Jiminy Privacy Policy

1. DATA CONTROLLER

The data controller responsible for processing your personal data is Zhero Tech SRL, Via Ticino 30, 20900 Monza (MB), Italy. You can reach us at admin@zhero.tech.

2. PERSONAL DATA WE COLLECT

• Account Data: name, email address, password hashes, authentication tokens (including Google Sign-In identifiers).
• Chat Sessions: transcripts, prompts, user messages, AI responses and related metadata (e.g., timestamps, language, sentiment, usage statistics).
• Uploaded Content: files, documents and URLs you provide to train or enrich your AI agents.
• Billing Data: company details, VAT/ tax IDs, billing address, payment card last 4 digits and transaction identifiers (processed via our payment provider; we never store full card numbers).
• Technical Data: IP address, device and browser type, operating system, referral URLs, session duration and related logs generated when you access the Service.
• Cookies & Similar Technologies: preference cookies, authentication cookies and analytics cookies as described in Section 7.

3. HOW & WHY WE USE YOUR DATA

We process your personal data for the following purposes and legal bases:

• Provide and operate the Service (Art. 6 (1)(b) GDPR – contract performance).
• Authenticate users and secure accounts(Art. 6 (1)(b) & (f) GDPR).
• Generate AI responses and improve our language models by sending prompts to third-party AI providers such as OpenAI (Art. 6 (1)(b) & (f) GDPR).
• Analyse usage to improve and personalise the Service and develop new features (Art. 6 (1)(f) GDPR – legitimate interest).
• Process payments, detect fraud and issue invoices (Art. 6 (1)(b) & (c) GDPR).
• Comply with legal obligations such as tax and accounting rules (Art. 6 (1)(c) GDPR).
• Send you service-related communicationsand, where you have opted-in, marketing updates (Art. 6 (1)(b) or (a) GDPR).

4. DATA SHARING & SUB-PROCESSORS

We do not sell your personal data. We share it only when necessary to operate the Service, comply with the law or with your consent. Key service providers include:

• Supabase – database, authentication and object storage (EU data centres).
• Vercel – hosting for the web application (EU edge network).
• OpenAI LLC – natural-language processing to generate responses and embeddings (USA, Standard Contractual Clauses in place).
• Stripe Payments Europe Ltd – payment processing (Ireland).
• Amazon Web Services (EU-Central-1) – supplementary object storage and backups.
• Usercentrics – consent-management platform for cookies.

All sub-processors are bound by data-processing agreements to protect your information.

5. GOOGLE WORKSPACE API COMPLIANCE

For users who choose to connect their Google Calendar to our Service, we access and process Google Calendar data through the Google Calendar API to provide calendar integration features such as meeting scheduling and availability checking.

Specifically, we:

• Do not use Google user data for AI model training: Google Calendar data is used solely for providing calendar integration features to you and is not used to create, train, or improve any foundational machine learning or artificial intelligence models.
• Limit data access: We only request and access the minimum Google Calendar data necessary to provide the requested calendar integration features.
• Secure data handling: Google Calendar data is encrypted in transit and at rest, and access is limited to authorized personnel for technical support purposes only.
• No unauthorized transfers: We do not sell, transfer, or share your Google Calendar data with third parties except as necessary to provide the Service or as required by law.
• User control: You can disconnect Google Calendar integration at any time from your chatbot settings, which will immediately revoke our access to your Google Calendar data.

Our Google Calendar integration is designed to enhance your chatbot's functionality while maintaining strict compliance with Google's data usage policies and your privacy rights.

6. INTERNATIONAL TRANSFERS

Where we transfer personal data outside the European Economic Area, we rely on adequacy decisions (e.g., EU-US Data Privacy Framework) or Standard Contractual Clauses approved by the European Commission.

7. DATA RETENTION

We retain personal data for as long as your account is active or as required to fulfil the purposes described in this Policy. Chat transcripts and uploaded content can be deleted by you at any time from the dashboard. Back-ups are automatically purged after 30 days. Legal and accounting records are kept for up to 10 years.

8. COOKIES & TRACKING TECHNOLOGIES

We use cookies and similar technologies to: (i) authenticate sessions, (ii) remember preferences, (iii) measure audience analytics, and (iv) manage consent via Usercentrics. You can manage cookie preferences at any time through the cookie banner.

9. DATA SECURITY

We implement appropriate technical and organisational measures, including encryption in transit and at rest, least-privilege access controls, regular penetration testing and continuous monitoring, to protect personal data against unauthorised access, alteration and loss.

10. YOUR RIGHTS UNDER THE GDPR

Subject to certain conditions, you have the right to:

• Access the personal data we hold about you;
• Request rectification of inaccurate data;
• Request erasure or restriction of processing;
• Data portability;
• Object to processing based on our legitimate interests;
• Withdraw consent at any time (without affecting prior processing);
• Lodge a complaint with your local supervisory authority;

To exercise your rights, please contact us at admin@zhero.tech.

11. CHILDREN'S PRIVACY

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we learn that we have inadvertently obtained such information, we will delete it promptly.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the current version. Material changes will be notified via email or in-app notice.

13. CONTACT