Privacy Policy

ZeroFlag AI is a brand operated by AiLaiLe Technology Limited, a company incorporated in Hong Kong, with registered address at:

RM 102, 1/F, THE CLOUD, 111 TUNG CHAU STREET,
Tai Kok Tsui, Kowloon, Hong Kong

For purposes of this policy and applicable data protection law, ZeroFlag AI acts as the data controller for all personal data described below.

For privacy-related enquiries contact us at ailailetech@gmail.com.

2.1 Account data

• Email address — required for account creation, authentication, and transactional communications.
• Name and profile picture — obtained from OAuth providers (Google, Microsoft, GitHub) only if you use social sign-in.
• Store / company name — optionally provided during registration or in account settings.
• Phone number — optionally provided in account settings.
• Password (hashed) — stored securely by Supabase Auth if you use email/password login. We never see your plaintext password.

2.2 Listing content you submit

Product titles, descriptions, bullet points, and keywords you submit for scanning. This content is transmitted to Google Gemini API for compliance analysis and is stored as part of your scan record per §8. We process listing content solely to deliver your scan results and do not use it to build profiles, run targeted advertising, or share it with third parties except as described in §6.

2.3 Scan results and usage data

• Compliance scan results (violation records, risk levels, AI-generated rewrites) linked to your account.
• Appeal letters you generate — stored for your reference.
• ASIN / product URLs you bind to the compliance monitor.
• Scan whitelist terms you configure.
• False-positive feedback you submit.

2.4 Payment data

Handled entirely by Stripe. We store only your Stripe Customer ID and subscription status. We never receive or store credit card numbers, bank account details, or full billing addresses.

2.5 Technical and log data

• IP address and browser/device type — collected by our hosting infrastructure (Vercel) in standard server access logs, retained for up to 30 days.
• Service-delivery cookie — a browser cookie tracking your anonymous scan count before account creation (see §12).
• Session cookies — set by Supabase Auth to maintain your authenticated session.

For all personal data described in §2 — including account data and listing content submitted by individual users — ZeroFlag AI determines the purposes and means of processing and therefore acts as the data controller.

We engage third-party service providers (§6) as data processors who process data only on our instructions. If in future we offer an enterprise or API tier where a business customer controls the processing purpose, that relationship will be governed by a separate Data Processing Agreement.

For users in the EEA, United Kingdom, or Switzerland, we rely on the following bases under GDPR Article 6:

• Contract (Art. 6(1)(b)): Processing your account data and submitted listing content to provide the Service you have requested.
• Legitimate interests (Art. 6(1)(f)): Aggregated, anonymised false-positive analysis to improve scan accuracy; fraud prevention; service security. Our interests are balanced against your rights and are not overridden by them.
• Consent (Art. 6(1)(a)): Optional marketing and product update emails. You may withdraw at any time via Settings → Notifications or by emailing ailailetech@gmail.com.
• Legal obligation (Art. 6(1)(c)): Where required by law, including financial record retention obligations.

• Providing compliance scanning, AI rewriting, appeal generation, and monitoring features.
• Sending transactional emails: account verification, password reset, scan alert notifications, and welcome emails via Resend.
• Processing payments and managing subscriptions via Stripe.
• Improving scan accuracy using aggregated, anonymised feedback (individual users are not identifiable in this analysis).
• Detecting and preventing abuse, fraud, and violations of our Terms of Service.
• Complying with legal obligations and responding to lawful requests from competent authorities.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes, and we do not run targeted advertising.

We share data with the following processors under contractual safeguards:

• Google Gemini API — listing text is transmitted for AI compliance analysis under Google's API Terms of Service. Listing content is used solely to generate your compliance results and is not used for any other purpose by ZeroFlag AI.
• Supabase — database and authentication, hosted on AWS (us-east-1). Row-Level Security policies ensure users only access their own data. Supabase Privacy Policy.
• Stripe — payment processing. Stripe Privacy Policy.
• Vercel — web hosting and serverless compute. Vercel Privacy Policy.
• Resend — transactional email delivery. Resend Privacy Policy.

We do not use analytics trackers, advertising networks, or session recording tools on the Service.

The ZeroFlag AI Chrome extension is installed voluntarily. When you click the scan button on a supported seller dashboard:

• The extension reads form field values (product title, description, bullets, keywords) from the current tab's DOM. It reads only the fields needed for the scan — it does not read your browsing history, saved passwords, financial data, or other tab content.
• This listing data is transmitted to our API over HTTPS for analysis, and processed as described in §2.2.
• The extension does not interact with any page you have not explicitly triggered a scan on.
• Your auth token, daily scan count, and most recent scan result are stored in Chrome's local storage (chrome.storage.local), which remains on your device and is not synced to a server except as part of the explicit scan request.
• If you use the extension without signing in (anonymous scans), the listing text you submit is still transmitted to and stored on our servers as described in §8 (Anonymous scans). The extension's chrome.storage.local only tracks a local scan counter — it does not independently store your listing content.

We retain data for as long as necessary to deliver the Service and as described below. Retention periods reflect our current technical implementation:

• Free accounts — scan results: Scan results are stored on our servers to deliver your results within the scanning session. They are not accessible via the scan history interface for free accounts. We retain the underlying data for up to 30 days for service reliability and fraud prevention, after which it is eligible for deletion. We do not guarantee deletion within this window.
• Anonymous scans (pre-account): When you scan a listing without signing in, the full listing content (title, description, bullets, keywords) is transmitted to and stored on our servers for up to 30 days, after which it is deleted by our automated purge process. This retention is necessary for abuse prevention, rate-limit enforcement, and service reliability. No personal identifier is linked to anonymous scans — they are stored with a null user reference. Your anonymous scan count is additionally tracked via a browser cookie (§12), which contains no listing content.
• Pro accounts — scan results: Scan results and appeal letters are accessible in your scan history for 90 days from the scan date. After 90 days, records are permanently deleted from our servers by our automated daily purge process.
• Business accounts — scan results: Accessible indefinitely while the account is active.
• Account data: Retained until account deletion. When you delete your account via Settings, your personal data (email, name, profile) and linked scan records are deleted immediately (cascade delete). Full propagation across all systems (backups, logs) is completed within 30 days.
• Payment records: Stripe retains billing records per their own retention policy. We retain Stripe Customer IDs and subscription status for tax and accounting compliance for up to 7 years in anonymised form after account deletion.
• Log data: Server access logs retained for up to 30 days.

Our infrastructure is primarily in the United States. If you are in the EEA, UK, or Switzerland, we transfer your data under these safeguards:

• Supabase (AWS us-east-1): Standard Contractual Clauses (SCCs) approved by the European Commission.
• Stripe: EU-US Data Privacy Framework and Standard Contractual Clauses, where applicable.
• Vercel: Standard Contractual Clauses for EU-origin data.
• Google Gemini API: Google's EU data processing terms and applicable SCCs.

We note that the legal landscape for EU-US data transfers may change. We will update this section if the applicable transfer mechanisms change materially. Reliance on the EU-US Data Privacy Framework is subject to its continued legal validity.

If you are in the EEA, UK, or Switzerland, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate data (most profile data can be updated in Settings → Account).
• Erasure: Request deletion of your data. You can self-serve via Settings → Delete account, which deletes your data immediately.
• Restriction: Request that we temporarily stop processing your data in certain circumstances.
• Data portability: Request your scan history in machine-readable CSV format. Pro and Business account holders can export via the History page → Export CSV. Free accounts have no scan history retention; to exercise this right, email ailailetech@gmail.com and we will prepare an export of any data held on your account.
• Object: Object to processing based on legitimate interests. We will cease unless we have compelling grounds.
• Withdraw consent: For consent-based processing (marketing emails), withdraw at any time without affecting prior lawful processing.
• Lodge a complaint: You have the right to complain to your national DPA (e.g., ICO in the UK; your national authority in the EU at edpb.europa.eu).

To exercise any right, email ailailetech@gmail.com. We will respond within 30 days.

If you are a California resident, you have rights under CCPA as amended by CPRA:

Categories of personal information collected

We do not sell or share personal information for cross-context behavioural advertising.

Your CCPA rights

• Know & Access: Request the categories and specific pieces of PI collected.
• Delete: Request deletion of your PI, subject to exceptions.
• Correct: Request correction of inaccurate PI.
• Opt out of sale/sharing: We do not sell or share PI. No opt-out needed.
• Sensitive personal information: Listing content you submit may contain health or product claims; we process it only to deliver scan results and do not use it for any secondary purpose.
• Authorised agent: An authorised agent may submit requests on your behalf by emailing ailailetech@gmail.com with written proof of authorisation and identity verification.
• Non-discrimination: We will not discriminate against you for exercising these rights.

To submit a verifiable consumer request, email ailailetech@gmail.com with subject line “CCPA Request.” We will respond within 45 days.

We use a minimal set of cookies, classified as follows:

• Strictly necessary — Session cookies: Set by Supabase Auth to maintain your authenticated session. Required for the Service to function. Cannot be disabled without logging out.
• Functional / service-delivery — Anonymous scan counter cookie: A browser cookie tracking the number of scans made before account creation. This cookie is used to enforce the anonymous scan limit that is core to service delivery and abuse prevention. It contains no personal identifiers. Expires after 24 hours.

We do not use advertising cookies, third-party tracking pixels, social media trackers, or any analytics platform that places third-party cookies. If we add analytics in the future, we will update this policy and, where required, seek consent before placing cookies.

The Service is directed to business users and is not intended for children. You must be at least 16 years old to create an account. In the United States, the minimum age is 13 under COPPA, but given our B2B context we apply a minimum of 16 globally.

We do not knowingly collect personal data from anyone under 16. If you become aware that a minor has provided us with personal data, contact ailailetech@gmail.com and we will delete the data promptly.

• All data in transit is encrypted using TLS 1.2 or higher.
• Data at rest is encrypted at the storage layer by Supabase (AES-256).
• Row-Level Security policies ensure each user can only access their own data.
• The Supabase Service Role Key is used only server-side and is never exposed to client-side code or the Chrome extension.
• Stripe processes all payment data in a PCI-DSS-compliant environment.

No method of internet transmission is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact ailailetech@gmail.com immediately.

We may update this policy from time to time. For material changes, we will notify you by email at least 14 days before the effective date (if you have an account), or by posting a prominent notice on the Service. The “Last updated” date above reflects the most recent revision. Continued use after the effective date constitutes acceptance.

We have not appointed a formal Data Protection Officer. For all privacy questions, data subject requests, or complaints, contact our Privacy team:

Email: ailailetech@gmail.com

Postal address:
AiLaiLe Technology Limited
RM 102, 1/F, THE CLOUD
111 TUNG CHAU STREET, Tai Kok Tsui
Kowloon, Hong Kong

EEA residents may contact their national supervisory authority. A list of EU data protection authorities is at edpb.europa.eu. UK residents may contact the ICO.