Last Update: April 23, 2023
1. Welcome to zenloop!
Your privacy is important to us
1.1 Who we are
1.3 What ‘Personal Data’ means
“Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
1.4 Users, Survey Senders and Survey Recipients
Click on the part that applies to you:
2. Privacy for Users
2.1 Who is a User?
If and while you visit our site www.zenloop.com, even without registering for an account, you are a “User” of our site.
2.2 What information do we collect from Users?
We collect the following information from all of our Users in the background while they browse our site:
- Statistical usage data: We collect and analyze data about how you found our site, how you browse, how long you stay on it, and what you click on during your stay.
- Device and application data: We collect data from the device (for example, if you use a laptop or smartphone) and application (for example, whether you are using Chrome or Firefox) you use to access our site. This includes your public IP address, from which we may also infer your geographic location.
- Referral data: If you arrive at our site from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.
- Information from cookies and page tags: We use third party tracking services that employ cookies and page tags (also known as web beacons or web bugs) to collect aggregated and anonymized data about visitors to our websites. This data may include usage and User statistics.
If you interact with our site in certain ways, we will also collect the following information from you:
- Voluntary information: We may collect additional personal information or data from you if you submit it to us voluntarily in other contexts, such as testimonials or public contests.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the interest to enable you to visit the website and to guarantee the long-term operability and security of our systems. The legal basis for the collection of voluntary data is Art. 6 Para. 1 S. 1 lit. b DSGVO.
2.3 How do we use the information we collect from Users?
We use the information we collect from Users:
- To personalize your experience: Your information helps us to better respond to your individual needs.
- To improve our website: We continually strive to improve our website offerings based on the information and feedback we receive from you.
- To improve customer service: Your information helps us to more effectively respond to your customer service requests and support needs, including to help us evaluate or devise new features.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.
- Additionally, we may compile statistical and other information related to the performance, operation and use of our services. Service analyses will not incorporate your data in a form that could identify or serve to identify you. We may anonymize your personal data and perform the processing steps necessary for such anonymization. Anonymized or aggregated data are no longer considered personal data. While maintaining anonymity, zenloop may use all data created for its own purposes, such as statistical analyses, industry comparisons, benchmarking, research and development and other purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.
2.4 When and with whom do we share your information?
zenloop recognizes that you have entrusted us with safeguarding the privacy of your information. Because that trust is very important to us, we will disclose or share your information only in limited circumstances, in accordance with applicable law. In particular, we may disclose your information:
2.4.1. To zenloop companies
zenloop’s affiliated entities:
- zenloop Ltd., situated at 128 City Road, London EC1V 2NX, United Kingdom
2.4.2. To our service providers
zenloop uses third-party service providers who help us to provide you with our services. These including credit card and payment processors, data hosting service providers, and providers of web analytics tools. We will give these providers access to your information, but only to the extent necessary for them to perform their services for us. We also contractually bind these service providers to keep your information confidential and to use it only for the purpose of providing their services. Your data may be transferred to the jurisdictions which are considered by the European Commission to be offering an adequate level of protection for personal data and to the countries with a lower data protection standard than the European Union. We take appropriate contractual or other steps to protect your data under applicable laws, including implementing the European Commission’s standard contractual clauses.
The third party service providers we use are:
- If required or permitted by law. Sometimes, public authorities (such as courts, government agencies, public prosecutors, antitrust authorities and others) may require us to disclose information to them in the exercise of their duties (for example in order to investigate, prevent, or take action regarding illegal activities). We may disclose your information as required or permitted by law, including when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.
- If there is a change in business ownership or structure at zenloop. If ownership of all or substantially all of our business changes (whether by share deal or asset deal), or we undertake a corporate reorganization (including a merger or consolidation, or any measures pursuant to the German Transformation Act), you expressly consent to zenloop transferring your information to the new owner or successor entity so that we can continue providing our services. If required, zenloop will notify the applicable data protection agency in each jurisdiction of such a transfer in accordance with the notification procedures under applicable data protection laws.
- When we have your permission to do so. Of course, there may also be instances where, in addition to the above, you have given us your express consent to disclose your information to others. This may be the case, for example, where you provide a testimonial about your zenloop experience, or where, with your consent, we disclose your contact details to third parties in order for them to contact you for marketing purposes.
Types and functions of cookie:
- Essential cookies: certain cookies are required to enable the core functionality of our website. You cannot disable essential cookies.
Other types of cookies: we also use other types of cookies to make our website interesting and helpful to you:
- Functionality cookies: we want to ensure that your preferences and settings are recognized when you visit our website. Functionality cookies make our website easier to use.
- Analytics and statistics cookies: these cookies help us to obtain statistical information about the use of our website and to improve our website. These cookies help us to analyze and optimize our services in a pseudonymous way.
- Marketing cookies: these technologies are used by advertisers to serve ads based on your interests.
For an overview of all cookies we use, please click here [link].
Click here to reject tracking cookies.
3. Privacy for Survey Senders
3.1 Who is a Survey Sender?
If you register with a zenloop account and subscribe to one of our subscription plans in order to conduct surveys, you are a Survey Sender.
3.2 What information do we collect from Survey Senders?
As a Survey Sender, we collect and use your information as described in chapter 2 above. Additionally, we collect the following information from you while you use our service:
- Registration information: You need a zenloop account before you can create surveys on zenloop. When you sign up for an account on our site, we will collect the information that you provide to us when you register for an account, including your first and last name, email address, username, password, company name.
- Billing information: If you subscribe to one of our subscription plans, we will require you to provide your billing details, including your billing name, billing address, and additional financial information depending on the payment method you chose. We will also store information about your individual subscription plan (including the date when you sign-up and dates of any renewals).
- “My Account” settings: You can view and edit various preferences and personal details through your “My Account” settings on our platform. For example, you can set preferences such as your default language and default time zone.
- Survey data: We collect and store all the questions and responses to the surveys you create and run through our service, including statistics or insights. Of course, on top of keeping this information secure, we also keep it confidential at all times: Only your account has access to your survey questions and responses at any time.
- Recipient data: zenloop allows you to import your Survey Recipients’ personal information (for instance, email addresses), so that you can easily invite Survey Recipients to take surveys, and later analyze their results. We will store and process this data exclusively as data processor on your behalf and at your direction.
The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b GDPR.
3.3 How do we use the information we collect from Survey Senders?
We use Survey Senders’ information for the same purposes as any User information as described in chapter 2 above.
Additionally, we also use Survey Senders’ information:
- To provide our service: We will use your registration information, billing information, “My Account” settings, and your survey and recipient data, to provide our service to you. This will include providing you with customer support, which requires us to access your information to assist you. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.
- To create service analyses: We will use your information in aggregated form to create reports or benchmarks. This means that we may use your information for security and operations management, to create statistical analyses, and for research and development purposes. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.
- To create service analyses, research and product development: We may compile statistical and other information related to the performance, operation and use of our services. Service analyses will not incorporate your data in a form that could identify or serve to identify you. We may anonymize your personal data and perform the processing steps necessary for such anonymization. Anonymized or aggregated data are no longer considered personal data. While maintaining anonymity, zenloop may use all data created for its own purposes, such as statistical analyses, industry comparisons, benchmarking, research and development and other purposes. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service.
- To send you periodic emails: The email address you provide as part of your registration information may be used to send you information and updates pertaining to your order. The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR
- To send you feedback requests: We may send you emails to request an evaluation of zenloop and our services. These emails do not include any promotional content. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on the legitimate interest in increasing the attractiveness of our service. If at any time you would like to unsubscribe from receiving future emails, we include unsubscribe instructions at the bottom of each email that we send to you.
- To contact you for marketing purposes: In addition and depending on whether you have given us your consent to do so, we may use your email address to send you occasional company news, updates, and related product or service information. If any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email that we send to you.
4. Privacy for Survey Recipients
4.1 Who is a Survey Recipient?
If you have been invited to participate in a zenloop survey by a Survey Sender (for example, on the Survey Sender’s website or via an email), and you visit our site to answer the survey, you are a “Survey Recipient”.
4.2 What information do we collect from Survey Recipients?
As a Survey Recipient, we collect the following information from you on behalf of the Survey Sender who invited to respond to a survey:
- Survey responses: We collect and store the responses you give in response to the survey you are answering. Depending on the survey, that may include your name and/or other personal information. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b, Art. 28 para. 3 GDPR.
- Email address: zenloop records your email address if the Survey Sender provides it to us in order to send you an invitation to a survey. The legal basis for the collection of data is Art. 6 para. 1 sentence 1 lit. b, Art. 28 para. 3 GDPR. We trust that the creator has asked you for your consent beforehand. Of course, you may opt out from receiving survey invitations at any time by following the unsubscribe instructions at the bottom of each email that you receive through us.
4.3 How do we use the information we collect from Survey Recipients?
That depends on the type of information you provide to us:
Other information: Other than survey responses, we use Survey Recipients’ information for the same purposes as any User information as described in chapter 2 above.
5. Data controller and data processor
zenloop is the data controller for any User and Survey Sender information that we collect. However, the data controller for the survey response data provided by Survey Respondents is the Survey Sender. The Survey Sender determines how their survey questions and responses are used. zenloop processes such data only on behalf of and in accordance with the Survey Sender’s instructions. If you have any questions about a survey you are taking, please contact the Survey Sender directly.
6. How long do we store your information?
We will store your personal data in accordance with applicable statutory retention periods. After expiration of that period, the corresponding data will be routinely deleted, as long as it is no longer necessary for the fulfillment of a contract between you and us.
If you are a Survey Sender, when you cancel your account, all of your data and content will be deleted from our systems, as permitted by law. Please note that this content cannot be recovered once your account is cancelled. We are not liable for any loss or damage following, or as a result of, the cancellation of your account, and it is your responsibility to ensure that any content or data which you require is backed-up or replicated before cancellation.
Notwithstanding the above, we will retain and use your information and data to comply with our legal obligations (including any statutory retention periods), resolve disputes, or enforce our agreements. We may also retain and use your information to the extent such information is incorporated in any of our statistical analyses, reports and benchmarks. Please note that these analyses, reports and benchmarks will not incorporate your information in a form that could identify or reasonably serve to identify any individual.
7. How Users can control their information
7.1 Your rights as a data subject in general
Your rights in respect to our processing of your personal data include the following:
- Right of access: You may obtain from us free information about your personal data that is stored with and processed by us at any time, and a copy of this information (see chapter 7.2 below for more details).
- Right to rectification: If you believe any of the personal data that we store or process about you is inaccurate or incomplete, you may request rectification of such incorrect or incomplete data (see chapter 7.2 below for more details).
- Right to erasure (right to be forgotten): Where certain conditions are met, you may request erasure of your personal data at any time (see chapter 7.3 for more details).
- Right to restriction of processing: Where certain conditions are met, you may obtain from us a restriction of processing (see chapter 7.4 for more details).
- Right to object: At any time, you may object, on grounds relating to your particular situation, to the processing of your personal data (see chapter 7.5 for more details).
- Right to data portability: You have the right to receive the personal data concerning you, which was provided to us, in a structured, commonly used and machine-readable format (see chapter 7.6 for more details).
- Right to withdraw consent: Where our processing of your personal data is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of the processed based on your consent before its withdrawal (see chapter 7.7 for more details);
- Right to lodge complaint: If you feel that any of our data processing measures or means are in violation of applicable law, you have the right to lodge a complaint with a supervisory authority (see chapter 7.8 for more details).
7.2 Can I access and correct my personal data?
Yes. By law, you have the right to review the personal information that zenloop holds about you, and you may also request us to correct, delete, restrict or block that data if required. You can exercise these rights at any time by contacting our privacy support at firstname.lastname@example.org.
If you are a Survey Sender, you may modify your personal information by logging in and visiting your settings on the “My Account” page and “Plan + Billing” page, following the instructions provided, or going to our “Contact Us” page. We encourage you to promptly update your personal information when it changes.
If you are a Survey Recipient, please note that your personal data (including any personal data that may be contained in the survey responses you give) is managed and controlled exclusively by the Survey Sender – zenloop processes such data only on behalf of the Survey Sender, and in accordance with the Survey Sender’s instructions. If you would like to review, correct, delete, restrict or block your personal data or your survey responses, we ask that you please contact the Survey Sender directly.
7.3 What if I do not want my personal data to be processed?
If you do not want your personal data to be processed, you have the right to request that the data concerning you shall be erased without undue delay, provided that one of the following reasons applies and insofar the processing is not necessary:
- The personal data were collected for purposes or processed in any other way for which they are no longer necessary;
- You withdraw your consent, on which the processing is based and there is no other legal basis for processing;
- You object against the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed;
- The personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which we are subject;
- The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
If the above-mentioned reasons applies and you wish to have your personal data deleted, please contact our privacy support at email@example.com. We will then arrange for the deletion request to be complied with immediately.
7.4 Can I restrict what you do with my personal data?
Yes. You may obtain from us a so-called ‘restriction of processing’, where one of the following applies:
- The accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
- The processing of your personal data is unlawful and you oppose the erasure of the personal data and request instead the restriction of their use;
- We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- You have objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether our legitimate grounds override yours.
If one of the aforementioned conditions is met, and you wish to request the restriction of the processing of your personal data stored by us, you may contact us at any time to arrange for the restriction of the processing.
7.5 Can I object to the processing of my personal data?
Yes. You may at any time object, on grounds relating to your particular situation, to a processing of your personal data which is based on Article 6 (1) (e) or (f) GDPR. If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds in accordance with Article 21 (1) GDPR.
Where we process personal data for direct marketing purposes, you also have the right to object at any time to the processing of your personal data for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Where we process personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, you may, on grounds relating to your particular situation, object to the processing of your personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.6 Can I get my data transferred to another controller?
You have the right to receive your personal data in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from us, provided that the processing is based on your consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means.
Note that this transfer may be prohibited if the processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority vested in zenloop. In exercising your right to data portability, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
7.7 What happens if I change my mind – can I revoke my consent?
7.8 All went wrong – what can I do?
If you feel that our data protection measures are in violation of the law, insufficient or for any other reason you see fit, you have the right to lodge a complaint with a supervisory authority, in accordance with Article 77 GDPR.
8. Data security
8.1 Where is your data stored?
The servers that we use to host and process your data and information are located in Germany, a Member State of the European Union, or another signatory to the Agreement on the European Economic Area.
8.2 How do we safeguard your data
We are committed to handling your personal information and data with the utmost care. For this purpose, we have implemented and will maintain various technical and organizational measures here at zenloop. The measures that we undertake to protect your data are set out in our Data Security Concept, which you can find in annex 1. These measures are intended to protect your data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.
8.3 Is there a risk that my data could still be viewed by third parties?
Unfortunately, yes. Regardless of the security protections and precautions we take, there is always a risk that your personal data may be viewed and used by unauthorized third parties as a result of collecting and transmitting your data through the internet. If you have any questions about the security of your personal information, please contact our customer support at the “Contact Us” page.
9. What is the legal basis for all of this?
In processing your personal data, zenloop acts in accordance with applicable law at all times. We have named the appropriate legal basis for each data processing. Below we explain what they mean. We base our data related processes on Article 6 (1) (a) GDPR, which states that data processing is allowed if the data subject grants his or her consent for one or more specific purposes.
If the processing of personal data is necessary for the performance of a contract to which you are a party (or in order to take steps at your request prior to entering into such contract), our processing is based on Article 6 (1) (b) GDPR. Pre-contractual measures can be broadly defined and can already represent surfing on our website.
If zenloop is subject to a legal obligation which requires a processing of personal data (such as the fulfilment of tax obligations), our processing is based on Article 6 (1) (c) GDPR.
In very rare cases, the processing of personal data by us may be necessary to protect the vital interests of a data subject or of another natural person; in these cases, our processing is based on Article 6 (1) (d) GDPR.
We do not currently perform any tasks in the public interest or in the exercise of official authority vested in us; however, we may do so in the future, and where we do so, our processing is based in Article 6 (1) (e) GDPR.
Finally, our processing of personal data is based on Article 6 (1) (f) GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if the processing is necessary for the purposes of the legitimate interested pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Where our processing of personal data is based on Article 6 (1) (f) GDPR, our legitimate interests are as briefly sketched, including to operate our website, to provide our service, to ensure the stability and security of our website and services, to personalize the experience of our users and respond to their individual needs (including to continually improve our website and our customer services), and to contact you for marketing purposes (where you have given us your consent to do so).
10. Does zenloop use automated decision-making?
No. As a responsible company, zenloop does not make use of any automatic decision-making.
12. How to contact us
Here are our contact details (pursuant to Article 4 para. 7 of the European General Data Protection Regulation GDPR):
SaaS.group zenloop GmbH
12529 Schönefeld, Deutschland
Technical and organizational measures to ensure the security of processing
1. Measures to ensure confidentiality
1.1. Physical access control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media. Description of physical access control:
- Safety locks on doors
- Careful selection of cleaning staff
- Admission management: authorized personnel and scope of authorization are pre-defined
- Careful selection of security staff
- Further measures by service provider
1.2. Logical access control
Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws. Description of logical access control system:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- User rights are granted restrictively
- All log-ons / log-offs are recorded
- Use of central password policy
1.3. Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage. Description of data access control:
- Limitation of the number of authorized employees
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- All data access is logged automatically
- Small number of system administrators
- Records and log files are analyzed regularly
1.4. Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes. Description of the separation control process:
- Systems allow for data segregation (multi-tenancy), data is segregated by software
- Productive systems and test systems are separated from each other
- Data sets can be accessed only through those applications which have been pre-defined
- Database user rights are issued and managed centrally
1.5. Pseudonymization measures
Measures that reduce direct references to persons during processing in such a way that it is only possible to associate data with a specific person if additional information is included. The additional information must be kept separately from the pseudonym by appropriate technical and organizational measures. Description of the pseudonymization:
- none due to work on a central server system
2.1. Transmission and transport control
Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers. Furthermore measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment. Description of the transmission and transport control:
- Unnecessary printouts are terminated
- No use of physical data carriers
- Comprehensive logging procedures
- No use of private data carriers at work
2.2. Input control
Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems. Description of the input control process:
- Logging of all system activities and keeping of these logs for at least six months
- Use of central rights management for entering, altering and deleting data
3. Measures to ensure availability and resilience
3.1 Availability control
Measures to ensure that personal data are protected against accidental destruction or loss. Description of the availability control system:
- Backups are taken on a regular basis
- Backup and recovery plan is in place
- Data backup files are stored at a safe and remote location, diverse additional measures taken by suppliers
- Additionally diverse measure of server service providers
3.2. Quick recovery
Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident. Description of the measures for quick recovery:
- Data backup procedure
4. Measures for the regular testing and evaluation of the security of data processing
Measures to ensure that the data are processed securely and in compliance with data protection regulation. Measures to ensure that personal data processed on behalf of the Controller can only be processed in accordance with the instructions of the Controller. Description of the order control measures:
- Involvement of external data protection officers for all data protection-related questions
- Formalized processes for data privacy incidents