Privacy policy

Last updated: June 2026

Zrelic is operated by [Your registered business name and address] (“we”, “us”, “our”). This policy explains what personal data we collect when you use Zrelic, why we collect it, and your rights under UK GDPR, the Data Protection Act 2018, PECR, and (where applicable) the California Consumer Privacy Act / CPRA.

Zrelic helps independent freelancers and studios run branded client portals. The service is not directed at children under 18; if you are under 18, please do not create an account.

1. Data we collect and why

Account data

When you register we collect your email address, name, studio name, and a hashed password (we never store your password in plain text). We also store the Stripe customer ID and subscription ID linked to your account.

Lawful basis: performance of the contract between you and us (UK GDPR Art 6(1)(b)).

Project content you add

When you create a portal you may add client names, client email addresses, files, comments, approval records, and invoice links. This content is yours — you control it entirely, and we process it only to provide the service to you.

Lawful basis: performance of contract / legitimate interests (providing the service you asked for).

Transactional email

We send account and portal-related emails (for example, invitation links and subscription receipts) from the zrelic.co.uk domain via Resend.

Lawful basis: performance of contract / legitimate interests in administering your account.

Payment data

Payments are handled by Stripe. Zrelic never sees or stores your card number or full payment details — only the Stripe customer and subscription identifiers needed to manage your plan.

Lawful basis: performance of contract.

2. How client access works

Your clients access portals via a private, unguessable magic link — no client account is created and no client password is stored. Anyone who holds the link can view that single portal. Treat portal links as confidential; if you believe a link has been compromised, you can regenerate it from your dashboard.

3. Cookies and tracking

We use only strictly necessary cookies: a session cookie (managed by NextAuth) and a CSRF token. No advertising, analytics, or tracking cookies are set. Because these cookies are strictly necessary for the service to function, they do not require your consent under PECR. See our Cookie statement for full details.

4. Sub-processors

We share data with the following processors only to the extent needed to run the service:

  • Neon — Postgres database (data stored in the region specified during provisioning; currently [insert Neon hosting region, e.g. eu-west-1]).
  • Vercel — application hosting and Blob file storage (servers in the US and globally via CDN).
  • Resend — transactional email delivery.
  • Stripe — payment processing and subscription management.

Each processor is contractually bound to use your data only for the purpose we specify. Where processors are US-based, transfers are protected by Standard Contractual Clauses or equivalent safeguards as required under UK GDPR Chapter V.

5. Retention and deletion

You can delete any project — along with all its files, comments, and approvals — from your dashboard at any time. Deletion is immediate and permanent.

Your account data is retained while your account is active and for a reasonable period thereafter to comply with legal obligations (for example, financial records). To delete your account, email hello@zrelic.com and we will action the request within 30 days. Where self-serve account deletion is available in your account settings, you may use that instead.

6. Your rights (UK)

Under UK GDPR you have the right to: access the personal data we hold about you; correct inaccurate data; request erasure; restrict or object to processing; receive your data in a portable format; and withdraw consent where processing is based on consent.

To exercise any of these rights, email hello@zrelic.com. We will respond within one calendar month. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

7. Your rights (California — CCPA/CPRA)

If you are a California resident you have the right to know what personal information we collect, to request deletion, and to correct inaccurate information. You also have the right to opt out of the “sale” or “sharing” of personal information. Zrelic does not sell or share your personal information for cross-context behavioural advertising. To exercise your CCPA rights, email hello@zrelic.com.

8. Security

We use TLS/HTTPS for all data in transit, bcrypt password hashing, parameterised database queries, and scoped magic-link tokens. See our Security statement for more detail.

9. Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay (and within 72 hours where feasible). Where the breach poses a high risk to you, we will also notify you directly.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or by a notice in the dashboard. Continued use of Zrelic after changes take effect constitutes acceptance of the updated policy.

11. Contact and controller

The data controller is [Your registered business name], [registered address].

For any privacy enquiry email hello@zrelic.com.