Privacy Policy

Last updated: June 2026  ·  Governing jurisdiction: Morocco

Short version: Screenshots stay on your device unless you click an analysis action or create a share link. Analysis images are processed and discarded. Shared images are stored for up to 7 days, then deleted. We don't sell your data.

01

Who we are

VZlyze is a Chrome extension and web service built and operated by a team of professionals based in Morocco. "VZlyze," "we," "us," and "our" all refer to this team. You can reach us at [email protected].

02

What we collect

Account information. When you register, we store: your email, a username, a bcrypt-hashed password (or your Google account identifier if you sign in with Google), an email-verified flag, your plan tier (free, starter, pro, business), and your account creation date. Plain-text passwords are never stored.

Credit ledger and usage counters. We keep a server-side ledger of your Quick and Deep credit balances and a record of pack purchases. We also store small per-feature daily counters (for Compare and credit-pack refills) used purely for abuse prevention; these reset at UTC midnight.

Stats counters. Two integer counters — total downloads and total analyses — are incremented for your own dashboard display. We do not log per-event details (what you downloaded, what you analyzed); only the running totals.

Paddle customer ID. When you make your first purchase, Paddle returns a customer identifier that we store on your account so we can match future refund and adjustment webhooks back to you.

Screenshots sent to AI (only when you click an analysis or extraction action). When you click Quick Analysis, Deep Research, Compare, Extract Table, Extract Handwriting, or Anonymize, the screenshot is sent to our backend and forwarded to Anthropic's API. The image is processed in memory and discarded once the response is returned. We do not retain it. Under Anthropic's commercial terms, API inputs are not used to train their models.

Shared screenshots. If you create a share link from an analysis result, the screenshot and AI summary are stored in our database so the link recipient can view them. Shares are deleted automatically after 7 days or 50 views, whichever comes first. Don't share screenshots that contain private or sensitive content.

Payment data. Paddle handles all payments as Merchant of Record. We never see or store your card details. We receive a webhook confirming the purchase, the pack purchased, and a Paddle transaction ID used for matching refunds.

Server logs. Our backend host (Railway) records standard request logs that may include IP address and timestamp, for security and operational diagnostics. We do not use these for analytics or marketing.

Analytics. Our public marketing pages load Google Analytics to count visits and see which pages bring people to the extension. Our legal pages (Privacy, Terms, Refund) do not load any analytics. See section 06 below.

03

What we do not collect

04

How we use your data

We do not use your data for advertising, profiling, or sale to third parties.

05

Third-party services (subprocessors)

Anthropic (United States). Screenshots you submit for analysis are sent to Anthropic's API. Deep Research additionally uses Anthropic's built-in web search tool, which may send queries derived from your screenshot content to external search providers via Anthropic. We send only the image and the system prompt; no account identifiers are attached. Under Anthropic's commercial terms, API inputs are not used to train their models. Governed by Anthropic's privacy policy.

Paddle (United States & United Kingdom). Processes all payments as Merchant of Record. Your payment data is governed by Paddle's privacy policy.

MongoDB Atlas (cluster region: European Union). Our database provider. Stores account data, the credit ledger, order records, and active share links.

Railway (United States). Our backend hosting provider. Server logs may include IP addresses.

Netlify (United States). Hosts our public marketing and legal pages (vzlyze.com).

Resend (United States). Sends our transactional emails (verification, password reset, purchase confirmation). Your email address and the email body pass through Resend. Governed by Resend's privacy policy.

Google (United States). If you choose to sign in with Google, your Google account identifier and email are exchanged through Google's OAuth service, subject to Google's own privacy terms. Our public marketing pages also load Google Analytics (see section 06).

Where data leaves the EU/UK, transfers rely on the provider's published Standard Contractual Clauses or equivalent safeguards. We do not transfer personal data to any subprocessor not listed here.

06

Cookies and analytics

Strictly necessary (authentication). When you sign in, our backend issues a signed JSON Web Token (JWT) that the extension stores and presents on subsequent requests to identify your session. Depending on the flow, this token is held in extension storage or in an httpOnly cookie scoped to api.vzlyze.com. This token is required for the service to function — without it, we cannot authenticate your credit balance or load your account. No consent prompt is required for strictly-necessary cookies under EU law.

Analytics (marketing pages only). Our public marketing and pricing pages load Google Analytics (gtag.js) so we can count visits and understand which pages bring people to the extension. GA sets cookies and assigns each visitor a randomized client ID. We do not pass your email, name, or any account identifier to GA.

Our legal pages (Privacy, Terms, Refund) do not load Google Analytics at all. The extension itself does not load Google Analytics.

To opt out of Google Analytics across the web, install Google's official Opt-out Browser Add-on, enable Do Not Track in your browser, or use a content blocker. We do not use any other tracking, advertising, or behavioral profiling tools.

07

Data retention

Account data is retained for as long as your account is active. When you delete your account, the deletion is immediate and cascades across our database: your User record, all of your active Shares, all of your Order/purchase records, and any pending checkout tokens are removed in the same operation. Any remaining unused credits are forfeited on deletion, as set out in our Terms of Service.

Shared screenshots are deleted automatically after 7 days or 50 views, whichever comes first. Deletion is enforced at the database level by a TTL index.

Checkout tokens created when you click "Buy" are deleted automatically 5 minutes after creation, whether the checkout completes or not.

Webhook event IDs received from Paddle are retained for 30 days for replay-attack prevention. These records contain only the Paddle event ID and a processed-at timestamp; they are not linked to your account and are not affected by account deletion.

Server logs that contain IP addresses are retained by our hosting provider for operational and security purposes and rotated on their schedule.

08

Your rights and how to exercise them

Account deletion (self-serve). You can permanently delete your account directly from the extension's Account settings. Deletion runs immediately and cascades across our database as described in section 07.

Data export (self-serve). You can download a complete copy of your account data — profile, share history, and order history — as a JSON file from the extension's Account settings. This satisfies the GDPR right to data portability.

By email. For correction, access in another format, or any other data-related request, email [email protected]. We respond within 10 business days.

09

Security

Passwords are hashed with bcrypt and never stored in plain text. All API traffic uses HTTPS. Credit operations are validated server-side; client-side values are never trusted for authorization.

10

Changes to this policy

We may update this policy from time to time. Changes are posted on this page with an updated date. Continued use of the service after a change constitutes acceptance.

11

EU and UK users: your rights under GDPR

If you are in the EU or UK, the following additional rights apply under the GDPR and equivalent UK law.

Legal basis for processing. We process your personal data on the basis of contractual necessity: your email and account information are required to provide the service you signed up for. Transactional emails are sent on the same basis. Analytics on our public marketing pages is processed on the basis of legitimate interest in understanding aggregate site usage.

Your rights:

We do not transfer personal data to third countries outside services covered by adequate data protection agreements. Anthropic, Paddle, MongoDB Atlas, Railway, Resend, and Google all operate under GDPR-compliant terms.

To exercise any of these rights, email [email protected]. We respond within 10 business days. If you believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection authority.

12

Chrome extension permissions

The VZlyze Chrome extension requests the following permissions, declared in its manifest.json. Each is used solely for the purpose listed below; none are used for tracking, advertising, or profiling.

We do not request tabs, webNavigation, cookies, history, bookmarks, broad host permissions (<all_urls>), or any other permission not listed above.

13

Age requirement

VZlyze is not intended for children. You must be at least 18 years old to create an account and use the service. We do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, email [email protected] and we will delete the account and any associated data.

Because we enforce an 18+ age requirement, the U.S. Children's Online Privacy Protection Act (COPPA) does not apply to our service.

14

Contact

Questions about this policy: [email protected]