Data Handling & Privacy

Understand how Zeno collects, stores, and protects your data.

What data Zeno collects

Account information

• Email address
• Company name
• Country
• Language preference
• Timezone

Why: To create and manage your account.

Document metadata

When you upload documents, Zeno extracts and stores:

• Date
• Amount and currency
• Counterparty name
• Document type
• VAT number
• Document status (confirmed, pending, etc.)

Why: To build your registry and enable exports.

Original documents

• Stored in your Google Drive (if you use monitoring)
• Or stored in Zeno's secure cloud storage (if you upload manually)

Why: To maintain audit trail and allow you to access originals.

Usage data

• Features you use
• Pages you visit
• Errors you encounter
• Performance metrics

Why: To improve Zeno and fix bugs.

Audit logs

• Who did what and when
• Changes to documents and registry
• Access attempts
• Export history

Why: For security, compliance, and audit trail.

What data Zeno does NOT collect

• Credit card numbers: Payment processing is handled by Stripe (we never see your card details)
• Passwords: Stored encrypted, never in plain text
• Private keys: If you use crypto features, we never access your wallet keys
• Personal conversations: We don't monitor your team's internal communications

Where your data is stored

Cloud infrastructure

• Provider: Google Cloud Platform
• Region: Europe (eu-west3, Belgium)
• Compliance: GDPR-compliant

Document storage

• Google Drive monitoring: Documents stay in your Drive
• Manual uploads: Stored in Google Cloud Storage (encrypted)

Database

• Type: PostgreSQL (managed by Google Cloud SQL)
• Encryption: At rest and in transit
• Backups: Daily, retained for 30 days

Browser storage

• Local processing: Documents are processed in your browser first
• Temporary cache: Cleared when you close the browser
• No sensitive data: Only UI state and preferences

→ Local-First Processing

How your data is protected

Encryption

• In transit: TLS 1.3 for all connections
• At rest: AES-256 encryption for stored data
• Backups: Encrypted with separate keys

Access control

• Role-based: Each team member sees only what their role allows
• Tenant isolation: Your data is completely separate from other customers
• Audit logging: Every access is logged

Authentication

• Password requirements: Minimum 12 characters, complexity rules
• Two-factor authentication: Available (recommended)
• Session management: Automatic timeout after inactivity

Infrastructure security

• Firewalls: Network-level protection
• Intrusion detection: Automated monitoring
• Regular updates: Security patches applied promptly
• Penetration testing: Annual third-party security audits

Who can access your data

Your team

Only people you invite to your workspace. Access is controlled by roles:

• Owner: Full access
• Admin: Most features
• Accountant: Documents and exports
• Employee: Limited access
• Bank Viewer: Bank statements only
• Auditor: Read-only access

→ Roles & Access

Zeno employees

• Support staff: Only if you request help and grant permission
• Engineers: Only for debugging critical issues (with your permission)
• Management: Never (no backdoor access)

Third parties

• Payment processor (Stripe): Only billing information
• Cloud provider (Google): Infrastructure only, no data access
• No one else: We don't sell or share your data

Data retention

Active accounts

• Documents: Kept as long as your account is active
• Registry data: Kept as long as your account is active
• Audit logs: Retained according to compliance requirements (see below)

Closed accounts

• Grace period: 30 days to reactivate
• After grace period: All data is permanently deleted
• Exports: Download your data before closing your account

Audit logs

Retained for compliance:

• Security events: 18 months
• Access logs: 36 months
• Financial records: 7 years (or as required by your jurisdiction)
• Document confirmations: 7 years

Backups

• Retention: 30 days
• After deletion: Backups are purged within 30 days

Your rights (GDPR)

If you're in the EU, you have these rights:

Right to access

Request a copy of all data we have about you.

How: Email privacy@zeno-cy.com

Right to rectification

Correct inaccurate data.

How: Update it in Zeno settings or contact support.

Right to erasure ("right to be forgotten")

Request deletion of your data.

How: Close your account or email privacy@zeno-cy.com

Note: We may need to retain some data for legal compliance (e.g., financial records).

Right to data portability

Export your data in a machine-readable format.

How: Use Zeno's export features or request a full data export.

Right to restrict processing

Limit how we use your data.

How: Email privacy@zeno-cy.com

Right to object

Object to certain types of processing.

How: Email privacy@zeno-cy.com

Right to withdraw consent

If processing is based on consent, you can withdraw it.

How: Update settings or email privacy@zeno-cy.com

Data sharing and transfers

Within the EU

Your data stays in the EU (Google Cloud europe-west3 region).

Outside the EU

We don't transfer data outside the EU except:

• Support tools: Some support software may be US-based (with Standard Contractual Clauses)
• Your request: If you explicitly ask us to share data with a non-EU party

Third-party services

We use these services (all GDPR-compliant):

• Stripe: Payment processing (US, with adequate safeguards)
• Google Cloud: Infrastructure (EU region)
• Sentry: Error tracking (US, with Standard Contractual Clauses)

Cookies and tracking

Essential cookies

Required for Zeno to work:

• Session management
• Authentication
• Security

You can't disable these without breaking Zeno.

Analytics cookies

Help us improve Zeno:

• Page views
• Feature usage
• Error rates

You can disable these in Settings → Privacy.

No advertising cookies

We don't use cookies for advertising or sell your data to advertisers.

Data breaches

If a breach occurs

We will:

1. Investigate immediately
2. Contain the breach
3. Notify affected users within 72 hours
4. Report to authorities as required by law
5. Remediate and prevent future breaches

What you should do

If you suspect unauthorized access:

1. Change your password immediately
2. Enable two-factor authentication
3. Review audit logs
4. Contact support@zeno-cy.com

Children's privacy

Zeno is not intended for children under 16. We don't knowingly collect data from children.

If you believe a child has created an account, contact privacy@zeno-cy.com and we'll delete it.

Changes to this policy

We may update this policy. When we do:

• Minor changes: Updated on this page
• Major changes: Email notification + prominent notice in Zeno

Last updated: 2026-02-10

Contact

Questions about data handling or privacy?

Email: privacy@zeno-cy.com

Data Protection Officer: dpo@zeno-cy.com

Address:
Zeno CY Services
[Address]
Cyprus

Compliance

Zeno complies with:

• GDPR (EU General Data Protection Regulation)
• ePrivacy Directive (EU)
• Cyprus Data Protection Law

Certifications

• ISO 27001: Information security management (in progress)
• SOC 2 Type II: Security and availability (planned)

Transparency

We believe in transparency. If you have questions about how we handle data, ask us. We'll answer honestly.

What's next

• Local-First Processing - Understand local vs. cloud processing
• Audit & Compliance - Audit trail and compliance
• Roles & Access - Control who sees what
• Contact Support - Get help with privacy questions