Privacy Policy
Last updated: March 20, 2026 · Effective: March 20, 2026
This Privacy Policy describes how zero8 Pty Ltd (ABN [ABN NUMBER]) trading as zero8 ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use our website at zero8.ai, our application, and any related services (collectively, the "Service"). This Privacy Policy should be read alongside our Terms of Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, and password (or authentication credentials from a third-party provider such as Google, LinkedIn, or Microsoft). We also store whether your email address has been verified and your profile image if you provide one.
1.2 Organisation Information
If you create or join an organisation, we collect the organisation name, logo, member roles, and invitation details (including the email addresses of people you invite).
1.3 Payment and Billing Information
When you subscribe to a paid plan, payment information is collected and processed by our third-party payment processor, Stripe. We store a reference to your Stripe customer ID and subscription details (plan, status, billing interval, and period dates) but do not store your full credit card number, bank account number, or other sensitive payment credentials on our servers.
1.4 Project and Content Data
We collect and store the content you create and upload through the Service, including:
- Project titles, design concepts, page layouts, style settings (colours, fonts), and page metadata (titles, descriptions, favicon).
- Files you upload (PDF, DOCX, TXT, images, and URLs), including text extracted from those files to generate your pages.
- Briefing conversation responses and brand kit information you provide during the AI-guided design process.
- Published page content hosted on zero8.live subdomains, registered domains, or your custom domains.
1.5 Domain Information
If you connect or register a domain, we store the domain name, DNS configuration, SSL certificate status, registration and expiration dates, and related technical identifiers necessary to serve your published pages.
1.6 Form Submission Data
If you enable forms on your published pages, we collect and store submissions on your behalf, including the form fields, the submitter's IP address, user agent, referrer URL, UTM parameters, country, city, device type, browser, and a session identifier. We also run basic spam detection on submissions. You are the data controller for this information — see Section 8 for more details.
1.7 Usage and Analytics Data
We automatically collect information about how you interact with the Service, including:
- Pages visited, features used, clicks, and navigation patterns.
- Credit usage (which actions consume credits and when).
- Device type, browser type, operating system, and screen resolution.
- IP address, approximate geographic location, and referring URL.
- Session recordings (with text inputs masked) to help us understand and improve user experience.
1.8 Session and Authentication Data
When you sign in, we create a session record that includes your IP address, user agent string, session token, and the organisation you are currently active in. Sessions expire automatically after a period of inactivity.
1.9 Support Interactions
If you contact us through our in-app support chat, we collect the messages you send and any associated session information to provide and improve our support.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including AI-powered design generation, page publishing, and domain management.
- Process payments and manage your subscription.
- Authenticate your identity and manage access to your account and organisations.
- Generate and optimise your website content using AI, based on the information and files you provide.
- Manage advertising campaigns and promotion features on your behalf, where you have enabled them.
- Send you transactional communications (account verification, password resets, billing receipts, and service notifications).
- Analyse usage patterns to improve, debug, and optimise the Service.
- Detect and prevent fraud, abuse, spam, and security threats.
- Comply with legal obligations and respond to lawful requests.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases for processing your personal data:
| Processing Purpose | Legal Basis |
|---|---|
| Providing and operating the Service (accounts, projects, publishing, domains) | Performance of contract |
| Processing payments and subscriptions | Performance of contract |
| Authentication and session management | Performance of contract |
| Transactional emails (verification, password resets, billing) | Performance of contract |
| Customer support | Performance of contract |
| Analytics and service improvement (including session recordings) | Legitimate interest |
| Fraud detection, abuse prevention, and security | Legitimate interest |
| Advertising campaign management and promotion features | Consent (you enable the feature) |
| Non-essential cookies (analytics, support) | Consent |
| Legal and regulatory compliance | Legal obligation |
4. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
4.1 Service Providers
We use third-party service providers to help operate the Service:
- Stripe — payment processing and subscription management. Stripe receives your payment details and billing information. Stripe Privacy Policy
- Cloudinary — file and image hosting. Files you upload are stored and served through Cloudinary. Cloudinary Privacy Policy
- PostHog — product analytics and session recording. PostHog collects usage data including page views, clicks, and masked session recordings to help us understand how the Service is used. PostHog Privacy Policy
- Plausible Analytics — privacy-friendly web analytics for published pages. Plausible collects aggregate visitor data (page views, referrers, device type, country) without using cookies or collecting personal data. Plausible Privacy Policy
- Crisp — customer support chat. Crisp processes messages you send through the in-app support widget. Crisp Privacy Policy
- Cloudflare — DNS management, SSL certificates, and content delivery for published pages.
- Postmark — transactional email delivery (account verification, password resets, invitations).
4.2 Authentication Providers
If you choose to sign in with a third-party provider (Google, LinkedIn, or Microsoft), that provider shares your name, email address, and profile image with us. We do not share your zero8 data back to these providers beyond what is necessary for authentication.
4.3 Advertising and Promotion Platforms
If you enable promotion features, we share relevant business and campaign information with third-party platforms such as Google Ads and Google Business Profile on your behalf. This sharing is initiated by you and governed by those platforms' respective privacy policies.
4.4 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.5 Business Transfers
If zero8 is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication, session management, and core Service functionality. These cannot be disabled.
- Analytics cookies — used by PostHog to collect usage data and session recordings. These help us understand how the Service is used and identify areas for improvement.
- Support cookies — used by Crisp to enable the in-app support chat and maintain your conversation history.
- Preference cookies — used to remember your settings, such as your preferred theme (light or dark mode).
For visitors in the European Economic Area and United Kingdom, we obtain your consent before setting non-essential cookies (analytics and support cookies) through our cookie consent banner. You can change your cookie preferences at any time through the cookie settings link in the footer of the Service. You can also manage cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained for as long as your account exists. When you delete your account, we delete your personal data and take your published pages offline within 30 days. Some data may persist in encrypted backups for up to 90 days.
- Project and content data is deleted when you delete the associated project or your account.
- Form submission data is retained until you delete it or delete the associated project. As the data controller for form submissions, you are responsible for managing retention in compliance with applicable laws.
- Analytics data is retained in aggregated or anonymised form and may persist after account deletion.
- Payment records are retained for 7 years as required by Australian tax and financial reporting obligations.
- Session and security logs are retained for up to 12 months to detect and investigate security incidents.
7. Data Security
We implement reasonable technical and organisational measures to protect your personal information, including encryption of data in transit (TLS/SSL), secure session management, and access controls. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users and relevant authorities (including the Office of the Australian Information Commissioner) as required by the Australian Privacy Act's Notifiable Data Breaches scheme and, where applicable, within 72 hours as required by the GDPR.
If you become aware of any unauthorised access to your account, please contact us immediately at [email protected].
8. Your Role as a Data Controller (Form Submissions)
When you use the form submission feature on your published pages, you are the data controller for any personal data collected from your visitors. We act as a data processor, storing and making that data available to you through the Service.
As a data controller, you are responsible for:
- Providing appropriate privacy notices to visitors of your published pages.
- Obtaining any necessary consent for data collection.
- Responding to data subject requests (access, deletion, rectification) from your visitors.
- Complying with applicable data protection laws, including GDPR, CCPA, and the Australian Privacy Act 1988.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
9.1 General Rights
- Access — you can request a copy of the personal information we hold about you.
- Correction — you can update or correct inaccurate information through your account settings or by contacting us.
- Deletion — you can delete your account at any time through your account settings. You can also request deletion of specific data by contacting us.
- Data portability — you can request your data in a structured, commonly used format.
- Objection — you can object to certain processing of your data, such as processing for analytics purposes.
- Withdraw consent — where we process your data based on consent (such as analytics cookies or promotion features), you may withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
9.2 For Users in the European Economic Area (GDPR)
If you are located in the EEA, you additionally have the right to:
- Restriction of processing — request that we limit how we use your data in certain circumstances.
- Object to automated decision-making — you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features generate design and content suggestions for your review, but do not make automated decisions that produce legal effects on you.
- Lodge a complaint — you have the right to lodge a complaint with your local data protection authority.
Our legal bases for processing your personal information are detailed in Section 3 above.
9.3 For Users in the United Kingdom (UK GDPR)
If you are located in the United Kingdom, you have equivalent rights to those described in Section 9.2 under the UK GDPR and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9.4 For Users in California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know — you can request details about the categories and specific pieces of personal information we collect about you.
- Right to delete — you can request deletion of your personal information.
- Right to correct — you can request correction of inaccurate personal information.
- Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioural advertising. If this changes, we will provide an opt-out mechanism.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide the Service.
- Right to non-discrimination — you will not be discriminated against for exercising your CCPA/CPRA rights.
CCPA Required Disclosures
The following table summarises the categories of personal information we collect, as defined by the CCPA:
| Category | Collected | Sources | Purpose | Sold/Shared |
|---|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | You, automatic collection | Service operation, authentication | No |
| Customer records (billing details, subscription info) | Yes | You, Stripe | Payment processing | No |
| Commercial information (purchases, subscriptions) | Yes | You, Stripe | Service operation, billing | No |
| Internet activity (browsing, usage, interactions) | Yes | Automatic collection | Analytics, improvement | No |
| Geolocation data (approximate, from IP) | Yes | Automatic collection | Analytics, security | No |
| Professional information (organisation, role) | Yes | You | Service operation | No |
| Inferences (usage patterns) | Yes | Derived from activity | Service improvement | No |
| Sensitive personal information | No | — | — | No |
9.5 For Users in Australia (Privacy Act 1988)
If you are located in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles (APPs), including the right to access and correct your personal information. If you believe we have breached the APPs, you may make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner if required by applicable law).
10. International Data Transfers
Your information may be transferred to and processed in countries other than Australia, including countries where our service providers operate (primarily the United States and the European Union). We ensure that appropriate safeguards are in place for any international transfers of personal data, including standard contractual clauses or other mechanisms approved by applicable data protection authorities.
11. Children's Privacy
The Service is not intended for use by anyone under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
12. AI and Your Data
The Service uses artificial intelligence to generate designs, page layouts, content suggestions, and promotional materials based on the information you provide. Your content (including briefing responses, uploaded files, and page content) is processed by AI models to deliver these features.
We do not use your content to train general-purpose AI models. Your data is used solely to provide the Service to you. Third-party AI providers we use are bound by data processing agreements that prohibit them from using your data for model training.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 14 days before the change takes effect. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
- Privacy enquiries: [email protected]
- General support: [email protected]
- Postal address: zero8 Pty Ltd, [STREET ADDRESS], [CITY STATE POSTCODE], Australia