ZEMERS PRIVACY POLICY
Zemers is operated by VINCITUS MK S.R.L. (Romania), CUI 42840739, doing business as Zemers. Registered address: Str. Iosif Vulcan, Bistrița, Bistrița-Năsăud, Romania. Contact: hello@zemers.com
Welcome to the website (the "Site") of VINCITUS MK S.R.L., CUI 42840739, dba Zemers ("Zemers," "we," "us," or "our"). Zemers is a multi-tenant platform that allows content creators ("Creators") to monetize their digital goods, content, and services ("Creator Content") through their own storefronts, allows their customers ("Customers") to purchase such Creator Content, allows third parties to promote Creator products as affiliates ("Affiliates"), and allows Creators to invite collaborators ("Team Members") to help run their stores. The Zemers website, the storefront pages hosted under /@{username}, the ZemersAI tools (including ZemersAI for LinkedIn and ZemersAI for Instagram), the Affiliate dashboard, the Client area, and all related applications are collectively referred to as the "Service."
This Privacy Policy explains the personal information we collect from Creators, Team Members, Customers, Affiliates and visitors (collectively, "you") through the Service, how we use and share that information, and your choices and rights concerning our information practices.
VINCITUS MK S.R.L. is the data controller responsible for the processing of personal data described in this Privacy Policy under the General Data Protection Regulation (EU Regulation 2016/679, "GDPR") and applicable Romanian and EU data protection laws. The competent supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — https://www.dataprotection.ro.
Creators who sell products or services through Zemers act as independent data controllers with respect to personal information they collect from their own Customers through their storefronts, products, marketing tools, communications, and any tracking technologies (such as Google Analytics, Meta Pixel, X Pixel, TikTok Pixel or Google Tag Manager containers) that they activate. Zemers acts as a processor for those Creator-controlled activities, processing personal data on the Creator's behalf to deliver the requested platform functionality (content delivery, billing, support, analytics rendering). Zemers is not responsible for how Creators process personal data outside the functionality of the platform.
Information about how we use cookies and similar technologies is described in our Cookie Policy.
We collect personal information in three ways:
information you provide directly to us;
information collected automatically when you use the Service;
information received from third parties (such as Stripe, our payment processor, or connected platforms).
The categories of personal information we collect depend on the role in which you interact with the Service.
When you create an account on Zemers we collect your email address (mandatory), and depending on your role and choices: first name, last name, optional phone number, profile photo, username/handle, business name (for Creators), and other information you choose to include in your profile.
Zemers uses passwordless authentication: we send a one-time verification code by email, or you may sign in with Google or Apple. We do not store account passwords. We maintain a session "sign-in fingerprint" (browser and device characteristics) to detect access from a new device and notify you by email when this occurs, as a security measure.
If you register as a Creator, we additionally process:
your storefront handle (/@{username}), branding configuration (colors, fonts, layout), your own Terms and Privacy text where you choose to provide them;
your Stripe Connect account onboarding status (details_submitted, charges_enabled, payouts_enabled) — the underlying KYC, identity and bank-account data is collected and held by Stripe;
your platform subscription status, plan, billing history and platform invoices (issued through Oblio);
records of your acceptance of the platform's terms (timestamp).
If you are invited as a Team Member by a Creator, we process your email address (to deliver the invite), the role granted to you (Admin, Manager, Editor, Viewer), the timestamp at which you accepted or declined the invitation, and the audit trail of your actions within the Creator's tenant. Team Members have access to personal data of the Creator's Customers; such access is governed by the Creator's instructions.
If you purchase from a Creator's storefront, we collect: email, first and last name, optionally phone number, billing address and tax fields (VAT/CIF, company name) where the Creator has enabled them on checkout, your unique client handle, your purchase history, subscription status, access entitlements to the Creator's content, course/lesson progress where applicable, and the support messages you send.
If you register as an Affiliate, we additionally process:
your tax identity: natural person or legal entity, entity type (e.g. SRL, SA, GmbH, Ltd), tax country (ISO 3166-1 alpha-2), name of legal representative, full registered address, VAT/VIES number and VIES validation timestamp where applicable;
your acceptance of the Affiliate Agreement and your explicit consent to self-billing under Article 319 of the Romanian Fiscal Code (timestamps and originating IP address are stored as legal evidence);
your Stripe Connect account status for payouts;
your affiliate referral codes, attribution events, commission ledger entries, payout requests, the AFL (self-billed) and ZAF (intermediation-fee) invoices issued through Oblio, and any invoice submissions you upload as an alternative to self-billing.
Payments on the Service are processed by our payment processor Stripe, Inc. ("Stripe"). Stripe collects and processes the financial information necessary to complete transactions, such as payment-card details, billing information, bank-account details (for Connect payouts) and transaction data. Zemers does not store full payment-card numbers and card data never passes through Zemers servers; tokenization and card-data storage are handled entirely by Stripe. Your financial data is processed in accordance with Stripe's privacy policy and services agreement.
For invoicing, we use Oblio, a Romanian invoicing service, which generates and stores the PDF invoices and assigns invoice series and numbers required by Romanian law.
We retain information about the Creator Content you view, purchase or interact with through the Service: page views (ProductPageView, deduplicated per random session identifier), checkout sessions started and completed, waitlist sign-ups, course-lesson progress, promotional codes used, refunds, and chargebacks.
We collect information when you contact us through support channels, when you respond to surveys, when you exchange messages with a Creator's support widget, and when emails we send you generate delivery, open, or click events. Providing communication data is optional.
When you visit and use the Service, our systems automatically record certain technical information, including: IP address (used to derive a broad geolocation, typically country/region), browser type and settings, operating system, device type, the time of the request, the page requested, referrer, navigation pattern, whether the request appears to come from a bot, and security-related events (IpEvent) such as repeated requests for verification codes, used for abuse prevention.
Please see our Cookie Policy for the full list of cookies used by Zemers, including strictly necessary cookies (such as next-auth.session-token, next-auth.csrf-token, sv_impersonate used for support impersonation, and zemers_gdpr_consent storing your consent preferences for 365 days), functionality cookies (such as sv_affiliate_ref used to attribute affiliate referrals), analytics cookies (Google Analytics, Google Tag Manager) and marketing cookies (Meta Pixel, X Pixel, TikTok Pixel) loaded only after you give consent for the corresponding category.
Our transactional and marketing emails may contain tracking pixels that allow us to measure whether emails are opened and whether links are clicked. This information helps us improve our communications and ensure deliverability. Where required by law, such tracking is used only for marketing emails and only with your consent.
Some Creator storefronts or product pages include analytics tools or tracking technologies configured by the Creator (such as advertising pixels, GA4, GTM containers, or other analytics scripts). In such cases, the Creator acts as an independent data controller for data collected through those technologies, and the Creator's own privacy policy applies in addition to this one.
We process personal information for the purposes set out below and rely on the legal bases provided by Article 6 GDPR.
We use personal information to provide the Service you request, create and manage accounts and tenants, deliver the Creator's digital products to Customers, manage access entitlements (CreatorAppAccess), process subscriptions and renewals, send transactional emails (verification codes, order confirmations, access links), and provide support.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interests in operating and maintaining the platform (Art. 6(1)(f) GDPR).
We use personal information to process payments through Stripe, to operate Stripe Connect for Creators and Affiliates, to compute affiliate commissions in the append-only ledger (AffiliateLedgerEntry), to generate AFL self-billing and ZAF intermediation-fee invoices via Oblio, and to maintain platform invoices for Creator subscriptions.
Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with Romanian fiscal and accounting law including the Fiscal Code (Art. 319 for self-billing) and the Accounting Law (Art. 6(1)(c)).
We use personal information to analyze how the platform is used, to improve functionality, to personalize the user experience, to detect and prevent fraud, abuse, account takeover, and unauthorized access, and to investigate security incidents.
Legal basis: our legitimate interests in maintaining and securing the Service (Art. 6(1)(f) GDPR).
ZemersAI use artificial intelligence to help you generate and improve content. When you submit text, prompts or content, we process such information through third-party AI providers (currently OpenAI).
Purpose. Your content is used only to generate outputs for you and to provide the requested AI functionality.
Training. Your content is not used to train general AI models, in accordance with our agreement with our AI provider.
Human review. We do not manually review your prompts or outputs, except where strictly necessary to investigate abuse, ensure safety or comply with the law.
Accuracy. AI outputs are generated automatically and may contain inaccuracies; you remain responsible for reviewing them before publication.
Legal basis: performance of a contract when providing AI functionality you request (Art. 6(1)(b)) and our legitimate interest in improving the Service (Art. 6(1)(f)).
We may process personal information to comply with applicable laws, regulations and legal process, including responding to subpoenas or requests from competent authorities, performing tax and accounting record-keeping, protecting our and others' rights, privacy, safety and property, auditing compliance with our terms, and managing access to our infrastructure to prevent or investigate cyber-attacks, fraud and identity theft.
Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR) and our legitimate interests in protecting our rights and the security of the platform (Art. 6(1)(f) GDPR).
We may use your personal information to contact you about products or services we believe may be of interest to you. You can opt out of marketing emails at any time by using the unsubscribe link in each email or by updating your notification preferences in your account. We will continue to send you transactional and administrative messages (such as security alerts, billing notices and policy changes) which are not optional.
Legal basis: your consent (Art. 6(1)(a)) for marketing emails where required, and our legitimate interest in promoting our Service (Art. 6(1)(f)) where permitted by applicable law.
When a visitor arrives through an affiliate link containing a ?ref= parameter, we set a first-party cookie (sv_affiliate_ref) to attribute the eventual purchase to the correct Affiliate, calculate the commission, and record it in the ledger.
Legal basis: performance of a contract with the Affiliate and our legitimate interest in operating the affiliate program (Art. 6(1)(b) and 6(1)(f)).
It is in our legitimate business interest to use personal information to develop, analyze and improve the Service. We may create or use aggregated, de-identified or anonymized data derived from personal information. We may share such anonymized data with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
Legal basis: our legitimate interests (Art. 6(1)(f)).
We may use your personal information, when it is in our legitimate business interests, in the context of a merger, financing, acquisition, reorganization, bankruptcy, sale or transfer of all or part of our business or assets.
Legal basis: legitimate interests (Art. 6(1)(f)).
We share personal information only with the categories of recipients described below, and only to the extent necessary for the stated purposes.
When you purchase or access products or services offered by a Creator, certain information is shared with that Creator to enable delivery of the purchased content or services. This includes your email address, name, the additional checkout fields the Creator has enabled (such as phone, company, VAT, shipping address), the products you have purchased, your subscription status, refunds, and your interactions with the Creator's content. The Creator may contact you regarding the products or services you purchased from them, subject to applicable data-protection and marketing laws. Creators act as independent data controllers with respect to personal information they receive through the Service. We encourage you to review the privacy policy of each Creator from whom you purchase.
When a Creator invites Team Members, those Team Members will have access to Customer data of that Creator's tenant in accordance with the role assigned to them. Team Members do not have access to data belonging to other Creators.
We share personal information with service providers that help us operate the platform and provide the Service. These providers process personal information on our behalf, under written agreements that restrict them to processing data only for the purposes for which we engaged them. Our typical sub-processors are:
Sub-processor
Purpose
Location
Stripe, Inc.
Payment processing, Stripe Connect for Creators and Affiliates, KYC
EU / US (SCCs)
Oblio
Invoice generation (platform and self-billing)
Romania
MXroute
Transactional and marketing email delivery
US (SCCs)
OpenAI
AI processing for ZemersAI features
US (SCCs, enterprise DPA)
Hosting / cloud infrastructure provider
Hosting of the Service
EU / US (SCCs as required)
Object storage provider
Storage of uploaded media, course content, affiliate invoice submissions and GDPR export packages
EU / US (SCCs as required)
Google (where activated)
Google Tag Manager, Google Analytics 4 — when activated by a Creator on their storefront
EU / US (SCCs)
Meta, X, TikTok (where activated)
Advertising pixels when activated by a Creator on their storefront
US (SCCs)
Our third-party AI providers (currently OpenAI) are contractually restricted to processing your prompts and content solely for the purpose of providing the requested service, and are not permitted to use the data to train general AI models.
We may share personal information with our professional advisors (lawyers, accountants, auditors) where necessary to obtain their services.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider (a "Transaction"), your personal information may be shared with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction.
We may disclose personal information if required by law or in the good-faith belief that doing so is necessary to (i) comply with a legal obligation, (ii) protect and defend our rights or property, (iii) prevent fraud, (iv) act in urgent circumstances to protect the personal safety of users or the public, or (v) protect against legal liability.
We may share aggregated or statistical information relating to the general behavior of users of the Service with prospective business partners or other third parties for research, marketing or development purposes.
When you purchase or interact with a Creator's storefront, pages or checkout, your information may be shared with that Creator in order to enable delivery of the purchased content or services. This may include your username, email address, name, phone, billing/shipping fields enabled on checkout and transaction details. Creators may contact you regarding the products or services you purchased, subject to applicable data-protection and marketing laws.
Creators operate independently from Zemers and act as independent data controllers with respect to personal information they receive through the Service. Zemers is not responsible for how Creators use or process personal data outside of the functionality of the platform.
We encourage you to review the privacy policies of individual Creators before providing personal information or purchasing their products or services.
We retain personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy, including to comply with legal, accounting, or regulatory requirements. The principal retention periods are:
Data category
Retention
Active account profile and settings
For the lifetime of the account
Deactivated account
30 days grace period, then permanent deletion (deleted_at set, personal fields wiped or anonymized)
Transactional, billing, accounting records and invoices (platform invoices, AFL/ZAF self-billing)
10 years (Romanian Accounting Law)
Affiliate ledger entries and tax-relevant records
10 years
Consent records (cookie banner preferences and DB log)
Cookie 365 days; DB log retained as evidence for the duration of legal obligations
Security event logs (IpEvent, sign-in fingerprints)
Up to 12 months
Email queue records
Up to 90 days after delivery
GDPR export packages (DataExportRequest)
Download token expires after a limited time; package deleted shortly afterwards
Aggregated / anonymized analytics
No fixed limit (no longer personal data)
When personal information is no longer required and is not subject to a legal retention obligation, we securely delete or anonymize it.
Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:
Access — obtain confirmation of whether we process personal data about you and a copy of that data;
Rectification — correct inaccurate or incomplete personal information (most fields can be edited from your account settings);
Erasure — request deletion of your personal data, subject to legal retention obligations (for example, we cannot erase invoices required to be kept for 10 years under Romanian law);
Restriction — request that we restrict the processing of your personal data in certain circumstances;
Data portability — receive the personal data you have provided to us in a structured, commonly used, machine-readable format. You can trigger a self-service GDPR export from your account; we generate a JSON package (DataExportRequest) and provide a time-limited download token;
Objection — object to processing based on our legitimate interests, including profiling;
Withdraw consent — where processing is based on consent (e.g., marketing emails, optional cookies, AI features you trigger), you can withdraw consent at any time without affecting the lawfulness of prior processing;
Not be subject to automated decision-making producing legal or similarly significant effects — Zemers does not make automated decisions of this kind;
Lodge a complaint with a data protection supervisory authority.
You can exercise most of these rights directly from your account settings (rectify your profile, deactivate your account, withdraw marketing consent, manage cookie preferences, request a GDPR export, cancel subscriptions). For other requests, please contact us at hello@zemers.com. We may require verification of your identity before responding to a request, to protect your personal data.
In some cases your rights may be limited where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with legal obligations and enforce our legal rights.
You may withdraw your consent to marketing communications at any time by using the unsubscribe link in our emails, by updating your notification preferences in your account, or by contacting us directly.
You may limit online tracking using the tools described in our Cookie Policy, including the in-product consent banner, your browser's cookie settings, privacy-focused browsers and privacy plug-ins, and Google's analytics opt-out browser plug-in (https://tools.google.com/dlpage/gaoptout). We do not respond to "Do Not Track" browser signals, but we honor the choices you make through the cookie banner.
The Service is not directed to individuals under the age of 16. Zemers does not knowingly collect personal information from children under the age of 16. If you believe that a child under the age of 16 has provided personal information to us, please contact us and we will take steps to delete such information.
The Service may contain links to other websites that are not operated or controlled by Zemers, including social media services, Creator-configured external links and Stripe-hosted checkout pages ("Third-Party Sites"). Information that you share with Third-Party Sites is governed by their own privacy policies and terms, not by this Privacy Policy. By providing these links we do not endorse them. Please review their privacy practices before sharing information with them.
You use the Service at your own risk. We implement commercially reasonable technical, administrative and organizational measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration or destruction. These include: encryption in transit (TLS), passwordless authentication, sign-in fingerprinting and new-device email alerts, role-based access control for Team Members, separation of payment data so that card information never reaches our servers, audit logs of administrative actions, and abuse-prevention logging.
However, no Internet or e-mail transmission is ever fully secure or error-free. Please take care in deciding what information you send to us via the Service or e-mail.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Zemers will investigate the incident and notify affected users and the competent supervisory authority where required by applicable law (within 72 hours of becoming aware, in accordance with Art. 33 GDPR).
Zemers is based in Romania, a member of the European Union. Personal information is primarily processed within the European Economic Area (EEA).
In some cases, we transfer personal information to service providers located outside the EEA (for example Stripe, MXroute, OpenAI, or certain hosting and storage providers in the United States). When such transfers occur, we ensure appropriate safeguards are in place as required by GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers under adequacy decisions where available. A copy of the safeguards relied on for a specific transfer can be requested at hello@zemers.com.
The Service and our business may change from time to time. As a result we may update this Privacy Policy at any time. When we do, we will post the updated version on this page and update the "Date of Last Revision" above. For material changes that affect your rights, we will provide an additional notice (such as an email or an in-product notification) where required by applicable law. By continuing to use the Service or providing us with personal information after we have posted an updated Privacy Policy, you consent to the revised Privacy Policy and the practices described in it.
If you have any questions about this Privacy Policy or our data practices, you may contact us at:
VINCITUS MK S.R.L. Str. Iosif Vulcan, Bistrița, Bistrița-Năsăud, Romania CUI: 42840739 Email: hello@zemers.com
If you believe that your personal data has been processed in violation of applicable data protection laws, you have the right to lodge a complaint with your local data protection supervisory authority. For users located in Romania, the competent authority is:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania https://www.dataprotection.ro
If you are based elsewhere in the EEA, you may contact your national supervisory authority. If you are based in the United Kingdom, your regulator is the Information Commissioner's Office (ICO).
Last updated: May 31, 2026