Effective date: January 17, 2026
GDPR Compliance Summary
ZenAI processes personal data only to deliver catalog intelligence, product recommendations, and related SaaS capabilities. This page describes how we meet our obligations under the EU General Data Protection Regulation (GDPR).
1. Roles & Responsibilities
When retailers upload catalog files or call the ZenAI API, they act as the data controller. ZenAI operates as the data processor, handling data strictly according to customer instructions and the Data Processing Agreement (DPA).
2. Lawful Basis & Purpose Limitation
The controller must ensure a lawful basis (e.g., consent or legitimate interest) before sharing EU personal data. ZenAI processes that data solely to rank products, train recommendation vectors, deliver analytics, and improve fraud/misuse detection. We never sell or repurpose customer data.
3. Data Subject Rights
- Access & Portability: Export product and user interaction data through the dashboard CSV tools or API.
- Rectification & Deletion: Update or purge records via the dashboard, API, or by opening a ticket with our support team.
- Restriction & Objection: Suspend processing for specific identifiers by flagging them in your account settings or contacting us.
We respond to controller-submitted requests within 30 days and log all actions for auditability.
4. Security & Sub-processors
ZenAI encrypts data in transit (TLS 1.2+) and at rest (AES-256). Access is limited to vetted personnel with MFA. Infrastructure is hosted in EU data centers with ISO 27001-certified vendors. Current sub-processors include:
- Infrastructure: DigitalOcean, AWS, or comparable hosting
- Data stores: relational databases and vector databases
- Payments: Stripe
- Error Monitoring: Sentry / self-hosted equivalent
We maintain signed DPAs with each provider and will notify controllers before onboarding new ones.
5. Data Retention & Deletion
Catalog imports and derived embeddings are retained for the duration of the subscription and deleted within 30 days of termination unless required by law. Raw access logs are rotated out and deleted after 90 days. Customers may trigger on-demand purges through the dashboard or API.
6. International Transfers
Where data leaves the EEA, ZenAI relies on Standard Contractual Clauses (SCCs) and continuous risk assessments. Customers can pin data residency to EU regions via the deployment settings page.
7. Reporting & Contact
Security incidents are reported to affected controllers without undue delay and, when applicable, to supervisory authorities. Questions, DPA requests, or Data Protection Officer inquiries can be sent to office@zenaisoftware.com.