Privacy Policy

Effective 2026-05-12

This Privacy Policy explains how Zorbl ("we") collects, uses, and protects personal data when you use Zorbl. It applies to visitors, registered users, and paid subscribers.

1. Who We Are

Zorbl is the data controller for personal data processed through Zorbl. You can reach us at legal@zorbl.com.

2. What We Collect

Account data. Your name, email, password hash, profile information, and any login provider identifiers (for example, your Google account ID if you sign in with Google).

Content you create. Crosswords, clues, comments, ratings, favorites, contest entries, and support tickets.

Solve data. Puzzle attempts, solve times, progress snapshots (so we can sync your place across devices), and completion records.

Billing data. If you subscribe to a paid plan, Stripe processes your payment. We store your Stripe customer ID, plan, status, and a redacted card brand and last-four. We do not see or store your full card number.

Technical data. IP address, browser user agent, device type, language, timestamps, and pages requested. We use this to run the service securely and diagnose issues.

Communications. If you contact us — through support, email, or in-app forms — we keep that correspondence to respond and to improve the service.

3. How and Why We Use It

We use personal data for the following purposes, with the corresponding legal basis under the UK GDPR and EU GDPR shown in brackets:

  • To create and operate your account, deliver the service, and provide customer support [contract performance].
  • To process payments and renewals through Stripe [contract performance].
  • To secure the service against fraud, abuse, and unauthorized access, including rate limiting and audit logs [legitimate interest].
  • To send service emails — receipts, security alerts, password resets, and material changes to these policies [contract performance / legal obligation].
  • To send product update emails. You can opt out at any time from notification preferences [legitimate interest, or consent where required].
  • To improve the service by analyzing aggregate, non-identifying usage patterns [legitimate interest].
  • To comply with legal obligations, including tax, accounting, and lawful requests from authorities [legal obligation].

Where we rely on consent (for example, optional analytics cookies in regions that require it) you can withdraw that consent at any time through the cookie preferences link in the footer.

4. Who We Share It With

We share personal data only with vendors that help us run the service, under contracts that require them to protect your data and use it only on our instructions:

  • Stripe — payment processing and subscription billing.
  • Google — for users who sign in with Google (we receive your name, email, and Google account ID).
  • Anthropic — when you use AI clue or autofill features, the necessary grid pattern or target word is sent to generate output. Anthropic does not train on this data per our agreement.
  • Our hosting and email providers (for example, Laravel Cloud and our transactional email service) — to run the platform and deliver emails.

We may also share data if required by law, court order, or to protect the rights, safety, or property of users or the public. We never sell your personal data.

5. Cookies and Similar Technologies

We use a small number of cookies to keep you logged in, remember your preferences, and protect against cross-site request forgery. See our Cookie Policy for the full list and your choices.

6. International Transfers

Our service and several of our vendors are based in the United States. If you access Zorbl from outside the US, your personal data will be transferred to and processed in the US and in countries where our vendors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission and UK ICO.

7. How Long We Keep It

We keep personal data only as long as we need it for the purposes described in this policy:

  • Account data: until you delete your account. When you click "Delete account" we cancel any active subscription, revoke API tokens, and remove your profile, puzzles, attempts, clues, comments, favorites, support tickets, and other personal records from active systems. Routine backups age out within 90 days.
  • Billing records: kept for seven years to meet tax and accounting law.
  • Support tickets: kept for two years after the last interaction.
  • Security logs: kept for up to 12 months.

8. Your Rights

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar laws, you have the right to:

  • access the personal data we hold about you;
  • have it corrected if it is wrong or out of date;
  • have it deleted (also called the "right to be forgotten");
  • export it in a machine-readable format (data portability);
  • restrict or object to processing based on legitimate interest, including direct marketing;
  • withdraw any consent you have given, without affecting prior processing; and
  • lodge a complaint with your local data protection authority — for example, the UK ICO or your national supervisory authority in the EEA.

To exercise these rights, email legal@zorbl.com or use your account settings, where many actions (download your data, delete your account, change notification preferences) are available self-serve. We will respond within one month.

California residents have similar rights under the CCPA / CPRA — including the right to know, delete, correct, and opt out of any "sale" or "sharing" of personal information. We do not sell personal information.

9. Children

Zorbl is not directed to children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us at legal@zorbl.com and we will delete it.

10. Security

We use industry-standard safeguards including TLS for data in transit, encrypted backups, hashed passwords, optional two-factor authentication, and least-privilege access for our team. No system is perfectly secure, but we work hard to keep your data safe and to investigate and disclose incidents quickly when they happen.

11. Changes to This Policy

We may update this Privacy Policy as the service evolves. When we do, we update the "Effective" date above and, for material changes, notify you by email or an in-app banner before they take effect.

12. Contact

Questions, requests, or complaints can be sent to legal@zorbl.com.