Privacy Policy
Last updated June 2, 2026
This Privacy Policy explains how VSLzen, Inc. ("VSLzen", "we", "us", "our") collects, uses, shares, and protects information when you use https://www.vslzen.com, the VSLzen application, and related services (collectively, the "Service"). VSLzen is an AI-powered VSL funnel builder and appointment booking platform. By using the Service you agree to this Policy.
1. Who we are and how to contact us
Data controller: VSLzen, Inc., [Company registered address — update in src/lib/legal/vslzen-legal.ts], United States.
For any privacy question, data subject request, or to reach our Data Protection Officer, email privacy@vslzen.com. For general support, email support@vslzen.com.
2. Google API Services Data Use (Limited Use)
VSLzen's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
VSLzen accesses your Google Calendar only to create, update, and delete appointment events that you or your prospects book through our platform, and to add Google Meet video conferencing links to those events. We do not sell, share, or use your Google Calendar data for advertising, and we do not transfer this data to any third party except as strictly necessary to provide the calendar sync feature you have enabled.
We request only the minimum Google OAuth scope required for this feature (https://www.googleapis.com/auth/calendar.events), and you can disconnect your Google account at any time from Settings, which revokes our access and stops any further reads or writes to your calendar.
3. Information we collect
We collect the following categories of information:
- Account data: name, email, password hash, profile photo, role, workspace and team membership.
- Billing data: subscription plan, billing email, invoices, last four digits of payment method (full card details are processed by our payment processor and never stored on our servers).
- Funnel content: text, images, video URLs, scripts, branding, custom domain settings, and any other content you upload or generate inside the Service.
- Lead data: contact information (name, email, phone), answers to qualifying questions, UTM parameters, IP address, user agent, referral source, and behavioral events captured by your funnels. You are the controller of lead data you collect; we act as a processor on your behalf.
- Calendar tokens: OAuth access and refresh tokens for Google Calendar, only the calendar(s) you select, and the events we read or write on your behalf to schedule meetings.
- Messaging metadata: phone numbers, message bodies, delivery receipts, and provider IDs for SMS, WhatsApp, and email messages sent through your account.
- Domain & infrastructure data: hostnames you add, DNS records we provision via Cloudflare for SaaS on your behalf, SSL certificate status.
- Usage & device data: pages viewed, features used, browser and device characteristics, approximate location (city/country) derived from IP, and crash/diagnostic logs.
- Cookies and similar technologies: see Section 9.
4. How we use information
- Provide, operate, secure, and improve the Service.
- Generate AI content you request (scripts, headlines, follow-up messages) by sending your prompts to AI model providers via the Lovable AI Gateway (which proxies Google, OpenAI, and Anthropic models).
- Schedule and confirm appointments via Google Calendar and Google Meet.
- Send transactional notifications (booking confirmations, reminders, password resets, billing receipts) by email and SMS.
- Send marketing messages — only with your explicit opt-in, and you can withdraw consent at any time.
- Process payments and manage subscriptions.
- Comply with legal obligations (tax, anti-fraud, lawful requests).
- Detect, investigate, and prevent abuse, security incidents, and ToS violations.
5. Legal bases (GDPR)
- Performance of a contract — to deliver the Service you signed up for.
- Legitimate interests — to secure the platform, prevent fraud, and improve the product, balanced against your rights.
- Consent — for optional cookies, marketing emails, and AI features that process content you provide.
- Legal obligation — to comply with tax, accounting, and lawful requests.
6. AI-generated content & model providers
When you use AI features (copy generation, email drafting, popup writing, qualification scoring), the prompts you submit — which may include funnel content you authored and, in some cases, lead context you choose to include — are transmitted to AI providers through the Lovable AI Gateway. Current providers include Google, OpenAI, and Anthropic. Providers do not train their foundation models on your content under their commercial API terms.
AI outputs are generated probabilistically and may be inaccurate, biased, or unsuitable. You are responsible for reviewing AI output before publishing or sending it to any third party.
7. Subprocessors
We use the following subprocessors. We require each to provide adequate safeguards for your data.
- Supabase (managed Postgres, auth, storage) — primary data hosting.
- Cloudflare (CDN, DNS, Cloudflare for SaaS) — custom-domain SSL provisioning and edge delivery.
- Google (OAuth, Calendar, Meet) — calendar sync when you connect a Google account.
- Twilio (SMS, WhatsApp) — message delivery for booking notifications.
- SMTP2GO (transactional email) — email delivery for confirmations, reminders, and sequences.
- Lovable AI Gateway, Google Cloud (Gemini), OpenAI, Anthropic — AI inference.
- Stripe and/or Paddle — payment processing (if/when enabled).
8. Sharing & disclosures
- With service providers (above) only to the extent needed to deliver the Service.
- With third parties you instruct us to share with (e.g. webhooks you configure, pixels you install, calendars you connect).
- To comply with law, lawful requests, court orders, or to enforce our Terms.
- In a merger, acquisition, or asset sale — with notice to you.
- We do not sell personal information for cash. We do not share personal information for cross-context behavioral advertising unless you enable third-party tracking pixels on your own funnels.
9. International transfers
We are based in the United States and our subprocessors operate globally. Where personal data is transferred outside the EEA/UK, we rely on the EU Standard Contractual Clauses (and the UK Addendum) plus supplementary measures as required by applicable law.
10. Cookies & tracking
We use a small number of strictly-necessary cookies to keep you signed in and to operate the app. We do not set advertising cookies on this site.
Your funnels may include tracking pixels you configure (Meta, Google, TikTok, LinkedIn, Twitter, Snapchat). When you enable them, those providers receive data directly from your funnel visitors under their own policies. You are responsible for any required cookie consent banner on your funnel — VSLzen provides a built-in banner toggle in the funnel settings.
11. Data retention
- Account data: kept while your account is active and for up to 12 months after deletion for audit and legal hold purposes.
- Leads & funnel content: kept while the workspace exists. You can export or delete leads at any time.
- Calendar tokens: kept until you disconnect the Google account; deleted within 30 days of disconnect.
- Messaging logs & audit logs: 12 months by default.
- Backups: rolling 30-day encrypted backups.
12. Your rights (GDPR / UK GDPR)
You have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data, and to withdraw consent at any time.
- Email privacy@vslzen.com from the address on your account to exercise any right.
- We respond within 30 days. You may also lodge a complaint with your local supervisory authority.
13. Your rights (CCPA / CPRA — California)
- Right to know what personal information we collect and how it's used.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information — we do not sell or share for cross-context behavioral advertising.
- Right to non-discrimination for exercising these rights.
- To exercise a right, email privacy@vslzen.com. We verify identity via the email on file.
14. Security
We use industry-standard safeguards including encryption in transit (TLS 1.2+) and at rest, row-level security in our database, scoped OAuth tokens, secret rotation, role-based access control for staff, and audit logs. No system is perfectly secure; if we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
15. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
16. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email or in-app. The "last updated" date at the top reflects the latest revision.
17. Contact
Questions, complaints, or data subject requests: privacy@vslzen.com. Postal: VSLzen, Inc., [Company registered address — update in src/lib/legal/vslzen-legal.ts].