Privacy Policy

Information We Collect

We collect information you provide directly to us, including:

• Account information (name, email address, password)
• Survey content you create and publish
• Survey responses collected through your surveys
• AI chat prompts you submit when generating or refining surveys, and the inferred profile we derive from them (industry, audience, intents) to personalize the product. You can opt out of this profiling at any time in your account settings.
• Usage data and analytics about how you interact with our service
• Payment information when you subscribe to a paid plan (processed securely by Stripe)
• Communications you send to us (support requests, feedback)

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and manage your account
• Send you technical notices, updates, and support messages
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent or unauthorized activity
• Personalize and improve your experience, including generating tailored survey suggestions based on your prompt history, the surveys you have published, and any onboarding profile you provide. You can opt out of this personalization at any time in your account settings without losing access to the rest of the service.
• We do not use your survey content, respondent data, or AI chat prompts to train AI models. AI features (including survey suggestions, response analysis, and translations) process your data on demand only via Mistral AI under a signed Data Processing Agreement, and do not feed into any model training pipeline.

Data Sharing & Disclosure

We do not sell your personal information. We may share information in the following situations:

• With your consent or at your direction
• With service providers who assist in operating our platform (hosting, analytics, payment processing)
• When required by law or to respond to legal process
• To protect the rights, property, and safety of Zolvi, our users, or the public
• In connection with a merger, acquisition, or sale of assets

Data Processors & Third-Party Services

We use the following third-party service providers to operate our platform. Your data may be processed by these providers in accordance with their respective privacy policies and our data processing agreements:

• Stripe Inc. (San Francisco, USA) — Payment processing — Legal basis: EU-US Data Privacy Framework
• Mistral AI (Paris, France) — AI-powered survey generation, response analysis, translations, and personalized survey suggestions (industry/audience/intent inference from your prompt history). Legal basis: EU-based processor under Mistral's standard Data Processing Addendum (https://legal.mistral.ai/terms/data-processing-addendum), incorporated by reference into our commercial agreement; international transfers covered by SCCs Module 4. Your prompts and survey data are never used to train Mistral's models (opt-out toggle confirmed disabled at the workspace level). Sub-processors: see https://trust.mistral.ai/subprocessors.
• Resend Inc. (San Francisco, USA) — Transactional email delivery — Legal basis: Data Processing Agreement
• Neon Inc. (Frankfurt, Germany, EU) — Database hosting — Legal basis: EU-based processor
• Vercel Inc. (San Francisco, USA) — Application hosting, CDN, Web Analytics, and Speed Insights. Legal basis: EU-US Data Privacy Framework. Web Analytics + Speed Insights are anonymous-by-design (no cookies, no user IDs) but additionally gated by your cookie banner consent in EEA/UK/Switzerland.
• Upstash (EU region) — Rate limiting and caching — Legal basis: Data Processing Agreement
• Sentry (San Francisco, USA) — Error monitoring, performance tracing, and Session Replay (gated by EEA consent; Replay is configured to mask all text and block all media). Legal basis: EU-US Data Privacy Framework + Data Processing Agreement.
• PostHog Inc. (US-incorporated, hosted on PostHog's EU region — Frankfurt, Germany) — Product analytics, session-level event capture, and survey funnel tracking. Legal basis: EU-US Data Privacy Framework + Data Processing Agreement; gated by user consent in EEA/UK/Switzerland — the PostHog SDK does not load until you explicitly grant analytics_storage via our cookie banner.

Your Rights

Depending on your location, you may have the following rights:

• Access and receive a copy of your personal data
• Rectify inaccurate or incomplete personal data
• Request deletion of your personal data
• Restrict processing of your personal data
• Data portability — receive your data in a structured format
• Object to processing of your personal data
• Withdraw consent at any time, where processing is based on your consent (e.g. analytics cookies) — this does not affect the lawfulness of processing carried out before the withdrawal
• Lodge a complaint with a data protection supervisory authority — for users in the EU/EEA, the authority in your country of residence; in Germany, the Landesbeauftragte für den Datenschutz of the competent federal state

Data Security

We implement industry-standard security measures to protect your information, including encryption in transit and at rest, regular security audits, and access controls. However, no method of transmission over the Internet is 100% secure. Your survey data is stored and processed in the EU. Some of our sub-processors are US-incorporated and process EU data under EU Standard Contractual Clauses (and, where applicable, the EU–US Data Privacy Framework). See our sub-processor list for details.

Data Retention

We retain your information for as long as your account is active or as needed to provide you services. You can request deletion of your account and associated data at any time through your account settings.

Cookies & Tracking

We use essential cookies required for the service to function (authentication session, language preference, CSRF protection) — no consent is required for these under GDPR. We also use analytics cookies and localStorage entries via PostHog to understand product usage; in EEA/UK/Switzerland these are disabled by default and only set after you explicitly grant consent through our cookie banner. You can revoke that consent at any time via the "Cookie preferences" link in the footer. We do not use any third-party advertising, marketing, or retargeting cookies.

Children's Privacy

Our service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us immediately.

Brazilian Users — LGPD Compliance

If you are located in Brazil, you are protected by the Lei Geral de Proteção de Dados (LGPD — Law 13.709/2018). Under LGPD, you have the right to: access your personal data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary or excessive data; data portability; information about third parties with whom your data has been shared; and the right to revoke consent at any time. Zolvi stores survey data in Frankfurt, Germany (EU); some operational sub-processors are US-incorporated and process data under agreements with appropriate safeguards (EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework). We do not transfer your data outside of these compliant frameworks. To exercise your LGPD rights, contact us at contact@zolvi.app.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have any questions about this Privacy Policy, please contact us at contact@zolvi.app or by mail: Gabriel Marchesan Almeida, Wiener Str. 37, 76344 Eggenstein-Leopoldshafen, Germany.