Privacy Notice — Zentora

This Privacy Notice explains how Zentora Digital. (“Zentora”, “we”, “us”) collects, uses, shares, protects, and retains information when you access our apps, dashboards, websites, APIs, and services (collectively, the “Services”). We follow a “privacy by design” approach aligned with GDPR (EU), and other applicable laws.

• We minimize data, collect only what’s necessary, and apply layered security controls.
• Some data is inherently public on blockchains and cannot be altered or erased by Zentora.
• You can exercise privacy rights described below; we respond in accordance with applicable law.

“Personal Data” means any information related to an identified or identifiable natural person. “Processing” means any operation performed on data (e.g., collection, storage, use, disclosure). “Controller” determines purposes and means of processing; “Processor” handles data on behalf of a controller; “Sub-processor” is a processor engaged by another processor.

Data You Provide

• Registration data: name, email, phone (optional), country/region.
• Compliance data (KYC/AML): identity documents, liveness checks, sanctions screening results.
• Support data: messages, tickets, attachments, feedback.
• Marketing preferences: newsletter opt-ins, referral codes.

Data Collected Automatically

• Device and usage data: IP address, OS, browser type, device IDs, timestamps, pages/events.
• Telemetry and diagnostics: performance metrics, crashes, errors, latency, API usage.
• Security signals: auth events, anomaly detections, rate limits, abuse indicators.

Data from Third Parties

• KYC/AML vendors, sanctions lists, adverse media checks.
• Marketing/attribution partners (if enabled) and referrer information.

We process personal data only where we have a valid legal basis and a defined purpose.

Purposes & Legal Bases

• Provide and operate Services — contract performance; legitimate interests.
• Compliance (KYC/AML/sanctions) — legal obligation; substantial public interest.
• Security & fraud prevention — legitimate interests; legal obligation.
• Analytics & product improvement — legitimate interests; consent where required.
• Marketing communications — consent (opt-in) and/or legitimate interests with opt-out.
• Support — contract performance; legitimate interests.

Minimization & Compatibility

We collect the minimal data necessary and avoid incompatible reuse. Where a new purpose arises, we assess compatibility and, if needed, request fresh consent or provide appropriate notice.

Public blockchains are immutable ledgers. Transactions you initiate may be permanently recorded and visible to anyone.Zentora cannot edit, delete, or obscure data stored on a public chain. Wallet addresses can be personal data when combined with other identifiers.

• We discourage embedding personal data in on-chain memos or metadata.
• We may use chain analytics for compliance, risk, and anti-abuse purposes.

We use cookies, SDKs, pixels, and similar technologies to enable core functionality, security, preferences, performance, and measurement. You can manage preferences in our in-app Privacy Center where available.

Categories

• Strictly Necessary (authentication, load balancing, fraud prevention).
• Preferences (language, theme, privacy opt-ins).
• Performance (telemetry, crash reports).
• Analytics/Attribution (usage, funnels, campaign effectiveness).
• Marketing (only with consent where required by law).

We may use analytics to understand feature adoption, debug issues, and enhance user experience. We favor privacy-respecting configurations (e.g., IP truncation, aggregated reporting) where supported.

De-identification

We employ aggregation and pseudonymization where feasible. De-identified data will not be re-identified except for security or compliance reasons.

With your consent (where required) we may send updates, newsletters, or offers. You can unsubscribe at any time via the link provided in emails or using in-app preferences.

Referrals

Referral programs may process limited recipient data to deliver invitations. Do not share contacts without permission.

We may use automated scoring and risk signals to detect fraud/abuse, enforce limits, or prioritize reviews. These systems affect product eligibility and abuse prevention but do not make solely automated decisions with legal or similarly significant effects without human review where required by law.

We share data with service providers under contractual safeguards (confidentiality, security, and data protection terms). We do not sell personal data. Categories of recipients include:

• KYC/AML & sanctions screening providers.
• Cloud hosting, storage, and CDN providers.
• Security, fraud, and risk analytics vendors.
• Product analytics and telemetry services.
• Customer support and ticketing platforms.
• Payment and crypto infrastructure providers.
• Professional advisors (legal, accounting) under duty of confidentiality.

Sub-processors

We maintain an up-to-date roster of sub-processors upon request. Material changes will be communicated via reasonable notice where required.

Where data is transferred outside your jurisdiction, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms, combined with technical and organizational measures proportionate to risk.

We retain personal data only as long as necessary for the purposes described or as required by law (e.g., finance, audit, AML). When retention ends, we securely delete or irreversibly anonymize data.

Illustrative Periods

• Account records: while active and for a limited period after closure.
• AML/KYC artifacts: per statutory minimums applicable in the relevant jurisdiction.
• Telemetry logs: short rolling windows unless required for security investigations.

We implement layered security: encryption in transit and at rest (where applicable), secrets management, access controls (least privilege), hardened CI/CD, infrastructure auditing, and vendor due diligence.

What You Can Do

• Use strong, unique passwords and enable 2FA where available.
• Keep devices updated and avoid sharing credentials.
• Beware of phishing; verify official domains and support handles.

The Services are not directed to children. Do not use the Services if you are under the age of majority in your jurisdiction. We will delete accounts that we learn belong to ineligible users.

Some browsers offer “Do Not Track”. Our Services respond through the in-app Privacy Center and consent tools where available. You can adjust analytics/marketing preferences at any time; strictly necessary cookies cannot be disabled.

We may update this Privacy Notice to reflect changes in law, technology, or our Services. Material updates will be communicated via in-app notice or other reasonable means. Continued use after the effective date indicates acceptance.