Privacy Policy
Last updated May 2026
This Privacy Policy explains what information Zaffa ("Zaffa", "we", "us") collects when you use zaffa.ai or any related service, why we collect it, who we share it with, and the choices you have. It applies to clients planning an event, planners and vendors offering their services, and visitors to our public pages. By using Zaffa you accept the practices described here.
Who we are
Zaffa is operated from Paris, France. For privacy questions, data subject requests, or to reach our designated privacy contact, email privacy@zaffa.ai. If we work with a separate data protection officer in your jurisdiction, we will name them in this section.
Information we collect
We collect three categories of information: information you give us directly, information generated as you use the platform, and information from third parties that help us run it.
- Account details: name, email, phone, profile photo, role (client / planner / vendor), preferred language, time zone, and — for professionals — business name, license / commercial registration numbers, bank or wallet details used for payouts.
- Event details you create: title, type, date, venue, budget, guest count, style preferences, AI prompts, and any uploaded inspiration, mood boards, or generated designs.
- Payment information: amounts, currency, payer, payee, payment schedule, refund and dispute history, and Stripe identifiers (customer, payment intent, charge, refund). Card numbers, CVV, and bank details are handled by Stripe under its own privacy policy and are never stored on Zaffa servers.
- Messages, files, and proposals exchanged through the platform between clients, planners, and vendors. We may scan messages for fraud, spam, and policy violations.
- Usage and device data: pages visited, features used, referrer, approximate IP-based location, browser and device metadata, crash reports, and timestamps. We collect this through Vercel Analytics, Vercel Speed Insights, PostHog (product analytics, feature flags, optional session replay), and — when enabled — Sentry (error monitoring).
- Cookies and similar technologies: a strictly necessary session cookie for authentication, a small set of preference cookies (language, theme), and analytics cookies. Where required by law, non-essential cookies only run after consent.
How we use information
We use the information described above only for the purposes set out below. The legal bases we rely on are contract performance (to provide what you signed up for), our legitimate interest (to keep the platform safe and to improve it), legal obligation (tax, accounting, anti-fraud), and your consent (for optional emails, AI processing of sensitive prompts, and non-essential cookies).
- To connect clients with planners and vendors that match the event brief, including AI-assisted matching, design generation, and prospect qualification.
- To process payments, payouts, refunds, and disputes through Stripe, and to keep accurate financial records.
- To prevent fraud, abuse, account takeovers, and unauthorized access, and to enforce our Terms of Service.
- To send transactional emails about your account, events, payments, and messages. Marketing or product update emails are sent only if you opt in, and you can unsubscribe from any email footer or from the in-app notification preferences page.
- To understand how the product is used, A/B test changes, prioritise improvements, and reproduce bugs. Aggregated, non-identifying analytics may be retained indefinitely.
AI processing
Some features (venue designer, mood boards, prompt suggestions, vendor outreach drafts) send the prompts and reference images you provide to AI providers, currently OpenAI and — for video — fal.ai or compatible providers, under agreements that prohibit the provider from training their models on your data. Generated outputs are stored against your account and can be deleted from the relevant page. Do not enter information you would not want included in a generated design.
Who we share data with
We share the minimum amount of data needed to operate the service. Sharing falls into four buckets:
- Service providers who process data on our instructions: Supabase (database, authentication, realtime), Stripe (payments and refunds), Cloudinary (image and video storage), Resend (transactional email), Upstash (rate-limiting, queues, cache), OpenAI and OpenRouter (AI generation), Vercel (hosting, analytics, speed insights), PostHog (product analytics, feature flags), Sentry (error monitoring), and Cloudflare (edge proxy). Each is bound by a data processing agreement.
- Other users you choose to interact with: a planner you message, a vendor you engage, an admin reviewing a dispute. We never share your private contact details outside the platform without your action.
- Authorities and legal counsel when we are required to comply with law, a valid court order, or to protect our rights, your safety, or the safety of others.
- A successor entity in the unlikely event of a merger, acquisition, or asset sale. We will notify users and give them a chance to opt out where the law requires it.
We do not sell personal information and do not share it for cross-context behavioural advertising.
International transfers
Some of our processors are located outside the European Economic Area — primarily in the United Kingdom and the United States. Where we transfer personal data outside your country we rely on the recipient's adequacy status, Standard Contractual Clauses, or another approved transfer mechanism, and apply additional technical safeguards (encryption in transit and at rest).
How long we keep data
We keep account data for as long as your account is active. When you delete your account we mark it for deletion immediately and remove personal data within 30 days, except where we are required to retain it for legal, tax, accounting, or anti-fraud reasons (typically completed payment records for up to 10 years). Server logs are retained for up to 90 days. Anonymised analytics may be kept indefinitely.
Security
We protect data with TLS in transit, encryption at rest where supported, role-based access controls, audit logs on admin tools, regular dependency upgrades, and least-privilege secrets management. No system is perfectly secure — if you believe your account has been compromised, contact security@zaffa.ai immediately.
Your rights
Depending on where you live (notably under the EU/UK GDPR or similar laws) you may have the right to access the personal data we hold about you, correct it, delete it, restrict or object to its processing, withdraw consent, receive a portable copy, and lodge a complaint with your local data protection authority — for users in France, the CNIL (cnil.fr). You can exercise most of these rights yourself: profile updates and account deletion live in Settings, and any email contains an unsubscribe link. For other requests, email privacy@zaffa.ai and we will respond within 30 days.
Children
Zaffa is not directed at people under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@zaffa.ai and we will delete it.
Changes to this policy
We will update this policy as the product evolves. Material changes will be highlighted on this page and, where appropriate, notified by email or in-app banner before they take effect. The "last updated" date at the top always reflects the most recent revision.
Contact
Privacy questions: privacy@zaffa.ai. General support: hello@zaffa.ai. Postal address available on request.