Privacy Policy

Last updated: April 16, 2026

What we collect

  • Account info — your name, email address, and a hashed password (we never store your password in plain text)
  • Project data — projects, cards, notes, and any content you create within Zoku
  • Session data — a session cookie to keep you logged in

What we don't collect

  • No tracking cookies or analytics (yet)
  • No advertising data
  • We don't sell or share your data with third parties

Third-party services

We use the following services to run Zoku:

  • Railway — hosting and database (your data is stored on their infrastructure)
  • Resend — transactional emails (verification, password reset)

These services have their own privacy policies. We only share the minimum data needed for them to function (e.g., your email address for sending verification emails).

Data retention & deletion

Your data is kept as long as your account exists. When you delete your account, all associated data is permanently deleted — projects, cards, notes, sessions, and tokens. This deletion is immediate and irreversible.

Security

Passwords are hashed with bcrypt. Sessions are managed via HTTP-only cookies. OAuth tokens are stored as SHA-256 hashes. All connections use HTTPS in production.

Your rights

You can access, update, or delete your personal data at any time through the app's settings page. If you need help with anything data-related, contact us.

Changes

If we change this policy, we'll update the date at the top and notify you via email or in-app notice for significant changes.

Contact

Questions about your privacy? Reach out at hello@zoku.dev.