Legal document

Privacy Policy

Version: 1.0 Effective date: 15 June 2026 Scope: zephyrselixir.com website and the Zephyr's Elixir application
πŸ›‘οΈ GDPR β€” Reg. EU 2016/679 πŸ€– AI Act β€” Reg. EU 2024/1689 πŸ’³ Whop Β· OpenAI

Contents

  • 1. Data controller
  • 2. Data we process
  • 3. Purposes & legal bases
  • 4. International transfers
  • 5. Retention
  • 6. Your rights
  • 7. Cookies & technologies
  • 8. Security
  • 9. AI systems (AI Act)
  • 10. Minors
  • 11. Contact & complaints
  • 12. Changes
πŸ”’

In short. Zephyr's Elixir runs locally on your PC and operates on the connected Android device over ADB. Most data never leaves your computer. We transmit only the minimum necessary: license validation data (to Whop), the Android package names when you use the optional AI analysis (to OpenAI), and the ordinary technical metadata of network requests. No profiling, no advertising, no sale of data.

1. Data controller

The controller of your personal data is blast752 (the "controller", "we", or the "developer"), established in Italy.

Privacy contact & exercise of rights
zephyrselixir@gmail.com
Data Protection Officer (DPO)
Not appointed. A DPO is not mandatory under Art. 37 GDPR, as our core activity does not consist of large-scale processing of special categories of data or large-scale systematic monitoring.

2. Categories of data we process

We process only the data listed below, which corresponds to features actually present in the software. We do not process special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10).

2.1 Data transmitted to us or to third parties

  • Device fingerprint. A value derived via (truncated) SHA‑256 hash from technical parameters of your Windows installation (machine name, system user name, processor count, OS version, system directory, architecture). It is a pseudonymous identifier used to bind a license to a single device. We cannot reconstruct your identity from it.
  • License key and application / Pro module version, sent to the license service for activation and periodic validation.
  • Technical connection data: IP address and User-Agent, unavoidably processed for every network request (license validation, update check, Pro module and scrcpy downloads).
  • Android package names (e.g. com.example.app) installed on the connected device, transmitted only if you use the optional AI analysis to assess removal risk. Your user name, personal content and files are never sent.
  • Buyer's email address: collected by Whop at purchase and used to deliver your license key (via the Resend transactional email service). We may view it in the Whop admin panel for management and support.
  • Anonymous website statistics (see Β§7), collected only with your consent, in aggregate and cookieless form.
  • Server technical logs for the APIs (see Β§5).

2.2 Data processed only locally on your PC (never transmitted)

The following data stays on your computer, under your sole control, and is never sent to us:

  • the license cache (encrypted with Windows DPAPI), in %LocalAppData%\ZephyrsElixir;
  • the downloaded Pro module, stored encrypted (AES‑256‑GCM);
  • the uninstall history (history.json): package names, device serial number, icons, dates and APK backup paths;
  • the daily counter of free-tier AI analyses;
  • the APK backups, screenshots and screen recordings in %Documents%\ZephyrsElixir;
  • the diagnostic log, kept in memory only (max 150 entries, automatically scrubbed of emails, IPs, serial numbers and paths) and exportable only by you;
  • the connected Android device data (serial number, brand, model, battery level, app list), read over ADB to operate the tool.

3. Purposes & legal bases

Processing activities, purposes and legal bases under Art. 6 GDPR.
DataPurposeLegal basis
Device fingerprint, key & versionLicense activation/validation, "1 device" binding, abuse and piracy preventionArt. 6(1)(b) β€” performance of the license contract; Art. 6(1)(f) β€” legitimate interest in anti-fraud
IP address, User-AgentDelivering API responses, distributing updates and modules, network securityArt. 6(1)(b) and Art. 6(1)(f)
Android package namesOptional AI analysis of app removal riskArt. 6(1)(b) β€” feature you request by starting the scan
Buyer emailDelivery of the license key; supportArt. 6(1)(b)
Website statistics (Plausible)Aggregate, anonymous audience measurementArt. 6(1)(a) β€” consent (revocable)
Server logsOperation, diagnostics and security of the servicesArt. 6(1)(f) β€” legitimate interest
Management data on WhopAdministrative, accounting and support managementArt. 6(1)(b); Art. 6(1)(c) β€” legal obligations; Art. 6(1)(f)

Providing license data is necessary to use the Pro features; refusal means they cannot be activated. AI analysis is optional: if you do not start a scan, no package name is transmitted.

4. Recipients & international transfers

Data may be disclosed to the parties below, acting as processors (Art. 28 GDPR) or as independent controllers, solely for the stated purposes. Transfers to the United States are subject to appropriate safeguards under Art. 46 GDPR.

Third-party providers and safeguards for international transfers.
PartyRoleDataCountrySafeguard (Art. 46)
Whop (Whop Inc.)Seller / merchant of record and license manager β€” independent controller for payment dataEmail, payment data, key, device fingerprint, versionUSAStandard Contractual Clauses (SCC) and Whop's privacy policy
OpenAI (OpenAI Ireland Ltd / OpenAI, L.L.C.)Processor β€” AI model providerAndroid package namesEU β†’ USASCC in the OpenAI DPA; not used for training; retention max 30 days
Resend (Resend, Inc.)Processor β€” transactional emailBuyer email, license email contentUSASCC in the Resend DPA
Vercel (Vercel, Inc.)Processor β€” website hosting and serverless functionsAll data in transit to the APIs, technical logsUSAEU-US Data Privacy Framework and/or SCC
GitHub (GitHub, Inc.)Processor/source β€” scrcpy downloadIP, User-AgentUSAEU-US Data Privacy Framework and/or SCC
Plausible (Plausible Insights OÜ)Processor β€” anonymous statisticsAggregate navigation data (cookieless)EU (Estonia/EU)No extra-EU transfer
βœ…

The website fonts are self-hosted on our servers: no data is sent to Google Fonts or any third-party CDN when you visit the site.

You may ask us at any time for the up-to-date list of processors and a copy of the safeguards applied, by writing to zephyrselixir@gmail.com.

5. Retention period

  • License data / Whop metadata (e.g. bound device, last seen): for the duration of the contractual relationship and, thereafter, up to 24 months for accounting and defence purposes; further retention by Whop per its policy.
  • Server logs (Vercel): for the technically necessary time and in any case no longer than 30 days, according to the platform configuration.
  • Package names sent to OpenAI: retained by OpenAI for up to 30 days for security/abuse purposes only, then deleted; not used to train models.
  • Plausible statistics: aggregate, anonymous data only; no personal data retained.
  • Local data (license cache, history, backups, diagnostic log): kept until you delete it, including by uninstalling the application. The diagnostic log is volatile and clears when the program closes.

6. Your rights

As a data subject you may exercise at any time the rights under Arts. 15‑22 GDPR:

  • Access (Art. 15) β€” obtain confirmation and a copy of the data processed;
  • Rectification (Art. 16) β€” correct inaccurate data;
  • Erasure / "right to be forgotten" (Art. 17);
  • Restriction (Art. 18) and objection (Art. 21) to processing;
  • Portability (Art. 20) β€” receive the data in a structured format;
  • Withdrawal of consent (Art. 7) at any time, without affecting processing already carried out (e.g. website statistics).

How to exercise them in practice

  • Local data: you can delete it yourself by uninstalling the app or removing the %LocalAppData%\ZephyrsElixir and %Documents%\ZephyrsElixir folders.
  • License and device: use Settings β†’ License β†’ Deactivate in the app to release the device binding.
  • Whop / email data: write to zephyrselixir@gmail.com; we will respond within 30 days (Art. 12 GDPR). For payment data you may also contact Whop as independent controller.

You also have the right to lodge a complaint with a supervisory authority (see Β§11).

7. Cookies & tracking technologies

The website uses no profiling cookies, hosts no advertising and shares no data with advertising platforms. In line with the Italian DPA guidance of 10 June 2021 and the EDPB guidelines, the tools used are:

Cookies and local storage used.
NameTypePurposeDurationConsent
ze_consentlocalStorage (technical)Stores your choice on the bannerPersistent (until removed)Not required (technical)
plausible_ignorelocalStorage (technical)Disables statistics if you reject themPersistentNot required (technical)
Plausible AnalyticsStatistical, cookielessAggregate, anonymous visit countingNo persistent data on the deviceRequired (loaded only after "Accept")

Plausible is a privacy-friendly analytics tool, hosted in the EU, that uses no cookies and collects no identifying personal data, nor shares it. Although it could rely on legitimate interest, we have chosen to load it only after your consent. You can change your preferences at any time via the "Cookie Preferences" link in the footer.

8. Security measures

We apply appropriate technical and organisational measures (Art. 32 GDPR), including:

  • Encryption at rest of the license cache via Windows DPAPI (current-user scope);
  • AES‑256‑GCM encryption of the Pro module, with a key derived via HKDF‑SHA256 and bound to the device;
  • Integrity verification with SHA‑256 hashing and strong-name (public-key token) checks of the signed module;
  • Encryption in transit via TLS/HTTPS for all network communications;
  • HMAC‑SHA256 signing of license responses to prevent tampering;
  • Minimisation: email addresses, IPs, serial numbers and paths are masked in both local diagnostic logs and server logs;
  • Restricted access to management data (only via the Whop panel, by the controller).

9. Use of Artificial Intelligence (AI Act)

The app removal-risk analysis feature uses an AI model provided by OpenAI. Under Regulation (EU) 2024/1689 (the "AI Act"), this use qualifies as a minimal/limited-risk AI system: it is neither a prohibited practice (Title II) nor a high-risk system (Annex III).

  • Transparency (Art. 50): we expressly inform you that the assessment is generated by an AI system.
  • Data sent: only the technical package names (e.g. com.example.app); nothing that identifies you.
  • Advisory nature: the output (score and warning) is purely informational. The decision to uninstall or disable an app is always yours and requires your explicit confirmation. There is no automated decision producing legal or similarly significant effects within the meaning of Art. 22 GDPR.
  • Roles: OpenAI is the model provider; the controller is the deployer.

10. Minors

The software and services are not intended for persons under 18 and presuppose use by adults, also given the advanced technical nature of the tools (device control over ADB) and the paid purchase. We do not knowingly collect data from minors; if you believe this has occurred, contact us for prompt deletion.

11. Contact & complaints

For any request regarding the processing of your data or to exercise your rights, write to zephyrselixir@gmail.com.

You also have the right to lodge a complaint with the competent supervisory authority β€” your local Data Protection Authority, or, for Italy (the controller's place of establishment), the Garante per la protezione dei dati personali β€” www.garanteprivacy.it, Piazza Venezia 11, 00187 Rome.

12. Changes to this policy

We may update this policy to reflect legal or functional developments. For significant changes we will give notice on the website and/or in the application. The effective date at the top indicates the latest revision.

By using Zephyr's Elixir you acknowledge that you have read and understood this Privacy Policy.