Privacy at zigzag: Our Privacy Policy Explained

Most privacy policies are written so the company can satisfy legal requirements. That makes them important, but not always easy to read. This guide is the plain-English version of what zigzag's Privacy Policy means in practice.

If you are using zigzag, you are not just sharing an email address. You are often putting early-stage startup ideas, customer insights, fundraising materials, and strategic thinking into the platform. It is reasonable to want a clear answer to a simple question: what happens to that information?

The short version is that zigzag uses your data to provide the service you signed up for, gives you direct control over key privacy choices, and is intentionally conservative about tracking. The rest of this guide explains the details behind that summary.

Zigzag collects the basic account data you would expect: things like your name, email address, authentication details, subscription and billing records, and messages you send to support. It also stores the business information you put into the product so the platform can generate canvases, validation frameworks, brand assets, MVP requirements, and other outputs.

If you actively connect Google, we may also access the specific Google Workspace permissions needed to create or edit files on your behalf - for example Google Slides for pitch decks, Google Docs for business documents, Google Sheets for financial models, and limited Google Drive access to organize the files zigzag creates.

What matters here is intentionality. Zigzag is not trying to ingest everything about you. It is collecting the information required to authenticate you, operate the product, generate the outputs you asked for, and keep the service running.

We use your data to do the obvious platform work: authenticate your account, generate content, process payments, store project data, and send service communications such as security notices or support responses. Some anonymized or aggregated usage data is also used to improve the product.

There are also clear things zigzag says it does not do. It does not sell your personal data. It does not share Google user data for third-party marketing. It does not use Google user data for advertising. And it does not use your business data to train zigzag's own AI models.

That last point matters because founders often worry that using an AI product means feeding the model that powers it. Zigzag's stated position is the opposite: your business inputs are used to generate the work you asked for, not to build a future model off your startup.

When you use AI-powered features, the business inputs relevant to that feature are sent to OpenAI's API for processing. According to the policy and trust materials, zigzag does not send your name, email address, or other directly identifying personal information to OpenAI as part of that content generation flow.

OpenAI API inputs are processed under data processing terms and, according to zigzag's materials, are not used to train OpenAI's models. They may be retained for a limited period for abuse monitoring and then deleted. That is different from a public chatbot workflow where prompts may be retained or used differently.

Google integrations follow the same principle of minimum necessary use. If you connect Google, the access is there so zigzag can create or edit Slides, Docs, Sheets, and Drive files for you. Zigzag stores tokens securely, does not store your Google password, and says you can revoke that access from your Google account or by deleting your zigzag account.

Zigzag distinguishes between strictly necessary cookies and optional analytics. Strictly necessary cookies are the ones required to keep you signed in and operate the application. Those do not rely on a marketing-style consent model because the service would not work without them.

Everything else is treated more cautiously. Optional first-party analytics only run if you explicitly accept them. If you decline, zigzag says it disables non-essential tracking immediately. The policy and trust materials are also unusually direct about what is not present: no Google Analytics, no Facebook Pixel, and no third-party advertising or tracking cookies.

If you do accept optional analytics, the idea is still restraint rather than surveillance. The trust materials describe first-party analytics collected through zigzag's own systems and limited Sentry replay sampling with text masked and media blocked to help diagnose errors.

Not all data is retained for the same length of time. Account and project data are generally kept for the life of the account and then deleted after a short post-closure window. Security logs and monitoring data are kept for much shorter periods. Billing records stay much longer because tax law requires it.

The practical point is that zigzag does not treat "we keep it forever" as the default. The privacy and trust materials spell out retention periods for categories such as account data, support communications, logs, marketing consent records, and Google OAuth tokens. They also say that some operational data is automatically purged by scheduled retention jobs.

You do not have to email support to exercise the most common controls. The profile area includes self-service data export, account deletion, marketing consent management, and cookie preference management. If you delete your account, zigzag says it will remove your personal data except where law requires specific records to be retained.

If you are in the UK or EU, the familiar GDPR rights apply: access, portability, rectification, erasure, restriction, objection, and the ability to withdraw consent for consent-based processing. Zigzag states that most of these can be exercised directly from the product rather than through a slow manual process.

The policy also points you to the Trust Centre when you want the operational details behind the headline promises. The Privacy Policy tells you what data is collected and what your rights are. The Trust Centre explains things like lawful bases, international transfer safeguards, retention schedules, security measures, and breach handling in more detail.

That separation is useful. The policy is the legal baseline. The Trust Centre is the evidence page. If your question is "what do you collect and what can I do about it?", start with the Privacy Policy. If your question is "how do you actually run this responsibly?", the next guide is the right place.