Privacy Policy

Last updated: April 3, 2026  |  Effective date: April 3, 2026

ZoloNet Limited (“ZoloNet,” “we,” “our,” or “us”) operates the website zolonet.com and the ZoloNet AI-powered marketing platform (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit our website, create an account, or use any of our products and services. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

When you register for a ZoloNet account, subscribe to a plan, or interact with our team, we may collect:

• Identity Data: Full name, username, job title, company name
• Contact Data: Email address, phone number, mailing address
• Financial Data: Payment card details and billing address (processed and stored securely by our payment processor, Airwallex; we do not store full card numbers on our servers)
• Account Data: Username, encrypted password hash, account preferences, workspace settings
• Communication Data: Support tickets, chat messages, email correspondence, feedback, and survey responses
• Content Data: Any content you create, upload, or manage through the platform including marketing copy, blog posts, email templates, images, videos, product listings, and landing pages

1.2 Information Collected from Third-Party Platform Integrations

A core feature of ZoloNet is the ability to connect and manage your accounts on third-party advertising and social media platforms. When you authorize a connection through our Integrations page, we access and process the following data on your behalf:

Google Ads & Google Services

• Campaign structure, ad groups, keywords, ad creatives, and extensions
• Performance metrics: impressions, clicks, conversions, cost, CPC, CTR, CPA, ROAS
• Audience segments, demographics, and remarketing lists
• Conversion tracking and attribution data
• Bid strategies and automated rules
• Billing summary and account spend
• Quality Score, ad rank, and auction insights
• Google Analytics data (traffic, behavior, conversions) when connected
• Google Search Console data (search queries, indexing, site performance) when connected

All Google Ads data is accessed via the Google Ads API using OAuth 2.0 authorization that you explicitly grant. You can revoke this access at any time.

Facebook & Instagram (Meta Platforms, Inc.)

When you connect a Facebook or Instagram account to ZoloNet via the Meta Login OAuth flow, we request the following permissions (“scopes”). For each scope we explain what data we read or write, and why it is necessary for the ZoloNet feature you choose to use:

• public_profile — Your name, profile picture, and Meta user ID. Used to identify the connecting account inside ZoloNet.
• email — The email address on your Meta account. Used to associate the connection with your ZoloNet workspace.
• pages_show_list — The list of Facebook Pages you manage. Used to let you choose which Page ZoloNet should operate on.
• pages_read_engagement — Page metadata, posts, reactions, comments, and Page Insights. Used to display analytics inside ZoloNet’s dashboards.
• pages_manage_posts — Permission to publish, schedule, edit, and delete posts on the Pages you select. Used by ZoloNet’s Composer.
• pages_manage_metadata — Page-level settings such as name, category, description. Used only when you explicitly request a Page-info update.
• pages_read_user_content — User-generated content (comments, messages, reviews) on your Pages. Used to display unified inbox and engagement views.
• instagram_basic — Your Instagram Business profile, media, and basic insights. Used to surface Instagram alongside Facebook in ZoloNet’s Social view.
• instagram_content_publish — Permission to publish photos, videos, carousels, Stories, and Reels to your Instagram Business account. Used by ZoloNet’s Composer.
• business_management — Read access to the Meta Business Managers you administer plus their owned Pages, Ad Accounts, Pixels, and Catalogs. Used to attach an entire Business Manager to your workspace.
• ads_read — Read access to your Meta Ad Accounts, campaigns, ad sets, ads, and insights. Powers ZoloNet’s Ads dashboard.
• ads_management — Permission to create, edit, pause, resume, and delete Meta ad campaigns, ad sets, ads, and creatives. Used by ZoloNet’s Create Campaign wizard.

All access tokens are stored encrypted at rest, scoped to the workspace that requested the connection, and never shared between workspaces. We do not sell, lease, or transfer Meta-derived data to any third party. You may revoke ZoloNet’s access at any time from Facebook → Business Integrations or from the ZoloNet Integrations page; both actions trigger immediate token revocation and removal of stored Meta data.

ZoloNet’s use of information received from the Meta APIs adheres to the Meta Platform Terms and Developer Policies, including the Limited Use requirements and the prohibition on transferring data to data brokers, ad networks, or analytics services unrelated to providing the integration you authorized.

Pinterest

• Account profile information (username, business name, website)
• Boards: names, descriptions, pin counts, cover images
• Pins: images, titles, descriptions, links, engagement metrics
• Analytics: impressions, pin clicks, outbound clicks, saves, audience demographics
• Ad campaign data when Pinterest Ads API is connected

TikTok

• Business account information and profile data
• Video content metadata, captions, and engagement metrics
• TikTok Ads Manager: campaigns, ad groups, ads, budgets, performance data
• Audience analytics and follower demographics

Additional Platforms

• LinkedIn: Company page data, post analytics, campaign performance, lead gen form submissions, InMail metrics
• Tumblr: Blog information, posts, follower counts, engagement data, reblog analytics
• WordPress & WooCommerce: Site content (pages, posts, media), products, orders, customer data, plugin configurations, and theme settings accessed via the ZoloNet Connector plugin
• Email Platforms (Postal, Listmonk, Resend): Email lists, subscriber data, campaign content, open/click rates, bounce data, and delivery metrics
• Domain & DNS Providers: Domain registration data, DNS records, SSL certificate status
• Payment Processors (Airwallex, Stripe): Transaction data, invoice history, subscription status

1.3 Information Collected Automatically

When you access our Service, we automatically collect certain technical information:

• Device Data: IP address, browser type and version, operating system, device type, screen resolution
• Usage Data: Pages visited, features used, buttons clicked, time spent on each page, navigation patterns
• Log Data: Server access logs, error logs, timestamps, referring URLs
• Location Data: Approximate geographic location derived from IP address (we do not collect precise GPS location)
• Performance Data: Page load times, API response times, error rates

1.4 Cookies and Similar Technologies

We use cookies, local storage, and similar tracking technologies to operate and improve our Service:

• Essential Cookies: Required for authentication, session management, security (CSRF protection), and core platform functionality. Cannot be disabled.
• Preference Cookies: Remember your settings such as language (English, Hebrew, Spanish, Dutch, Chinese), theme (dark/light), workspace selection, and UI preferences
• Analytics Cookies: Help us understand how users interact with our platform. We use self-hosted analytics (Umami) to minimize third-party data sharing
• Integration Cookies: Required for OAuth authentication flows when connecting third-party platforms (Google, Facebook, Pinterest, TikTok, etc.)

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will prevent you from using the platform.

2. How We Use Your Information

We process your personal information for the following lawful purposes:

• Service Delivery: Provide, operate, and maintain all ZoloNet platform features including CRM, email marketing, SEO tools, PPC campaign management, website builder, social media management, affiliate tracking, dropshipping, video creation, and AI agent services
• Advertising Campaign Management: Display, create, edit, optimize, pause, activate, and report on your advertising campaigns across Google Ads, Facebook Ads, Instagram Ads, Pinterest Ads, TikTok Ads, LinkedIn Ads, and other connected platforms
• AI-Powered Features: Generate content recommendations, campaign optimization suggestions, SEO audits, competitor analysis, keyword research, and automated marketing strategies through our six AI agents: ZOLO (orchestration), WUSHI (content & growth), CIPHER (intelligence & analytics), KINMIK (marketing & revenue), PRISM (creative & technology), and VOGATOX (operations & CRM)
• Voice AI Services: Process voice interactions for our Voice AI feature, including speech-to-text transcription (via Deepgram) and text-to-speech responses
• Email Marketing: Send and manage email campaigns, newsletters, and transactional emails through our integrated email infrastructure (Postal for self-hosted SMTP, Listmonk for campaign management, Resend for transactional delivery)
• Website Management: Build, edit, and optimize client websites through our website builder and WordPress management tools, including Elementor page editing, SEO optimization, and performance monitoring
• E-commerce & Dropshipping: Manage WooCommerce stores, process product imports (CJ Dropshipping), track orders, manage inventory, and optimize product listings
• Domain & DNS Management: Register domains (via Namecheap, INWX), manage DNS records (via Cloudflare), provision SSL certificates, and configure email routing
• Analytics & Reporting: Generate dashboards, reports, and insights across all connected platforms and services. Track key metrics including traffic, conversions, revenue, engagement, and ROI
• Billing & Payments: Process subscription payments, generate invoices, manage billing cycles, and handle refunds through Airwallex
• Communications: Send transactional notifications (account confirmations, password resets, security alerts, invoice receipts) and marketing communications (product updates, tips, offers) with your opt-in consent
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance via email, live chat, and Telegram bot
• Security & Fraud Prevention: Monitor for suspicious activity, unauthorized access attempts, click fraud in PPC campaigns, and other security threats
• Platform Improvement: Analyze aggregated usage patterns to improve features, fix bugs, optimize performance, and develop new capabilities
• Legal Compliance: Comply with applicable laws, regulations, court orders, and legal processes

3. Google Ads API — Limited Use Disclosure

In full compliance with Google’s policies, ZoloNet commits to the following:

• We only request access to Google Ads API scopes that are necessary for the specific advertising management features you use within the ZoloNet platform
• We access your Google Ads data solely through OAuth 2.0 authorization that you explicitly grant during the integration setup process
• We use your Google Ads data exclusively to provide, display, and improve the advertising management, analytics, and optimization features you have requested
• We do not sell, lease, rent, sublicense, or otherwise commercially transfer your Google Ads data to any third party
• We do not use your Google Ads data for serving advertisements to you that are unrelated to the advertising management services you use
• We do not use your Google Ads data for credit scoring, lending decisions, insurance underwriting, employment decisions, or any purpose unrelated to advertising campaign management
• We do not transfer Google Ads data to any third-party artificial intelligence or machine learning tool that is not directly part of the ZoloNet platform’s campaign management and optimization features
• We store all Google Ads API data securely with encryption at rest and in transit (TLS 1.2+)
• We implement strict workspace-level data isolation ensuring that each client’s Google Ads data is completely separate from and inaccessible to other users or workspaces
• You may revoke ZoloNet’s access to your Google Ads data at any time by disconnecting the Google Ads integration from your Integrations settings page, or by revoking access through your Google Account at myaccount.google.com/permissions
• Upon disconnection or account deletion, all cached Google Ads data and OAuth tokens are permanently and irreversibly deleted within 30 days
• Our internal access to Google Ads data is limited to authorized engineers for debugging and support purposes only, under strict access controls and audit logging

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties for their marketing purposes. We share information only in the following limited circumstances:

• Service Providers & Sub-processors: We work with trusted third-party companies to operate our platform: Hostinger and 20i (hosting infrastructure), Airwallex (payment processing), Cloudflare (DNS, CDN, security), Supabase (database), Postal (email delivery), Resend (transactional email), Deepgram (speech-to-text), ElevenLabs (text-to-speech), Anthropic/Claude (AI processing), and fal.ai (image/video generation). Each provider only accesses data strictly necessary to perform their service and is contractually bound to protect it.
• Connected Advertising & Social Platforms: When you use ZoloNet to manage campaigns, publish content, or schedule posts on third-party platforms (Google, Facebook, Instagram, Pinterest, TikTok, LinkedIn, Tumblr, etc.), we transmit data to those platforms solely to execute the actions you have requested. Each platform’s own privacy policy governs their handling of that data.
• AI Model Providers: Your campaign data and content may be processed by AI language models (primarily Claude by Anthropic, with fallback to Grok, Gemini, Groq, DeepSeek, or GPT-4o) to generate marketing recommendations, write content, and provide analytics insights. This processing occurs in real-time API calls; we do not bulk-upload your data to any AI provider for training purposes.
• Legal Requirements: We may disclose your information if required by applicable law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice to affected users before their personal information becomes subject to a different privacy policy.
• With Your Consent: We may share information with third parties when you have given us explicit consent to do so.

5. Data Security

We implement comprehensive technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. All API communications with third-party platforms use HTTPS.
• Encryption at Rest: Sensitive data including OAuth tokens, API keys, passwords, and payment credentials are encrypted before storage using industry-standard encryption algorithms
• Workspace Isolation: Each workspace’s data is completely isolated through Row-Level Security (RLS) policies at the database level. No user or workspace can access another workspace’s data, tokens, campaigns, contacts, or any other information. This was architecturally enforced and security-audited.
• Authentication & Access Control: Role-based access controls (RBAC) limit user permissions. Multi-factor authentication support. Secure session management with automatic expiration.
• Infrastructure Security: Servers hosted on professionally managed infrastructure (Hostinger VPS) with firewalls, DDoS protection via Cloudflare, automated security updates, and regular vulnerability scanning
• Credential Management: Third-party OAuth tokens are stored encrypted per-workspace and are never exposed in API responses, logs, or to other workspaces
• Monitoring & Alerting: Automated monitoring for suspicious login attempts, unusual API usage patterns, and potential security anomalies
• Incident Response: We maintain a documented incident response plan. In the event of a data breach affecting your personal information, we will notify you and relevant supervisory authorities within 72 hours of discovery, as required by applicable law
• Employee Access: Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis, protected by SSH key authentication, and subject to audit logging

6. Data Retention

We retain different categories of data for different periods:

• Account Data: Retained for as long as your account is active. After account deletion, personal data is purged within 90 days, except where retention is required by law.
• Campaign & Platform Data: Performance data from connected advertising and social platforms is cached in our database for display and analytics purposes. This cache is refreshed regularly from source platforms. When you disconnect an integration, cached data for that platform is deleted within 30 days.
• OAuth Tokens & Credentials: Stored encrypted for as long as the integration is active. Permanently deleted immediately upon disconnection of the integration.
• Billing & Transaction Records: Retained for 7 years as required for accounting, tax compliance, and audit purposes under applicable financial regulations.
• Server & Access Logs: Automatically deleted after 90 days.
• Email Campaign Data: Subscriber lists, campaign content, and delivery/engagement metrics are retained for as long as the workspace is active.
• Support Communications: Support tickets and correspondence are retained for 2 years after resolution for quality assurance and reference purposes.
• Marketing Consent Records: Records of consent and withdrawal are retained indefinitely for regulatory compliance.
• AI Conversation Data: Chat interactions with AI agents are retained for 30 days for context continuity, then automatically purged.

7. Your Rights

Depending on your jurisdiction, including under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws, you have the following rights:

• Right of Access: Request a copy of all personal data we hold about you, including data from connected platforms
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data (“right to be forgotten”). Note: this may require disconnecting all platform integrations and closing your account.
• Right to Restriction: Request that we restrict processing of your personal data under certain circumstances
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
• Right to Object: Object to processing of your personal data based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing
• Right to Revoke Platform Access: Disconnect any third-party platform integration at any time through your Integrations settings page in the ZoloNet dashboard
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights (CCPA requirement)
• Right to Opt-Out of Sale: We do not sell personal information. If this ever changes, we will provide a clear opt-out mechanism (CCPA requirement).

To exercise any of these rights, contact us at marketing@zolonet.com. We will verify your identity and respond within 30 days (or within the timeframe required by applicable law). If we cannot fulfill your request, we will explain why.

8. International Data Transfers

ZoloNet Limited is registered in Hong Kong. Our infrastructure spans multiple jurisdictions:

• Primary Servers: Hostinger VPS located in the European Union
• Database: Supabase (AWS infrastructure, US/EU regions)
• CDN & DNS: Cloudflare (global edge network)
• Payment Processing: Airwallex (global, with regional compliance)
• AI Processing: Anthropic (US), Google (US), xAI (US)

When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements (DPAs) with all sub-processors
• Supplementary technical measures (encryption, pseudonymization) where appropriate
• Regular assessment of third-country legal frameworks

9. Third-Party Links and Services

The ZoloNet platform integrates with numerous third-party services and may contain links to external websites. These include but are not limited to: Google, Facebook/Meta, Instagram, Pinterest, TikTok, LinkedIn, Tumblr, YouTube, WordPress, WooCommerce, Shopify, CJ Dropshipping, Cal.com, Deepgram, ElevenLabs, HeyGen, Creatomate, Pexels, and various domain registrars and hosting providers. Each of these services has its own privacy policy governing how they handle your data. We encourage you to review those policies. We are not responsible for the privacy practices of third-party services.

10. Children’s Privacy

ZoloNet is a business-to-business (B2B) marketing platform intended for use by businesses and professionals. Our Service is not directed at individuals under the age of 18. We do not knowingly collect, use, or disclose personal information from children under 18. If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete that information. If you believe we may have collected information from a minor, please contact us immediately at marketing@zolonet.com.

11. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals. Because there is no uniform standard for interpreting DNT signals, our Service does not currently respond to DNT signals. However, you can manage your privacy preferences through cookie settings and platform opt-outs as described in this policy.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Opt-Out: You have the right to opt out of the “sale” or “sharing” of personal information. We do not sell personal information. We share data with third-party platforms only at your direction to provide the services you have requested.
• Authorized Agent: You may designate an authorized agent to make requests on your behalf.

In the past 12 months, we have collected the categories of information described in Section 1. We have not sold personal information to third parties. To exercise your CCPA/CPRA rights, contact marketing@zolonet.com.

13. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, new features, legal requirements, or industry standards. When we make material changes:

• We will update the “Last updated” date at the top of this page
• We will post a prominent notice on the ZoloNet platform dashboard
• For significant changes, we will send an email notification to all registered users at least 14 days before the changes take effect
• We will maintain an archive of previous versions of this policy available upon request

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.

14. Meta Platforms Data Practices & Deletion

This section consolidates the information required by the Meta Platform Terms regarding our handling of data received from the Meta APIs (Facebook, Instagram, Threads, WhatsApp Business, Messenger).

14.1 Data Controller

ZoloNet Limited acts as a data processor on your behalf when ZoloNet uses the Meta APIs to operate features you have configured. Meta Platforms, Inc. is the source of the underlying data and remains the original controller for the Meta-side records. You are the controller of the assets connected to ZoloNet and decide which scopes to grant.

14.2 Retention

Meta access tokens are retained only while the connection is active. Cached metadata (Page lists, Ad Account lists, recent post metrics) is retained for up to 30 days for performance, then refreshed from Meta on demand. Logs of API calls are retained for up to 90 days for debugging and abuse prevention. When you disconnect Meta from a workspace, all tokens and cached metadata for that workspace are deleted immediately.

14.3 Data Deletion Requests

You can request deletion of all Meta-derived data ZoloNet holds about you in any of the following ways:

• Inside ZoloNet: Integrations page → Facebook tile → Disconnect. ZoloNet revokes the access token at Meta and deletes cached data within minutes.
• Inside Facebook: Settings & Privacy → Apps and Websites → ZoloNet → Remove. Meta notifies ZoloNet via our Deauthorize Callback and we delete all data associated with that user ID.
• By callback URL: ZoloNet exposes a Meta Data Deletion Callback at https://api.srv1358079.hstgr.cloud/api/meta/data-deletion. Submitted requests return a confirmation code for status tracking.
• By email: contact privacy@zolonet.com. We confirm receipt within 7 days and complete deletion within 30 days as required by GDPR Article 17.

14.4 Limited Use Disclosure (Meta Platform Terms)

ZoloNet’s use of information received from the Meta APIs adheres to the Meta Platform Terms, including the Limited Use requirements. We use Meta-derived data only to provide the user-facing features you have authorized; we do not transfer it to data brokers, ad networks, or analytics services that have not signed equivalent Limited Use commitments; we do not use it for retargeting outside the workspace; and we do not sell it. Aggregated, de-identified analytics derived from Meta data may be used to improve ZoloNet’s service for all users, only when the underlying data cannot be re-identified.

14.5 Reporting Abuse

If you believe ZoloNet has misused Meta-derived data, email privacy@zolonet.com. You may also report concerns to Meta via facebook.com/help/contact.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights, please contact us:

If you are located in the European Economic Area and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).