Privacy Policy

How we protect your data and respect your privacy under GDPR and international standards. Last updated: March 22, 2026.

1. Data Controller & Contact Details

The data controller responsible for processing your personal data is:

ZESTIQ Sp. z o.o.

ul. Konduktorska 18/7
00-775 Warszawa, Poland

KRS: 0001227482 | NIP: 5214156564 | REGON: 544179182

Email: [email protected]

You can contact us with any privacy questions, data requests, or concerns using the contact information above. We aim to respond to all inquiries within 30 days.

2. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with GDPR requirements. The DPO is available to answer questions about our processing activities and to assist with your rights requests.

Data Protection Officer

ZESTIQ Sp. z o.o.

Email: [email protected]

3. What Personal Data We Collect

We collect personal data only when necessary to provide our services, improve your experience, and comply with legal obligations. Below are the types of data we collect:

3.1 Contact Form Submissions

When you submit our contact form on the website, we collect:

  • Name — to address you appropriately
  • Email address — to respond to your inquiry
  • Message content — to understand and address your request
  • Timestamp — to track when the submission occurred

3.2 Newsletter Subscriptions

When you subscribe to our newsletter, we collect:

  • Email address — to send you curated AI and ecommerce insights
  • Subscription date — to manage your subscription
  • Engagement data — which emails you open or click (optional, analytics)

3.3 Website Usage & Analytics Data

When you visit our website, we automatically collect:

  • Pages visited — which sections of our site you browse
  • Time on site — how long you spend on each page
  • Device information — browser type, operating system, device model
  • IP address — to understand your general location (city/country level)
  • Referral source — how you arrived at our site (search engine, social media, etc.)
  • Clicks and interactions — which buttons, links, and features you engage with

3.4 Cookie Data

Cookies and similar tracking technologies collect data about your browsing behavior. See Section 10: Cookie Policy for full details.

3.5 ZestIQ Sales Agent Product Data

If you use ZestIQ Sales Agent on your ecommerce store, the product collects and processes:

  • Customer queries — messages customers send to the AI agent
  • Conversation history — dialogue context for improved responses
  • Product catalog data — product names, descriptions, prices from your store
  • Customer behavior — browsing patterns, purchase intent, product interactions
  • Store metrics — conversion rates, engagement statistics, performance data

This data is processed on behalf of your store (the data controller) to provide AI-powered customer service. You retain full control and responsibility for this data.

Under GDPR Article 6, we only process your data where we have a legal basis. Here's our basis for each type of data:

Data Type | Legal Basis | Purpose
Contact Form | Legitimate Interest | Respond to your inquiries and provide customer support
Newsletter Signup | Consent | Send you marketing emails and product updates
Website Analytics | Legitimate Interest | Understand user behavior, improve site performance, ensure security
Essential Cookies | Legitimate Interest | Site functionality, security, and user session management
Marketing Cookies | Consent | Retargeting ads, email tracking, user engagement metrics
Sales Agent Data | Contract Performance | Deliver AI chatbot service to your store and provide analytics

5. How We Use Your Data

We use collected personal data only for the following purposes:

Customer Service & Support

  • Respond to your inquiries and support requests
  • Troubleshoot issues with our products
  • Follow up on contact form submissions

Marketing & Communications

  • Send newsletter emails with curated insights
  • Inform you about product updates and new features
  • Share relevant case studies and resources
  • Deliver personalized recommendations (with your consent)

Product Improvement

  • Analyze usage patterns to enhance user experience
  • Identify features that need refinement
  • Conduct A/B testing on website designs
  • Gather feedback for future product roadmaps

Site Security & Analytics

  • Detect and prevent fraud and abuse
  • Monitor website performance and uptime
  • Debug technical issues
  • Analyze traffic patterns and user engagement

Sales Agent Service Delivery

  • Train and improve the AI model based on conversation data
  • Provide performance metrics and analytics to store owners
  • Ensure compliance with your store's policies

6. Who We Share Data With

We do not sell, rent, or trade your personal data to third parties. However, we may share data with trusted partners who help us provide services, subject to strict data protection agreements:

Service Providers (Data Processors)

  • Cloud hosting providers — to store data securely (e.g., AWS, Google Cloud)
  • Analytics platforms — to understand site usage (e.g., Google Analytics, Segment)
  • Email service providers — to deliver newsletters (e.g., Mailchimp, SendGrid)
  • Payment processors — to handle subscriptions and billing (e.g., Stripe)
  • CRM tools — to manage customer relationships professionally

All service providers are bound by Data Processing Agreements (DPAs) ensuring they process data only on our instruction and maintain equivalent security measures.

Legal & Regulatory Requirements

We may disclose personal data if required by law, court order, or government request. We will notify you of such requests unless legally prohibited.

Business Transfers

If ZestIQ is acquired, merged, or sold, your data may be transferred as part of that transaction. We will provide notice of such changes and any choices you may have regarding your data.

Zero Data Selling Policy: We are fundamentally committed to NOT selling, trading, or disclosing your personal data to advertisers, brokers, or third-party marketers. Your privacy is not a commodity.

7. International Data Transfers

ZestIQ operates globally, and your data may be transferred to, stored in, or processed in countries outside the European Union. When we transfer data internationally, we ensure adequate safeguards:

EU-US Data Transfers

For transfers to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) — legally binding agreements that impose GDPR-equivalent protections
  • Data Processing Agreements (DPAs) — contracts with all our processors
  • Adequacy decisions — where applicable (e.g., UK-EU arrangements)

Your Rights During Transfers

You have the right to know where your data is being transferred and the safeguards in place. You can request information about our data transfer mechanisms at any time by contacting our DPO.

8. Data Retention Periods

We retain personal data only as long as necessary to fulfill the purposes for which it was collected. Once data is no longer needed, we securely delete or anonymize it.

Data Type | Retention Period | Reason for Retention
Contact Form | 2 years | Respond to follow-ups; maintain customer records
Newsletter Subscriber | Until unsubscribe | Manage active subscriptions; reactivation opportunities
Website Analytics | 24 months | Track long-term trends; inform product decisions
Cookie Data | 13 months | Standard analytics retention; comply with GDPR
Server Logs | 90 days | Security, fraud prevention, and debugging
Sales Agent Conversations | 1 year | Model improvement, analytics, dispute resolution
Billing/Payment Records | 7 years | Legal and tax compliance requirements

After the retention period, data is deleted or irreversibly anonymized. You can request earlier deletion at any time (subject to legal obligations).

9. Your Rights Under GDPR

Under GDPR Articles 12-22, you have the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you, including:

  • A human-readable copy of your data
  • Information about how we're processing your data
  • Details about our processing purposes and legal basis

How to exercise: Email [email protected] with subject "Data Access Request."

Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you can request correction. We will update your data and notify relevant third parties (where applicable).

How to exercise: Email [email protected] with subject "Data Correction Request" and details of what needs to be updated.

Right to Erasure ("Right to Be Forgotten") (Article 17)

You can request deletion of your personal data, except where we have a legal obligation to retain it (e.g., for tax/billing purposes). Upon your request, we will:

  • Delete your data from our active systems
  • Instruct third-party processors to delete your data
  • Retain only data necessary for legal compliance

How to exercise: Email [email protected] with subject "Right to Erasure Request."

Right to Restrict Processing (Article 18)

You can ask us to pause our use of your data while you dispute its accuracy, or while you exercise other rights. We will store your data but not actively process it.

How to exercise: Email [email protected] with subject "Data Processing Restriction Request."

Right to Data Portability (Article 20)

You can request your data in a portable, machine-readable format (e.g., CSV) to transfer to another service. We will provide this within 30 days.

How to exercise: Email [email protected] with subject "Data Portability Request."

Right to Object (Article 21)

You can object to processing based on legitimate interest or direct marketing. Upon objection, we will:

  • Stop marketing emails immediately (if applicable)
  • Review any other processing and cease where possible
  • Keep only data necessary for legal obligations

How to exercise: Email [email protected] with subject "Data Processing Objection" or click "Unsubscribe" in any marketing email.

Right to Withdraw Consent (Article 7)

If you consented to marketing emails or cookies, you can withdraw that consent at any time. We will honor your withdrawal immediately.

How to exercise: Click "Unsubscribe" in marketing emails, adjust cookie settings, or email [email protected].

Right to Lodge a Complaint (Article 77)

If you believe we are not complying with GDPR, you have the right to lodge a complaint with your local data protection authority:

  • EU residents: Contact your national data protection authority (e.g., CNIL in France, ICO in UK)
  • UK residents: Information Commissioner's Office (ICO) — www.ico.org.uk
  • Others: Contact the authority in your jurisdiction

Response Timeline: We will respond to all rights requests within 30 days of receipt. If your request is complex, we may extend this to 60 days (with notification). Requests are free, except for excessive or unfounded repeated requests.

10. Cookie Policy

Cookies and similar tracking technologies (pixels, local storage) help us deliver and improve our website. We use four categories of cookies:

1. Essential/Necessary Cookies

Required for basic website functionality. These cannot be disabled without breaking site features.

  • Session cookies — maintain your login session
  • Security cookies — prevent fraud and protect your data
  • Preference cookies — remember your language and theme choices

Legal basis: Legitimate interest in site security and functionality.

2. Analytics Cookies

Help us understand how visitors interact with our site so we can improve it.

  • Google Analytics — track page views, user behavior, conversion events
  • Hotjar — record user interactions and heatmaps (optional)
  • Segment — aggregate analytics across platforms

Legal basis: Consent (we ask before setting these).

3. Marketing/Retargeting Cookies

Allow third parties to show you personalized ads based on your browsing history.

  • Facebook Pixel — Facebook and Instagram retargeting
  • Google Ads — Google Search and Display retargeting
  • LinkedIn Pixel — LinkedIn retargeting (B2B)

Legal basis: Consent (we ask before setting these).

4. Functional Cookies

Enhance your experience by remembering preferences and enabling advanced features.

  • Chat widget cookies — remember support chat state
  • Form preferences — auto-fill fields if you choose
  • Video player cookies — remember playback preferences

Legal basis: Legitimate interest in improving user experience.

Managing Your Cookie Preferences

When you first visit our site, we display a cookie consent banner. You can:

  • Accept all — enable all non-essential cookies
  • Reject all — disable all non-essential cookies (only essential remain)
  • Customize — toggle specific cookie categories
  • Change preferences later — click the cookie settings link in the footer

11. Children's Privacy

Our website and products are not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16 without verifiable parental consent.

If you are under 16: Do not submit personal information through our contact forms or newsletter signup. If you believe we have collected data from a child under 16 without consent, please contact us immediately.

Parental rights: Parents or guardians can request access to, or deletion of, their child's data by contacting [email protected] with proof of guardianship.

12. Security & Data Protection

We implement technical and organizational measures to protect your data from unauthorized access, alteration, or loss:

  • Encryption in transit: All data transmitted to/from our servers uses TLS 1.2+ encryption (HTTPS)
  • Encryption at rest: Data stored on servers is encrypted with AES-256
  • Access controls: Only authorized staff can access personal data, on a need-to-know basis
  • Regular audits: We conduct annual security audits and vulnerability assessments
  • Data processing agreements: All third-party processors sign Data Processing Agreements (DPAs)
  • Incident response: We have a documented breach response plan and notify authorities within 72 hours (GDPR requirement)

However, no system is 100% secure. We encourage you to use strong passwords and report any security concerns to [email protected].

13. Changes to This Privacy Policy

We may update this privacy policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email if you're a subscriber or customer
  • Request your consent for significant changes affecting your rights
  • Provide a summary of what changed in the update

Your continued use of our website after changes indicates your acceptance of the updated policy. If you do not agree with changes, you can request deletion of your data.