Privacy Policy
Effective date: 13 May 2026. Last updated: 13 May 2026.
1. Who We Are
LeadLegend LTD (“we”, “us”, “our”), trading as ZeroTraceAI, is the data controller for the personal information described in this policy. We are registered in England and Wales, with our registered address at: 63-66 Hatton Garden, Fifth Floor, Suite 23, London, EC1N 8LE.
For any questions or requests relating to this policy, please contact us at support@leadlegend.org.
2. Information We Collect
We collect the following categories of information when you use ZeroTraceAI.
Account information
- Email address (collected for both Google sign-in and email/password accounts).
- Name (collected via Google sign-in only).
- Password hash (email accounts only). Passwords are never stored in plaintext. We store only a one-way bcrypt hash.
- OAuth provider information (for accounts created via Google Sign-In).
Subscription information
- Stripe customer identifier. We do not store credit card details ourselves. All payment information is handled directly by Stripe.
- Subscription plan and billing status.
Usage information
- API request metadata: timestamp, number of characters processed, number of modifications made, HTTP status code.
- We do not store the content of text submitted for cleaning. Text is processed in memory and discarded immediately after the response is returned.
Technical information
- IP address (used for rate limiting and security purposes).
- User agent and basic request headers.
- Authentication session tokens.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and maintain the Service.
- To process payments and manage subscriptions (via Stripe).
- To authenticate accounts and prevent unauthorised access and fraud.
- To send essential service communications, including billing notifications and security alerts.
- To analyse and improve the Service using aggregated, non-identifiable usage patterns.
We do not sell your personal data. We do not use your data for advertising or profiling.
4. Legal Bases for Processing (UK GDPR and EU GDPR)
Where the UK GDPR or EU GDPR applies, we process your personal data on the following legal bases:
- Contract: processing that is necessary to provide the Service you have requested (account creation, authentication, billing, API access).
- Legitimate interests: fraud prevention, account security, and aggregate service improvement, where these interests are not overridden by your rights.
- Consent: we may rely on consent for optional communications. We do not currently send marketing communications.
- Legal obligation: retention of billing and tax records as required by UK law.
5. Cookies and Tracking
We use the following types of cookies and tracking technologies:
- Essential cookies: authentication session tokens and security tokens. These are required for the Service to function. Without them, you cannot sign in or access paid features.
- Payment cookies: set by Stripe during the checkout process. These are necessary to complete a transaction securely.
- Analytics: we use Vercel Web Analytics, which collects aggregated, anonymised page view data. No individual user is tracked across sessions. No cookies are set by Vercel Analytics.
You can disable cookies in your browser settings, but doing so will prevent the Service from functioning correctly. You cannot opt out of essential cookies if you wish to use the Service.
6. Data Sharing and Subprocessors
We share your data only with the following third-party subprocessors, each engaged to provide a specific function in operating the Service. All are subject to appropriate data protection agreements.
- Vercel (United States): hosting, serverless function execution, and aggregated analytics.
- Neon (United States): database hosting for account and usage data.
- Stripe (United States, Ireland): payment processing and subscription management.
- Google (worldwide): authentication via Google Sign-In, used only where you elect to create or log in with a Google account.
A full list of our subprocessors, including links to their privacy policies, is available at zerotraceai.com/legal/subprocessors.
We do not share your personal data with any other third parties except as required by law or with your explicit consent.
7. International Data Transfers
Some processing of your data occurs outside the United Kingdom and the European Economic Area, primarily in the United States, where our hosting and payment providers operate.
Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under UK GDPR and EU GDPR.
8. Data Retention
We retain your data for the following periods:
- Account information: retained for the duration of your account, plus 90 days following account deletion or termination, to allow for dispute resolution.
- API usage logs: retained for 90 days after creation, then permanently deleted.
- Subscription and billing records: retained for 7 years to comply with UK tax and accounting law.
- Authentication session tokens: retained for the duration of your session, with a maximum lifetime of 30 days.
Content submitted for cleaning is never retained. It is processed in memory and discarded immediately.
9. Your Rights (UK GDPR and EU GDPR)
If you are located in the United Kingdom or the European Economic Area, you have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data (the “right to be forgotten”), subject to legal retention requirements.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Portability: request a copy of your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at support@leadlegend.org. We will respond within 30 days of receiving your request.
If we are unable to resolve your concerns, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local data protection authority.
10. Children
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child under 16, please contact us and we will delete it promptly.
11. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Passwords are hashed using bcrypt with an industry-standard cost factor. Plaintext passwords are never stored.
- Sessions are protected by signed tokens with a maximum 30-day lifetime.
- Data in transit is protected by TLS encryption.
- Access to the database is restricted to application-level queries.
No system is perfectly secure. If you suspect a security issue involving your account or our systems, please report it to support@leadlegend.org promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised policy at zerotraceai.com/privacy-policy with an updated effective date. For material changes, we will notify active subscribers by email before the changes take effect.
We encourage you to review this policy periodically.
13. Contact
For questions, requests, or concerns relating to this Privacy Policy or our data practices:
Email: support@leadlegend.org
LeadLegend LTD
63-66 Hatton Garden, Fifth Floor, Suite 23
London, EC1N 8LE
United Kingdom