Privacy Policy
Ziggy AI Marketing Assistant by DemandKraft
1. Introduction
This Privacy Policy describes how DemandKraft ("we," "us," or "our") collects, uses, stores, and shares information when you use Ziggy, our AI-powered marketing assistant platform (the "Service").
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
- Email address — required for registration, login, and transactional communications.
- Password — stored exclusively as a bcrypt hash; we never store or access your plaintext password.
- Google account information (optional) — if you sign in with Google, we receive your Google user ID, email, and display name from Google's OAuth service.
2.2 Business Profile Information
During onboarding and ongoing use, you provide business details that power the AI assistant's personalized recommendations:
- Business name, description, industry vertical, founding year, employee count
- Contact information: owner name, phone, email, website, booking URL
- Physical address and service areas
- Operating hours (including emergency availability)
- Services offered
- Brand voice preferences (tone, personality, key phrases, values)
- Marketing goals, budget range, timeline, and capacity constraints
- Marketing history (past wins, failures, active platforms)
- Content preferences and competitor information
2.3 Conversation Data
- Chat messages — all messages exchanged between you and the AI assistant.
- AI-generated summaries — the Service automatically generates conversation summaries, extracts topics, action items, preferences, and facts to improve future interactions.
- Memory files — long-term memory documents maintained per business to provide continuity across conversations.
2.4 Google Business Profile Data (Optional)
If you choose to connect your Google Business Profile, we access and store:
- Business listing details (name, categories, attributes, hours, description, photos, posts)
- Customer reviews and your responses
- Performance metrics (views, calls, direction requests, website clicks)
- OAuth access and refresh tokens (encrypted at rest with Fernet symmetric encryption)
You can disconnect your Google Business Profile at any time through the Service.
2.5 Website Audit Data (Optional)
If you provide your website URL, the Service may crawl your publicly accessible website to collect page structure, content, metadata, technical details (SSL status, CMS platform, mobile-friendliness), and SEO analysis data. Our crawler identifies itself as DemandKraftBot/1.0 and respects robots.txt directives.
2.6 Billing Information
- We store your Stripe customer ID, subscription ID, plan selection, and billing status.
- We do NOT store credit card numbers, bank account details, or other payment instruments — all payment processing is handled directly by Stripe.
- Stripe webhook events (subscription changes, invoice status) are logged for billing integrity.
2.7 Technical & Usage Data
- API usage logs — token counts, estimated costs, model used, and latency for cost management (these logs do not contain message content).
- Session data — JWT token identifiers, session timestamps, and revocation status.
- Rate limiting data — request counts per hourly window.
3. How We Use Your Information
- Provide the Service — deliver personalized AI marketing advice based on your business profile, conversation history, and connected data sources.
- Maintain conversation continuity — generate summaries and memory extractions so the AI assistant remembers your context across sessions.
- Sync with Google Business Profile — pull performance data and push approved changes to your GBP listing (only when you explicitly authorize each action).
- Process payments — manage subscriptions, trials, and billing through Stripe.
- Send transactional emails — email verification, password reset, and critical account notifications only (we do not send marketing emails).
- Maintain security — authenticate users, prevent fraud, enforce rate limits, and audit access.
- Improve the Service — analyze aggregated, de-identified usage patterns to optimize performance.
4. How We Share Your Information
We do not sell your personal information. We share data with third parties only as necessary to provide the Service:
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude API) | Chat messages, business profile context, conversation history, memory content | AI assistant responses and conversation summarization |
| OpenAI | Conversation summary text (for embedding generation) | Vector embeddings for knowledge retrieval |
| OAuth credentials; business profile data (bidirectional sync) | Google sign-in; Google Business Profile integration | |
| Stripe | Email, business ID, subscription details | Payment processing and subscription management |
| Resend | Email addresses, email content (verification/reset links) | Transactional email delivery |
| Railway | All application data (infrastructure provider) | Application hosting and database infrastructure |
We may also disclose information if required by law, legal process, or to protect the rights, property, or safety of DemandKraft, our users, or the public.
5. Cookies and Similar Technologies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
access_token |
JWT authentication — identifies your session | 24 hours | Strictly necessary (HttpOnly) |
session |
Signed session cookie for OAuth flow state | Browser session | Strictly necessary |
We do not use any third-party tracking cookies, analytics scripts, advertising pixels, or similar tracking technologies.
6. Data Security
We implement industry-standard security measures to protect your information:
- Passwords — hashed with bcrypt (never stored in plaintext).
- OAuth tokens — encrypted at rest with Fernet symmetric encryption.
- Authentication — JWT tokens with HMAC-SHA256 signatures and session revocation capability.
- Transport security — HTTPS/TLS encryption enforced in production.
- Cookie security — HttpOnly flag, SameSite=Lax, Secure flag in production.
- CSRF protection — cryptographically random, single-use state tokens for all OAuth flows.
- Rate limiting — enforced on authentication endpoints to prevent brute-force attacks.
- Token security — verification and password reset tokens use selector/verifier split with SHA-256 hashing and constant-time comparison.
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while your account is active |
| Business profile | Retained while the business exists in the system |
| Conversations and messages | Retained while your account is active |
| Conversation memories and files | Retained while the business exists |
| GBP audit history and performance metrics | Retained for historical tracking while business exists |
| Website audit data | Retained while the business exists |
| Subscription and billing records | Retained while account is active; Stripe event logs retained for audit |
| Email verification tokens | 24 hours (automatically deleted) |
| Password reset tokens | 1 hour (automatically deleted) |
| OAuth state tokens | 10 minutes (consumed on use) |
| Expired sessions | Cleaned up 7 days after expiration |
| Database backups | 7 days (hot), 30 days (daily), 90 days (disaster recovery) |
8. Your Rights and Choices
- Access — view your business profile, conversation history, and connected integrations through the Service interface.
- Correction — update your business profile information at any time via the profile settings page.
- Disconnect integrations — disconnect your Google Business Profile at any time, which revokes our access to your GBP data.
- Account deletion — request deletion of your account and all associated data by contacting support. Upon deletion, we remove your user record and all linked data from our active database. Data may persist in encrypted backups for up to 90 days per our retention schedule.
- Email opt-out — we only send transactional emails required for Service operation; there are no marketing emails to opt out of.
8.1 California Residents (CCPA)
If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; and non-discrimination for exercising your privacy rights. We do not sell personal information.
8.2 EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you may have additional rights including: access, rectification, erasure, restriction, and portability of your personal data; objection to processing based on legitimate interests; and the right to lodge a complaint with your local data protection authority. Our lawful bases for processing include contract performance, legitimate interests (security, service improvement), and consent (optional integrations).
9. Children's Privacy
Ziggy is a business-to-business service designed for marketing professionals and business owners. The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.
10. International Data Transfers
Your information may be processed in the United States and other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to jurisdictions that may have different data protection laws than your jurisdiction of residence. We ensure appropriate safeguards are in place with our service providers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by posting a prominent notice within the Service. The "Last Updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: privacy@ziggysays.com