Privacy Policy
Last updated: May 15, 2026
This Privacy Policy describes how Zloth ("we," "us," or "our") collects, uses, and shares information when you use the Zloth Chrome extension, our website, and related services (the "Service").
Controller
The data controller responsible for processing your personal data is:
Alexander Specht
Teutoburger Str. 31
50678 Köln, Germany
Email: support@zlothai.com
Overview
- We collect only what we need to provide summaries, sync, and credits.
- We do not sell your data. We do not use your account or summary content from the Service for third-party advertising. If you accept analytics cookies on our website, third-party tools may measure visits and ad performance as described under "Cookies and measurement on our website."
- We share data only with service providers and for legal, security, or business-transfer reasons.
- You can delete summaries and folders in the extension, and request account deletion by email.
Cookies and measurement on our website
On zlothai.com we may use cookies and similar technologies if you opt in via our cookie banner:
- Google Analytics (Google Ireland Limited / Google LLC) to understand aggregated traffic and usage of the site.
Legal basis: Art. 6(1)(a) GDPR — your consent.
- TikTok Pixel (TikTok Technology Limited and partners) to measure ad effectiveness and related website activity (for example page views) in connection with TikTok advertising.
Legal basis: Art. 6(1)(a) GDPR — your consent.
If you click Decline, these tags are not loaded. You can withdraw consent at any time by clearing site data for zlothai.com in your browser (the banner will appear again on your next visit unless we add a dedicated preference center).
If you interact with promotional buttons or links on the site (for example installing the extension or starting checkout for Premium), we may send standard TikTok events such as Download and InitiateCheckout, with product-style metadata to tell those actions apart when you have accepted analytics cookies above.
For international transfers by these website vendors, see International Data Transfers below; their terms and product documentation describe further details and opt-out options where available.
Information We Collect and Legal Basis
- Account data: Email address and basic profile details used to create and manage your account.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
- Authentication: OAuth access and refresh tokens to keep you signed in. Tokens are stored locally on your device and used to authenticate API requests.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
- Video data you choose to summarize: YouTube video URL, title, thumbnail, duration, prompt type, custom prompt text (if provided), folders, read status, and generated summaries.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
- Usage and credits: Request timestamps and credit ledger events to enforce free/premium limits and show remaining credits.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
- Service logs: IP address, user agent, timestamps, and error logs for security, debugging, and abuse prevention.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in maintaining security and preventing abuse.
- Payments: Stripe processes payment information. We do not store card numbers. We may store Stripe session/customer identifiers and plan status.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
- Timezone: Used to localize account features such as credit resets.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
How We Use Information
- Provide authentication, summaries, and cross-device sync.
- Operate free and premium credit limits and show balances.
- Process payments and manage subscriptions through Stripe.
- Maintain security, prevent abuse, and troubleshoot issues.
- Improve the Service using aggregate and error data.
Sharing and Disclosure
- Service providers: Supabase (auth/database), hosting providers, Google (OAuth), Stripe (payments), and AI model providers used to generate summaries. They process data only to provide the Service. If you consent on our website, Google Analytics and TikTok may also receive technical and usage data from that site as described above.
- Legal and safety: We may disclose information to comply with law, enforce terms, or protect rights, property, or safety.
- Business transfers: If we enter a merger, acquisition, or asset sale, data may transfer as part of that transaction.
- No sale: We do not sell your personal data. Measurement and ad-related processing on the website, when enabled, is based on your consent rather than sale of data.
Security
- Data is transmitted over HTTPS.
- Tokens are stored locally on your device; backend data is protected by our providers with appropriate controls.
- We apply access controls and least-privilege principles to our services.
Data Retention and Deletion
- We retain account and summary data while your account is active to provide the Service.
- You can delete summaries and folders in the extension at any time.
- You can request account deletion by contacting us (see Contact below). We will delete your personal data within 30 days unless retention is required by law.
- Service logs may be retained for up to 90 days for security, fraud prevention, and legal compliance.
International Data Transfers
- Some of our service providers (including Supabase and Stripe) may process data outside the European Economic Area (EEA), in particular in the United States.
- Where transfers occur outside the EEA, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, or an adequacy decision by the European Commission where applicable.
- You may request a copy of the applicable transfer safeguards by contacting us.
Automated Decision-Making and Profiling
- We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.
- Credit limits are enforced automatically based on usage thresholds defined in your subscription tier; this does not constitute profiling in the sense of Art. 22 GDPR.
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18 GDPR): Request that we restrict processing of your data in certain circumstances.
- Data Portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.
- Objection (Art. 21 GDPR): Object at any time to processing based on our legitimate interests (Art. 6(1)(f) GDPR), including objection to processing of service logs for security purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@zlothai.com. We will respond within one month.
Right to Lodge a Complaint
If you believe we are processing your personal data in violation of applicable data protection law, you have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
www.ldi.nrw.de
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
Chrome Web Store "Limited Use" Commitments
- Data and permissions are used only to provide and improve summarization, folders, credits, and sync.
- Data is shared only with service providers, for legal compliance, or for business transfers.
- We do not use or transfer data for personalized advertising.
- Human access is limited to support, security, legal compliance, or aggregated/anonymized operations.
Permissions We Request (Purpose-Limited)
- activeTab: Interact with the current YouTube tab after you click the extension.
- tabs: Find open youtube.com tabs to send updates. We do not read general browsing history.
- storage: Save settings, summaries, folders, and auth tokens on your device.
- identity: Google sign-in via Supabase to authenticate your account.
- windows: Open OAuth and Stripe checkout/billing windows.
- Host permissions: YouTube to show the summarize button; backend/API domains for summaries and sync; Google OAuth; Stripe for payments. We request the minimum scope needed.
Data We Do Not Collect
- We do not collect general web browsing history; only the YouTube video URLs you choose to summarize.
- We do not collect keystrokes, mouse movements, or personal communications.
- We do not collect health information or store payment card numbers.
Children's Privacy
- The Service is not intended for children under 16. In the EU, we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided personal data, please contact us to have it deleted.
Changes to This Policy
- We may update this policy and will revise the "Last updated" date above. We may provide additional notice for material changes.
Contact
- Email: support@zlothai.com