This Privacy Policy describes how Zendrhax ("we", "us", "our") collects, uses, and protects personal data when you use our SaaS platform and the apps we ship inside it (collectively, the "Service"). It applies to visitors, account holders, and every end user a Customer onboards into the Service.
If you have a question that isn't answered below, write to privacy@zendrhax.com.
Who we are
For purposes of EU/UK General Data Protection Regulation ("GDPR") and similar privacy laws:
- When you sign up for an account and use the platform shell, we are the controller of your personal data.
- When a Customer onboards their own end users or business contacts into an app (for example, by creating clients inside the Invoices app), the Customer is the controller and we act as processor. The terms of that processing are governed by our Data Processing Agreement.
What we collect
Information you give us directly
- Account data — name, work email, password (stored as an Argon2id hash), preferred language and theme, optional 2FA configuration.
- Workspace data — the workspaces you own or belong to and your role in each.
- Billing data — payment method tokens, billing address, and invoice history. Card numbers and CVCs never reach our servers — they go directly to Stripe, our payment processor.
- Support communications — anything you send to support@zendrhax.com or via the in-product contact form.
Information apps store about your business
Apps activated on your workspace (for example, the Invoices app) store the data you put into them: clients, documents, line items, notes. We hold this data as processor on your behalf — it stays inside your workspace and is included in your data export.
Information we collect automatically
- Authentication metadata — IP address, user-agent string, device label, timestamps of each session and each significant action (audit log).
- Login history — successful and failed sign-in attempts, flagged when they look suspicious so we can email you.
- Operational telemetry — request metrics, error stack traces, and performance counters used to keep the Service healthy. Stack traces may contain identifiers but not payload bodies.
Information we receive from third parties
- Stripe sends us payment status events so we can mark invoices paid or trigger dunning.
- Cloudflare Turnstile sends us a verdict on whether a registration looks like a bot.
- Sentry (when enabled by the operator) collects error reports forwarded by the platform.
We do not buy or rent personal data from data brokers.
How we use it
- Run the Service — authenticate you, route you to the right workspace, render apps, store the data you and your team enter.
- Bill you — process subscription payments and dunning.
- Protect the platform — detect abuse, rate-limit hostile traffic, send suspicious-login alerts, retain audit logs as a forensic trail.
- Improve the product — analyse aggregated metrics to decide what to ship next. We never read your business data for product ideation.
- Communicate with you — transactional emails (account activation, password reset, billing receipts, security alerts) and optional weekly digests you can disable from your settings.
We do not use your personal data for advertising. We do not sell it.
Legal bases (GDPR Article 6)
- Contract performance — running the Service you signed up for and processing the payments you owe.
- Legitimate interests — keeping the platform secure, preventing abuse, communicating about your account. Where these conflict with your rights, your rights win.
- Consent — for optional features you opt into (weekly digest, non-essential cookies).
- Legal obligation — retaining records we're required to keep for tax, accounting, or law-enforcement requests with proper legal process.
Sharing
We share personal data only with the sub-processors listed at /legal/sub-processors, with each acting under a written contract that mirrors our own obligations to you.
We also disclose data when required by law (subpoena, court order, valid government request) and when necessary to protect the Service, our users, or the public from imminent harm. Every such disclosure is logged.
Storage and retention
- Active data stays on the Service as long as your account is active.
- Workspace data survives until the workspace is deleted by its Owner. We retain backups of deleted data for up to 30 days before they roll out of retention.
- Audit logs are retained according to your plan's audit_log_retention_days feature (Free 30 / Starter 90 / Pro 365 / Enterprise unlimited).
- Account anonymisation under GDPR Article 17 scrubs PII in place and hard-deletes auth artefacts. See Delete your account in the Help Center.
We host the Service on Hostinger's European and US infrastructure. Personal data may be processed in either region depending on the operator's region settings; in all cases the same protections apply.
Your rights
You can exercise the following rights from your account or by emailing privacy@zendrhax.com:
- Access — GET /me/data-export returns a JSON archive of all data keyed to your user. Rate-limited to one export per 24h.
- Erasure — POST /me/data-deletion-request schedules anonymisation after a 14-day grace window.
- Rectification — edit your profile from /settings or write to support for fields the UI doesn't expose.
- Portability — the data export is in machine-readable JSON.
- Restriction / Objection — write to privacy@zendrhax.com.
- Lodge a complaint with the data protection authority of your EU member state, the UK ICO, or your local equivalent. We'd rather hear from you first so we can fix it.
Security
- TLS 1.2+ for all data in transit.
- Passwords hashed with Argon2id; webhook signing secrets and 2FA secrets stored encrypted at rest.
- Multi-tenant isolation enforced on every database read/write.
- Daily backups with weekly automated restore drills.
- Per-tenant outbound mail rate limiting to protect the platform's sender reputation when a tenant is compromised.
The detailed technical and organisational measures are listed in Annex B of our DPA.
Children
The Service is for business use and is not directed to children under 16. If you believe a child has signed up, write to privacy@zendrhax.com and we'll remove the account.
Changes to this policy
We may update this policy as the Service evolves. Material changes are announced in-product and by email to active account holders at least 14 days before they take effect. The current version is always available at this URL.
Contact
- General privacy questions — privacy@zendrhax.com
- Data Processing Agreement — legal@zendrhax.com
- Customer support — support@zendrhax.com