Back to home

Privacy policy

Last updated: April 25, 2026

We treat your privacy as a product feature, not a disclaimer. This page sums up what we collect, why, where it lives, and how to delete your account. For technical details, head to the architecture page.

Data controller

The data controller is the publisher of zarev.dev, whose full identity appears in the legal notice.

Data Protection Officer (DPO) : no DPO has been appointed. The structure (sole proprietorship) does not meet the mandatory designation criteria under Article 37 of the GDPR. For any question regarding your data, contact contact@zarev.dev directly.

What we collect

We only collect the following data, with your explicit consent:

  • Email address — provided during newsletter signup or Pro account creation.
  • CLI local scan (Pro account only) — list of MCPs, Skills and Claude Code hooks detected in your project folder. Sensitive values (API keys, tokens, secrets in env vars) are stripped locally by Gitleaks (~150 patterns) BEFORE backend upload. You see the exact payload in the UI preview before each upload.
  • Brief-prompt cache (5 min) — Claude response generated for your stack, kept 5 minutes server-side to avoid duplicate calls.
  • Local audit log — history of scans/briefs, written in clear text on your disk (~/.zarev/audit.log). Never sent to the backend.
  • Pro billing data — handled by Stripe (card not stored on our side, only the Stripe customer ID).

Why we do it

Each piece of data has an explicit purpose, aligned with product features:

  • Email → newsletter delivery and Pro personalization based on your stack.
  • Stack scan → scoring/matching of relevant news, MCP/Skill recommendations, setup brief generation.
  • Stripe data → billing, renewals, fiscal compliance (10 years).
  • Local log → your personal trail, never read by us.

Where it lives

  • All user data is stored in Supabase EU region (Frankfurt). No replication outside the EU.
  • Stripe (US) stores billing data under Standard Contractual Clauses + EU-US Data Privacy Framework.
  • The CLI audit log lives only on your machine, never on the backend.

How long

  • Newsletter email: as long as you are subscribed, +30 days after unsubscription.
  • Pro profile (scan, brief cache): until account deletion; brief cache auto-expires at 5 min.
  • Billing: 10 years (French legal obligation, Code de commerce L123-22).
  • Local log: under your exclusive control, delete whenever you want (rm -rf ~/.zarev/audit.log).

How to delete your account

You can delete your account anytime from your account or by emailing contact@zarev.dev. Deletion immediately purges Supabase (RLS cascade across profiles, scans, briefs) and cancels the Stripe subscription. The local log stays on your machine — yours to delete if you want. Documented SLA: effective within 7 days (technical: immediate).

Subprocessors

To run Zarev, we rely on the following subprocessors:

  • Supabase (EU — Frankfurt) — database, authentication. privacy.
  • Anthropic (US) — Claude API for stack-aware brief generation. SCC + DPF. privacy.
  • OpenAI (US) — embeddings (text-embedding-3-small) for news matching. SCC + DPF. privacy.
  • Resend (US) — newsletter delivery. SCC + DPF. privacy.
  • Stripe (US) — Pro payments. SCC + DPF. privacy.
  • Vercel (US) — frontend hosting. SCC + DPF. privacy.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access to your data
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to restriction and objection to processing

To exercise these rights, contact us at contact@zarev.dev.

Right to lodge a complaint with the CNIL

Under Article 13.2.d of the GDPR, if you believe that the processing of your personal data does not comply with regulations, you have the right to lodge a complaint with the competent supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés):

CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: 01 53 73 22 22
Website: www.cnil.fr

Cookies

This site does not use any tracking cookies or third-party analytics tools. No cookie banner is necessary.

Going further