Zeeder AB — Privacy Policy
Last updated: 25 April 2026
Company: Zeeder AB (org.nr 559568-8630), Stockholm, Sweden
Contact: privacy@zeeder.co
This Privacy Policy explains how Zeeder AB (“Zeeder”, “we”, “us”) processes personal data when you visit our site, create an account, use the Zeeder platform, or interact with us. It sits alongside our Terms & Conditions. Brands that require a Data Processing Addendum (DPA) can request one at privacy@zeeder.co.
1) Who this policy covers
GDPR protects natural persons. That means two groups on Zeeder have full GDPR rights:
- Creators — the individual people who sign up to receive products.
- Brand users — the individual people (founders, marketers, assistants) who log in and run a brand account on Zeeder.
Brand company data (company name, organisation number, product catalogue, billing records) is not personal data under GDPR. It is still protected by our Terms and by confidentiality obligations in our contracts.
2) Controller vs processor
- Zeeder is the controller for data it collects to run, secure, and improve the service: accounts, sign-in, platform analytics, support, marketing.
- Zeeder acts as a processor for a brand when that brand instructs us to create orders and shipments on its e-commerce system, or to message a creator on its behalf. The brand is the controller for that data. If you are a creator and want to exercise rights over data a specific brand controls, contact the brand first; we support their response as processor.
3) Plain-English summary
- We collect identity, contact, shipping, social-profile, and usage data to run Zeeder.
- We use that data to provide the service, prevent fraud, enable shipments, measure results, and — with your consent where required — send product updates.
- We share data with a small list of sub-processors (hosting, billing, email, analytics) and with the e-commerce platforms and carriers a brand chooses. The current named list is available on request to privacy@zeeder.co.
- We do not sell your personal data. We do not send marketing SMS.
- You have GDPR rights (access, rectify, erase, restrict, portability, object, withdraw consent) — exercise them by emailing privacy@zeeder.co.
- Creators must be at least 13. Creators aged 13–17 must provide a signed parental or guardian consent document before their account is approved.
4) Data we collect
4.1 Categories and examples
| Category | Examples |
|---|---|
| Account & identity | First name, last name, email, profile photo, role (creator/brand user), date of birth, gender, language preference. For sign-in we also store the provider you used (Google, Apple, email+password, or one-time email code). |
| Contact & delivery (creators) | Email, phone number (required for delivery notifications), shipping address. |
| Social presence (creators) | Public TikTok/Instagram profile link, YouTube handle, manually entered Instagram handle, follower and engagement metrics, and audience insights returned by TikTok and Instagram when you connect via OAuth. The specific fields are governed by the scopes you approve during the OAuth flow. |
| Parental consent (creators aged 13–17) | Signed parental/guardian consent document (PDF upload) and the language of the form used. |
| Interests | Product categories you select during onboarding (creators) or your brand category (brands). |
| Brand account data | Brand name, slug, logo, description, category, website, social handles, public-profile flag, verification status. |
| Billing (brands) | Customer and subscription identifiers held by our billing processor, and the subscription details needed to run a brand account (status, billing period, plan). Card details are handled by our PCI-compliant payment processor and never touch Zeeder servers. |
| Store integration data (brands) | Connected store domain and access credentials, product catalogue (products, variants, inventory), order and fulfilment metadata, tracking status. |
| Post tracking (creators) | After a product is delivered, we monitor public posts and stories that mention the brand for a limited period, and store post URLs, captions, thumbnails, engagement metrics, and a tracking status. |
| Communications | Messages sent via the platform, contact-form submissions, feedback submitted to us. |
| Usage & device | IP address, device/browser, timestamps, feature-level event logs, crash logs. |
| Marketing preferences | Email opt-in state, cookie consent choice, unsubscribe flags. |
4.2 Special categories and children
- We do not intentionally collect special-category data (health, religion, political views, etc.) or criminal-offence data. Please do not submit such data.
- The service is open to creators aged 13 and over. Creators aged 13–17 must upload a signed parental or guardian consent document before their account is approved for product shipments. We do not knowingly collect personal data from children under 13; if we learn we have, we delete it promptly.
5) What brands see about a creator
When a creator applies to a brand's zeed, the brand can see identity and contact details the creator has shared publicly (name, profile photo, country, connected social handles), engagement and activity signals derived from their connected social accounts, and their history on the Zeeder platform. Brands can filter applications by age range; we derive age from date of birth and do not display the date of birth itself.
Once a brand accepts a creator for a zeed, the brand additionally sees the shipping details needed to fulfil the order: full shipping address, email, and phone number for delivery. After delivery, the brand can see public posts we detect about their product and the associated engagement metrics.
Brands are contractually restricted from using this data for any purpose other than running the zeed on Zeeder.
6) Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Running the service: creating accounts, authenticating you, matching creators to zeeds, supporting shipments and post-tracking. | Contract 6(1)(b) |
| Creating orders and fulfilments on a brand's connected store at the brand's instruction. | Contract 6(1)(b) (creator↔brand); Zeeder acts as processor for the brand. |
| Security, fraud prevention, abuse detection, incident response. | Legitimate interests 6(1)(f) & Legal obligation 6(1)(c) |
| Measuring product usage to improve the service. | Consent 6(1)(a) for optional analytics cookies; otherwise legitimate interests 6(1)(f) using aggregated data. |
| Operational emails about your account (sign-in, shipping updates, billing receipts). | Contract 6(1)(b) & Legitimate interests 6(1)(f) |
| Marketing emails (product updates, onboarding tips, new features). | Consent 6(1)(a). You can unsubscribe at any time. |
| Bookkeeping, tax, and legal compliance. | Legal obligation 6(1)(c) |
Where we rely on legitimate interests, we balance those interests against your rights. You can object to processing based on legitimate interests by emailing privacy@zeeder.co.
7) Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary — sign-in session, CSRF protection, cookie-consent choice. These are always set because the product cannot function without them.
- Analytics — we use Google Analytics 4 with IP anonymisation to understand which pages and features are used. Analytics cookies load only if you click “Accept” on our cookie banner.
We do not run advertising cookies, retargeting pixels, or third-party trackers beyond Google Analytics.
Our cookie banner presents a binary Accept/Decline choice. We store your answer under the key zeeder_cookie_consent in both a cookie and your browser’s local storage for zeeder.co. You can change your answer by clearing cookies and site data for zeeder.co in your browser settings; the banner reappears on your next visit.
8) Where data comes from
- Directly from you (forms, profile, messages, support requests).
- Automatically from your device when you use the service (logs, telemetry).
- From brands (about creators who apply to their zeeds) and from creators (about brand representatives they interact with).
- From third-party platforms you connect (social and e-commerce), within the scopes you approve during the OAuth flow.
9) Who we share data with
We share personal data with a limited set of sub-processors that help us run Zeeder, across the following categories:
- Database and backend hosting
- Web hosting and edge delivery
- Billing and subscription management (brands)
- Transactional and marketing email delivery
- Usage analytics (consent-gated, IP-anonymised)
- Social sign-in providers (OAuth)
- Connected social platforms for creator profile and post metrics
- E-commerce platforms a brand connects for order and fulfilment creation
A current list of the named vendors in each category, together with their processing regions, is available on request to privacy@zeeder.co. Each sub-processor is bound by a written contract (a data processing agreement or equivalent enterprise terms) that obliges them to protect personal data and process it only on our instructions.
We may also share personal data with:
- Carriers and fulfilment partners a brand chooses to ship a product to a creator.
- Professional advisers (legal, accounting) and public authorities where required by law.
- Corporate transactions: if Zeeder restructures, merges, or sells assets, personal data may transfer to the successor entity under equivalent protections.
We do not sell personal data. We do not share personal data with advertisers.
10) International transfers
Some of our sub-processors are based outside the EEA (primarily in the United States). When we transfer personal data outside the EEA/UK/CH we rely on the EU Standard Contractual Clauses and, where relevant, the UK Addendum and Swiss Addendum, plus appropriate technical and organisational safeguards.
11) How long we keep data
We keep personal data only as long as necessary for the purposes in Section 6. Our guidelines:
- Account data — while your account is active, plus a limited period after deletion to handle disputes and legal claims (typically up to 24 months).
- Activity logs and telemetry — typically up to 24 months.
- Billing records and invoices (brands) — at least 7 years as required by Swedish bookkeeping law (bokföringslagen).
- Backups — deleted records remain in backups for a short period before being overwritten in the normal backup rotation.
- Support conversations — kept while relevant to help us assist you, then archived or deleted.
We may keep limited data longer to establish, exercise, or defend legal claims. We are actively building automated enforcement of these guidelines; today, retention is reviewed periodically rather than on a fixed schedule.
12) Security
We apply technical and organisational measures appropriate to the risks, including:
- Encryption in transit (HTTPS) and at rest with our sub-processors.
- Role-based access controls and the principle of least privilege for Zeeder staff.
- Secrets stored in managed secret stores, not in source code.
- Automatic session expiry and protection against cross-site request forgery.
- Logging and monitoring of production systems.
- Regular backups held by our database provider.
12.1 Admin support access
Authorised Zeeder staff may access a brand account to provide support or investigate issues. Access is limited to what is needed for the task, audited, and never used for creator accounts.
13) Your GDPR rights
If you are an individual (creator or brand user) based in the EEA/UK/CH you have the right to:
- access the personal data we hold about you;
- correct it if it is inaccurate;
- ask us to erase it;
- restrict or object to processing;
- receive your data in a portable format;
- withdraw any consent you gave us (without affecting prior processing);
- lodge a complaint with a supervisory authority.
How to exercise: email privacy@zeeder.co and tell us what you want. We aim to respond within 30 days. For data a brand controls (for example, an order placed on the brand's store), we will redirect you to the brand and support their response as processor.
Supervisory authority (Sweden): Integritetsskyddsmyndigheten (IMY), imy.se.
14) Automated decisions and profiling
Zeeder does not use fully automated decision-making that produces legal or similarly significant effects on you under GDPR Article 22. If you believe an automated process has materially affected you, email privacy@zeeder.co and we will review it.
15) Marketing emails
We send two kinds of email:
- Operational — sign-in codes, shipping updates, billing receipts, important product notices. These are required to run the service.
- Marketing — product updates, onboarding tips, occasional announcements. We send these only where we have consent or where permitted by e-privacy rules, and every message includes an unsubscribe link.
We do not send marketing SMS or text messages.
16) Connected social platforms
When you connect TikTok or Instagram via OAuth we access public account information, follower and engagement metrics, and audience insights returned by those platforms within the scopes you approve. We use this to match creators with relevant zeeds and to show metrics inside the product. After a gifted product is delivered, we monitor public posts and stories that mention the brand so the brand can see the resulting content. We do not read your private messages on those platforms. You can disconnect a social account at any time from your Zeeder settings. When you disconnect, we immediately revoke and delete the OAuth tokens and the connected account record, and stop pulling new data. Historical posts and metrics that we already collected while the account was connected remain in our systems until you ask us to delete them (email privacy@zeeder.co) or we delete them under the retention guidelines in Section 11.
17) Brand store integrations
When a brand connects its store platform and asks Zeeder to create orders and shipments for creators:
- The brand is the controller of the customer, order, and shipping data sent to its store.
- Zeeder acts as the brand's processor for that flow.
- The store platform and carriers act under their own terms as independent controllers or processors.
Creators who want to exercise rights over data held on a brand's store (for example, asking the brand to delete an order record) should contact the brand first. We support the brand's response.
18) Changes to this policy
We may update this policy to reflect legal, technical, or business changes. We post updates with a new “Last updated” date at the top and, for material changes, notify active account holders by email. Your continued use of Zeeder after an update means you accept the revised policy.
19) Contact
Zeeder AB (org.nr 559568-8630)
Stockholm, Sweden
privacy@zeeder.co