Data handling & privacy
This page is the long version of what Zeno CY stores, where it lives, and who can see it. It pairs with Local-first processing, which describes the path documents take before any data lands in the workspace.
What Zeno CY collects
Account information
- Email address.
- Display name and organization name.
- Country and language preference.
- Time-zone setting.
Why: to create and manage your account.
Document metadata
When you process a document, the workspace stores the structured fields extracted from it:
- date,
- amount and currency,
- counterparty name,
- document type,
- VAT number,
- document lifecycle status.
Why: to build the Registry and enable exports. The original document is not stored — see Local-first processing.
Usage data
- Pages you visit inside the product.
- Features you use.
- Errors you encounter.
- Performance metrics.
Why: to improve Zeno CY and fix bugs faster.
Audit logs
- Who did what and when.
- Document status and registry changes.
- Access attempts.
- Export history.
Why: security, compliance, and a defensible audit trail.
What Zeno CY does NOT collect
- Credit card numbers — payment handling is delegated to Stripe; the workspace never sees card details.
- Passwords — stored only as salted hashes, never in plain text.
- Private keys or recovery phrases — Zeno CY never asks for them and would never accept them.
- Internal communications — the product does not read your team's chats, emails, or messages.
Where data is stored
Cloud infrastructure
- Provider: Google Cloud Platform.
- Regions: EU regions where available.
- Framework: GDPR-conscious by design.
Document originals
- Stay on your device by default. Source files do not get uploaded to Zeno CY's storage in the local-first path.
- If you bind a Google Drive folder, the originals stay in your Drive — under your Google access controls.
Database
- Managed PostgreSQL on Google Cloud SQL.
- Encrypted in transit and at rest.
Browser storage
- Local processing reads documents into browser memory only.
- Temporary cache is cleared when you close the browser.
- No raw document bytes are persisted client-side.
For the full picture: Local-first processing.
How data is protected
Encryption
- In transit: TLS for every connection.
- At rest: standard cloud-provider encryption (AES-256 family).
Access control
- Role-based: each role only sees what it should — see Roles & access.
- Tenant isolation: your workspace data is isolated from other workspaces.
- Audit logging: access events are recorded in the audit log.
Authentication
- Password and Google sign-in supported.
- Session management with automatic timeout on inactivity.
Who can access your data
Your team
Only people you invite to your workspace, scoped by their role:
- Owner — full access.
- Admin — operational management.
- Accountant — documents and registry.
- Auditor — read-only compliance view.
- Bank — narrow external read scope.
See Roles & access for what each role can do.
Zeno CY
During the pilot phase, only the founder has any access — and only when you explicitly request help. There is no separate support team, no engineering shadow access. If a debugging session requires looking at something specific, I will ask and you decide.
Third parties
- Stripe — payment processing only, sees billing information, never documents.
- Google Cloud — infrastructure provider, no access to workspace contents beyond what is required to keep the service running.
That is the entire list. Your data is not sold or shared.
Data retention
Active accounts
- Document metadata stays for as long as the workspace is active.
- Audit logs are retained per the categories below.
Closed accounts
- 30-day grace period to reactivate.
- After the grace period, workspace data is deleted.
- Export your data before closing if you want to keep it.
Audit logs
- Security events: 18 months.
- Access logs: 36 months.
- Financial records: 7 years, or as required by your jurisdiction.
Backups
- Retention: 30 days.
- After deletion, backups are purged within 30 days.
Your rights (GDPR)
If you are in the EU, you have these rights:
Right to access
Request a copy of the data we hold about you. How: email maxim.viazov@zeno-cy.com.
Right to rectification
Correct inaccurate data. How: update it in your settings or write to me.
Right to erasure
Request deletion of your data. How: close the account or write to me. Note: some data may be retained where legally required (financial records, audit trail).
Right to data portability
Export your data in a machine-readable format. How: use the in-product export, or request a full data export by email.
Right to restrict processing
Limit how your data is used. How: email me.
Right to object
Object to processing based on legitimate interest. How: email me.
Right to withdraw consent
Where processing is based on consent, you can withdraw it at any time. How: adjust the relevant setting or email me.
Data transfers
Inside the EU
Workspace data is processed in EU Google Cloud regions.
Outside the EU
Data is not transferred outside the EU as a normal matter of operation. Where a sub-processor is US-based (for example, parts of Stripe), the transfer happens under Standard Contractual Clauses.
Third-party services
- Stripe — payment processing (US sub-processor, SCCs).
- Google Cloud — infrastructure (EU regions).
Cookies and analytics
Essential cookies
Required for the product to function — session, authentication, security. These cannot be disabled without breaking the product.
Analytics
Used to understand how the product is used during the pilot. The full list of analytics tools (Firebase Analytics, Google Tag Manager, Microsoft Clarity), what they collect, and how to opt out is in the main Privacy Policy on zeno-cy.com.
We do not use advertising cookies. We do not sell data to advertisers.
In case of a data breach
If a breach occurs:
- The cause is investigated immediately.
- The breach is contained.
- Affected users are notified within 72 hours.
- Authorities are notified as required by GDPR.
- The root cause is fixed and the lesson is documented.
If you suspect unauthorized access to your workspace, change your password immediately and write to maxim.viazov@zeno-cy.com.
Children's privacy
Zeno CY is built for accounting and audit professionals. It is not intended for use by children under 16, and we do not knowingly collect data from anyone under 16.
Policy changes
When this policy changes:
- minor edits are made directly on this page,
- material changes are announced by email and in the product.
Last updated: May 15, 2026.
Contact
Questions about how data is handled?
Email: maxim.viazov@zeno-cy.com
During the pilot, this is the only contact channel and it goes directly to the founder. No support tier ladder, no escalation queue.
Compliance
Zeno CY operates with reference to:
- GDPR — EU General Data Protection Regulation.
- ePrivacy Directive — EU.
- Cyprus Data Protection Law — applicable to the Cyprus market the product is built for.