Privacy Policy
Last updated: June 11, 2026
This Privacy Policy describes how Zloth ("we," "us," or "our") collects, uses, and shares information when you use the Zloth Chrome extension, our website, and related services (the "Service").
Controller
The data controller responsible for processing your personal data is:
Alexander Specht
Teutoburger Str. 31
50678 Köln, Germany
Email: support@zlothai.com
Overview
- We collect only what we need to provide summaries, sync, and credits.
- We do not sell your data. We do not use your account or summary content from the Service for third-party advertising. If you accept analytics cookies on our website, third-party tools may measure visits and ad performance as described under "Cookies and measurement on our website."
- We share data only with service providers and for legal, security, or business-transfer reasons.
- You can delete summaries and folders in the extension, and request account deletion by email.
Cookies and measurement on our website
On zlothai.com we may use cookies and similar technologies if you opt in via our cookie banner:
- Google Analytics (Google Ireland Limited / Google LLC) to understand aggregated traffic and usage of the site.
Legal basis: Art. 6(1)(a) GDPR — your consent. - TikTok Pixel (TikTok Technology Limited and partners) to measure ad effectiveness and related website activity (for example page views) in connection with TikTok advertising.
Legal basis: Art. 6(1)(a) GDPR — your consent.
If you click Decline, these tags are not loaded. You can withdraw consent at any time by clearing site data for zlothai.com in your browser (the banner will appear again on your next visit unless we add a dedicated preference center).
Independently of the cookie banner, we use PostHog (EU cloud) on this website in a cookieless mode to count page visits, clicks on key buttons and links (for example install, upgrade, or demo buttons), and the campaign parameters in the page URL (for example UTM tags), so we can see which marketing content brings visitors to the site and which parts of it are used. To estimate visitor numbers, PostHog derives a short-lived, irreversible identifier on its servers from technical request data (IP address, browser information, and our domain) using a key that changes daily, so repeat visits can only be recognized within the same day. This mode does not store cookies or other information on your device, and we do not use it to identify you or build cross-site profiles.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in measuring aggregate site traffic and marketing effectiveness.
If you interact with promotional buttons or links on the site (for example installing the extension or starting checkout for Pro), we may send standard TikTok events such as Download and InitiateCheckout, with product-style metadata to tell those actions apart when you have accepted analytics cookies above.
For international transfers by these website vendors, see International Data Transfers below; their terms and product documentation describe further details and opt-out options where available.
Information We Collect and Legal Basis
- Account data: Email address and basic profile details used to create and manage your account.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you. - Feedback and customer research: We may occasionally use your account email to ask for product feedback or invite you to customer-research conversations. You can object or opt out at any time by replying "unsubscribe" to a feedback email or emailing support@zlothai.com. Promotional or product-update emails are separate and require your explicit opt-in where offered.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in improving the Service with user feedback, balanced against your opt-out rights. - Authentication: OAuth access and refresh tokens to keep you signed in. Tokens are stored locally on your device and used to authenticate API requests.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you. - Video data you choose to summarize: YouTube video URL, title, thumbnail, duration, prompt type, custom prompt text (if provided), folders, read status, and generated summaries.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you. - Usage and credits: Request timestamps and credit ledger events to enforce free/pro limits and show remaining credits.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you. - Product analytics: Privacy-aware product events such as sign-in, the steps you take (or skip) in the post-install setup flow, summary request/completion/failure, credit views, upgrade clicks, and checkout starts. If you remove the extension, your browser also opens a page on our servers that records an "uninstalled" event so we can count uninstalls; this carries only an internal account or device id, not your email or any content. We use an internal user id for analytics and do not send summary text, transcripts, OAuth tokens, refresh tokens, payment card details, or raw email addresses as analytics event properties.
Legal basis: Art. 6(1)(f) GDPR - our legitimate interest in understanding activation, reliability, and upgrade funnel performance so we can improve the Service. - Service logs: IP address, user agent, timestamps, and error logs for security, debugging, and abuse prevention.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in maintaining security and preventing abuse. - Payments: Stripe processes payment information. We do not store card numbers. We may store Stripe session/customer identifiers and plan status.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you. - Timezone: Used to localize account features such as credit resets.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
How We Use Information
- Provide authentication, summaries, and cross-device sync.
- Operate free and pro credit limits and show balances.
- Process payments and manage subscriptions through Stripe.
- Maintain security, prevent abuse, and troubleshoot issues.
- Improve the Service using aggregate and error data.
- Occasionally ask for product feedback or customer research participation, unless you opt out.
Sharing and Disclosure
- Service providers: Supabase (auth/database), hosting providers, Google (OAuth), Stripe (payments), PostHog (product analytics), and AI model providers used to generate summaries. They process data only to provide and improve the Service. If you consent on our website, Google Analytics and TikTok may also receive technical and usage data from that site as described above.
- Legal and safety: We may disclose information to comply with law, enforce terms, or protect rights, property, or safety.
- Business transfers: If we enter a merger, acquisition, or asset sale, data may transfer as part of that transaction.
- No sale: We do not sell your personal data. Measurement and ad-related processing on the website, when enabled, is based on your consent rather than sale of data.
Security
- Data is transmitted over HTTPS.
- Tokens are stored locally on your device; backend data is protected by our providers with appropriate controls.
- We apply access controls and least-privilege principles to our services.
Data Retention and Deletion
- We retain account and summary data while your account is active to provide the Service.
- You can delete summaries and folders in the extension at any time.
- You can request account deletion by contacting us (see Contact below). We will delete your personal data within 30 days unless retention is required by law.
- Service logs may be retained for up to 90 days for security, fraud prevention, and legal compliance.
International Data Transfers
- Some of our service providers (including Supabase and Stripe) may process data outside the European Economic Area (EEA), in particular in the United States.
- Where transfers occur outside the EEA, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, or an adequacy decision by the European Commission where applicable.
- You may request a copy of the applicable transfer safeguards by contacting us.
Automated Decision-Making and Profiling
- We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.
- Credit limits are enforced automatically based on usage thresholds defined in your subscription tier; this does not constitute profiling in the sense of Art. 22 GDPR.
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18 GDPR): Request that we restrict processing of your data in certain circumstances.
- Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.
- Objection (Art. 21 GDPR): Object at any time to processing based on our legitimate interests (Art. 6(1)(f) GDPR), including objection to processing of service logs for security purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Feedback email opt-out: You can opt out of feedback/customer-research emails at any time by replying "unsubscribe" to a feedback email or contacting support@zlothai.com.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@zlothai.com. We will respond within one month.
Right to Lodge a Complaint
If you believe we are processing your personal data in violation of applicable data protection law, you have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
www.ldi.nrw.de
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
Chrome Web Store "Limited Use" Commitments
- Data and permissions are used only to provide and improve summarization, folders, credits, and sync.
- Data is shared only with service providers, for legal compliance, or for business transfers.
- We do not use or transfer data for personalized advertising.
- Human access is limited to support, security, legal compliance, or aggregated/anonymized operations.
Permissions We Request (Purpose-Limited)
- activeTab: Interact with the current YouTube tab after you click the extension.
- tabs: Find open
youtube.comtabs to send updates. We do not read general browsing history. - storage: Save settings, summaries, folders, and auth tokens on your device.
- identity: Google sign-in via Supabase to authenticate your account.
- windows: Open OAuth and Stripe checkout/billing windows.
- Host permissions: YouTube to show the summarize button; backend/API domains for summaries and sync; Google OAuth; Stripe for payments. We request the minimum scope needed.
Data We Do Not Collect
- We do not collect general web browsing history; only the YouTube video URLs you choose to summarize.
- We do not collect keystrokes, mouse movements, or personal communications.
- We do not collect health information or store payment card numbers.
Children's Privacy
- The Service is not intended for children under 16. In the EU, we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided personal data, please contact us to have it deleted.
Changes to This Policy
- We may update this policy and will revise the "Last updated" date above. We may provide additional notice for material changes.
Contact
- Email: support@zlothai.com