Understand Zenovay's data sharing practices, sub-processors, and your control over third-party access.
Our Data Sharing Principles
What We Don't Do
Zenovay commits to:
| Practice | Our Policy |
|---|---|
| Sell personal data | Never |
| Share for advertising | Never |
| Cross-site tracking | Never |
| Data broker transfers | Never |
| Unauthorized access | Never |
What We Do
We share data only for:
- Service delivery (hosting, processing)
- Customer support (your request)
- Legal compliance (when required)
Sub-Processors
Current Sub-Processors
These are the providers Zenovay uses to run the service. The authoritative, always-current list lives on our public sub-processors page at zenovay.com/legal/subprocessors.
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Edge compute, storage, CDN, DDoS/bot protection | United States (global edge) |
| Supabase | PostgreSQL database, auth, storage | European Union (Frankfurt) |
| Stripe | Payment and subscription processing | United States |
| Resend | Transactional email delivery | United States |
| Mapbox | Geolocation and 3D globe visualization | United States |
| OpenAI | AI features (insights, support assistant) | United States |
Sub-Processor Details
Cloudflare
- Purpose: Edge computing, key-value and object storage, static hosting, CDN, DDoS and bot protection
- Data: HTTP requests, IP addresses (transient)
- DPA: Yes
- Transfer mechanism: EU-US Data Privacy Framework
- Privacy: cloudflare.com/privacypolicy
Supabase
- Purpose: Primary database, authentication, and storage
- Data: Analytics and account data
- DPA: Yes
- Region: eu-central-1 (Frankfurt) — primary database region since 24 April 2026
- Privacy: supabase.com/privacy
Stripe
- Purpose: Payment processing, billing, and subscription management
- Data: Billing details
- DPA: Yes
- Transfer mechanism: EU-US Data Privacy Framework
- Privacy: stripe.com/privacy
Sub-Processor Updates
We keep the public sub-processors list current and update it when a provider changes. Before relying on Zenovay, review the live list at zenovay.com/legal/subprocessors and our Data Processing Agreement.
Data Access Control
Who Can Access Your Data
| Role | Access Level |
|---|---|
| Your team | Full (per permissions) |
| Zenovay support | On request only |
| Sub-processors | Technical only |
| Third parties | Never |
Support Access
Zenovay support can only access your data when you ask for help and grant access. When you open a support request, you control whether our team can view your workspace to investigate:
- Go to Support and start a new request
- Use the Allow support access option to grant or withhold workspace access
- Leave it off if you'd prefer support to work without viewing your data
Audit Log
Review workspace activity, including security-relevant actions:
- Go to Settings → Security → Audit Log
- Review the logged events
- Export the log if you need a copy for your records
Data Processing Agreement
DPA Contents
Our DPA covers:
- Subject matter and duration
- Nature and purpose of processing
- Types of personal data
- Data subject categories
- Your rights as controller
- Our obligations as processor
- Sub-processor requirements
- Security measures
- Data breach procedures
- Audit rights
- Data return/deletion
Reviewing the DPA
Our Data Processing Agreement is published at zenovay.com/legal/dpa. It applies to all customers as part of our terms. If you need a countersigned copy or have specific contractual requirements, email [email protected].
Standard Contractual Clauses
For international transfers, we rely on:
- EU Standard Contractual Clauses (2021)
- The EU-US and Swiss-US Data Privacy Framework, where the sub-processor is certified
Details for each provider are listed on the sub-processors page.
No Data Selling
CCPA Compliance
Under CCPA "sale" definition:
- We do not sell personal information
- We do not share for cross-context advertising
- We act as a service provider
Advertising Networks
We never share your analytics data with:
- Google Ads
- Facebook Ads
- Any advertising network
- Retargeting services
- Data brokers
Customer Data Isolation
Multi-Tenant Architecture
Your data is isolated:
Zenovay Infrastructure
├── Customer A Data (encrypted, isolated)
├── Customer B Data (encrypted, isolated)
└── Customer C Data (encrypted, isolated)
Each customer's data:
- Encrypted at rest
- Encrypted in transit
- Logically separated
- Access controlled
No Cross-Customer Access
- Customers cannot see each other's data
- Analytics are not combined
- No shared identifiers
Integration Data Sharing
When You Connect Integrations
You can connect a few external services to a website from its settings. Each one shares only the data needed for that integration:
| Integration | Data Shared | Purpose |
|---|---|---|
| Google Search Console | Search query and ranking data (read) | SEO insights |
| GitHub | Issue and commit metadata | Engineering context |
You control what's connected:
- Open the website's dashboard and go to its Settings
- Open the Integrations tab
- Connect or disconnect each service
Webhooks are managed separately under Settings → Security → API keys, where you can scope each webhook to a single website or to your whole workspace.
API Access
When you use our API (Pro and above):
- You control data flow
- Your responsibility after export
- We log API access
Compliance
Infrastructure Providers
Zenovay runs on infrastructure from providers with their own independent certifications (for example, Cloudflare holds SOC 2 Type II and ISO 27001, Supabase holds SOC 2 Type II, and Stripe is PCI DSS Level 1). Zenovay itself is not separately SOC 2 or ISO 27001 certified.
GDPR Readiness
We maintain:
- Records of processing
- DPAs with sub-processors
- Data breach procedures
- Regular security reviews
For our full security posture, see zenovay.com/legal/security.
Your Rights
Restrict Sharing
You can:
- Control support access when you open a request
- Disable integrations
- Export and delete your data
Data Portability
Export your personal data anytime — it's free on every plan and returned in machine-readable JSON.
See Data Export.
Account Deletion
Delete your account and its data:
- Go to your Profile (account section)
- Click Delete account
- Type
DELETEto confirm - Your account and associated data are permanently removed
Privacy Policy Requirements
Your Disclosure
Include in your privacy policy:
## Third-Party Analytics
We use Zenovay for website analytics. Zenovay:
- Processes visitor data on our behalf
- Does not sell personal data
- Does not share with advertisers
- Uses sub-processors for hosting and delivery
For more information, see Zenovay's privacy policy
at [zenovay.com/legal/privacy](https://zenovay.com/legal/privacy).
Link to Our Policy
Direct users to:
Questions and Contact
Privacy Questions
Contact us:
- Email: [email protected]
- Subject: "Privacy Inquiry"
Data Subject Requests
For visitor requests:
- You handle as the controller
- We assist as the processor
- API available for erasure/export
Security Concerns
Report to:
- Email: [email protected]
Best Practices
Regular Review
- Check the sub-processor list periodically
- Review integration permissions
- Audit team access
- Update your privacy policy
Documentation
Maintain records of:
- The DPA you rely on
- Sub-processor acknowledgments
- Integration configurations
- Access control settings
Communication
- Inform users of analytics use
- Respond to inquiries promptly
- Update policies when changes occur