Zelect
Create free storefront

Legal

Privacy Policy

Last updated: 19 May 2026.

1. Who we are

Zelect is an affiliate storefront builder. In this policy, "Zelect", "we" and "our" refer to the controller of the personal data processed on the platform. For questions or to exercise your rights, contact us at support@zelect.io.

2. Data we collect

We collect the following categories of personal data:

  • Account data: email address and password (stored as a bcrypt hash, never in plain text).
  • Usage data: pages visited, products created, store settings and platform interactions.
  • Technical data: IP address, browser user-agent, device identifiers and access logs.
  • Payment data: subscription information processed by Stripe. We do not store credit card data — it stays exclusively with Stripe.
  • Attribution metadata (consent-gated): UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term), Meta click identifier (fbclid) and the sign-up origin URL. Collected only when the user consents to advertising data use.

3. Purposes of processing

  • Service provision: account creation, authentication and platform operation.
  • Security: fraud prevention, detection of unauthorised access and account protection.
  • Operational communications: sending verification codes (OTP), account notifications and support.
  • Service improvement: aggregated usage analysis to enhance features.
  • Advertising (consent-gated only): measuring the effectiveness of Meta (Facebook and Instagram) advertising campaigns and ad optimisation. This purpose is only activated with explicit consent given during sign-up.

4. Legal basis

  • Performance of contract: processing necessary to deliver the contracted service.
  • Legal obligation: when required by applicable law or regulation.
  • Legitimate interests: security, fraud prevention and operational communications.
  • Consent: marketing cookies, Meta Pixel, Meta Conversions API and attribution metadata storage. Consent is always voluntary, specific and may be withdrawn at any time.

5. Advertising tracking (Meta Pixel and Conversions API)

With your consent, we use the following Meta Platforms, Inc. technologies:

  • Meta Pixel (browser-side): a JavaScript snippet that records page visits and conversion events. It sets cookies _fbp (browser identifier, valid 90 days) and _fbc (ad click identifier, valid 90 days) on the .zelect.io domain. Only activated after consent is given in the cookie banner or sign-up form.
  • Meta Conversions API (server-side): complements the Pixel by sending events directly from our server to Meta for more accurate attribution. Data sent includes: SHA-256-hashed email (never in plain text), SHA-256-hashed internal user identifier, click identifier (fbclid, when available) and IP address. Only activated when the user consents to marketing tracking during sign-up.

Events tracked: CompleteRegistration (sign-up completed) and Purchase (paid plan subscription). No event is sent without explicit consent.

To withdraw marketing consent, visit your account settings or email support@zelect.io. Withdrawal prevents future transmissions but does not delete events already recorded at Meta — for that, refer to Meta's Privacy Policy.

6. Data sharing

  • Stripe, Inc. (USA): payment processing and subscription management.
  • Meta Platforms, Inc. (USA) — consent-gated: attribution data and conversion events for ad campaign optimisation.
  • Infrastructure providers: hosting, storage and transactional email delivery (e.g. Mailgun), strictly necessary for operations.
  • Competent authorities: when required by law, court order or applicable regulation.

We do not sell personal data to third parties.

7. International data transfers

Data shared with Stripe and Meta is transferred to servers in the United States. These transfers occur on the basis of standard contractual clauses and the privacy policies of those providers, which adhere to the EU-U.S. Data Privacy Framework and adopt equivalent protection measures. You can review the privacy policies of Stripe and Meta for more information.

8. Data retention

  • Account data: retained while the account is active. After closure, retained for up to 5 years to meet legal and tax obligations.
  • Attribution and marketing metadata (UTMs, fbclid): retained while the account is active. Deleted together with the account upon deletion request.
  • Access logs: retained for up to 6 months as required by law.
  • Payment data: retained in accordance with Stripe's policy and applicable tax requirements.

9. Security

We apply technical and organisational controls to protect your data: TLS encryption in transit, bcrypt password hashing, deterministically-encrypted email storage, two-factor authentication by default (OTP), network-restricted database access and internal access auditing.

10. Your rights

You have the right to:

  • Confirmation that your data is being processed and access to it;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymisation, blocking or deletion of unnecessary data or data processed unlawfully;
  • Data portability to another service provider;
  • Deletion of data processed on the basis of consent;
  • Information about third parties with whom data has been shared;
  • Withdrawal of consent at any time;
  • Objection to processing in the event of non-compliance.

To exercise any right, contact us at support@zelect.io. We will respond within 15 business days.

11. Data Protection Officer

Our Data Protection Officer can be contacted at support@zelect.io.

12. Changes to this policy

We may revise this Policy periodically. Material changes will be communicated by email or in-platform notification at least 15 days in advance. The current version will always be published on this page with the effective date.

Terms of UseCookie Policy
Privacy Policy | Zelect