Universal Form AI — zenmysoul.com

Privacy Policy

Last updated: 2025-09-29

This Privacy Policy explains how we collect, use, disclose, and protect information when you use Universal Form AI on zenmysoul.com (the “Service”). The Service helps users digitize and fill complex forms using OCR and AI assistance.

1. Information We Collect

Category	Examples	Source
Account & Contact	Name, email, organization, role	You
Authentication	Hashed passwords or OAuth/SSO identifiers	You / SSO
Content You Upload	Forms, PDFs, images, passports/IDs, immigration/employment/financial details in your documents	You
Processing Outputs	OCR text, extracted fields, AI suggestions, field coordinates, version history	Derived
Usage & Device	IP, device/browser metadata, pages/actions, timestamps, approximate geolocation	Automatic
Payments	Billing name, email, last4, transaction IDs (processed by third parties)	Payment provider
Support	Tickets, messages, attachments, diagnostics	You

2. Sensitive Personal Information

Your documents may include sensitive data (e.g., government IDs, financial/health data if present in scans). We process such data only as necessary to provide the Service, with enhanced safeguards (encryption in transit/at rest, strict access controls, limited retention). Do not upload data you are not authorized to share.

3. How We Use Information

Provide, operate, and improve the Service (OCR, field extraction, autofill, validation, export).
Secure accounts, prevent fraud/abuse, debug, and ensure reliability.
Respond to inquiries and provide support.
Analyze usage to improve accuracy, performance, and UX.
Comply with legal obligations and enforce terms.

4. Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, our legal bases include: performance of a contract, legitimate interests (e.g., security, improvement), consent (for optional analytics/marketing or processing you explicitly request), and legal obligations.

5. Automated Processing & AI

We use OCR/AI to extract fields and suggest entries. You remain in control and can review/edit results.
Model Providers: OpenAI / Anthropic for LLM inference; AWS Textract and/or open-source OCR.
Training: We do not use your documents to train third-party models. We may use de-identified/aggregated metrics to improve our templates and algorithms.
Controls: You can override AI outputs and download or delete your data as described below.

6. Sharing of Information

We do not sell personal information. We share data only with:

Processors/Service Providers: hosting, storage, authentication, OCR/LLM inference, analytics, email delivery, payments — under contract and only as needed.
Legal/Compliance: when required by law or to protect rights, safety, and security.
Business Transfers: in mergers, acquisitions, or asset sales, with safeguards.

7. Processors We Commonly Use

Processor	Purpose	Data Types	Main Location
Cloudflare (Pages/Workers)	Hosting, DNS, security	IP/usage, site content	Global
Supabase	Auth, database, storage	Account data, documents, outputs	Region you select
AWS (Textract)	OCR	Uploaded documents & images	Selected AWS region
OpenAI / Anthropic	LLM inference	Prompts and extracted text needed for output	As per regional endpoints
Payment provider (Stripe/Paddle/Razorpay)	Billing	Customer & transaction data	As per provider
Email provider (SendGrid/Postmark)	Transactional email	Account & email metadata	As per provider
Analytics (optional)	Product analytics	Usage/telemetry	As configured

Note: Exact processors/regions depend on configuration and may change; we will update this list as needed.

8. International Transfers

Data may be processed in countries other than your own. Where required, we use safeguards such as Standard Contractual Clauses and regional hosting choices (e.g., Supabase/AWS region selection).

9. Retention

Default: We retain uploaded documents and outputs only as long as necessary to provide the Service.
Short-term processing: Temporary artifacts (e.g., OCR/LLM prompts) are stored briefly and then deleted.
Configurable deletion: You can delete projects, documents, and outputs at any time. Enterprise plans can enable automated purges (e.g., within 72 hours) via settings or contract.
Minimal records (billing, audit logs) may be retained as required by law.

10. Your Rights

Depending on your location (EEA/UK, California, Canada, etc.), you may have rights to access, correct, delete, or port your data; to object to or restrict processing; and to withdraw consent. To exercise rights, contact privacy@zenmysoul.com. We may need to verify your identity.

11. Cookies

We use essential cookies for sign-in and security. With your consent, we may use analytics cookies. You can manage cookies in your browser settings; blocking essential cookies may affect functionality.

12. Security

Encryption in transit (HTTPS) and at rest for stored data.
Role-based access controls, audit logging, least-privilege access.
Backups and disaster recovery appropriate to plan tier.

13. Organization-Controlled Data

For multi-tenant or enterprise accounts, your organization is the controller for workspace content (documents and outputs). We act as processor on their instructions.

14. Children’s Privacy

The Service is not directed to children under 13 (or the applicable age in your region). We do not knowingly collect data from children. If you believe a child provided data, contact us to delete it.

15. Region-Specific Disclosures

EEA/UK (GDPR/UK GDPR): You can lodge a complaint with your local supervisory authority.
California (CPRA): We do not “sell” personal information. Limited “sharing” for analytics/ads occurs only with consent (if enabled). Contact us to exercise CPRA rights.
Canada (PIPEDA/Provincial): Contact us for access/correction. Storage/processing may occur outside Canada; contractual/technical safeguards apply.

16. Contact

Privacy questions or requests: privacy@zenmysoul.com

17. Changes to This Policy

We may update this Policy from time to time. The “Last updated” date reflects the latest version. If material changes occur, we’ll provide reasonable notice.