Privacy Policy
Last updated: 2026-05-31
This Privacy Policy explains how Musannef, operating as Zenya AI (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use https://zenyaai.co and the Zenya AI service (the “Service”).
We act as the data controller for personal data of people who sign up for the Service, and as a data processor for data that Shopify merchants give us about their customers (rare; see §4).
1. Who we are
- Controller: Musannef (Dutch eenmanszaak)
- Registered: Dutch Chamber of Commerce (KvK), number 42070030. The natural person operating Musannef and acting as data controller is publicly identifiable via the KvK register using this number, or on request via the privacy contact below.
- VAT: Pending registration (BTW)
- Address: 7776 BA, The Netherlands
- Contact for privacy questions: zenyaai@outlook.com
2. What data we collect
2.1 Data you give us directly
- Account data: email address, password (stored hashed by Supabase), full name (optional).
- Payment data: handled by Stripe. We never see or store your card number, CVC, or bank details. We receive a customer ID, last 4 digits of the card, country, and subscription status.
- Content you create: business briefs, product URLs you submit for scraping, theme designs you generate.
- Support correspondence: emails you send us.
2.2 Data collected automatically
- Technical data: IP address, browser type, device type, OS, referring URL, timestamps. Used for security and abuse prevention.
- Usage data: features used, themes generated, generation count (for free-tier quota enforcement).
- Cookies and similar: see our Cookie Policy.
2.3 Data we get from Shopify (only if you connect a store)
- Shop domain, shop owner email, shop owner name.
- Product data (title, description, images, price) — read to generate themes that match your catalog.
- Theme data — read/write to install generated themes.
We do not read or store Shopify customer data (orders, customer profiles, addresses). Our scopes are read_products, read_themes, write_products, write_themes.
3. Why we use your data (legal bases under GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Provide the Service (account, theme generation, hosting) | Contract (Art. 6(1)(b)) |
| Process payments and billing | Contract + legal obligation (tax law) |
| Security, abuse prevention, fraud detection | Legitimate interest (Art. 6(1)(f)) |
| Service emails (e.g. password reset, receipts) | Contract |
| Marketing emails (only if you opt in) | Consent (Art. 6(1)(a)) |
| Analytics / improving the product | Consent (cookie banner) |
| Comply with legal obligations (e.g. tax retention) | Legal obligation (Art. 6(1)(c)) |
4. Who we share data with (subprocessors)
We share only what’s necessary, only with vetted providers. Full list with versions and locations: Subprocessors. Summary:
- Supabase (Ireland, EU) — database, authentication, file storage.
- Vercel (USA, with EU edge) — hosting, CDN.
- Stripe (USA, EU subsidiary) — payment processing.
- OpenAI (USA) — AI generation of theme content (sends your business brief; does not use your data for model training per their API terms).
- ScraperAPI (USA) — product-page scraping (sends the URL you submitted).
- Shopify (Canada) — only if you connect a store.
For transfers outside the EU/EEA we rely on the EU Commission’s Standard Contractual Clauses and (for US providers) the EU–U.S. Data Privacy Framework.
We never sell your personal data. We do not share it for advertising.
5. How long we keep your data
- Account data: while your account is active, then deleted within 30 days of account deletion.
- Generated themes & designs: deleted with your account; you can delete individual themes at any time.
- Payment records / invoices: retained for 7 years to comply with Dutch tax law (Algemene wet inzake rijksbelastingen art. 52).
- Backups: rolling 30-day backup window, after which deletions propagate.
- Logs (security, error): 90 days.
6. Your rights under GDPR
You have the right to:
- Access your personal data and get a copy (Art. 15).
- Rectify incorrect data (Art. 16).
- Erase your account and data (Art. 17) — self-service in Settings → Delete Account.
- Restrict processing (Art. 18).
- Portability — export your themes as JSON (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time (e.g. unsubscribe, revoke cookie consent).
- Lodge a complaint with your local data protection authority. For the Netherlands: Autoriteit Persoonsgegevens.
To exercise any right, email zenyaai@outlook.com. We respond within 30 days.
7. Security
- All traffic is TLS-encrypted (HTTPS).
- Passwords are hashed with bcrypt (handled by Supabase Auth).
- Database access uses Postgres Row-Level Security; users can only see their own rows.
- Secrets are stored encrypted at rest in Vercel.
- We follow the principle of least privilege for staff access.
If you discover a security vulnerability, please email zenyaai@outlook.com with subject “Security”. We do not currently run a bug bounty but we’ll acknowledge responsible disclosure.
8. Data breaches
In the event of a personal data breach, we will notify the Dutch Autoriteit Persoonsgegevens within 72 hours where required, and affected users without undue delay if there is a high risk to your rights.
9. Children
The Service is not intended for users under 16. If you believe a child has provided us personal data, contact us and we will delete it.
10. AI processing
When you request a generated theme, we send your business brief and any related text to OpenAI’s API. Per OpenAI’s API data usage policy, this data is not used to train models and is retained for up to 30 days for abuse-prevention only. We do not send your name, email, or any account identifiers to OpenAI.
11. Changes to this policy
If we make material changes, we will email registered users and update the “Last updated” date above. Continued use after changes means you accept the updated policy.
12. Contact
- Privacy questions: zenyaai@outlook.com
- General support: zenyaai@outlook.com
- Postal: 7776 BA, The Netherlands
