How does Zocto protect editorial accounts?

Editorial tools sit behind a sign-in. Role-based access controls and Row-Level Security in the database limit what each account can read or modify.

What reader data does Zocto collect?

Newsletter email addresses for subscribers, editorial content metadata, and aggregated operational logs. No tracking cookies beyond what is needed to run the site.

How do I report a security vulnerability?

Email hello@zocto.in with details. We respond to reports as quickly as possible and credit responsible disclosure.

Trust Center

Trust & Security

This page is maintained by the Zocto Pulse team to answer common security and privacy questions about our newsroom platform. It describes the controls currently enabled in the app — it is editable content, not an independent certification or audit.

Shared responsibility

Zocto Pulse is built on the Lovable platform, which provides the underlying hosting, database, authentication, and storage primitives. Zocto Pulse is responsible for how those primitives are configured and how reader and staff data are handled inside the app. This page focuses on the second part.

Accounts & access

Public reader pages do not require an account. Editorial tools live behind a sign-in at /auth and are restricted to invited staff and admins. Roles are stored server-side and enforced by row-level security; the browser is never trusted to assert its own privileges.

Provider API keys (for AI writing and image generation) are stored server-side and are never returned to the browser. The admin UI shows only whether a key is configured.

Data we collect

Newsletter subscribers: when you submit your email address, we store it together with the source of the form and a timestamp so we can send you the newsletter. We do not sell or share this list. You can unsubscribe at any time and we will not re-add an unsubscribed address from a public form.

Editorial content: articles, categories, media, and site settings are authored by Zocto staff or generated by our automation pipeline from public RSS feeds.

Operational logs: standard request and error logs are retained for a short period to keep the site reliable. They are not used for advertising.

Subprocessors

We rely on a small set of vendors to operate the site: the Lovable platform (hosting, database, authentication, storage), and AI providers configured by our editors for article drafting and cover-image generation. We do not embed third-party advertising trackers.

Storage & transport

Traffic to Zocto Pulse is served over HTTPS. Editorial media is kept in a private storage bucket and surfaced through signed URLs rather than as public objects.

Reporting a security issue

If you believe you have found a vulnerability or a privacy issue, please email hello@zocto.in with steps to reproduce. Please do not publicly disclose the issue until we have had a chance to investigate and respond.

Privacy requests

To request access to, correction of, or deletion of personal data we hold about you (for example, your newsletter subscription), email hello@zocto.in from the address concerned.

This page describes app-visible controls and Zocto Pulse practices. It is not a certification, audit report, or legal commitment. Specific compliance language can be added on request once approved by the Zocto Pulse team.