Privacy Policy
This policy explains what data we collect when you visit zinye.com or use the Zinye ERP service, why we collect it, who we share it with, and what rights you have over it. We have written it in plain language because privacy policies are useless if nobody reads them.
1. What we collect
We collect data in three ways: data you give us directly, data generated by your use of the service, and data from third-party sources.
Data you give us
- Account data: name, work email address, company name, phone number, job title, and billing address, collected when you sign up for a trial or paid plan.
- Payment data: billing name and address. Card numbers are processed directly by Stripe and are never stored on Zinye servers.
- Support data: messages, attachments, and conversation history submitted through our help desk or email.
- Survey and feedback data: responses to optional satisfaction surveys and feature requests.
Data generated by your use
- Usage data: which modules you use, when, and how often. This is collected in aggregate and is not tied to individual keystrokes or document content.
- Log data: IP address, browser type, operating system, referring URL, and pages visited on zinye.com. These logs are retained for 30 days for security and debugging purposes.
- Tenant business data: the records you create inside Zinye (invoices, contacts, transactions, payroll entries, and similar) are your data. We process them to provide the service and do not use them for any other purpose.
Data from third parties
- Payment processors: Stripe confirms successful payments and provides transaction identifiers that we store against your account.
- Authentication providers: if you sign in via Google or Microsoft SSO, we receive your name and email address from the identity provider.
2. How we use your data
We use personal data only for the purposes listed below. We do not sell your data. We do not use your tenant business data for advertising or model training.
- Providing the service: provisioning your tenant, running backups, sending transactional emails (invoices, password resets, security alerts).
- Billing: creating and managing your subscription, issuing invoices, processing refunds.
- Support: responding to help requests and diagnosing technical issues.
- Security: detecting and preventing fraud, unauthorized access, and abuse.
- Product improvement: aggregate, anonymized usage analytics to understand which features to invest in. No individual profiling.
- Legal compliance: retaining records as required by applicable law (tax, accounting, anti-money-laundering).
- Marketing (with consent): sending product news, case studies, and event invitations to contacts who have opted in. You can unsubscribe at any time via the link in any email.
Our lawful basis under GDPR is: contract performance for provisioning and billing, legitimate interest for security and aggregate analytics, legal obligation for compliance records, and consent for marketing emails.
3. Cookies and tracking
Plausible Analytics
We use Plausible Analytics to measure traffic on zinye.com. Plausible is a privacy-first analytics tool: it does not use cookies, does not set any persistent identifiers in your browser, does not track you across websites, and does not build individual profiles. All data is aggregated. Plausible is GDPR compliant and is listed as a cookieless analytics solution by several EU data protection authorities. No cookie consent banner is required for Plausible.
Session cookies (application)
When you are signed in to the Zinye application (app.zinye.com), we set a session cookie to keep you authenticated. This cookie is strictly necessary for the service to function. It expires when you sign out or after 30 days of inactivity.
Meta Pixel
We may run the Meta Pixel on zinye.com to measure conversions from Meta advertising campaigns. The pixel only fires if the environment variable META_PIXEL_ID is configured, which means it may not be active on all versions of the site. If active, Meta receives your IP address, browser user-agent, and page URL and may set a cookie in your browser. You can opt out via the Meta Cookie Policy or using a browser extension such as uBlock Origin.
No other tracking
We do not use Google Analytics, Hotjar, Intercom, Drift, or any session-recording software. We do not fingerprint browsers.
4. Third-party processors
We share personal data only with the sub-processors needed to operate the service. A full sub-processor list is published at zinye.com/security and updated quarterly. Key processors include:
A note on Google Fonts: the font files for Instrument Serif, Figtree, and JetBrains Mono are served from Google's CDN. Each page load sends your IP address to Google as part of the HTTP request. Google's use of this data is governed by the Google Privacy Policy. If you prefer not to send your IP to Google, you can use a browser-level font override or a content blocker.
5. Data retention
- Account and billing data: retained for the duration of your subscription plus 7 years, as required by accounting regulations in most jurisdictions.
- Tenant business data: retained while your account is active. After cancellation, we hold a backup for 60 days to allow for re-activation or export, then permanently delete it.
- Support messages: retained for 3 years after the last interaction.
- Marketing consent records: retained until you withdraw consent, plus 1 year for audit purposes.
- Server logs: retained for 30 days, then automatically purged.
- Anonymized analytics: retained indefinitely (no personal data is stored).
You can request deletion of your personal data at any time (see Your rights below). Deletion requests are completed within 30 days, subject to any legal hold obligations.
6. Your rights
GDPR rights (EEA, UK, Switzerland)
- Access: request a copy of all personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your personal data, subject to legal retention obligations.
- Restriction: ask us to pause processing while a dispute is resolved.
- Portability: receive your data in a machine-readable format (CSV or JSON).
- Objection: object to processing based on legitimate interest, including direct marketing.
- Withdraw consent: for any processing based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
CCPA rights (California residents)
- Know what personal information is collected and how it is used.
- Delete personal information we hold about you.
- Opt out of the sale of personal information. (We do not sell personal information, so this right is not triggered.)
- Non-discrimination: exercising any CCPA right will not affect the price or quality of service you receive.
LGPD rights (Brazil)
- Confirmation that your data is being processed, and access to that data.
- Correction of incomplete, inaccurate, or out-of-date data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability to another service or product provider.
- Deletion of data processed with your consent.
- Information about third parties with whom data has been shared.
To exercise any of these rights, email [email protected]. We respond to all requests within 30 days. We may ask you to verify your identity before fulfilling a request. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
7. International data transfers
Zinye operates infrastructure in three primary regions: EU (Frankfurt), US (Virginia), and APAC (Singapore). Your tenant is provisioned in the region you select at signup, and your business data does not leave that region without your written consent.
Some sub-processors (Stripe, Postmark, Linear) are based in the United States. Transfers to these processors are covered by the EU-US Data Privacy Framework (DPF) and, where applicable, Standard Contractual Clauses (SCCs). A copy of our Data Processing Addendum (DPA), which incorporates SCCs, is available at zinye.com/security or on request from [email protected].
8. Security
We protect your data with:
- AES-256 encryption at rest and TLS 1.3 in transit.
- Encrypted snapshots every 6 hours, retained for 30 days.
- SOC 2 Type II certification, renewed annually.
- ISO 27001 and ISO 27018 certification.
- Annual third-party penetration testing.
- Role-based access controls and mandatory MFA for Zinye staff with production access.
If we discover a security incident that affects your personal data, we will notify you within 72 hours of becoming aware of it, as required by GDPR Article 33. A written post-mortem will follow within 14 days. For full details see our security page at zinye.com/security.
9. Children's data
The Zinye service is designed for business use by adults. We do not knowingly collect personal data from children under 16 (or a higher age if required by local law). If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will delete it promptly.
10. Changes to this policy
We may update this policy as the service evolves or as regulations change. When we make material changes, we will:
- Update the effective date at the top of this page.
- Email all account holders at least 14 days before the change takes effect.
- Display an in-app notice for 30 days after the change.
Continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact us
Zinye Technologies Ltd is the data controller for personal data collected on zinye.com and through the Zinye service.
For GDPR-related requests, you also have the right to file a complaint with the supervisory authority in your EU member state.
Also read our Terms of Service for the full agreement governing your use of Zinye.
