Zerpify
Legal Document

Privacy Policy.

Effective: 1 January 2026 · Last Updated: 19 February 2026 · Version 1.0

Contents
  • 1. Introduction
  • 2. Who We Are
  • 3. Data We Collect
  • 4. How We Use Your Data
  • 5. Legal Basis (GDPR)
  • 6. Data Sharing
  • 7. Cookies & Storage
  • 8. Extension Data Practices
  • 9. Data Retention
  • 10. Security
  • 11. Your Rights
  • 12. International Transfers
  • 13. Children's Privacy
  • 14. Changes to Policy
  • 15. Contact & DPA

Our commitment in plain English: We collect only what we need to run the service. We don't sell your data. We don't track your general browsing. The extension only activates on Google Search. You can request deletion of your data at any time. If you're in the EU/UK, your GDPR rights are fully respected.

Section 01

Introduction

This Privacy Policy explains how Zerpify ("Zerpify," "we," "us," or "our") collects, uses, stores, and protects personal information when you use our Chrome Extension, website, and related services (collectively, the "Service").

We are committed to protecting your privacy and handling your data with transparency and care. This policy is written to be clear and readable — not to obscure what we actually do with your information.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Section 02

Who We Are

Zerpify is the data controller for personal information processed through this Service. We are the entity responsible for deciding how and why your data is used.

For any data protection queries, you can reach us at:

  • Email: admin@zerpify.com
  • Product: Zerpify Chrome Extension & Web Platform
  • Website: zerpify.com

Section 03

Data We Collect

We collect the minimum data necessary to provide the Service. The following table describes every category of data we collect and why:

| Data Type | What We Collect | Why |
|---|---|---|
| Account Data | Email address, hashed password (SHA-256 + salt), plan tier, registration date, email verification status | To create and manage your account, verify identity, and deliver the Service |
| Session Data | Cryptographic session tokens (256-bit random), session creation timestamps | To keep you securely logged in without requiring repeated authentication |
| Usage Data | Feature usage counts (e.g., AI summaries per day), scan counts per month, bulk keyword request counts | To enforce free-tier limits and improve the Service |
| Search Queries | Keywords you actively submit for analysis within the extension or website | To perform the requested SERP analysis and return results to you |
| Saved Projects | Project names, associated keywords, analysis results you choose to save | To provide project storage as part of the Service |
| Device & Technical Data | IP address (for rate limiting only), extension version, selected geo/country setting | To enforce rate limits, prevent abuse, and deliver geo-accurate data |
| On-Page Scan Data | When you run a page scan: page title, meta description, H1 content, word count, link counts, schema types, canonical URL — extracted from the page you are actively viewing | To perform the on-page SEO audit you requested |
| Communication Data | Email address used for transactional emails (verification codes, account notices) | To deliver account verification and important service notifications |
| Newsletter Preference | Whether you opted in to receive SEO tips and product updates (optional, opt-in only) | To send you relevant product updates only if you consented |

We do not collect: your general browsing history, the content of pages you visit outside of active scans, your search history on Google outside of the query present when you trigger an analysis, payment card details (handled entirely by our payment processor), or any biometric data.

Section 04

How We Use Your Data

We use the data we collect for the following purposes only:

  • Providing the Service: Processing your analysis requests, returning keyword data, generating AI summaries, and storing saved projects
  • Account management: Creating and maintaining your account, verifying your email, managing your subscription tier
  • Security and abuse prevention: Rate limiting, detecting and preventing fraudulent or abusive behaviour, and protecting the integrity of the Service
  • Service improvement: Aggregate, anonymised usage analytics to understand which features are most used and where the product can be improved — we do not build individual profiles for this purpose
  • Communications: Sending transactional emails (verification codes, password resets) and, if you opted in, occasional product update emails
  • Legal compliance: Meeting our obligations under applicable law and responding to lawful requests from authorities

We do not use your data for: advertising, building profiles for sale to third parties, training AI models on your personal data, or any purpose not listed above.

Section 05

Legal Basis (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined by the UK GDPR and EU GDPR:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — including account creation, running analyses, and managing subscriptions
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, rate limiting, fraud prevention, and aggregate analytics — where our interests in operating a safe, functional service do not override your rights
  • Consent (Art. 6(1)(a)): Sending optional marketing emails or product updates — only where you have explicitly opted in at registration
  • Legal obligation (Art. 6(1)(c)): Where we are required by law to process or retain certain data

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent for marketing emails, contact admin@zerpify.com.

Section 06

Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

  • DataForSEO: When you request keyword analysis, the keyword text and your selected geo are sent to DataForSEO's API to retrieve search volume, CPC, and difficulty data. No personal account information is shared.
  • Brevo: Your email address is shared with Brevo solely to deliver transactional emails (e.g., verification codes). They act as a data processor on our behalf under a Data Processing Agreement.
  • Cloudflare: Our infrastructure provider. Your data is stored in Cloudflare KV and D1 databases. Cloudflare acts as a data processor under appropriate agreements including Standard Contractual Clauses where applicable.
  • Legal requirements: We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Zerpify, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of all or part of our assets, user data may be transferred as part of that transaction. We will notify affected users via email and/or a notice on our website.

Section 07

Cookies & Storage

The Zerpify website uses minimal storage. We do not use tracking cookies or advertising cookies of any kind.

  • localStorage (website): We store your session token and basic user profile (email, plan tier) in your browser's localStorage to keep you logged in across sessions. This data stays on your device and is transmitted to our server only when making authenticated API requests.
  • chrome.storage.local (extension): The Chrome Extension stores your session token, user profile, geo preference, saved projects, and settings locally using the Chrome extension storage API. This data never leaves your browser except when you explicitly make an API request.
  • Session cookies: We may use a single, strictly necessary session cookie for maintaining your authenticated state on the website. This cookie is essential and cannot be opted out of while using an authenticated session.

We do not use Google Analytics, Meta Pixel, or any other third-party tracking scripts on our website or within the extension.

Section 08

Extension Data Practices

The Zerpify Chrome Extension is designed with a minimal-data, minimal-injection philosophy. Here is exactly how it works:

  • Activation scope: The SERP overlay content script only activates on google.com/search* pages. It does not inject code on any other website.
  • On-page scanning: The on-page scanner runs on any website, but only when you click "Scan This Page." It reads page structure (titles, headings, links, schema) and sends a summary to our server for scoring. Raw page content is not transmitted.
  • No passive monitoring: The extension does not run in the background monitoring pages you visit. It does not record which websites you browse. It does not track your navigation history.
  • API calls are user-triggered: All requests to our server are initiated by explicit user actions (running an analysis, clicking scan, submitting a keyword). The extension never autonomously sends data.
  • Permissions used: activeTab (read the active tab's URL), storage (local settings), tabs (query current tab). No broad host permissions beyond Google Search and our own API.

Bottom line: The extension knows you are on a Google Search page and what you are searching for — but only when you choose to trigger an analysis. It has no visibility into anything else you do online.

Section 09

Data Retention

We retain your data only for as long as necessary to provide the Service and comply with our legal obligations:

  • Account data: Retained for the lifetime of your account. Deleted within 30 days of a verified account deletion request.
  • Session tokens: Automatically expire after 30 days of inactivity. Deleted immediately upon sign-out.
  • Search query cache: Keyword analysis results are cached for up to 30 minutes to improve performance, then automatically expired.
  • Usage counters: Monthly usage limits reset at the start of each calendar month and are not retained beyond 60 days.
  • IP addresses (rate limiting): Stored for 5–60 minutes within rate-limit windows only. Not retained beyond this period.
  • Saved projects: Retained until you delete them or delete your account.
  • Email communications: Brevo may retain delivery logs for up to 30 days per their data retention policy.

To request earlier deletion of any data, email admin@zerpify.com with the subject "Data Deletion Request."

Section 10

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security practices include:

  • Passwords stored using SHA-256 hashing with a unique 16-byte random salt per account (we never store plaintext passwords)
  • Session tokens are cryptographically random 256-bit values — not predictable or guessable
  • All data in transit is protected by TLS 1.3 encryption
  • Data at rest is stored within Cloudflare's encrypted infrastructure
  • Rate limiting on all authentication endpoints (10 attempts per 5 minutes per IP) to prevent brute force attacks
  • Origin validation on all API requests — only requests from the Zerpify Chrome Extension are accepted
  • No sensitive data is logged in plain text in server logs

While we take security seriously, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to notifying affected users without undue delay in the event of a data breach that affects your rights and freedoms, as required by applicable law.

Section 11

Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to verified requests within 30 days (UK/EU GDPR standard):

  • Right of Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your account and all associated personal data ("right to be forgotten").
  • Right to Restriction: Request that we limit how we use your data while a dispute is resolved.
  • Right to Portability: Request your data in a structured, machine-readable format (JSON/CSV export available directly in the extension).
  • Right to Object: Object to processing based on legitimate interests, including direct marketing at any time.
  • Right to Withdraw Consent: Withdraw any consent you previously gave (e.g., marketing emails) without affecting prior processing.
  • Right to Complain: Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK at ico.org.uk).

To exercise any of these rights, email admin@zerpify.com with the subject "Privacy Rights Request" and specify which right you wish to exercise. We may need to verify your identity before processing the request.

Section 12

International Transfers

Zerpify uses Cloudflare for infrastructure. Cloudflare operates data centres globally. Your data may be processed in the United States, European Economic Area, or other regions depending on Cloudflare's routing.

For transfers of personal data from the EEA or UK to third countries (including the US), we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Cloudflare's and Brevo's participation in recognised data transfer frameworks
  • The UK International Data Transfer Agreement (IDTA) where applicable

If you have concerns about international data transfers, you can contact us for more information about the specific safeguards in place.

Section 13

Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at admin@zerpify.com and we will promptly delete the information.

By creating an account, you represent that you are at least 16 years old.

Section 14

Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to registered users if the changes materially affect how we use your data
  • Where required by law (e.g., GDPR), seek fresh consent before processing your data in new ways

We encourage you to review this policy periodically. The current version is always available at zerpify.com/privacy.

Section 15

Contact & DPA

For all privacy-related queries, data subject requests, or to obtain a copy of our Data Processing Agreement with any of our sub-processors, please contact us:

Data Protection Enquiries

Zerpify · Privacy & Data Team

admin@zerpify.com

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk. In the EU, contact your national Data Protection Authority.

© 2026 Zerpify. All rights reserved. · Terms of Use · Privacy Policy
