Legal

Privacy Policy

Last updated: May 17, 2026

Zawiya ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. It applies to all users of the Zawiya platform — Photographers and their Clients.

1. Information We Collect

Account information. When you sign up we collect your name, email address, and a hashed password. Photographers may also provide a profile photo, bio, and website URL.

Payment information. We do not store your credit card or bank details. Payment processing is handled entirely by Paddle. We receive transaction records including amounts, dates, and Paddle-assigned identifiers.

Content you upload. Photographers upload photos and gallery metadata (titles, descriptions, settings). This content is stored on Cloudinary's infrastructure.

Client data. When a Client views or purchases from a gallery, we may collect their email address (provided voluntarily) and purchase records.

Usage data. We automatically collect analytics events such as gallery views, page interactions, and feature usage. This data is associated with your account and used to improve the platform.

Technical data. We collect standard server logs including IP addresses, browser type, and referring URLs for security and debugging purposes.

2. How We Use Your Information

  • Provide, operate, and improve the Zawiya platform.
  • Process payments and send receipts via Paddle.
  • Send transactional emails (account confirmations, gallery share links, billing receipts).
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.
  • Send product updates and announcements (you can opt out at any time).

3. Third-Party Services

We share data with the following trusted third parties to operate the service:

  • Supabase — authentication and database hosting (EU region).
  • Cloudinary — image storage, processing, and delivery.
  • Paddle — payment processing and Merchant of Record services. Paddle handles all payment card data and is PCI DSS compliant.
  • Vercel — hosting and edge delivery of the web application.

We do not sell your personal data to third parties or use it for advertising purposes.

4. Cookies

We use essential cookies to manage your login session and keep you authenticated. We do not use third-party advertising or tracking cookies. You can disable cookies in your browser settings, but doing so will prevent you from logging in.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data and galleries are scheduled for deletion within 30 days. Transaction records may be retained for up to 7 years to comply with financial regulations.

6. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (right to be forgotten).
  • Export your data in a portable format.
  • Object to certain types of processing.

To exercise any of these rights, contact us at privacy@zawiya.app. We will respond within 30 days.

7. Data Security

We use industry-standard security measures including HTTPS encryption, hashed passwords, row-level security in our database, and regular security reviews. However, no system is completely secure and we cannot guarantee absolute security.

8. Children's Privacy

Zawiya is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or in-app notice. Continued use of Zawiya after changes constitutes acceptance.

10. Contact

Privacy questions or requests: privacy@zawiya.app