Last Update: April 23, 2023

Privacy Policy

1. Welcome to zenloop!

Your privacy is important to us

1.1 Who we are

zenloop (or “we”) is a business-to-business software-as-a-service platform which allows its customers to collect, analyze and “close the loop” on feedback in order to measure and boost loyalty. If you’d like to talk to us directly, our contact details (and those of our data protection officer) are at the bottom end of this Privacy Policy.

1.2 What this Privacy Policy does

This Privacy Policy describes how zenloop collects, uses, stores, shares and secures your personal data. It applies when you access, visit or use any portion of our site or service. You can retrieve this Privacy Policy from our website (www.zenloop.com/en/legal/privacy), and download, store and print it, at any time. Depending on how you use our site or service, some parts of this policy might or might not apply to you – each chapter clearly explains if it applies to you.

Please read this Privacy Policy, our Terms of Service, and our Data Processing Agreement carefully as you must agree to each in order to have permission to use our service. You will not be able to use our service if you do not agree to these policies.

1.3 What ‘Personal Data’ means

In this Privacy Policy, we’ll be talking a lot about your ‘personal data’. If you aren’t exactly sure what that means, here is how the term is defined in Article 4 of the European General Data Protection Regulation (GDPR) (and this is how we’ll be using the term for the purposes of this Privacy Policy):

“Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

1.4 Users, Survey Senders and Survey Recipients

zenloop is used by Users (people who visit our site, including general visitors who do not register for an account with us), Survey Senders (people who create and conduct surveys through our site), and Survey Recipients (people who answer those surveys). How we store and handle your data depends a lot on whether you are a User, Survey Sender, and/or Survey Recipient – so, we have split this Privacy Policy in three parts.

Click on the part that applies to you: 

2. Privacy for Users

2.1 Who is a User?

If and while you visit our site www.zenloop.com, even without registering for an account, you are a “User” of our site.

2.2 What information do we collect from Users?

We collect the following information from all of our Users in the background while they browse our site: 

  • Statistical usage data: We collect and analyze data about how you found our site, how you browse, how long you stay on it, and what you click on during your stay.
  • Device and application data: We collect data from the device (for example, if you use a laptop or smartphone) and application (for example, whether you are using Chrome or Firefox) you use to access our site. This includes your public IP address, from which we may also infer your geographic location. 
  • Referral data: If you arrive at our site from an external source (such as a link on another website or in an email), we record information about the source that referred you to us. 
  • Information from cookies and page tags: We use third party tracking services that employ cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data about visitors to our websites. This data may include usage and User statistics.

If you interact with our site in certain ways, we will also collect the following information from you:

  • Voluntary information: We may collect additional personal information or data from you if you submit it to us voluntarily in other contexts, such as testimonials or public contests.

The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the interest to enable you to visit the website and to guarantee the long-term operability and security of our systems. The legal basis for the collection of voluntary data is Art. 6 Para. 1 S. 1 lit. b DSGVO.

2.3 How do we use the information we collect from Users?

We use the information we collect from Users: 

  • To personalize your experience: Your information helps us to better respond to your individual needs. 
  • To improve our website: We continually strive to improve our website offerings based on the information and feedback we receive from you. 
  • To improve customer service: Your information helps us to more effectively respond to your customer service requests and support needs, including to help us evaluate or devise new features. 

The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.

  • Additionally, we may compile statistical and other information related to the performance, operation and use of our services. Service analyses will not incorporate your data in a form that could identify or serve to identify you. We may anonymize your personal data and perform the processing steps necessary for such anonymization. Anonymized or aggregated data are no longer considered personal data. While maintaining anonymity, zenloop may use all data created for its own purposes, such as statistical analyses, industry comparisons, benchmarking, research and development and other purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.

2.4 When and with whom do we share your information?

zenloop recognizes that you have entrusted us with safeguarding the privacy of your information. Because that trust is very important to us, we will disclose or share your information only in limited circumstances, in accordance with applicable law. In particular, we may disclose your information:

2.4.1. To zenloop companies

We may transfer your personal data to our affiliated entities for the purposes outlined in this Privacy Policy. zenloop’s companies may be located in the EEA or in jurisdictions which are considered by the European Commission to be offering an adequate level of protection for personal data. We take appropriate contractual or other steps to protect your data under applicable laws. 

zenloop’s affiliated entities:

  • zenloop Ltd., situated at 128 City Road, London EC1V 2NX, United Kingdom

2.4.2. To our service providers

zenloop uses third-party service providers who help us to provide you with our services. These including credit card and payment processors, data hosting service providers, and providers of web analytics tools. We will give these providers access to your information, but only to the extent necessary for them to perform their services for us. We also contractually bind these service providers to keep your information confidential and to use it only for the purpose of providing their services. Your data may be transferred to the jurisdictions which are considered by the European Commission to be offering an adequate level of protection for personal data and to the countries with a lower data protection standard than the European Union. We take appropriate contractual or other steps to protect your data under applicable laws, including implementing the European Commission’s standard contractual clauses. 

The third party service providers we use are:

  • “Google Analytics”: We use this web analysis service of Google, Inc. (“Google”), situated at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses so-called “cookies”, text files which are saved on your computer and enable analysis of the use of a website. Information on your use of this website (including your IP address) is generated by the cookie. Google uses this information to evaluate your use of the website in order to compile reports on website activities for the website operator, and to provide additional services related to website and Internet use. Please find more information in Google’s General Terms of Service and additionally consider Google’s privacy policy.
  • Segment Inc., situated at 55 2nd St, 4th Fl., San Francisco, CA 94105 USA. Please find more information in Segment’s General Terms of Service and their Privacy Policy.
  • Intercom Inc., situated at 55 2nd St, 4th Fl., San Francisco, CA 94105 USA. Please find more information in Intercom’s General Terms of Service and their Privacy Policy.
  • Heap Inc., situated at 460 Bryant St., Suite 300, San Francisco, CA 94107, USA. Please find more information in Heap’s General Terms of Service and their Privacy Policy.
  • Pipedrive, Paldiski mnt 80, Tallinn 10617, Estonia. Please find more information in Pipedrive’s General Terms of Service and their Privacy Policy.
  • KlentySoft Inc., 340 S Lemon Ave, #2331 Walnut, CA 91789, USA. Please find more information in Klenty’s General Terms of Service and their Privacy Policy.
  • Stripe, 510 Townsend St, San Francisco, CA 94103, USA. Please find more information in Stripe’s General Terms of Service and their Privacy Policy.
  • Zapier Inc., situated at 4548 Market St. #62411, San Francisco, CA 94104-5401, USA. Please find more information in Zapier’s General Terms of Service and Zapier’s Privacy Policy.
  • Octobat, Société par actions simplifiées, 230 rue du General Leclerc 95120 Ermont, France. Please find more information in Octobat’s General Terms of Service and Privacy Policy
  • AutopilotHQ, Inc., located at 149 New Montgomery St, Suite 631, Floor, San Francisco, CA, 94105, USA. Please find more information in Autopilot’s General Terms of Service and Autopilot’s Privacy Policy.
  • Leadfeeder, situated at Mikonkatu 17, 00100, Helsinki, Finland. Please find more information in Leadfeeder’s General Terms of Service and additionally consider Leadfeeder’s privacy policy.
  • productboard Inc., situated at 731 Market street #200, San Francisco, California  94103 US. Please find more information in this regard in Product Board’s General Terms of Service and their Privacy Policy.
  • Planhat AB, Sveavägen 98, 113 50 Stockholm, Sweden. Please find more information in Planhat’s General Terms of Service and their Privacy Policy.
  • Google Data Studio by Google, Inc., situated at 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Please find more information in Google’s General Terms of Service and additionally consider Google’s privacy policy.
  • CISION Germany GmbH, Westhafenplatz 1 60327, Frankfurt Main, Germany. Please find more information in CISION’s Terms of Service and additionally consider CISION’s Privacy Policy.
  • SorryApp Ltd., Old Station Business Park Petworth, West Sussex, United Kingdom. Please find more information in SorryApp’s Terms of Service and additionally consider SorryApp’s Privacy Policy.
  • Usercentrics GmbH, Sendlinger Straße 7, 80331 München. Please find more information in Usercentric’s Terms of Service and additionally consider Usercentric’s Privacy Policy.
  • Dreamdata, Købmagergade 22, 2nd Floor, 1150 Copenhagen, Denmark. Please, find more information in Dreamdata’s privacy policy and Dreamdata’s cookie policy.
  • LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin Ireland and LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. LinkedIn’s privacy policy.
  • Facebook Ireland Ltd. Meta Platforms Inc.,4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland / Meta Platforms Inc 1601 Willow Road Menlo Park, CA 94025 United States. Facebook’s/Meta’s privacy policy.
  • ZoomInfo Inc., 805 Broadway, Suite 900, Vancouver, WA 98660. Zoominfo’s privacy policy can be found here.
  • Okta, Inc. with offices at 100 1st Street, San Francisco, California 94105. Okta’s privacy policy can be found here.
  • If required or permitted by law. Sometimes, public authorities (such as courts, government agencies, public prosecutors, antitrust authorities and others) may require us to disclose information to them in the exercise of their duties (for example in order to investigate, prevent, or take action regarding illegal activities). We may disclose your information as required or permitted by law, including when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.
  • If there is a change in business ownership or structure at zenloop. If ownership of all or substantially all of our business changes (whether by share deal or asset deal), or we undertake a corporate reorganization (including a merger or consolidation, or any measures pursuant to the German Transformation Act), you expressly consent to zenloop transferring your information to the new owner or successor entity so that we can continue providing our services. If required, zenloop will notify the applicable data protection agency in each jurisdiction of such a transfer in accordance with the notification procedures under applicable data protection laws.
  • When we have your permission to do so. Of course, there may also be instances where, in addition to the above, you have given us your express consent to disclose your information to others. This may be the case, for example, where you provide a testimonial about your zenloop experience, or where, with your consent, we disclose your contact details to third parties in order for them to contact you for marketing purposes.

2.5 Use of Cookies and Opt-out

This website uses “cookies”. Cookies are text files that are stored on your user device for the purposes described below until they expire. However, you can delete the cookies before their expiration date. Cookies may be transmitted by us or by a third party provider. The cookies are used to enable analysis of the use of our website. The information generated by the cookie about your use of this website (including your IP address) will be transmitted to and stored by a server, some of which may be located outside the EU. Some of our service providers may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of our service providers. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. Click here to opt-out of tracking cookies. 

Types and functions of cookie: 

  • Essential cookies: certain cookies are required to enable the core functionality of our website. You cannot disable essential cookies.

Other types of cookies: we also use other types of cookies to make our website interesting and helpful to you: 

  • Functionality cookies: we want to ensure that your preferences and settings are recognized when you visit our website. Functionality cookies make our website easier to use. 
  • Analytics and statistics cookies: these cookies help us to obtain statistical information about the use of our website and to improve our website. These cookies help us to analyze and optimize our services in a pseudonymous way.
  • Marketing cookies: these technologies are used by advertisers to serve ads based on your interests.

For an overview of all cookies we use, please click here [link].

Click here to reject tracking cookies.

3. Privacy for Survey Senders

3.1 Who is a Survey Sender?

If you register with a zenloop account and subscribe to one of our subscription plans in order to conduct surveys, you are a Survey Sender.

3.2 What information do we collect from Survey Senders?

As a Survey Sender, we collect and use your information as described in chapter 2 above. Additionally, we collect the following information from you while you use our service:

  • Registration information: You need a zenloop account before you can create surveys on zenloop. When you sign up for an account on our site, we will collect the information that you provide to us when you register for an account, including your first and last name, email address, username, password, company name.
  • Billing information: If you subscribe to one of our subscription plans, we will require you to provide your billing details, including your billing name, billing address, and additional financial information depending on the payment method you chose. We will also store information about your individual subscription plan (including the date when you sign-up and dates of any renewals).
  • “My Account” settings: You can view and edit various preferences and personal details through your “My Account” settings on our platform. For example, you can set preferences such as your default language and default time zone.
  • Survey data: We collect and store all the questions and responses to the surveys you create and run through our service, including statistics or insights. Of course, on top of keeping this information secure, we also keep it confidential at all times: Only your account has access to your survey questions and responses at any time.
  • Recipient data: zenloop allows you to import your Survey Recipients’ personal information (for instance, email addresses), so that you can easily invite Survey Recipients to take surveys, and later analyze their results. We will store and process this data exclusively as data processor on your behalf and at your direction.

The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR.

3.3 How do we use the information we collect from Survey Senders?

We use Survey Senders’ information for the same purposes as any User information as described in chapter 2 above. 

Additionally, we also use Survey Senders’ information: 

  • To provide our service: We will use your registration information, billing information, “My Account” settings, and your survey and recipient data, to provide our service to you. This will include providing you with customer support, which requires us to access your information to assist you. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR. 
  • To create service analyses: We will use your information in aggregated form to create reports or benchmarks. This means that we may use your information for security and operations management, to create statistical analyses, and for research and development purposes. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service. 
  • To create service analyses, research and product development: We may compile statistical and other information related to the performance, operation and use of our services. Service analyses will not incorporate your data in a form that could identify or serve to identify you. We may anonymize your personal data and perform the processing steps necessary for such anonymization. Anonymized or aggregated data are no longer considered personal data. While maintaining anonymity, zenloop may use all data created for its own purposes, such as statistical analyses, industry comparisons, benchmarking, research and development and other purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service. 
  • To send you periodic emails: The email address you provide as part of your registration information may be used to send you information and updates pertaining to your order. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR
  • To send you feedback requests: We may send you emails to request an evaluation of zenloop and our services. These emails do not include any promotional content. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service. If at any time you would like to unsubscribe from receiving future emails, we include unsubscribe instructions at the bottom of each email that we send to you.
  • To contact you for marketing purposes: In addition and depending on whether you have given us your consent to do so, we may use your email address to send you occasional company news, updates, and related product or service information. If any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email that we send to you.

Please read on starting with chapter 5 below – the rest of this Privacy Policy will contain important information that will apply to you as well.

4. Privacy for Survey Recipients

4.1 Who is a Survey Recipient?

If you have been invited to participate in a zenloop survey by a Survey Sender (for example, on the Survey Sender’s website or via an email), and you visit our site to answer the survey, you are a “Survey Recipient”.

4.2 What information do we collect from Survey Recipients?

As a Survey Recipient, we collect the following information from you on behalf of the Survey Sender who invited to respond to a survey:

  • Survey responses: We collect and store the responses you give in response to the survey you are answering. Depending on the survey, that may include your name and/or other personal information. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b, Art. 28 para. 3 GDPR.
  • Email address: zenloop records your email address if the Survey Sender provides it to us in order to send you an invitation to a survey. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b, Art. 28 para. 3 GDPR. We trust that the creator has asked you for your consent beforehand. Of course, you may opt out from receiving survey invitations at any time by following the unsubscribe instructions at the bottom of each email that you receive through us.

4.3 How do we use the information we collect from Survey Recipients?

That depends on the type of information you provide to us: 

  • Survey responses: Your survey responses are owned and managed exclusively by the Survey Sender (the Survey Sender is usually the same person that invited you to the survey). Some Survey Senders may provide you with their own privacy policy at the time you take their survey, and we encourage you to review that to understand how the Survey Sender will handle your responses. Please note that zenloop is not responsible for the content of the survey in any way, so if you have any questions about a survey you are taking, please contact the Survey Sender directly. 

Other information: Other than survey responses, we use Survey Recipients’ information for the same purposes as any User information as described in chapter 2 above.

5. Data controller and data processor

zenloop is the data controller for any User and Survey Sender information that we collect. However, the data controller for the survey response data provided by Survey Respondents is the Survey Sender. The Survey Sender determines how their survey questions and responses are used. zenloop processes such data only on behalf of and in accordance with the Survey Sender’s instructions. If you have any questions about a survey you are taking, please contact the Survey Sender directly.

6. How long do we store your information?

We will store your personal data in accordance with applicable statutory retention periods. After expiration of that period, the corresponding data will be routinely deleted, as long as it is no longer necessary for the fulfillment of a contract between you and us. 

If you are a Survey Sender, when you cancel your account, all of your data and content will be deleted from our systems, as permitted by law. Please note that this content cannot be recovered once your account is cancelled. We are not liable for any loss or damage following, or as a result of, the cancellation of your account, and it is your responsibility to ensure that any content or data which you require is backed-up or replicated before cancellation. 

Notwithstanding the above, we will retain and use your information and data to comply with our legal obligations (including any statutory retention periods), resolve disputes, or enforce our agreements. We may also retain and use your information to the extent such information is incorporated in any of our statistical analyses, reports and benchmarks. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual.

7. How Users can control their information

7.1 Your rights as a data subject in general

Your rights in respect to our processing of your personal data include the following: 

  • Right of access: You may obtain from us free information about your personal data that is stored with and processed by us at any time, and a copy of this information (see chapter 7.2 below for more details).
  • Right to rectification: If you believe any of the personal data that we store or process about you is inaccurate or incomplete, you may request rectification of such incorrect or incomplete data (see chapter 7.2 below for more details).
  • Right to erasure (right to be forgotten): Where certain conditions are met, you may request erasure of your personal data at any time (see chapter 7.3 for more details).
  • Right to restriction of processing: Where certain conditions are met, you may obtain from us a restriction of processing (see chapter 7.4 for more details).
  • Right to object: At any time, you may object, on grounds relating to your particular situation, to the processing of your personal data (see chapter 7.5 for more details).
  • Right to data portability: You have the right to receive the personal data concerning you, which was provided to us, in a structured, commonly used and machine-readable format (see chapter 7.6 for more details).
  • Right to withdraw consent: Where our processing of your personal data is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of the processed based on your consent before its withdrawal (see chapter 7.7 for more details);
  • Right to lodge complaint: If you feel that any of our data processing measures or means are in violation of applicable law, you have the right to lodge a complaint with a supervisory authority (see chapter 7.8 for more details).

7.2 Can I access and correct my personal data?

Yes. By law, you have the right to review the personal information that zenloop holds about you, and you may also request us to correct, delete, restrict or block that data if required. You can exercise these rights at any time by contacting our privacy support at dpo@zenloop.com

If you are a Survey Sender, you may modify your personal information by logging in and visiting your settings on the “My Account” page and “Plan + Billing” page, following the instructions provided, or going to our “Contact Us” page. We encourage you to promptly update your personal information when it changes. 

If you are a Survey Recipient, please note that your personal data (including any personal data that may be contained in the survey responses you give) is managed and controlled exclusively by the Survey Sender – zenloop processes such data only on behalf of the Survey Sender, and in accordance with the Survey Sender’s instructions. If you would like to review, correct, delete, restrict or block your personal data or your survey responses, we ask that you please contact the Survey Sender directly.

7.3 What if I do not want my personal data to be processed?

If you do not want your personal data to be processed, you have the right to request that the data concerning you shall be erased without undue delay, provided that one of the following reasons applies and insofar the processing is not necessary: 

  • The personal data were collected for purposes or processed in any other way for which they are no longer necessary; 
  • You withdraw your consent, on which the processing is based and there is no other legal basis for processing; 
  • You object against the processing and there are no overriding legitimate grounds for the processing; 
  • The personal data have been unlawfully processed; 
  • The personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which we are subject; 
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

If the above-mentioned reasons applies and you wish to have your personal data deleted, please contact our privacy support at dpo@zenloop.com. We will then arrange for the deletion request to be complied with immediately.

7.4 Can I restrict what you do with my personal data?

Yes. You may obtain from us a so-called ‘restriction of processing’, where one of the following applies:

  • The accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of the personal data; 
  • The processing of your personal data is unlawful and you oppose the erasure of the personal data and request instead the restriction of their use; 
  • We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • You have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether our legitimate grounds override yours.

If one of the aforementioned conditions is met, and you wish to request the restriction of the processing of your personal data stored by us, you may contact us at any time to arrange for the restriction of the processing.

7.5 Can I object to the processing of my personal data?

Yes. You may at any time object, on grounds relating to your particular situation, to a processing of your personal data which is based on Article 6 (1) (e) or (f) GDPR. If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds in accordance with Article 21 (1) GDPR. 

Where we process personal data for direct marketing purposes, you also have the right to object at any time to the processing of your personal data for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes. 

Where we process personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, you may, on grounds relating to your particular situation, object to the processing of your personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.6 Can I get my data transferred to another controller?

You have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from us, provided that the processing is based on your consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means. 

Note that this transfer may be prohibited if the processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority vested in zenloop. In exercising your right to data portability, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.7 What happens if I change my mind – can I revoke my consent?

Yes. As stated under chapter 1.2 you will need to agree to this Privacy Policy, our Terms of Service and our Data Processing Agreement in order to have permission to use our service. However if you do not want to use our service any longer, you have the right to withdraw your consent to the processing of your personal data at any time. To do so, please contact our privacy support at dpo@zenloop.com. If you withdraw your consent, you may not be able to continue using our services. Note that the withdrawal or your consent will not affect the lawfulness of the data processes based on your consent before its withdrawal.

7.8 All went wrong – what can I do?

If you feel that our data protection measures are in violation of the law, insufficient or for any other reason you see fit, you have the right to lodge a complaint with a supervisory authority, in accordance with Article 77 GDPR.

8. Data security

8.1 Where is your data stored?

The servers that we use to host and process your data and information are located in Germany, a Member State of the European Union, or another signatory to the Agreement on the European Economic Area.

8.2 How do we safeguard your data

We are committed to handling your personal information and data with the utmost care. For this purpose, we have implemented and will maintain various technical and organizational measures here at zenloop. The measures that we undertake to protect your data are set out in our Data Security Concept, which you can find in annex 1. These measures are intended to protect your data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.

8.3 Is there a risk that my data could still be viewed by third parties?

Unfortunately, yes. Regardless of the security protections and precautions we take, there is always a risk that your personal data may be viewed and used by unauthorized third parties as a result of collecting and transmitting your data through the internet. If you have any questions about the security of your personal information, please contact our customer support at the “Contact Us” page.

9. What is the legal basis for all of this?

In processing your personal data, zenloop acts in accordance with applicable law at all times. We have named the appropriate legal basis for each data processing. Below we explain what they mean. We base our data related processes on Article 6 (1) (a) GDPR, which states that data processing is allowed if the data subject grants his or her consent for one or more specific purposes. 

If the processing of personal data is necessary for the performance of a contract to which you are a party (or in order to take steps at your request prior to entering into such contract), our processing is based on Article 6 (1) (b) GDPR. Pre-contractual measures can be broadly defined and can already represent surfing on our website. 

If zenloop is subject to a legal obligation which requires a processing of personal data (such as the fulfilment of tax obligations), our processing is based on Article 6 (1) (c) GDPR. 

In very rare cases, the processing of personal data by us may be necessary to protect the vital interests of a data subject or of another natural person; in these cases, our processing is based on Article 6 (1) (d) GDPR. 

We do not currently perform any tasks in the public interest or in the exercise of official authority vested in us; however, we may do so in the future, and where we do so, our processing is based in Article 6 (1) (e) GDPR. 

Finally, our processing of personal data is based on Article 6 (1) (f) GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if the processing is necessary for the purposes of the legitimate interested pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Where our processing of personal data is based on Article 6 (1) (f) GDPR, our legitimate interests are as briefly sketched, including to operate our website, to provide our service, to ensure the stability and security of our website and services, to personalize the experience of our users and respond to their individual needs (including to continually improve our website and our customer services), and to contact you for marketing purposes (where you have given us your consent to do so).

10. Does zenloop use automated decision-making?

No. As a responsible company, zenloop does not make use of any automatic decision-making.

11. Changes to this Privacy Policy

zenloop reserves the right to make changes to this Privacy Policy at any time by giving notice of the date of change on this page or elsewhere on this website. We strongly recommend that you check this page often, referring to the date of the last modification. If you object to any of the changes to this Privacy Policy, you must cease using zenloop.

12. How to contact us

Here are our contact details (pursuant to Article 4 para. 7 of the European General Data Protection Regulation GDPR): 

SaaS.group zenloop GmbH
Attilastraße 18
12529 Schönefeld, Deutschland

mail@zenloop.com 

If you have any questions regarding our Privacy Policy or practices, please also feel free to contact our data protection officer at any time at: dpo@zenloop.com

 

Annex 1 – Privacy Policy

Technical and organizational measures to ensure the security of processing

1. Measures to ensure confidentiality

1.1. Physical access control

Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media. Description of physical access control:

  • Safety locks on doors 
  • Careful selection of cleaning staff 
  • Admission management: authorized personnel and scope of authorization are pre-defined 
  • Careful selection of security staff 
  • Further measures by service provider

1.2. Logical access control

Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws. Description of logical access control system: 

  • Limitation of the number of authorized employees 
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change) 
  • User rights are granted restrictively 
  • All log-ons / log-offs are recorded 
  • Use of central password policy

1.3. Data access control

Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage. Description of data access control: 

  • Limitation of the number of authorized employees 
  • Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change) 
  • All data access is logged automatically 
  • Small number of system administrators 
  • Records and log files are analyzed regularly

1.4. Separation rule

Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes. Description of the separation control process: 

  • Systems allow for data segregation (multi-tenancy), data is segregated by software 
  • Productive systems and test systems are separated from each other 
  • Data sets can be accessed only through those applications which have been pre-defined 
  • Database user rights are issued and managed centrally

1.5. Pseudonymization measures

Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures. Description of the pseudonymization:

  • none due to work on a central server system

2.1. Transmission and transport control

Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment. Description of the transmission and transport control: 

  • HTTPS 
  • Unnecessary printouts are terminated 
  • No use of physical data carriers 
  • Comprehensive logging procedures 
  • No use of private data carriers at work

2.2. Input control

Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems. Description of the input control process:

  • Logging of all system activities and keeping of these logs for at least six months 
  • Use of central rights management for entering, altering and deleting data

3. Measures to ensure availability and resilience

3.1 Availability control

Measures to ensure that personal data are protected against accidental destruction or loss. Description of the availability control system: 

  • Backups are taken on a regular basis 
  • Backup and recovery plan is in place 
  • Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers 
  • Localisation 
  • Additionally diverse measure of server service providers

3.2. Quick recovery

Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident. Description of the measures for quick recovery:

  • Data backup procedure

4. Measures for the regular testing and evaluation of the security of data processing

Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller. Description of the order control measures:

  • Involvement of external data protection officers for all data protection-related questions 
  • Formalized processes for data privacy incidents