Privacy Policy
Last updated: March 17, 2026
1. Introduction
Zentativ operates a multi-tenant Hybrid AI + Human Customer Care SaaS platform at zentativ.com. This Privacy Policy explains how we collect, use, store, share, and protect information — including Google user data obtained through OAuth — when you use our services.
By accessing or using Zentativ, you agree to the practices described in this policy.
2. Data We Collect
2.1 Account and Profile Data
- Full name and email address (from sign-up or Google OAuth)
- Company / organisation name
- Phone number (optional, for voice integrations)
- Profile avatar (optional upload)
- Role within your organisation (admin, agent, etc.)
2.2 Google User Data (OAuth)
When you sign in via Google OAuth, we request the following scopes:
- openid — to verify your identity via Google OpenID Connect.
- email — to retrieve your Google account email for account creation and login identification.
- profile — to retrieve your display name and profile picture to pre-fill your Zentativ profile.
We do NOT request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service beyond the three scopes listed above.
2.3 Usage and Platform Data
- Support ticket content (messages between customers and AI / agents)
- Knowledge base documents uploaded by your organisation
- Widget configuration settings (colours, welcome messages)
- Credit usage and payment transaction records
- Agent status events and queue activity
- API request logs and error logs
- IP address, browser type, and device metadata
3. How We Use Your Data
3.1 Google User Data — Specific Use
Google user data (name, email, profile picture) is used exclusively to:
- Authenticate you and create or link your Zentativ account.
- Pre-populate your account profile to reduce manual entry.
- Send transactional notifications (credit alerts, ticket escalations) to your email.
We do NOT use Google user data to serve advertising, train AI models, build behavioural profiles, or sell to third parties. Our use of Google API data complies fully with the Google API Services User Data Policy, including the Limited Use requirements.
3.2 General Platform Data
- Provide and operate the Zentativ platform
- Process AI-powered and human-agent customer support conversations
- Route, escalate, and resolve support tickets
- Generate analytics and usage reports for your organisation
- Process payments and manage credit balances
- Send service notifications, security alerts, and billing updates
- Investigate fraud, enforce our Terms of Service, and comply with law
4. Data Sharing with Third Parties
We do NOT sell, rent, or trade your personal data or Google user data. We share data only with the following service providers:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication hosting | All structured user and platform data |
| Vercel | Application hosting and CDN | Request logs, IP addresses |
| Supabase Storage | File storage (documents, avatars) | Uploaded documents and images |
| Paystack | Payment processing | Email, payment amount and reference |
| Vapi | AI voice call infrastructure | Phone numbers, voice session data |
| n8n (self-hosted VPS) | AI workflow orchestration | Ticket and message content for AI processing |
| Law enforcement / courts | Legal obligation or valid legal process | Minimum required by law |
All sub-processors are contractually required to maintain data confidentiality and handle data only as instructed by Zentativ.
5. Data Storage and Protection
- All data is stored in Supabase (PostgreSQL) on AWS EU (eu-west-1), protected by TLS in transit and AES-256 encryption at rest.
- Google OAuth tokens are handled by Supabase Auth as encrypted session cookies; we do not store raw OAuth refresh tokens in our own database.
- Production data access is restricted to authorised Zentativ engineers via role-based access controls and enforced MFA.
- API keys and secrets are stored in environment variables, never in source code or client-side bundles.
- We conduct periodic security reviews and promptly address discovered vulnerabilities.
6. Data Retention and Deletion
- Account data — retained for the duration of your active subscription, deleted within 30 days of account closure.
- Support ticket and message data — retained for 24 months for audit and analytics. Admins may request earlier deletion.
- Google user data (name, email, profile picture) — deleted when your account is deleted. No Google user data is retained beyond account closure.
- Payment records — retained for 7 years to comply with financial regulations.
- Server/access logs — retained for 90 days, then automatically purged.
Requesting Deletion
To request deletion of your personal data or Google user data, email privacy@zentativ.com with the subject line "Data Deletion Request". We will confirm within 5 business days and complete deletion within 30 days, providing written confirmation upon completion.
7. Cookies and Tracking
We use strictly necessary cookies only:
- Session cookies — managed by Supabase Auth to maintain your authenticated session. These expire when you sign out or after 7 days of inactivity.
We do not use advertising cookies, cross-site tracking, or analytics fingerprinting.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your personal data.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — disconnect Google OAuth at any time via your Google Account settings at myaccount.google.com/permissions.
To exercise any right, contact privacy@zentativ.com.
9. Children's Privacy
Zentativ is a B2B platform for organisations and their employees. We do not knowingly collect personal data from individuals under 18. Contact us at privacy@zentativ.com if you believe a minor has provided data and we will promptly delete it.
10. International Data Transfers
Our infrastructure is hosted primarily in the EU. Where data is processed outside your jurisdiction, appropriate safeguards are in place, including Standard Contractual Clauses with EU/EEA sub-processors.
11. Changes to This Policy
We will notify you of material changes via email or an in-app banner at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.