Privacy Policy

This Privacy Policy describes how Zendocs America Inc. ("Zendocs," "we," "us," or "our") collects, uses, discloses, stores, and protects personal data when you ("you" or the "User") access or use our website, applications, and related services (the "Service"), and describes the rights and choices you have regarding your personal data.

This Policy should be read together with our Terms and Conditions. By using the Service, you acknowledge that you have read and understood this Policy. For the purposes of the EU and UK General Data Protection Regulation (GDPR), Zendocs is the data controller of the personal data it collects about its Users. For information collected by Zendocs about the recipients of documents shared by Users, Zendocs relies on the lawful bases described in Section 3.3.

1. About This Policy

1.1 Who We Are

The Service is operated by Zendocs America Inc., a Delaware corporation with its registered address at 2093 Philadelphia Pike #7179, Claymont, DE 19703, United States. The Zendocs Platform is the website, applications, and related interfaces through which the Service is delivered on any device.

1.2 Scope

This Policy applies to all Users of the Service globally, to all data-collection methods, to all Service features and functionalities, and to all Platform versions. It also applies to individuals whose personal data we receive indirectly from Users, such as recipients of documents shared through the Service, subject to the particular rules in Sections 2.5, 3.3, and 6.3.

1.3 Key Terms

Personal Data: any information relating to an identified or identifiable natural person.

Processing: any operation performed on Personal Data (collection, storage, use, disclosure, deletion, and so on).

Data Controller: the entity that determines the purposes and means of Processing. Zendocs is the Data Controller of User Personal Data.

Data Processor: a third party that Processes Personal Data on our behalf under our instructions.

Cookie: a small text file stored on your device that holds information about your use of the Platform.

2. Personal Data We Collect

We collect the categories of Personal Data set out below. Some data you provide to us directly, some is collected automatically when you use the Service, and some may be provided to us by third parties.

2.1 Information You Provide

(a) Account data

  • Email address (required for authentication).
  • Name (typically collected during payment processing).
  • Unique account identifiers and last sign-in timestamp.
  • Phone number, if provided through a payment processor.
  • User preferences, settings, and communication preferences.

(b) Payment data

We do not store full payment-card numbers. From our payment processors we receive:

  • Tokenised payment-method identifiers.
  • The first six and last four digits of the payment card.
  • Card expiration date.

2.2 Information Collected Automatically

(a) Usage data

  • Features accessed and time spent on the Platform.
  • Navigation patterns and interaction events.

(b) Device and connection data

  • Operating system and version, browser type and version.
  • Device type, model, screen resolution, and language preferences.
  • IP addresses, network information, connection type, time-zone settings, and general location derived from IP.

(c) Performance data

  • Page and feature load times, error messages.
  • System-performance metrics, network latency, and application response times.

2.3 Information from Third Parties

We may receive limited Personal Data about you from our payment processors, our analytics and infrastructure providers, and other Users who share documents with you through the Service.

2.4 Cookies and Similar Technologies

The Service uses cookies and similar technologies to operate the Platform, remember your preferences, secure your session, analyse usage, and, where you have provided any required consent, support marketing and personalisation.

2.5 Document-Sharing Recipients

This section applies to individuals whose Personal Data we receive indirectly because a User has shared a document with them (Article 14 GDPR notice). The categories of data subject are:

  • registered Users who initiate document sharing;
  • individuals whose email addresses are provided to us by Users for delivering a shared document.

When a User shares a document, we process the following recipient data:

  • the recipient email address used to deliver the transactional share email;
  • metadata including IP address, delivery timestamp, open timestamp, and interaction logs;
  • tracking data associated with the shared-document landing page.

3. How and Why We Use Personal Data

We Process Personal Data only for specific, documented purposes and only where we have a lawful basis to do so.

3.1 Primary Purposes

(a) Providing the Service

We Process Personal Data to create and manage Accounts, authenticate Users and secure sessions, provide access to features and customisation, respond to support requests, and optimise Service performance.

Lawful basis: performance of a contract (GDPR Art. 6(1)(b)).

(b) Payments

We Process Personal Data to manage subscriptions, authorise payments, prevent fraud, maintain transaction records, and support billing inquiries.

Lawful basis: performance of a contract (Art. 6(1)(b)), compliance with legal obligations (Art. 6(1)(c)), and legitimate interests in fraud prevention (Art. 6(1)(f)).

(c) Service communications

We Process Personal Data to send service updates, security alerts, product information, support responses, and legal notices.

Lawful basis: performance of a contract (Art. 6(1)(b)) and legitimate interests in keeping Users informed (Art. 6(1)(f)).

3.2 Secondary Purposes

(a) Service improvement and analytics

We analyse usage patterns to optimise features, monitor performance, enhance user experience, identify and fix bugs, and develop new features.

Lawful basis: legitimate interests in improving the Service (Art. 6(1)(f)), with safeguards including aggregation and de-identification where feasible.

(b) Marketing and optional features

We may Process Personal Data to provide marketing communications, optional features, third-party integrations, analytics participation, and feature testing.

Lawful basis: consent (Art. 6(1)(a)), which you can withdraw at any time as described in Section 7.

(c) Compliance, safety, and security

We Process Personal Data to comply with legal obligations and to protect the safety, integrity, and security of the Service, our Users, and the public.

Lawful basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

3.3 Document-Sharing Recipients - Purpose Limitation

For document-sharing features, we Process recipient Personal Data on the basis of our legitimate interests (GDPR Art. 6(1)(f)) to enable user-requested collaboration and secure delivery of shared documents, specifically for:

  • sending transactional share emails and delivery notifications;
  • maintaining technical logs needed for reliability, security, and abuse prevention;
  • recording limited interaction events to confirm delivery and investigate misuse.

Where marketing content is displayed on a shared-document landing page, any marketing-related tracking or follow-up is performed only after the recipient has given consent under GDPR Art. 6(1)(a).

We do not use recipient email addresses for direct marketing without explicit consent.

Recipients may object at any time to Processing based on legitimate interests, and we will assess and honour valid objections in accordance with applicable law.

4. How We Share Personal Data

We do not sell Personal Data. We disclose Personal Data only as described in this Section, in accordance with applicable law, and subject to appropriate contractual safeguards.

4.1 Analytics and Infrastructure Providers

We use the following providers to operate, monitor, and improve the Platform:

  • Google Tag Manager - managing analytics and marketing tags.
  • Google Analytics - user-behaviour analysis and Service optimisation.
  • Mixpanel - user-interaction tracking and feature-usage analysis.
  • Google BigQuery - large-scale data analysis and reporting.
  • Sentry - error monitoring, performance tracking, and session recording.
  • Cloudflare - performance analytics and security monitoring.

Session recording safeguards

  • automatic masking of all user inputs;
  • no collection of personally identifiable information;
  • exclusion of all data-entry fields;
  • anonymisation of all user interactions;
  • use limited to bug investigation and performance optimisation.

Data collected by these providers

These services may collect usage patterns, feature-interaction data, performance metrics, error information, anonymised user flows, and aggregate statistics.

4.2 Advertising Partners

We work with Facebook, Google, Snapchat, TikTok, Taboola, Outbrain, AppLovin, and Pinterest.

Subject to any consent required in your jurisdiction, these partners may receive anonymous identifiers, email addresses (for advertising purposes), usage data, device information, and interaction metrics.

They may use this information to track interactions, measure and optimise advertising performance, create audience segments, and analyse campaign effectiveness.

4.3 Shared-Document Landing Pages

Shared-document landing pages may display product and marketing content. Core delivery and security events are processed as transactional service data; marketing analytics and personalisation are performed only where required consent is given.

4.4 Other Recipients

We may also disclose Personal Data to the following recipients, only as necessary for the purposes described in this Policy:

  • Service providers, including payment processors, hosting and infrastructure providers, support tools, and email-delivery services.
  • Public authorities, law-enforcement, and other third parties where disclosure is required by law or necessary to protect rights and safety.
  • Counterparties, advisers, and acquirers in corporate transactions, subject to confidentiality obligations.
  • Any other recipient you specifically direct or authorise.

5. Security

We implement physical, technical, and organisational safeguards designed to protect Personal Data against unauthorised access, accidental loss, destruction, and disclosure.

5.1 Authentication and Access

  • Passwordless authentication by email with single-use, time-limited verification codes, and multi-factor authentication capability.
  • Automatic session termination and session-management controls.
  • Role-based access control and principle of least privilege.
  • Access logging, monitoring, regular access reviews, and automated access termination.

5.2 Data Protection

  • SOC 2 Type 2 compliance.
  • AES-256 encryption for data at rest.
  • TLS encryption for all data in transit.

5.3 System and Infrastructure Security

  • DDoS protection via Cloudflare.
  • Intrusion-detection systems and real-time security monitoring.
  • Regular security patching and structured change-management procedures.
  • Continuous compliance monitoring and performance tracking.

5.4 Payment Security

  • PCI DSS compliant payment processing.
  • Tokenised storage of payment-method identifiers; no access to complete card numbers.
  • Encrypted transmission of all payment data.

5.5 Backups and Business Continuity

  • Regular automated, encrypted backups.
  • Documented disaster-recovery and business-continuity plans.
  • Geographic redundancy and defined data-restoration procedures.

5.6 Data-Breach Notification

If we confirm a personal-data breach, we will:

  • initiate our incident-response plan and contain and remediate the incident;
  • assess the nature, scope, and risk to affected individuals and document the incident;
  • notify affected Users by email within 72 hours of breach confirmation where feasible and legally required;
  • notify relevant supervisory authorities and cooperate with investigations;
  • conduct a post-incident review and update security controls accordingly.

User notifications include a description of the incident, categories of data affected, potential impact, actions taken, recommended user actions, and contact details.

6. Data Retention and Deletion

6.1 Retention Principles

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including compliance, dispute resolution, and enforcement of our agreements. When data is no longer needed, we delete or anonymise it.

6.2 Standard Retention Periods

  • Account data: for the duration of the Account; Accounts that have been inactive for 365 consecutive days may be deleted.
  • Payment records: for the period required by applicable tax and financial-record laws.
  • Analytics data: for the period needed to support Service improvement, in aggregated or de-identified form where feasible.
  • Communications records: 2 years.
  • Security logs: 13 months.

6.3 Document-Sharing Retention

Recipient email addresses and related sharing metadata are deleted after 30 days where no Account is created and no legal hold applies. Limited security and anti-abuse logs may be retained longer where required for incident investigation or legal obligations.

6.4 Deletion Procedures

  • Account deletion is processed within 30 days of a verified request.
  • Data removal follows a documented systematic process with verification checks.
  • Data in backups is overwritten according to the backup cycle and, in any event, within 90 days.

7. Your Rights and Choices

7.1 Universal Rights

Regardless of your location, you may:

  • access the Personal Data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data, subject to legal limits;
  • object to Processing based on legitimate interests;
  • request data portability;
  • withdraw any consent previously given.

7.2 How to Exercise Your Rights

Submit a privacy-rights request through any official contact channel listed in Section 10.2.

To protect your privacy, we may need to verify your identity before acting on a request.

  • Initial verification: email confirmation and, where applicable, Account authentication.
  • Additional verification for sensitive or authorised-agent requests: government-issued ID, proof of authority, and additional security checks where reasonably necessary.

Response timelines:

  • Initial acknowledgement: within 72 hours (within 10 days for California residents where required).
  • Standard response: within 30 days of a verified request.
  • Maximum extension: an additional 45 days where reasonably necessary, with prior notice.
  • Appeal decisions: within 30 days of appeal.

Data delivery for access/portability requests:

  • machine-readable format (CSV or JSON) with a complete inventory;
  • provided via encrypted transmission.

7.3 Appeals

If you are not satisfied with our response, you may appeal within 30 days.

  • Submit the appeal by replying to our response with your reason and any additional information.
  • We will provide a decision within 30 days.
  • EU/UK data subjects may also lodge a complaint with their local supervisory authority.

8. International Data Transfers

8.1 Storage Location

Personal Data is primarily stored in secure data centres located in the European Union and transmitted globally using encrypted channels.

8.2 Transfer Safeguards

Where Personal Data is transferred outside the jurisdiction in which it was collected, we use appropriate safeguards that may include:

  • the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum;
  • technical and organisational security measures (encryption and access controls);
  • regular compliance monitoring and assessments;
  • continuous evaluation of transfer mechanisms against current regulatory guidance.

If you would like more information about these transfer mechanisms, please contact us using the details in Section 10.2.

9. Children's Privacy

The Service is not directed to, and we do not knowingly collect Personal Data from, individuals under the age of 18. If we become aware that we have collected Personal Data from a minor, we will delete the data and terminate the relevant Account.

10. Changes, Contact, and Dispute Resolution

10.1 Changes to This Policy

We may update this Policy from time to time. Changes fall into two categories:

  • Material changes will be notified by email at least 5 days before they take effect.
  • Non-material changes may be implemented immediately and reflected on the Platform without advance notice.

10.2 Contact Us

For any privacy-related question, request, or complaint:

Email: [email protected]

Help Centre: https://zendocs.com/help/contact-zendocs-support

Correspondence address: 2093 Philadelphia Pike #7179, Claymont, DE 19703, United States.

10.3 Dispute Resolution and Governing Law

Before initiating formal legal proceedings, contact us at [email protected].

Unresolved matters may be escalated to [email protected].

Following escalation, the parties will attempt to resolve the dispute through good-faith negotiation for a further 30 days.

If unresolved informally, the matter is governed by Delaware law and resolved through binding arbitration administered by the American Arbitration Association under Section 9 of our Terms and Conditions.

  • For matters exempt from arbitration, you consent to the personal jurisdiction of Delaware state and federal courts.
  • Section 9 of the Terms and Conditions also sets out the class-action waiver, carve-outs, arbitration rules, and six-month time bar.

Appendix A - Regional Privacy Rights

This Appendix supplements Section 7 and describes additional rights that apply to Users in specific jurisdictions.

A.1 EU/EEA/UK (GDPR / UK GDPR)

  • Rights include access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  • You may object to Processing based on legitimate interests and to direct marketing.
  • You have the right to be informed about Processing.
  • You may lodge a complaint with your local supervisory authority.

A.2 California (CCPA / CPRA)

  • Rights include knowing categories/pieces of personal information, sources, purposes, and sharing recipients.
  • Rights include deletion, correction, opt-out of sale/sharing, limiting sensitive personal information use, and non-discrimination.
  • We acknowledge opt-out preference signals such as Global Privacy Control where required by law.

A.3 Australia (Privacy Act 1988)

  • Rights include collection notification, access, correction, and transparency about use/disclosure.
  • You may complain to the Office of the Australian Information Commissioner.

A.4 Canada (PIPEDA and provincial laws)

  • Rights include access, correction, consent withdrawal (subject to legal/contractual restrictions), and transparency of purposes.
  • You may complain to the Office of the Privacy Commissioner of Canada or applicable provincial commissioner.