Privacy & Cookie Policy

Last Updated: 14 March 2026

This Privacy & Cookie Policy ("Policy") describes how ZF Solutions AB (reg. no. 559439-8116), trading as Zellify ("Zellify", "we", "our", "us"), collects, uses, stores, shares, and protects personal data when you use our website at zellify.app and the Zellify platform (collectively, the "Service").

Registered address: Minkvägen 46, 191 39 Sollentuna, Sweden

We comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Swedish Data Protection Act, the California Consumer Privacy Act ("CCPA"), the Health Insurance Portability and Accountability Act ("HIPAA"), and other applicable privacy laws. By using the Service, you acknowledge that you have read and understood this Policy.

For a detailed overview of our security controls, compliance certifications, and subprocessors, visit our Trust Center.


1. Data We Collect

We collect the following categories of personal data:

1.1 Account & Profile Data

Information you provide when creating an account or updating your profile:

  • Full name
  • Email address
  • Company or organisation name
  • Hashed password (we never store passwords in plain text)

1.2 Usage & Device Data

Information collected automatically when you interact with the Service:

  • IP address
  • Browser type and version
  • Operating system and device type
  • Pages visited, session duration, clicks, and interactions
  • Referring URL

1.3 Payment & Billing Data

Payment information is processed securely by our third-party payment providers (Stripe, Paddle). We do not store full credit card numbers. We may receive and store:

  • Billing name and address
  • Transaction history and subscription status
  • Last four digits of payment method

1.4 Communication Data

Information you provide when contacting us:

  • Support tickets and messages
  • Feedback and survey responses
  • Contact form submissions

1.5 Third-Party Advertising Platform Data

When you connect advertising platform accounts to Zellify, we access and collect data from those platforms via their APIs. The data collected varies by platform but generally includes:

  • Account information: Ad account name, ID, status, and associated business details.
  • Campaign data: Campaign names, objectives, statuses, budgets, schedules, and bid strategies.
  • Ad set / ad group data: Targeting settings (demographics, interests, behaviors, locations, custom audiences), placements, optimisation goals, and delivery status.
  • Ad data: Ad creatives (images, videos, copy, headlines, descriptions), format, preview links, and status.
  • Performance metrics: Impressions, reach, clicks, click-through rates, conversions, cost-per-result, return on ad spend (ROAS), frequency, and other reporting metrics.
  • Audience data: Custom audience names, sizes, and types (excluding the underlying user-level data within those audiences).
  • Page data: Page names and IDs associated with your ad account (where applicable).

Meta (Facebook / Instagram): We access data through the Meta Marketing API with the following permissions: ads_read, ads_management, business_management, pages_show_list, pages_read_engagement, and public_profile, as well as Ads Management Standard Access.

TikTok Ads: We access campaign, ad group, ad, and performance data through the TikTok Marketing API.

Google Ads: We access campaign and performance data through Google's advertising APIs.

1.6 Attribution Data We Send to Platforms

Zellify sends real-time conversion and attribution events (such as sign-ups, purchases, and subscription events) from your published funnels back to your connected advertising platforms. This allows the platforms to optimise ad delivery and accurately report on campaign performance. Data sent may include event type, event time, transaction value, and anonymised user identifiers. This data flows to:

  • Meta via the Conversions API (CAPI).
  • TikTok via the TikTok Events API.
  • Google via Google Analytics / Google Tag Manager.

1.7 End User Data (Funnel Visitors)

When end users interact with funnels you have published through Zellify, we collect data on your behalf as a data processor. This may include:

  • Form and quiz responses: Answers, selections, and inputs provided by end users during funnel flows.
  • Device and browser data: IP address, browser type, operating system, screen resolution, and referring URL.
  • Funnel interaction data: Pages viewed, drop-off points, time on page, and button clicks.
  • Payment data: When end users make purchases through your funnels, payment is processed by your connected Stripe or Paddle account. Zellify receives transaction confirmation data (amount, currency, subscription status) but does not receive or store full payment card details of your end users.

You, as the funnel owner, are the data controller for this end user data. You are responsible for providing appropriate privacy disclosures and obtaining any necessary consents from your end users.

1.8 Data Collected via Cookies and Tracking

See Section 8 — Cookies and Tracking Technologies for details on data collected through cookies, Google Analytics, and PostHog.


2. How We Use Your Data

We process your personal data for the following purposes:

Purpose | Data categories used
Providing and operating the Service (funnel builder, editor, hosting, publishing) | Account data, usage data, your content
Hosting and serving your published funnels to your end users | Your content, end user data
Displaying and analysing advertising performance across connected platforms (Meta, TikTok, Google) | Advertising platform data
Performing ad management actions on your behalf (creating, editing, pausing campaigns, modifying budgets, changing ad creatives) | Advertising platform data, account data
Sending real-time attribution and conversion events to your connected ad platforms | End user data (anonymised), advertising platform data
Running A/B tests and experiments on your funnels | End user data, usage data
Processing payments from your end users through your Stripe or Paddle account | End user payment data (transaction confirmations only)
AI-powered analysis, funnel generation, and advertising insights | Advertising platform data, your content, usage data
Syncing subscription entitlements with RevenueCat | End user subscription data
Sending data to your connected CRM and marketing tools (Klaviyo, Mailchimp) | End user data, account data
Routing events to your connected analytics and workflow tools (Amplitude, Zapier, Segment) | End user data, usage data
Billing, invoicing, and subscription management for your Zellify account | Payment data, account data
Communicating with you about service updates, security alerts, and support | Account data, communication data
Improving and optimising the Service | Usage data, device data
Preventing fraud, abuse, and ensuring platform security | Usage data, account data, IP address
Complying with legal and regulatory obligations | All categories as required

3. Legal Bases for Processing (GDPR)

Under the GDPR, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — Processing necessary to provide you with the Service, including hosting your funnels, accessing and managing your connected advertising accounts as you instruct, processing attribution events, and running A/B tests.
  • Legitimate interests (Art. 6(1)(f)) — Product improvement, fraud prevention, platform security, and analytics. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)) — For non-essential cookies, marketing communications, newsletters, and the use of AI-powered analysis features. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — Where processing is required to comply with tax, accounting, or other regulatory requirements.

4. Meta Platform Data — Special Provisions

This section specifically addresses data collected from the Meta platform in accordance with Meta's Platform Terms and Developer Policies.

4.1 What We Do with Meta Data

We use data obtained from the Meta Marketing API to:

  • Display your ad account performance data within the Zellify dashboard.
  • Execute campaign management actions you initiate through Zellify (creating, editing, pausing, or deleting campaigns, ad sets, and ads; adjusting budgets and schedules; updating ad creatives).
  • Generate AI-powered insights and recommendations to help you optimise your advertising performance.

4.2 AI Processing of Meta Data

We use Anthropic's Claude AI models to analyse your Meta advertising data and provide insights, recommendations, and summaries. When your data is sent to Anthropic for processing:

  • Data is transmitted securely via encrypted connections.
  • Anthropic processes the data solely to generate responses for your use within Zellify.
  • We do not permit Anthropic to use your data to train their AI models.
  • Only aggregated campaign and performance data is sent — we do not send personal information of individuals within your audiences.

4.3 Data Storage and Retention

  • Meta platform data is stored on our servers to provide the Service.
  • Some data is fetched and displayed in real time directly from Meta's API; other data is cached or stored to enable historical analysis and reporting.
  • Meta data is retained for as long as your account is active and your Meta account remains connected, unless you request deletion (see Section 7).
  • When you disconnect your Meta account from Zellify, we stop fetching new data from Meta. Previously stored data is retained until you request its deletion.

4.4 No Sale of Meta Data

We do not sell, license, or otherwise commercially distribute any data obtained from the Meta platform to third parties. Meta platform data is used exclusively to provide the Service to you.


5. Data Sharing and Third-Party Processors

We share personal data only with the following categories of recipients, and only to the extent necessary:

Recipient | Purpose | Data shared
Meta Platforms, Inc. | Ad management and attribution (Conversions API) | Campaign instructions, conversion events
TikTok | Attribution (Events API) | Conversion events, anonymised user identifiers
Google | Attribution (Analytics / Tag Manager) | Conversion events, anonymised browsing data
Anthropic | AI-powered analysis, funnel generation, and insights | Aggregated campaign/performance data, funnel content
Amazon Web Services (AWS) | Cloud infrastructure and data storage | All categories (encrypted)
Supabase | Database hosting and authentication | Account data, platform data
Vercel | Application hosting and deployment | Usage data, access logs
PlanetScale | Database services | Account data, platform data
GitHub | Code hosting and build security | No customer personal data
Stripe / Paddle | Payment processing (your account and your end users') | Payment and billing data
RevenueCat | Subscription entitlement sync (when connected by you) | End user subscription status
Klaviyo / Mailchimp | CRM and email marketing (when connected by you) | End user data, event data
Amplitude | Analytics (when connected by you) | End user interaction data
Zapier / Segment | Workflow automation and data routing (when connected by you) | Event data as configured by you
Calendly | Appointment scheduling (when embedded in funnels) | End user name, email, booking data
PostHog | Product analytics | Anonymised usage data
Google Analytics | Website analytics (landing page) | Anonymised browsing data
Law enforcement / regulators | Compliance with legal obligations | As legally required

We never sell your personal data.

All third-party processors are bound by data processing agreements (DPAs) that require them to protect your data in accordance with applicable laws. Where processors handle protected health information (PHI), Business Associate Agreements (BAAs) are in place as required by HIPAA.

A full, up-to-date list of our subprocessors is available on our Trust Center.


6. Data Retention

We retain your personal data according to the following principles:

  • Account data: Retained for as long as your account is active. After account deletion, data is removed within 30 days, except where retention is required by law (e.g., tax records may be retained for up to 7 years under Swedish law).
  • Advertising platform data (Meta, TikTok, Google): Retained for the duration of your account and platform connection. Stored data is not automatically deleted when you disconnect a platform — you must request deletion (see Section 7).
  • End user data: Retained for as long as your account is active. You may request deletion of end user data at any time.
  • Funnel content: Your funnels, pages, and components are retained for as long as your account is active.
  • Usage and analytics data: Retained in anonymised form for up to 24 months.
  • Payment data: Retained as required by tax and accounting regulations.
  • Communication data: Retained for up to 24 months after last interaction, unless a longer period is required for legal proceedings.

7. Data Deletion

7.1 Requesting Deletion

You have the right to request deletion of your personal data at any time. To make a request, contact us at:

Email: [email protected]

Please include your account email address and specify what data you would like deleted (e.g., your full account, Meta platform data only, or specific categories). We will process your request within 30 days.

7.2 What Happens When You Delete

When you request full account deletion:

  • Your account and all associated personal data will be permanently deleted.
  • All stored advertising platform data (Meta, TikTok, Google) linked to your account will be permanently deleted.
  • All end user data collected through your funnels will be permanently deleted.
  • Your funnels, pages, and components will be permanently deleted.
  • Payment records may be retained where required by Swedish tax law.
  • Anonymised, aggregated data that can no longer identify you may be retained.

7.3 Disconnecting a Third-Party Platform

When you disconnect any third-party platform (Meta, TikTok, Google, or other integrations) from Zellify without deleting your Zellify account:

  • We immediately stop accessing and fetching new data from that platform.
  • API access tokens for that platform are revoked and deleted.
  • Previously stored data from that platform remains available in your Zellify account unless you request its deletion.

7.4 Platform-Initiated Deletion Requests

If you submit a data deletion request through a connected platform (e.g., via Facebook Settings or TikTok Privacy Settings), we will process the request in accordance with that platform's terms and delete all data derived from that platform associated with your account.


8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service.

8.1 What Are Cookies

Cookies are small text files stored on your device that allow us to recognise your browser, remember preferences, and analyse how the Service is used.

8.2 Types of Cookies We Use

Type | Purpose | Examples
Essential | Required for the site to function (authentication, security tokens, session management) | Login session, CSRF tokens
Analytics | Help us understand how users interact with the Service | PostHog (in-app), Google Analytics (landing page)
Functional | Remember your preferences and settings | Language, theme, dashboard layout

8.3 Consent

When you first visit our site, you will be asked to consent to non-essential cookies. You can change your preferences at any time through the cookie settings or your browser settings.

Essential cookies cannot be disabled as they are strictly necessary for the Service to function.

8.4 Google Analytics

We use Google Analytics on our landing page to understand website traffic and visitor behaviour. Google Analytics uses cookies to collect anonymised data such as pages visited, time on page, and referral source. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

8.5 PostHog

We use PostHog for product analytics within the Zellify application. PostHog collects anonymised interaction data to help us improve the user experience.


9. International Data Transfers

ZF Solutions AB is based in Sweden (EU). Some of our processors and infrastructure providers are located outside the European Economic Area ("EEA"), including in the United States.

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where the European Commission has determined that the receiving country provides adequate data protection.
  • Additional technical and organisational measures where necessary (e.g., encryption in transit and at rest).

10. HIPAA Compliance

Zellify is compliant with the Health Insurance Portability and Accountability Act (HIPAA). We maintain administrative, physical, and technical safeguards to protect electronic protected health information (ePHI) in accordance with the HIPAA Security Rule and Privacy Rule.

10.1 Safeguards

Our HIPAA compliance programme includes 74 security controls spanning:

  • Administrative safeguards: Information security policies, security roles and responsibilities, workforce training (including ePHI privacy training), incident response procedures, and risk management with annual risk assessments.
  • Physical safeguards: Secure workstation configuration, removable media controls, visitor management, and cloud provider physical access reviews.
  • Technical safeguards: Encryption at rest and in transit, multi-factor authentication, production access management, intrusion detection, centralized log collection and monitoring, vulnerability scanning, and web application firewall protection.

10.2 Business Associate Agreements

Where third-party processors handle ePHI on our behalf, we enter into Business Associate Agreements (BAAs) that require them to implement appropriate safeguards, report breaches within required timelines, and comply with HIPAA requirements.

10.3 Breach Notification

In the event of a breach of unsecured ePHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and (where applicable) the media, in accordance with the HIPAA Breach Notification Rule.

10.4 Emergency Access and Continuity

We maintain business continuity and disaster recovery plans, including emergency ePHI access procedures, backup and restore testing, and emergency operations continuity.

For detailed information about our HIPAA controls and compliance status, visit our Trust Center.


11. Data Security

We implement comprehensive technical and organisational measures to protect your personal data, maintained and monitored through our compliance programme:

  • Encryption: All data is encrypted at rest and in transit (TLS 1.2+). Production encryption keys are managed through secure key management practices.
  • Authentication: Multi-factor authentication is enforced for production systems. Password policies and infrastructure authentication controls are in place.
  • Access control: Production access is restricted on a need-to-know basis, with quarterly access reviews and immediate revocation upon termination.
  • Monitoring: Centralized log collection, login attempt monitoring, intrusion detection systems, and continuous capacity and performance monitoring.
  • Secure development: Source code access controls, code change approval processes, environment separation, and secure development procedures.
  • Vulnerability management: Regular vulnerability scanning and remediation, patch management, and periodic penetration testing.
  • Network security: Firewall rule management, secure connection requirements, and web application firewall (WAF) protection.
  • Endpoint security: Anti-malware protection, removable media controls, and secure workstation configuration.
  • Incident response: Documented incident response procedures, security incident logging, and breach notification processes.
  • Personnel: Employee background checks, confidentiality agreements, security awareness training, and a documented disciplinary process.

Meta API access tokens are stored securely and encrypted. All credentials and secrets are managed through secure storage mechanisms.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. If you discover a security vulnerability, please report it to [email protected].


12. Your Rights

12.1 Rights Under GDPR (EU/EEA/UK Residents)

If you are in the EU, EEA, or UK, you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — Request deletion of your personal data.
  • Right to restrict processing — Request that we limit how we use your data.
  • Right to data portability — Receive your data in a structured, machine-readable format.
  • Right to object — Object to processing based on legitimate interests.
  • Right to withdraw consent — Withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint — File a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se or your local data protection authority.

12.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete your personal information.
  • Opt out of sale — We do not sell personal information. No action is required.
  • Non-discrimination — We will not discriminate against you for exercising your privacy rights.

12.3 Rights Under HIPAA

If your data includes electronic protected health information (ePHI), you have the right to:

  • Access your ePHI that we maintain.
  • Request amendments to your ePHI if you believe it is inaccurate or incomplete.
  • Receive an accounting of disclosures of your ePHI.
  • Request restrictions on certain uses and disclosures of your ePHI.
  • Request confidential communications through alternative means or at alternative locations.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR/HIPAA) or 45 days (CCPA).


13. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.


14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you via email or an in-app notification where appropriate.

We encourage you to review this Policy periodically.


15. Contact Us

For any questions, concerns, or data requests, contact:

ZF Solutions AB
Minkvägen 46, 191 39 Sollentuna, Sweden

Email: [email protected]