARC) if present.
  • Content used for analysis: to detect threats (e.g., phishing links, impersonation), the Extension may extract visible text and links from the email content and send them to our Services for scanning.

We do not store raw email bodies. We retain only the minimal derived indicators and scan results needed to provide the service.

1.3 Payment and Billing

If you purchase a subscription, payments are processed by Stripe. We do not store your full payment card details.

1.4 Usage, Diagnostics, and Service Logs

We collect limited service logs to operate the service, prevent abuse, and troubleshoot reliability issues. We do not log email contents.

  • Device and app data: browser type, extension version, and general diagnostics.
  • Log data: request IDs, timestamps, and performance metrics. We do not log email bodies or message content.

2. How We Use Information

  • Provide email threat scanning and show trust scores and warnings.
  • Provide optional AI explanations and security education when you request "Explain Why?".
  • Operate, maintain, debug, and improve the Services.
  • Prevent fraud, abuse, and security incidents.

3. Google API Services User Data Policy (Limited Use)

Zoēs's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, train, or improve generalized AI/ML models. If we send limited data to third-party AI providers to perform analysis, they act as service providers and may process data according to their privacy terms; where available, we configure privacy settings to reduce retention and training.

4. Data Sharing and Disclosure

We may share personal information (including Google user data) with the parties below to operate Zoēs. We do not sell your data.

Service Providers (Subprocessors)

These providers help us host, secure, and operate Zoēs.

  • OpenRouter (and model providers)
    Purpose: AI email analysis and on-demand explanations. OpenRouter may route requests to underlying model providers.
    Data shared: Derived email text/links you submit for analysis, scan signals, and request metadata.
  • Upstash (Redis, QStash)
    Purpose: Caching, deduplication, and background tasks.
    Data shared: Scan cache keys, task payloads, and operational metadata.
  • Supabase (Postgres database)
    Purpose: Primary data storage.
    Data shared: Account data, scan results, extracted indicators, and settings.
  • Vercel (hosting)
    Purpose: Hosting and infrastructure for web and API.
    Data shared: Requests and operational logs necessary to serve the app.
  • Stripe (payments)
    Purpose: Payment processing and subscription billing.
    Data shared: Billing details and transaction metadata.
  • Sentry (error monitoring)
    Purpose: Error tracking and performance monitoring.
    Data shared: Diagnostic data; we aim to avoid sensitive email content.
  • PostHog / Amplitude (analytics)
    Purpose: Product analytics to improve usability and reliability.
    Data shared: Event metrics and usage data (not your Gmail message bodies).

Other Disclosures

  • Legal: We may disclose information if required by law or valid legal process, or to protect the rights, safety, and security of users and Zoēs.
  • Business transfers: If Zoēs is involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction subject to appropriate protections.

5. Data Protection and Security

We apply administrative, technical, and organizational safeguards designed to protect sensitive data, including Google user data. These include:

  • Encryption in transit: HTTPS/TLS for data sent between the Extension, Website, and our Services.
  • Encryption at rest: Where supported by our infrastructure and storage providers.
  • OAuth token protection: Access and refresh tokens are stored server-side with restricted access and are not exposed to the Extension UI.
  • Access controls: Least-privilege access and role-based controls for internal systems.
  • Secrets management: Sensitive credentials are stored in managed environment variables and access is limited.
  • Logging minimization: We do not log email content. Logs are used only to diagnose and secure the service.
  • Monitoring: We monitor for abuse and security issues and may use alerting to respond to incidents.

No method of transmission or storage is 100% secure. We work to continuously improve our safeguards.

6. Data Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

If you disconnect Gmail or delete your Zoēs account, we will delete or de-identify associated Google OAuth tokens and related connection data within a reasonable time, subject to legal requirements and legitimate operational needs.

7. Your Choices

  • Revoke Google access: You can revoke Zoēs's access to your Google Account at any time via Google Account settings.
  • Account deletion: You can delete your Zoēs account in account settings.

8. Contact Us

If you have questions or requests related to privacy or Google user data, contact us:

© 2026 Zoēs. All rights reserved.