Privacy Policy

1. Who we are

Zenpage (“we,” “us,” “our”) is a free platform that lets authors create professional websites. This policy explains how we collect, use, and protect your information when you use zenpage.io and any site hosted on *.zenpage.io or a custom domain through our service.

2. Information we collect

Account information. When you sign up, we collect your email address. We use passwordless authentication (magic links), so we never store passwords.

Website content. Any content you add to your author site (bio, book details, blog posts, images, ebook files) is stored to provide the service.

Uploaded files. Headshots and cover images are processed server-side (resized, converted to WebP) and stored on Cloudflare R2. Ebook files (PDF, EPUB) are stored privately on Cloudflare R2 and are only accessible via time-limited, authenticated download links.

Usage data. We collect basic server logs (IP address, browser type, pages visited) for security and debugging. We do not use third-party analytics trackers.

Cookies. We use a single HTTP-only session cookie to keep you logged in (30-day expiry). We use a CSRF cookie for form security. We do not use advertising or tracking cookies.

Newsletter data. If you connect a newsletter provider, we securely store your encrypted API key (AES-256-GCM) to proxy subscriber signups on your behalf. We never read or use your subscriber data for any purpose other than passing it to your chosen provider.

Stripe Connect data. If you connect a Stripe account to sell ebooks, we store your Stripe account identifier (a non-sensitive public ID). We never store or have access to your Stripe credentials, bank account details, or payout information. Stripe handles all sensitive financial data.

Ebook purchase data. When a reader purchases an ebook from an author site, Stripe processes the payment. We receive and store the customer's email address, the purchase amount, and a transaction reference to fulfill the delivery. We do not receive or store credit card numbers or billing details.

3. How we use your information

• To provide, maintain, and improve the Zenpage service
• To send transactional emails (magic links, ebook delivery emails, critical service updates)
• To publish your author website as you configure it
• To proxy newsletter signups to your chosen provider
• To facilitate ebook sales and deliver purchased ebooks to buyers
• To detect and prevent fraud, abuse, and security incidents

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Third-party services

We use a limited set of third-party services to operate Zenpage:

• Cloudflare: CDN, DNS, DDoS protection, image and file storage (R2), and bot detection (Turnstile). Cloudflare Privacy Policy
• Resend: Transactional email delivery (magic links, ebook purchase confirmations). Resend Privacy Policy
• Stripe: Payment processing for ebook sales via Stripe Connect. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy
• Newsletter providers: When authors connect a newsletter provider (Mailchimp, Kit, Beehiiv, Brevo, MailerLite, Substack), subscriber signups are proxied through our servers to the author's chosen provider. Each provider has its own privacy policy.

5. Data retention

We retain your account data and website content for as long as your account is active. If you delete your account, all associated data (your website, content, images, ebook files, and blog posts) is permanently deleted. Server logs are retained for no more than 90 days.

Ebook purchase records are retained for as long as needed to fulfill download obligations and comply with legal requirements (tax reporting, dispute resolution). Download links expire after 72 hours.

Newsletter API keys are encrypted at rest and permanently deleted when the integration is removed or the account is deleted.

6. Your rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your account and all associated data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing of your data in certain circumstances

GDPR (EU/EEA): We process your data based on contractual necessity (providing the service) and legitimate interest (security, fraud prevention). You may lodge a complaint with your local data protection authority.

CCPA (California): We do not sell personal information. You have the right to know what data we collect, request deletion, and not be discriminated against for exercising your rights.

7. Data security

We protect your data with encryption in transit (TLS), hashed authentication tokens (SHA-256), HTTP-only cookies, server-side input validation, rate limiting, encrypted API key storage (AES-256-GCM), and private file storage with time-limited access. Payment processing is handled entirely by Stripe (PCI DSS Level 1). While no system is perfectly secure, we take reasonable measures to protect your information.

8. Children's privacy

Zenpage is not intended for children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. Continued use of Zenpage after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or to exercise your rights, email us at [email protected].