Zero Ops Oy · Business ID 3606514-8
Privacy Policy
Effective date: 6 March 2026 · Canonical URL: https://microcorp.dev/privacy
1. Definitions
In this Policy, the following terms have the meanings set out below.
| Term | Meaning |
|---|---|
| "We", "Us", "Our" | Zero Ops Oy (Zero Ops Ltd), Business ID 3606514-8, a private limited company incorporated in Finland, the data controller for all Services. |
| "Services" | All websites, web applications, APIs, browser extensions, plugins, and related software operated by Zero Ops Oy, as listed in the introduction above. |
| "User", "You" | Any natural person or legal entity that accesses or uses any Service. |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1). |
| "Content Data" | Text, images, URLs, or other material that You submit to a Service for processing (e.g., content submitted to Quillstone for brand compliance analysis, affiliate URLs submitted to Affiguard). |
| "Usage Data" | Technical data generated automatically when You interact with a Service, including IP addresses, browser type, device identifiers, pages visited, and API request metadata. |
| "GDPR" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. |
| "EEA" | The European Economic Area. |
2. Data Controller
The data controller in respect of all Services is:
Zero Ops Oy (Zero Ops Ltd)
Business ID: 3606514-8
Incorporated in Finland
Email: [email protected]
Under GDPR Art. 37, we are not required to appoint a Data Protection Officer at our current scale of processing. You may direct all privacy enquiries to the privacy contact above.
3. Data We Collect
3.1 Data You Provide Directly
- Account registration data: email address, name, and password (stored as a salted hash) when you create an account via Supabase Auth.
- Profile data: optional display name, avatar URL, and organisation name.
- Content Data: any text, URLs, documents, brand guidelines, or other material you submit to a Service for processing.
- Support communications: messages you send to Us by email or via any in-app support channel.
- Voting and reaction data: choices and reactions you submit on interactive platform Services (PlotTwist, Reakt.click).
3.2 Data Collected Automatically
- Usage Data: IP address (truncated after 24 hours for analytics), HTTP request method and path, response status, request duration, User-Agent string, and referring URL.
- API usage metadata: API key identifier (never the key itself), endpoint called, token consumption, and timestamp — used for rate limiting, billing, and abuse prevention.
- Authentication tokens: short-lived JSON Web Tokens (JWTs) issued by Supabase, stored in memory or a secure HttpOnly cookie, never in localStorage.
3.3 Data from Third Parties
- OAuth identity providers: if you choose to log in with GitHub or Google, we receive your name, email address, and provider user ID from the OAuth exchange. We do not receive your password.
- Paddle (billing): Paddle acts as Merchant of Record for all paid Services. Paddle shares with us a customer ID, subscription status, plan identifier, and billing country. We do not receive or store full payment card data.
3.4 Inferred and Derived Data
- Usage tier and billing status: derived from Paddle subscription events.
- Brand guidelines and compliance profiles: aggregated from Content Data you submit to Quillstone; used solely to improve your brand compliance results and not shared with other Users.
4. How We Use Your Data
We process Personal Data only for the purposes listed below. For each purpose we identify the applicable lawful basis under GDPR Art. 6.
| Purpose | Data categories used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Providing and operating the Services you have requested | Account data, Content Data, API usage metadata, authentication tokens | Art. 6(1)(b) — Performance of a contract |
| Managing your subscription, processing payments, and issuing invoices | Account data, Paddle customer ID, billing country | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(c) — Legal obligation (Finnish Accounting Act, Ch. 2) |
| Security monitoring, fraud detection, rate limiting, and abuse prevention | Usage Data, API usage metadata, IP address | Art. 6(1)(f) — Legitimate interests (security of the Services and Users) |
| Sending transactional communications (account confirmations, password resets, approval notifications, billing receipts) | Account data, Usage Data | Art. 6(1)(b) — Performance of a contract |
| Sending product update and feature announcement emails | Account data | Art. 6(1)(f) — Legitimate interests (informing existing customers of material changes to Services they use); or Art. 6(1)(a) — Consent where required |
| Improving, debugging, and developing the Services | Usage Data, anonymised aggregations of API usage metadata | Art. 6(1)(f) — Legitimate interests (product improvement; data is anonymised or aggregated before use for this purpose) |
| Complying with legal obligations (tax records, supervisory authority requests) | Account data, billing data | Art. 6(1)(c) — Legal obligation |
AI model training requires your separate, explicit consent. Content you submit to any Service for processing (e.g., brand compliance audits, affiliate link checks) is processed transiently to deliver the result of your request. We will not use your Content Data to build, fine-tune, or benchmark machine learning models unless you have given explicit, freely-given, informed, and revocable consent for that specific purpose, separate from your acceptance of these terms and any other consent.
Where we offer an optional AI training contribution programme (for example, contributing anonymised brand-compliance examples to improve the Quillstone model), participation will be: (a) strictly opt-in via a dedicated consent toggle in your account settings; (b) described with specificity as to what data is used, for which model, and for how long; and (c) revocable at any time, with cessation of use of your data for new training runs within 30 days of withdrawal. Withdrawal of consent does not affect data already incorporated into a deployed model where technical removal is not feasible — this limitation will be disclosed clearly at the point of consent.
The lawful basis for any such processing is Art. 6(1)(a) GDPR (consent). Consent records are retained for the duration of your account plus 3 years to demonstrate compliance.
5. How We Share Your Data
We do not sell your Personal Data. We do not share your Personal Data with third parties for their own marketing or advertising purposes.
We share Personal Data with the following categories of recipients, solely to the extent necessary to operate the Services:
| Recipient | Role | Data shared | Location |
|---|---|---|---|
| Cloudflare, Inc. | Data processor — hosting, edge compute (Workers), database (D1), storage (R2), DNS, and DDoS protection | All data processed in the course of operating the Services transits or is stored on Cloudflare infrastructure | USA (EU-US Data Privacy Framework participant) |
| Supabase, Inc. | Data processor — user authentication and identity management | Account registration data, OAuth identity tokens, session data | USA / EU region (EU-US Data Privacy Framework participant; EU region selected where available) |
| Paddle.com Market Ltd | Merchant of Record — payment processing and subscription management | Account email, billing country, subscription data; Paddle independently collects payment card data | United Kingdom (UK adequacy decision in force) |
| Telegram Messenger Inc. | Data processor — delivery of in-app approval and notification messages via Telegram bot | Your Telegram chat ID (if you configure Telegram notifications) and the content of notification messages | UAE / international infrastructure |
| GitHub, Inc. (Microsoft) | Data processor — source code hosting and automated content deployment via GitHub Actions | Content committed to repositories you connect; no account Personal Data unless you link a GitHub OAuth account | USA (EU-US Data Privacy Framework participant) |
We may also disclose Personal Data to competent authorities, courts, or regulators where required by applicable law, or to protect the rights, safety, or property of Us, our Users, or third parties.
In the event of a merger, acquisition, or sale of substantially all of our assets, Personal Data may be transferred to the successor entity, subject to equivalent protection obligations.
6. International Transfers
Zero Ops Oy is incorporated in Finland and operates within the EEA. However, several of our data processors are located in the United States or other third countries.
Transfers of Personal Data to the United States are made on the basis of:
- The EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) for recipients certified thereunder (Cloudflare, Supabase, GitHub/Microsoft); and
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where DPF certification is not applicable or has lapsed.
Transfers to Paddle.com Market Ltd in the United Kingdom are made on the basis of the Commission's adequacy decision for the UK in force as of the effective date of this Policy.
Transfers to Telegram Messenger Inc. are made under Standard Contractual Clauses. You may opt out of Telegram notifications at any time in your account settings, which ceases Personal Data transfer to Telegram.
7. Cookies and Tracking Technologies
We use a minimal set of cookies. We do not use advertising cookies, tracking pixels, or cross-site behavioural tracking of any kind.
| Cookie name / type | Purpose | Duration | Required? |
|---|---|---|---|
| Session authentication cookie (HttpOnly, Secure) | Maintains your authenticated session in dashboard interfaces. Set by Supabase Auth. | Session / 7 days (persistent login) | Yes — functional; no consent required |
| CSRF token cookie | Protects authenticated requests against cross-site request forgery. | Session | Yes — functional; no consent required |
| Cloudflare cookies (_cf_bm, cf_clearance) | Bot management and DDoS protection set by Cloudflare at the network layer. | 30 minutes / 24 hours | Yes — functional; no consent required |
Public-facing marketing pages (microcorp.dev, macrocorp.dev) do not set any cookies unless you initiate an authenticated session.
8. Data Retention
| Data category | Retention period | Basis |
|---|---|---|
| Account data (email, name, hashed password) | Duration of your account, plus 30 days after account deletion to allow recovery requests | Performance of contract |
| Content Data submitted for Service processing | Retained only for the duration necessary to deliver the requested result; purged within 24 hours of processing unless you have explicitly saved it to your account | Performance of contract |
| API usage logs (endpoint, token count, timestamp, API key ID) | 90 days (rolling), then automatically deleted by scheduled cleanup | Legitimate interests (abuse prevention, billing verification) |
| Billing records and invoices | 7 years from the date of the transaction | Legal obligation — Finnish Accounting Act (Kirjanpitolaki, 1336/1997), Ch. 2 § 10 |
| Security and access logs (IP address, HTTP status, timestamp) | 30 days, after which IPs are truncated and logs are retained in anonymised form for a further 60 days | Legitimate interests (security) |
| Support correspondence | 3 years from last communication, unless a legal claim is pending | Legitimate interests (service quality, legal defence) |
| Soft-deleted account data | 30 days post-deletion, then permanently purged | Performance of contract / Legitimate interests |
9. Your Rights
9.1 Rights Under GDPR (EEA and UK Users)
If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR and UK GDPR respectively:
- Right of access (Art. 15): to obtain confirmation of whether we process your Personal Data and a copy of it.
- Right to rectification (Art. 16): to correct inaccurate or incomplete Personal Data.
- Right to erasure (Art. 17): to request deletion of your Personal Data where the legal basis for processing no longer applies.
- Right to restriction of processing (Art. 18): to request that we restrict processing of your Personal Data in certain circumstances.
- Right to data portability (Art. 20): to receive your Personal Data in a structured, machine-readable format where processing is based on consent or contract performance.
- Right to object (Art. 21): to object to processing based on legitimate interests; we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77): to lodge a complaint with the Finnish data protection supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), PO Box 800, FI-00531 Helsinki, Finland, tietosuoja.fi. You may also lodge a complaint with the supervisory authority of your place of habitual residence.
To exercise any of the above rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
9.2 Rights for California Residents (CCPA / CPRA)
If you are a consumer resident in California, you have the following additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
- Right to know: to request disclosure of the categories of Personal Information collected, the sources from which it is collected, the purposes for which it is used, and the categories of third parties to whom it is disclosed.
- Right to delete: to request deletion of Personal Information we have collected, subject to certain exceptions.
- Right to correct: to request correction of inaccurate Personal Information.
- Right to opt out of sale or sharing: We do not sell or share Personal Information with third parties for cross-context behavioural advertising. No opt-out mechanism is required.
- Right to limit use of sensitive Personal Information: we do not collect sensitive personal information as defined under CPRA beyond what is strictly necessary for account authentication.
- Right to non-discrimination: we will not discriminate against you for exercising any CCPA/CPRA right.
To exercise California rights, contact [email protected] with "California Privacy Request" in the subject line. We will respond within 45 days.
10. AI-Generated Content Disclosure
Several Services operated by Zero Ops Oy involve the generation of content by artificial intelligence, including but not limited to: EditorInChief.io (AI journalist personas Jake and Anna), Quillstone.dev (AI content correction and generation), and PlotTwist.io (AI-authored story chapters).
In compliance with Article 50 of Regulation (EU) 2024/1689 (the EU AI Act), content produced by AI systems that could be mistaken for human-authored content will carry a clear disclosure at the point of publication. Specifically:
- Articles published on Semitruth.com and AlphaDog.vc by AI journalist personas will be labelled as AI-assisted or AI-generated.
- Story chapters generated by AI on PlotTwist.io will be identified as AI-authored.
- No AI persona operated by Zero Ops Oy is designed to impersonate a real, existing individual.
Personal Data you submit for processing by AI features within our Services is processed as Content Data under Section 3.1 above and is not used to train AI models.
11. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. The minimum age for creating an account with any Service is 16 years.
If you are a parent or guardian and believe your child under 16 has provided Personal Data to us, contact us at [email protected] and we will delete that data promptly.
12. Security
We implement technical and organisational measures appropriate to the risk of processing, including:
- TLS 1.3 encryption for all data in transit.
- Encryption at rest for all data stored in Cloudflare D1 and R2.
- API keys stored as SHA-256 hashed values; full key values are displayed only at the time of generation.
- Passwords stored as bcrypt-hashed values via Supabase Auth; we never store plaintext passwords.
- Cloudflare Access (Zero Trust) protecting all internal administrative interfaces.
- Principle of least privilege applied to all service-to-service bindings.
No transmission over the internet can be guaranteed to be 100% secure. If you become aware of a security vulnerability or data breach involving our Services, please contact [email protected] immediately.
13. Changes to This Policy
We may update this Policy from time to time. The effective date at the top of this page reflects the date of the most recent revision. For material changes — those that affect how we process Personal Data in a manner adverse to you — we will provide at least 30 days' advance notice via email to the address associated with your account or via a prominent notice on the relevant Service.
If you disagree with a material change, you may terminate your account before the change takes effect; continued use of any Service after the notice period constitutes acceptance of the revised Policy.
A version history is maintained at github.com/microcorp/legal (planned).
14. Contact and Supervisory Authority
Privacy Contact
Zero Ops Oy (Zero Ops Ltd)
Business ID: 3606514-8
Email: [email protected]
Finnish Supervisory Authority
Office of the Data Protection Ombudsman
(Tietosuojavaltuutetun toimisto)
PO Box 800, FI-00531 Helsinki, Finland
tietosuoja.fi
This Privacy Policy was last updated on 6 March 2026.