In short. Zephyr's Elixir runs locally on your PC and operates on the connected Android device over ADB. Most data never leaves your computer. We transmit only the minimum necessary: license validation data (to Whop), the Android package names when you use the optional AI analysis (to OpenAI), and the ordinary technical metadata of network requests. No profiling, no advertising, no sale of data.
1. Data controller
The controller of your personal data is blast752 (the "controller", "we", or the "developer"), established in Italy.
2. Categories of data we process
We process only the data listed below, which corresponds to features actually present in the software. We do not process special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10).
2.1 Data transmitted to us or to third parties
- Device fingerprint. A value derived via (truncated) SHAβ256 hash from technical parameters of your Windows installation (machine name, system user name, processor count, OS version, system directory, architecture). It is a pseudonymous identifier used to bind a license to a single device. We cannot reconstruct your identity from it.
- License key and application / Pro module version, sent to the license service for activation and periodic validation.
- Technical connection data: IP address and
User-Agent, unavoidably processed for every network request (license validation, update check, Pro module and scrcpy downloads). - Android package names (e.g.
com.example.app) installed on the connected device, transmitted only if you use the optional AI analysis to assess removal risk. Your user name, personal content and files are never sent. - Buyer's email address: collected by Whop at purchase and used to deliver your license key (via the Resend transactional email service). We may view it in the Whop admin panel for management and support.
- Anonymous website statistics (see Β§7), collected only with your consent, in aggregate and cookieless form.
- Server technical logs for the APIs (see Β§5).
2.2 Data processed only locally on your PC (never transmitted)
The following data stays on your computer, under your sole control, and is never sent to us:
- the license cache (encrypted with Windows DPAPI), in
%LocalAppData%\ZephyrsElixir; - the downloaded Pro module, stored encrypted (AESβ256βGCM);
- the uninstall history (
history.json): package names, device serial number, icons, dates and APK backup paths; - the daily counter of free-tier AI analyses;
- the APK backups, screenshots and screen recordings in
%Documents%\ZephyrsElixir; - the diagnostic log, kept in memory only (max 150 entries, automatically scrubbed of emails, IPs, serial numbers and paths) and exportable only by you;
- the connected Android device data (serial number, brand, model, battery level, app list), read over ADB to operate the tool.
3. Purposes & legal bases
| Data | Purpose | Legal basis |
|---|---|---|
| Device fingerprint, key & version | License activation/validation, "1 device" binding, abuse and piracy prevention | Art. 6(1)(b) β performance of the license contract; Art. 6(1)(f) β legitimate interest in anti-fraud |
| IP address, User-Agent | Delivering API responses, distributing updates and modules, network security | Art. 6(1)(b) and Art. 6(1)(f) |
| Android package names | Optional AI analysis of app removal risk | Art. 6(1)(b) β feature you request by starting the scan |
| Buyer email | Delivery of the license key; support | Art. 6(1)(b) |
| Website statistics (Plausible) | Aggregate, anonymous audience measurement | Art. 6(1)(a) β consent (revocable) |
| Server logs | Operation, diagnostics and security of the services | Art. 6(1)(f) β legitimate interest |
| Management data on Whop | Administrative, accounting and support management | Art. 6(1)(b); Art. 6(1)(c) β legal obligations; Art. 6(1)(f) |
Providing license data is necessary to use the Pro features; refusal means they cannot be activated. AI analysis is optional: if you do not start a scan, no package name is transmitted.
4. Recipients & international transfers
Data may be disclosed to the parties below, acting as processors (Art. 28 GDPR) or as independent controllers, solely for the stated purposes. Transfers to the United States are subject to appropriate safeguards under Art. 46 GDPR.
| Party | Role | Data | Country | Safeguard (Art. 46) |
|---|---|---|---|---|
| Whop (Whop Inc.) | Seller / merchant of record and license manager β independent controller for payment data | Email, payment data, key, device fingerprint, version | USA | Standard Contractual Clauses (SCC) and Whop's privacy policy |
| OpenAI (OpenAI Ireland Ltd / OpenAI, L.L.C.) | Processor β AI model provider | Android package names | EU β USA | SCC in the OpenAI DPA; not used for training; retention max 30 days |
| Resend (Resend, Inc.) | Processor β transactional email | Buyer email, license email content | USA | SCC in the Resend DPA |
| Vercel (Vercel, Inc.) | Processor β website hosting and serverless functions | All data in transit to the APIs, technical logs | USA | EU-US Data Privacy Framework and/or SCC |
| GitHub (GitHub, Inc.) | Processor/source β scrcpy download | IP, User-Agent | USA | EU-US Data Privacy Framework and/or SCC |
| Plausible (Plausible Insights OΓ) | Processor β anonymous statistics | Aggregate navigation data (cookieless) | EU (Estonia/EU) | No extra-EU transfer |
The website fonts are self-hosted on our servers: no data is sent to Google Fonts or any third-party CDN when you visit the site.
You may ask us at any time for the up-to-date list of processors and a copy of the safeguards applied, by writing to zephyrselixir@gmail.com.
5. Retention period
- License data / Whop metadata (e.g. bound device, last seen): for the duration of the contractual relationship and, thereafter, up to 24 months for accounting and defence purposes; further retention by Whop per its policy.
- Server logs (Vercel): for the technically necessary time and in any case no longer than 30 days, according to the platform configuration.
- Package names sent to OpenAI: retained by OpenAI for up to 30 days for security/abuse purposes only, then deleted; not used to train models.
- Plausible statistics: aggregate, anonymous data only; no personal data retained.
- Local data (license cache, history, backups, diagnostic log): kept until you delete it, including by uninstalling the application. The diagnostic log is volatile and clears when the program closes.
6. Your rights
As a data subject you may exercise at any time the rights under Arts. 15β22 GDPR:
- Access (Art. 15) β obtain confirmation and a copy of the data processed;
- Rectification (Art. 16) β correct inaccurate data;
- Erasure / "right to be forgotten" (Art. 17);
- Restriction (Art. 18) and objection (Art. 21) to processing;
- Portability (Art. 20) β receive the data in a structured format;
- Withdrawal of consent (Art. 7) at any time, without affecting processing already carried out (e.g. website statistics).
How to exercise them in practice
- Local data: you can delete it yourself by uninstalling the app or removing the
%LocalAppData%\ZephyrsElixirand%Documents%\ZephyrsElixirfolders. - License and device: use Settings β License β Deactivate in the app to release the device binding.
- Whop / email data: write to zephyrselixir@gmail.com; we will respond within 30 days (Art. 12 GDPR). For payment data you may also contact Whop as independent controller.
You also have the right to lodge a complaint with a supervisory authority (see Β§11).
7. Cookies & tracking technologies
The website uses no profiling cookies, hosts no advertising and shares no data with advertising platforms. In line with the Italian DPA guidance of 10 June 2021 and the EDPB guidelines, the tools used are:
| Name | Type | Purpose | Duration | Consent |
|---|---|---|---|---|
ze_consent | localStorage (technical) | Stores your choice on the banner | Persistent (until removed) | Not required (technical) |
plausible_ignore | localStorage (technical) | Disables statistics if you reject them | Persistent | Not required (technical) |
| Plausible Analytics | Statistical, cookieless | Aggregate, anonymous visit counting | No persistent data on the device | Required (loaded only after "Accept") |
Plausible is a privacy-friendly analytics tool, hosted in the EU, that uses no cookies and collects no identifying personal data, nor shares it. Although it could rely on legitimate interest, we have chosen to load it only after your consent. You can change your preferences at any time via the "Cookie Preferences" link in the footer.
8. Security measures
We apply appropriate technical and organisational measures (Art. 32 GDPR), including:
- Encryption at rest of the license cache via Windows DPAPI (current-user scope);
- AESβ256βGCM encryption of the Pro module, with a key derived via HKDFβSHA256 and bound to the device;
- Integrity verification with SHAβ256 hashing and strong-name (public-key token) checks of the signed module;
- Encryption in transit via TLS/HTTPS for all network communications;
- HMACβSHA256 signing of license responses to prevent tampering;
- Minimisation: email addresses, IPs, serial numbers and paths are masked in both local diagnostic logs and server logs;
- Restricted access to management data (only via the Whop panel, by the controller).
9. Use of Artificial Intelligence (AI Act)
The app removal-risk analysis feature uses an AI model provided by OpenAI. Under Regulation (EU) 2024/1689 (the "AI Act"), this use qualifies as a minimal/limited-risk AI system: it is neither a prohibited practice (Title II) nor a high-risk system (Annex III).
- Transparency (Art. 50): we expressly inform you that the assessment is generated by an AI system.
- Data sent: only the technical package names (e.g.
com.example.app); nothing that identifies you. - Advisory nature: the output (score and warning) is purely informational. The decision to uninstall or disable an app is always yours and requires your explicit confirmation. There is no automated decision producing legal or similarly significant effects within the meaning of Art. 22 GDPR.
- Roles: OpenAI is the model provider; the controller is the deployer.
10. Minors
The software and services are not intended for persons under 18 and presuppose use by adults, also given the advanced technical nature of the tools (device control over ADB) and the paid purchase. We do not knowingly collect data from minors; if you believe this has occurred, contact us for prompt deletion.
11. Contact & complaints
For any request regarding the processing of your data or to exercise your rights, write to zephyrselixir@gmail.com.
You also have the right to lodge a complaint with the competent supervisory authority β your local Data Protection Authority, or, for Italy (the controller's place of establishment), the Garante per la protezione dei dati personali β www.garanteprivacy.it, Piazza Venezia 11, 00187 Rome.
12. Changes to this policy
We may update this policy to reflect legal or functional developments. For significant changes we will give notice on the website and/or in the application. The effective date at the top indicates the latest revision.
By using Zephyr's Elixir you acknowledge that you have read and understood this Privacy Policy.