Privacy Policy – ICONZON Platform

1. Scope and Acceptance

1.1 By accessing or using Iconzon, you acknowledge that you have read, understood, and agreed to this Privacy Policy.

1.2 If you do not agree with the practices described herein, you must discontinue use of the Platform and refrain from connecting any third-party accounts.

1.3 This Policy applies to all users, including individuals, businesses, agencies, and corporate entities.

2. Information We Collect

We may collect and process the following categories of personal information:

2.1 Account Information

• Full name
• Email address
• Business details
• Profile information supplied during registration
• Connected social media or design accounts (through your direct authorization)
• Connected store or e‑commerce accounts (e.g. Shopify), including store domain and access granted by you for the Platform to read products, orders, and analytics to provide analysis and recommendations

2.2 Content, Creative, and Communication Data

Including but not limited to:

• Uploaded files, images, logos, icons, brand elements, videos, and design assets
• AI prompts and generated content
• Brand Kits, templates, and libraries created by the user
• Messages, posts, comments, scheduling data, and content managed through the Platform

We do not store user passwords for external platforms.

2.3 Technical and Usage Data

• IP address
• Device identifiers
• Operating system and browser information
• Session logs and timestamps
• Feature usage statistics
• Design export history
• Error logs and diagnostics

This information is collected to operate, secure, and optimize the Platform.

2.4 Payment Information

Subscription and checkout payments are processed by Polar (Polar.sh). We do not receive or store your full payment card number on our own servers; Polar and/or its payment partners handle card data in accordance with their policies and applicable standards (e.g. PCI-DSS scope for the processor).

We retain billing metadata needed for subscriptions, invoices, tax, and fraud prevention (e.g. transaction IDs, plan, status, last four digits where provided by the processor).

3. Legal Basis and Purpose of Processing

We process personal data solely for legitimate purposes, including but not limited to:

3.1 Providing, improving, and maintaining the functionality of Iconzon.

3.2 Operating AI-powered design tools and content creation features.

3.3 Managing Brand Kits, templates, and custom user content.

3.4 Enabling export of icons, graphics, and design assets.

3.5 Integrating with third-party platforms such as Meta or TikTok when relevant.

3.6 Ensuring system security and preventing fraud or misuse.

3.7 Complying with applicable laws and regulatory requirements.

Processing grounds include:

• User consent
• Contractual necessity
• Legitimate business interests

4. Integration with Third-Party Platforms

When you choose to integrate Iconzon with any external platform (e.g., Meta, TikTok, cloud storage, or others):

4.1 Access is granted strictly according to permissions you approve.

4.2 Data is used only to provide functionality requested by you.

4.3 We do not sell, disclose, or misuse third-party account data.

4.4 You may revoke access at any time via the respective platform.

Iconzon does not store sensitive credentials of third-party platforms.

5. Data Sharing and Disclosure

We do not sell or rent personal information.

Data may be shared only with:

5.1 Connected external platforms, as authorized by you.

5.2 Trusted service providers, solely for hosting, processing, analytics, or operational purposes.

5.3 Legal authorities, only when required by law or valid legal process.

5.4 AI processing providers, solely to generate the requested output.

All service providers are bound to strict confidentiality and data protection agreements.

5.5 Named service providers (sub-processors)

The following named categories of recipients may process personal data on our behalf, depending on which features you use and how the Platform is deployed. This list is provided for transparency; it may be updated as we change providers. For GDPR purposes, an up-to-date overview may also be referenced in our Data Processing Agreement (DPA).

When you connect third-party social or ad accounts (e.g. Meta, TikTok), those platforms also receive data according to your use of the integration and their policies.

6. Data Security, Retention and Breach Notification

6.1 We implement industry-standard administrative, technical, and physical safeguards, including encryption, monitoring systems, and strict access control.

6.2 Data is retained only for as long as necessary to fulfill the purposes outlined herein, unless a longer period is required by law. Indicative retention periods:

• Account and profile data: until you request deletion or close your account, after which we may retain minimal data as required by law (e.g. for legal claims or accounting).
• Content you create (posts, campaigns, brand kits, uploads): until you delete it or close your account.
• Session and authentication data: for the duration of your session; session logs may be retained for a limited period for security and fraud prevention (e.g. up to 12 months).
• Technical and usage logs (e.g. IP, device, diagnostics): typically up to 12 months, unless a shorter or longer period is needed for security or legal compliance.
• Payment records: as required by applicable tax and financial regulations (typically several years).
• Connected store data (e.g. Shopify: products, orders, analytics used for analysis): for the duration of the connection; after you disconnect, we cease accessing new data and delete or anonymize stored summaries within a reasonable period (e.g. 90 days) unless required longer by law.

6.3 Users may request data deletion at any time by contacting us (see Section 15).

6.4 While we employ strong security measures, no system is entirely immune to breaches. We cannot guarantee absolute data security.

6.5 In the event of a personal data breach that is likely to pose a risk to your rights, we will notify the relevant supervisory authority and, where required by law (e.g. under the GDPR), affected individuals without undue delay.

7. User Rights (including GDPR / EEA)

If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction with similar data protection laws (such as the GDPR), or under other applicable laws, you may have the right to:

7.1 Access the personal data we hold about you.

7.2 Request correction or deletion of data ("right to be forgotten").

7.3 Withdraw consent to processing.

7.4 Restrict or object to certain types of processing.

7.5 Request a copy of your data in a portable format (data portability).

7.6 File a complaint with a supervisory authority (e.g. in your country of residence).

We will respond to such requests without undue delay and in any event within 30 days where required by applicable law. To exercise these rights, contact us at the details in Section 15.

8. California residents (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Policy. Terms such as "personal information," "sell," "share," and "business purpose" are used in a manner consistent with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and their implementing regulations, where applicable.

8.1 Categories of personal information collected. We collect the categories described in Section 2 of this Policy (e.g. identifiers, commercial information, internet or network activity, content you provide, and inferences from usage).

8.2 Sources. Directly from you, from your device and browser, from integrations you authorize (e.g. social platforms), and from service providers as described in Section 5.5.

8.3 Business and commercial purposes. We use personal information for the purposes in Section 3 and related sections (providing the Platform, security, analytics, payments, AI features you request, and legal compliance).

8.4 Disclosure. We disclose personal information to the categories of recipients described in Section 5 and the named providers in Section 5.5, for business purposes. We do not sell personal information for money. Where we use analytics or advertising technologies that may constitute "sharing" for cross-context behavioral advertising under California law, you may use browser controls, opt-out signals (where we honor them), and our cookie / tracking disclosures in Section 12.

8.5 Sensitive personal information. We do not use or disclose sensitive personal information for purposes that require a "Limit the Use of My Sensitive Personal Information" choice beyond what is permitted under the CPRA for service operation, except as allowed by law.

8.6 Your California rights. Subject to exceptions, California residents may have the right to:

• Know what personal information we collect, use, disclose, and (as applicable) "share" or sell
• Request access to specific pieces and copies of personal information
• Request deletion of personal information
• Request correction of inaccurate personal information
• Opt out of "sale" or "sharing" (see 8.4)
• Limit certain uses of sensitive personal information (see 8.5)
• Not receive discriminatory treatment for exercising these rights

8.7 How to submit a request. Email support@iconzon.com from the email associated with your account, or use the contact details in Section 15. We may need to verify your identity before responding. You may designate an authorized agent in accordance with applicable law.

8.8 Retention. We retain personal information as described in Section 6.2.

8.9 Shine the Light. Under California Civil Code Section 1798.83, California residents may request certain information regarding disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes as described in that statute. Requests may be sent to support@iconzon.com.

9. International Data Transfers

Where personal data is transferred beyond your jurisdiction, we ensure compliance with applicable data transfer frameworks.

This may include:

• Standard Contractual Clauses (SCCs)
• Data Processing Agreements
• Secure hosting regions
• Additional safeguards where required

10. AI Data Usage

10.1 AI tools within Iconzon may analyze, process, or transform user-provided input.

10.2 Generated output may be based on patterns learned from broad datasets, not from individual users.

10.3 We do not use your private content to train public AI models.

10.4 You remain fully responsible for reviewing and verifying AI-generated content before use, and for ensuring that your prompts and published outputs comply with law and third-party platform rules.

10.5 You must not use AI features for illegal, harmful, deceptive, or abusive purposes. Detailed prohibited uses, including fraud, impersonation, circumvention of safety controls, and misuse of automation, are set out in the Terms of Use (Sections 5, 6, and 8) and our Acceptable Use Policy.

10.6 To protect users and comply with law, we may process related metadata (e.g. prompts, outputs, flags, moderation decisions) for security, abuse prevention, and enforcement, and may restrict or terminate access where misuse is detected.

10.7 For a plain-language overview of how AI is used on Iconzon, see our AI Disclosure. For how we enforce rules and respond to misuse, see Trust & Safety.

11. AI Safety and Content Responsibility

11.1 The Platform implements reasonable technical and organizational safeguards to reduce misuse of AI-generated content, including rate limits, automated signals, logging for security and abuse review, and human escalation for serious or repeated issues. These measures are not perfect and do not guarantee that all prohibited content will be blocked before it is created or displayed.

11.2 Users are solely responsible for ensuring that prompts, uploads, and generated content (including text, images, video, and ads) comply with applicable laws, advertising standards, and the policies of any platform where content is published. You must review outputs before publication or paid distribution where human judgment is required.

11.3 We may use moderation workflows (automated and, where appropriate, manual) to identify content or behavior that poses legal, ethical, safety, or payment-compliance risk. We may restrict generation, remove or disable access to specific content, throttle usage, suspend features, or suspend or terminate accounts consistent with our Terms of Use, Acceptable Use Policy, and Trust & Safety materials.

11.4 The Company reserves the right to monitor, restrict, or remove content that may pose legal, ethical, or compliance risks, except where prohibited by applicable law. Nothing in this Policy obligates us to pre-screen all user activity.

12. Cookies and Tracking Technologies

Iconzon may use:

• Cookies
• Pixel tags
• Local storage
• Analytics tools

These are used to:

• Improve usability
• Analyze behavior
• Remember preferences
• Enhance performance

Users may control cookie preferences through their browser settings.

13. Children's Privacy

The Platform is not intended for individuals under the age of 16.

We do not knowingly collect data from minors.

14. Policy Updates

We may revise this Privacy Policy to reflect operational, legal, or technological changes.

Updated versions will be posted with an updated "Effective Date."

Continued use of the Platform constitutes acceptance of the updated Policy.

15. Contact Information

15.1 Data protection contact. For GDPR, UK GDPR, CCPA/CPRA, and similar requests—including access, correction, deletion, portability, objection, and complaints—contact us at support@iconzon.com. We aim to respond within 30 days where required by law (and sooner when practical). Please use the email associated with your account or describe your account sufficiently for us to verify your identity.

15.2 Data Protection Officer (DPO). Under the GDPR, a DPO is mandatory only where processing meets specific thresholds (e.g. large-scale systematic monitoring of data subjects or large-scale processing of special categories). Where we are not required to appoint a DPO, privacy and data-protection matters are handled by our team at the contact above.

15.3 Supervisory authority (EEA/UK). If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.

For general questions about this Policy, you may also use: