Privacy Policy

This Privacy Policy (“Policy”) governs the processing of personal data by ZysCo (“Zysco”, “we”, “us”, or “our”) through the website ZysCompany.com and all associated products and services. Zysco is the publisher of this Policy and, where applicable, the data controller or data processor of personal data as defined below.

By accessing, downloading, installing, or using any Zysco product or service, you acknowledge that you have read, understood, and accepted this Policy. If you do not agree, you must not use our services.

1. Data Controller / Processor Identity

Zysco’s role depends on the context of data processing:

1.1 Zysco as Data Processor

When Zysco’s mobile applications, SaaS platforms, APIs, and cloud services are used by a business customer or organization (“Client”), the Client is the Data Controller with respect to personal data relating to its employees, end users, customers, contractors, or third parties. Zysco acts strictly as the Data Processor and processes such data only on documented instructions from the Client, pursuant to a Data Processing Agreement (“DPA”) that supplements this Policy.

1.2 Zysco as Data Controller

Zysco acts as a Data Controller only for data strictly necessary to operate, secure, and improve its services, including:

  • Account creation and lifecycle management

  • Authentication, access control, and identity management

  • Billing, invoicing, and financial record-keeping

  • Customer support, bug reports, and service requests

  • Security monitoring, audit logging, and incident response

  • Fraud prevention and abuse detection

  • Compliance with legal and regulatory obligations

  • Service performance measurement and reliability engineering

1.3 Commitments in All Cases

Regardless of role, Zysco:

  • Does not sell, rent, or trade personal data

  • Does not run targeted or behavioral advertising

  • Does not perform marketing profiling of end users

  • Does not use personal data to train public or third-party AI models

2. Scope

This Policy applies to all personal data processed through:

  • Zysco mobile applications, including iOS, iPadOS, Android, Apple TV (tvOS), watchOS, macOS, Android TV, and any future mobile or device platforms

  • Zysco cloud and SaaS platforms, including web applications, dashboards, administration portals, backend services, and hosted infrastructure

  • Zysco APIs, SDKs, and developer tools

  • Zysco websites, including ZysCompany.com and any subdomains

  • Associated digital and professional services, including onboarding, support, and consulting

  • All distribution channels, including Apple App Store, Google Play, Microsoft Store, progressive web apps (PWAs), and direct enterprise distribution

This Policy does not cover third-party websites, applications, or services that may link to or integrate with Zysco. Users should review the privacy policies of such third parties independently.

3. Categories of Data Processed

Depending on the service and configuration, Zysco may process the following categories of data, primarily on behalf of Clients:

  • Professional identification data: name, role, function, employer, work email, work phone

  • Account and authentication data: user IDs, hashed credentials, session tokens, MFA data

  • Operational or business data entered in or generated by the application

  • User-generated content: photos, videos, audio recordings, notes, annotations, files, drawings, scans

  • Geolocation data (only where expressly enabled and necessary for the service)

  • Technical and device metadata: IP address, device model, operating system, app version, language, time zone, crash logs, session duration, feature usage

  • Communications data: support tickets, in-app messages, feedback submissions

3.1 Client and User Responsibility

Clients and their end users are solely responsible for the data they input, upload, capture, or transmit through Zysco services. Zysco does not monitor, pre-screen, or verify the nature, accuracy, legality, or appropriateness of user-submitted content. Clients must:

  • Ensure they have a valid legal basis to collect and process all data they submit

  • Provide all required notices to data subjects

  • Obtain all required consents, including for any sensitive or special-category data

  • Comply with data minimization, accuracy, and storage-limitation principles

  • Ensure their end users comply with acceptable-use requirements

3.2 Prohibited and Sensitive Data

Unless (i) expressly permitted by the applicable service plan and DPA, (ii) legally authorized, and (iii) accompanied by appropriate safeguards, Clients and users must not upload, transmit, or process through Zysco services:

  • Health, medical, or genetic data

  • Biometric data used for unique identification

  • Racial or ethnic origin, or religious or philosophical beliefs

  • Political opinions or trade-union membership

  • Sexual orientation or sex-life data

  • Data relating to criminal convictions or offenses

  • Government-issued identification numbers beyond what is strictly required

  • Payment card data outside of approved billing flows

  • Data relating to children under the minimum age permitted by applicable law (see Section 14)

Zysco reserves the right, but has no obligation, to suspend processing or remove content that it reasonably believes violates this Policy, applicable law, or the service agreement.

4. Purposes of Processing

Personal data is processed strictly for:

  • Providing, operating, maintaining, and securing the services

  • Executing operational workflows and structuring Client data as configured

  • Logging, audit trails, and documentation of actions performed

  • Customer support, troubleshooting, and incident resolution

  • Security, fraud detection, abuse prevention, and integrity monitoring

  • Billing, contract administration, and legal compliance

  • Service improvement through aggregated, anonymized analytics (see Section 6)

4.1 AI-Powered Features

Where AI-powered features are activated by the Client or user:

  • Data is used only to provide the requested analysis, generation, or assistive output

  • No secondary reuse, resale, or repurposing occurs

  • Output is returned to the requesting user and not retained beyond what is necessary

  • AI features are decision-support tools only and do not constitute automated decision-making with legal or similarly significant effects

  • Zysco does not use Client or user data to train its own or third-party public foundation models

4.2 No Monetization

Zysco does not:

  • Sell, rent, license, or trade personal data

  • Share personal data with advertisers, ad networks, data brokers, or targeting platforms

  • Embed third-party advertising SDKs in its applications

  • Use behavioral tracking for marketing

  • Combine Client data across Clients for commercial purposes

5. Legal Basis for Processing

5.1 When Zysco is Processor

The Client, as Data Controller, determines the legal basis for processing (e.g., consent, contract performance, legal obligation, legitimate interest, public interest).

5.2 When Zysco is Controller

Zysco relies on the following legal bases:

  • Performance of a contract — to deliver services you or your organization have subscribed to

  • Legal obligation — to comply with tax, accounting, security, and regulatory duties

  • Legitimate interest — to secure our systems, prevent fraud, improve reliability, and protect our rights, provided such interests are not overridden by the rights and freedoms of data subjects

  • Consent — where specifically required (e.g., optional analytics or AI features)

6. Aggregated and Anonymized Data

Zysco may create aggregated, de-identified, or irreversibly anonymized datasets derived from processed data. Such datasets:

  • Cannot reasonably be used to identify any individual

  • Are no longer considered personal data under applicable law

  • Remain the property of Zysco

Zysco may use such datasets for analytics, product improvement, research and development, capacity planning, security research, and industry benchmarking. No identifiable personal data is ever commercialized.

7. Artificial Intelligence

7.1 Nature of AI Features

AI features provided within Zysco services are assistive and advisory. They:

  • Do not produce automated decisions with legal or similarly significant effects on data subjects

  • Do not replace human judgment, professional expertise, or regulatory duties

  • May produce incomplete, inaccurate, or misleading outputs, which must be reviewed by a qualified human before being acted upon

Users are solely responsible for the outputs they accept, adopt, or act upon.

7.2 Data Transmitted to AI Providers

When AI features are used, only the data strictly necessary to fulfill the requested operation is transmitted, such as:

  • Free-text descriptions entered by the user

  • Structured inputs (forms, fields, parameters)

  • Contextual images, documents, or media required by the feature

  • Limited technical metadata required for routing and quality control

The following are never transmitted to AI providers as input:

  • Authentication credentials, passwords, or API tokens

  • Full personal identifiers (names, emails) unless directly part of the user’s intentional input

  • Payment card or banking data

  • System-level secrets or encryption keys

7.3 AI Sub-Processors

AI service providers engaged by Zysco:

  • Act strictly as sub-processors under contractual data-protection obligations

  • Process data only to fulfill the specific request

  • Have no independent rights over submitted data

  • Are contractually prohibited from using submitted data to train their public or general-purpose models

  • Are prohibited from reusing data for their own purposes

7.4 User Control and Consent

  • AI features are disabled by default where user-level activation applies

  • Activation requires an explicit action by the Client administrator or user

  • Users or administrators may disable AI features at any time from the service settings

  • Zysco cannot technically prevent users from entering personal or sensitive data into free-text fields; the Client remains responsible for internal policies and user training

8. Sub-Processors

Zysco engages trusted third-party providers to deliver hosting, storage, infrastructure, security, monitoring, payment processing, customer support tooling, and AI services. All sub-processors:

  • Operate under written contracts containing data-protection clauses equivalent to those in this Policy and in the DPA

  • Are bound by strict confidentiality and security obligations

  • Have no independent rights over the data processed

  • Are regularly assessed for compliance

An up-to-date list of sub-processors is available upon request to Clients. Zysco will provide reasonable advance notice of material changes to its sub-processor list in accordance with the applicable DPA.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or other jurisdictions with data-export restrictions, Zysco implements appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK IDTA

  • Transfer impact assessments where legally required

  • Supplementary technical measures, including encryption in transit and at rest, access controls, and pseudonymization where feasible

  • Contractual commitments from sub-processors to uphold equivalent protections

10. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law:

  • Client-controlled data: retained for the duration of the service agreement and then deleted or returned according to the Client’s documented instructions, typically within thirty (30) days after termination, subject to any legal retention obligations

  • Account and billing records: retained for the duration required by tax, accounting, and commercial law (generally up to ten years)

  • Security and audit logs: retained for a period proportionate to security needs, typically between six months and two years

  • Support and communications records: retained as long as necessary to address the matter and demonstrate compliance

  • Backups: encrypted backups may persist for technical reasons for a limited period before rotation and deletion

11. Data Security

Zysco implements and maintains technical and organizational measures appropriate to the risks presented by processing, including:

  • Encryption of data in transit (TLS) and at rest

  • Strict role-based access controls and principle of least privilege

  • Multi-factor authentication for privileged access

  • Network segmentation, firewalling, and intrusion monitoring

  • Vulnerability management, patching, and independent security assessments

  • Secure software development lifecycle practices

  • Employee confidentiality obligations, onboarding security training, and background checks where permitted

  • Incident response and business continuity procedures

11.1 No Absolute Security

No method of electronic transmission or storage is completely secure. While Zysco strives to protect personal data using commercially reasonable measures, Zysco cannot guarantee absolute security. Clients and users are responsible for maintaining the confidentiality of their credentials and for configuring their use of the services appropriately.

11.2 Personal Data Breaches

In the event of a personal data breach affecting Client data, Zysco will notify the affected Client without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, providing available information to enable the Client to comply with its own notification obligations.

12. Data Subject Rights

Depending on applicable law, individuals have the right to:

  • Access their personal data

  • Request rectification of inaccurate data

  • Request erasure (“right to be forgotten”)

  • Restrict or object to processing

  • Request data portability

  • Withdraw consent where processing is based on consent

  • Lodge a complaint with a supervisory authority

Requests must generally be directed to the Client (Data Controller). Zysco will assist Clients in responding to such requests as required by the DPA, at reasonable cost where applicable. Where Zysco receives a request directly from a data subject, it will forward the request to the relevant Client and acknowledge receipt.

For data for which Zysco is the Controller (Section 1.2), requests may be submitted directly to contact@zyscompany.com.

13. Cookies and Similar Technologies

Zysco websites and web applications may use cookies and similar technologies strictly necessary for:

  • Authentication and session management

  • Security and fraud prevention

  • Load balancing and service reliability

  • Remembering user preferences

Where optional analytics or functional cookies are used, Zysco obtains consent through a cookie banner in accordance with applicable law. Zysco does not use advertising, marketing, or cross-site tracking cookies.

14. Children’s Privacy

Zysco services are intended for professional and business use and are not directed to children. Zysco does not knowingly collect personal data from children under the age of sixteen (16), or such other minimum age defined by applicable law (including the age of thirteen (13) in the United States under COPPA). If you become aware that a child has provided personal data to Zysco, please contact contact@zyscompany.com so that the data can be deleted.

15. Limitation of Liability

To the maximum extent permitted by applicable law, and without limiting any express contractual obligations to the Client under the service agreement or DPA:

  • Zysco’s services are provided “as available” for the purposes of this Policy

  • Zysco is not liable for personal data submitted by Clients or end users in violation of this Policy, applicable law, or the service agreement

  • Zysco is not liable for unauthorized access, disclosure, or use of data resulting from the acts or omissions of the Client, its users, or third parties outside Zysco’s reasonable control

  • Zysco is not liable for content produced by AI features that is acted upon without appropriate human review

  • Zysco’s aggregate liability arising from or relating to this Policy is governed by the limitations set forth in the applicable service agreement

Nothing in this Policy excludes or limits liability that cannot lawfully be excluded or limited, including under applicable data-protection law.

16. Indemnification by Client

The Client agrees to indemnify and hold Zysco harmless from and against any claims, damages, liabilities, fines, penalties, costs, and expenses (including reasonable legal fees) arising out of or relating to:

  • The Client’s or its users’ breach of this Policy or of applicable data-protection law

  • Data submitted by the Client or its users in violation of Section 3

  • The Client’s failure to obtain required consents or to provide required notices to data subjects

  • Decisions or actions taken by the Client or its users based on AI-generated output

This Section survives termination of the service agreement.

17. Governing Law and Jurisdiction

This Policy is governed by the laws specified in the applicable service agreement between Zysco and the Client. In the absence of such specification, this Policy is governed by the laws of California, USA, without regard to conflict-of-laws principles. Any dispute arising from or relating to this Policy is subject to the exclusive jurisdiction of the competent courts of California, USA, without prejudice to mandatory consumer-protection or data-protection rights.

18. Privacy Contact

Zysco Privacy Contact

📧 contact@zyscompany.com

For Clients with a designated Data Protection Officer or privacy contact under the DPA, please use the channels specified in that agreement.

19. Policy Updates

Zysco may update this Policy from time to time to reflect:

  • Changes in applicable law or regulatory guidance

  • Evolution of products, features, or infrastructure

  • Changes in sub-processors or data-flow architecture

  • Operational, security, or organizational improvements

Material changes will be communicated through the services, by email to Client administrators, or by posting a notice on ZysCompany.com. The “Last updated” date at the top of this Policy reflects the most recent revision. Continued use of the services after the effective date of an updated Policy constitutes acceptance of the changes.

20. Acceptance

By downloading, installing, accessing, or using any Zysco mobile application, cloud service, website, or API, the Client and its users acknowledge that they have read, understood, and agreed to this Privacy Policy. Clients are responsible for making this Policy available to their end users.

© ZysCo. All rights reserved.