GDPR Article 20 (Right to Data Portability) gives you the right to receive your personal data in a structured, commonly-used, machine-readable format. Zenovay supports this as a self-service download — no support ticket needed.
How to run the export
- Sign in to app.zenovay.com.
- Go to Settings → Account.
- In the Download your data section, click Download.
The export is built on the spot. For most accounts it's ready in a few seconds; very large accounts (lots of history) take a little longer, but it still downloads in one go.
When it's ready, your browser downloads a single JSON file named zenovay-personal-data-<your-id>-<date>.json. There's no link to chase and nothing expires — if you want a fresh copy later, just click Download again.
What's in the file
The download is one JSON document with a top-level key per category. The main sections:
| Section | Contents |
|---|---|
user | Your account email, name, locale and UI preferences, consent flags, access tier, signup date, and activity timestamps. |
websites | Metadata for every website you own or can access via a team — domain, name, tracking code, and an isOwner flag. (No visitor data — that's per-website business data, not your personal data.) |
teamMemberships | Every team you're a member of, with your role, join date, and the team's plan (no billing details). |
oauthIdentities | Linked Google/GitHub accounts (provider and profile metadata; never the password or token). |
mfa / passkeys | Registered TOTP, WebAuthn/passkey devices, and backup-code counts (no secrets). |
apiKeys / personalApiKeys | API key metadata (name, prefix, usage) — never the secret key material. |
supportTickets, referralProgram, notificationPreferences | Tickets you opened, your referral code and totals, your notification opt-ins. |
auditTrail | Actions you took and admin actions taken on your account. |
It also includes your saved queries, AI chats, integrations metadata, onboarding progress, and other data tied to you — the file's own notice section explains exactly what's included and what's deliberately left out.
Everything is plaintext JSON, UTF-8 encoded. The structure is intentionally simple so you can grep, jq, or import it without specialised tooling.
What's NOT in the file
- Visitor analytics for websites you own — those visitors are not "you", so they're not your personal data under Article 20. That data is the website-operator's business data, exportable separately via the in-app analytics export.
- Authentication secrets: MFA secrets, WebAuthn/passkey credential material, API key hashes, password hashes, and OAuth integration tokens. Their metadata (that you have N factors, that you linked GitHub on date X) is included, but the secrets themselves never are — exporting them would compromise your account (GDPR Recital 63).
- Team billing details (payment method, billing email, Stripe customer of the team) — those are the personal data of whoever pays for the team, not necessarily you.
- Admin moderation notes about you. The fact of any account restriction is included; the admin's qualitative reasoning is not.
- IP addresses, which Zenovay stores only as one-way, daily-salted SHA-256 hashes — the hashes can't be reversed and aren't included.
Article 15 vs Article 20
- Article 15 (Right of Access) — broader: you can request a description of what data we hold about you and why, even if we don't deliver it as a file.
- Article 20 (Right to Portability) — narrower but more useful: a machine-readable file you can re-upload to a competitor or feed into your own systems.
This self-service export covers both — it includes the data we hold about you, not just the data you provided. If you need a written description for a regulator, email [email protected].
Plan applicability + cost
Free, on every plan. Article 20 cannot be paywalled — we can't legally charge for the export, and we don't.