Payments & Security

How Zacha handles payments and keeps your financial data safe.

Last reviewed: May 2026

These terms are provided for transparency and should be reviewed before full public launch.

Payments are handled by Stripe

All payments on Zacha — including customer memberships and business onboarding fees — are handled by Stripe, a globally trusted payment platform. Stripe is PCI DSS compliant and used by millions of businesses worldwide.

Zacha never sees or stores your full card number, CVV, or any sensitive payment credentials. This information is entered directly into Stripe's secure payment forms and never passes through Zacha's servers.

What Zacha stores

Zacha stores only what is necessary to manage your account and billing:

  • Your Stripe customer ID — a reference that lets us link your account to your Stripe billing record
  • Your subscription status — whether your membership is active, cancelled, or past due
  • Your subscription renewal dates — so we can show you accurate billing information
  • Onboarding payment status — for business partners, whether the onboarding fee has been paid

We do not store your card number, expiry date, CVV, or bank account details.

Billing portal

To manage your payment method, view invoices, or cancel a subscription, you are redirected to the Stripe Customer Portal. This is a secure Stripe-hosted page — Zacha does not have access to the card details you enter or update there.

Customer memberships vs. business payments

Zacha has two separate billing flows:

  • Customer memberships (Plus) — billed monthly at £3.99 through Stripe Subscriptions
  • Business Growth/Premium memberships — billed through Stripe Subscriptions for business partners
  • Business onboarding fee — a one-time payment processed through a Stripe Checkout session, separate from any subscription

These are completely separate billing records. Paying a business onboarding fee does not activate a business subscription, and a customer membership is entirely separate from business billing.

Data security

Zacha uses the following security measures to protect your account and data:

  • HTTPS/TLS encryption for all data in transit
  • Row-level security (RLS) in our database — you can only access your own data
  • Passwords are hashed and never stored in plain text
  • Authentication is managed through Supabase Auth with secure session tokens
  • Admin and partner data is access-controlled and not visible to regular customers

Reporting a security concern

If you notice unusual activity on your account, or if you believe there has been a security issue, please contact us immediately at hello@zacha.co.uk. We take all security reports seriously and will investigate promptly.

Webhooks and payment events

Zacha uses Stripe webhooks to receive real-time updates about payment events (for example, a successful payment or a subscription cancellation). These webhook events are verified using Stripe's signature system to ensure they are genuine. No payment data is exposed in these events — they contain only status updates.

Questions about any of these terms? Email hello@zacha.co.uk or visit our contact page.