For visually impaired users, this policy is available in large-type PDF upon request.

Privacy Policy for ZentroProp

Last Updated: May 22, 2025
Version: 1.1

1. Introduction

Welcome to ZentroProp ("we," "us," or "our"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services (the "Services").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.

2. Information We Collect

We may collect information about you in a variety of ways. The information we may collect via the Application includes:

Personal Data: Personally identifiable information, such as your name, email address, and other information you voluntarily give to us when choosing to participate in various activities related to the Application, such as registration, connecting your Gmail account, or contacting us.
Gmail Data:
- When you connect your Gmail account, we access your emails to provide our invoice processing services. This includes email content (subject, sender, body, date) and attachments.
- We securely store OAuth tokens provided by Google to maintain access to your Gmail account for the purpose of providing the Services. You can revoke this access at any time via your Google Account settings.
- From your emails and their attachments, we extract and may store information such as: sender email address, recipient email addresses, email subject, email body text, email date, attachment filenames, and the textual content of attachments (particularly PDFs and images that may contain invoice data). This information is used to identify and process potential invoices.
Data from Third-Party Services (e.g., OpenAI):
- Email snippets and extracted text are sent to OpenAI’s API. OpenAI processes this data only for the purpose of returning structured invoice information to our Services. We have opted out of data usage for training OpenAI's models and for data retention where such options are available via their API terms and data policies.
- We store the classification results from OpenAI (e.g., whether an email is identified as an invoice or receipt) and the structured data extracted by OpenAI (such as vendor name, invoice amount, due date, invoice number, and other relevant line items). This stored information is used to populate the invoice details within the ZentroProp application for your review and management.
Derivative Data: We do not currently collect derivative data such as IP addresses or browser types, nor do we use third-party analytics services to collect such information. Should this change in the future, this policy will be updated accordingly.

3. How We Use Your Information

Having accurate information permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Application to:

Create and manage your account.
Process your emails to identify and extract invoice information.
Generate PDF summaries or representations of emails identified as invoices.
Store and display processed invoice data for your access and management.
Communicate with you about your account or our services.
Improve the efficiency and operation of the Application.
Monitor and analyze usage and trends to improve your experience with the Application.
Comply with legal obligations.
Limited Use of Gmail Data: Notwithstanding anything else in this Privacy Policy, information received from Google APIs (such as Gmail data) will be used only to provide or improve user-facing features that are prominent in the application's user interface. We comply with the Google API Services User Data Policy, including its Limited Use requirements. This means:
- We do not use Gmail data for serving advertisements.
- We do not transfer Gmail data to others unless necessary for providing or improving the feature, complying with applicable laws, as part of a merger, acquisition, or sale of assets (with user consent where required), or for security purposes (e.g., investigating abuse).
- We do not allow humans to read your Gmail data unless we have your affirmative agreement for specific messages, it is necessary for security purposes, to comply with applicable laws, or for our internal operations on aggregated and anonymized data.
- Human access to your Gmail data will be strictly limited to specific security purposes, to comply with applicable law, or with your explicit consent for support and troubleshooting. When feasible, we redact personal information during such manual reviews.

4. Disclosure of Your Information

We may share information we have collected about you in certain situations. Your information may be disclosed as follows:

By Law or to Protect Rights: If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation.
Third-Party Service Providers: We may share your information with third parties that perform services for us or on our behalf, including:
- OpenAI (or similar LLM providers) for email content analysis and data extraction.
- Amazon Web Services (AWS) or similar cloud providers for data hosting (e.g., S3 for storing generated PDFs and invoice data, Heroku for application hosting).
Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Legal Requirements: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of ZentroProp, (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (iv) protect against legal liability.

International Transfers

We store and process your data on servers located in the United States. When we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to the US, we rely on Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) or the UK International Data Transfer Agreement (IDTA) or Addendum, as applicable, and supplementary safeguards where applicable.

5. Security of Your Information

We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. If we become aware of a personal-data breach, we will notify affected users and applicable regulators within 72 hours, where required by law.

6. Your Rights and Choices

Account Information: You may request to review, change, or terminate your account and associated information by contacting us at charles@zentroprop.com. We will respond to your request within a reasonable timeframe.
Revoking Gmail Access: You can disconnect your Gmail account from our Services at any time through your account settings page within the ZentroProp application. You can also revoke our application's access to your Gmail data directly from your Google Account security settings page: https://myaccount.google.com/permissions. Upon revocation, we will cease accessing your Gmail data.
Data Retention: We adhere to the following data retention schedule:
- Email bodies & attachments in raw form: Deleted approximately 24 hours after successful extraction and processing.
- Structured invoice data (extracted from emails/attachments): Retained as long as your account is active or until you choose to delete specific invoice records. Upon account closure, this data is purged from our primary databases within approximately 30 days and from backups within approximately 90 days.
- Gmail OAuth tokens: Deleted within approximately 1 hour of you disconnecting your Gmail account via our Services or upon account closure.
- Server access logs are retained for up to 30 days for security monitoring, then deleted or anonymized.

Additional Rights for EEA, UK, and Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to: (i) request access to your personal data, (ii) request correction or deletion, (iii) restrict or object to our processing, (iv) receive a copy of the data in portable form, and (v) lodge a complaint with a supervisory authority.

Our legal bases for processing your data are: performance of a contract (Art. 6 (1)(b) GDPR) for providing the Services, and legitimate interests (Art. 6 (1)(f) GDPR) for improving and securing the Services. Where we rely on consent (e.g., for connecting your Gmail account), you may withdraw it at any time.

Additional Rights for California Residents

California law grants you the right to request: (i) disclosure of the categories and specific pieces of personal information we collect, use, disclose, or sell; (ii) deletion of personal information; (iii) that we do not sell or share your personal information (we do not sell or share it – ‘Sell’ and ‘share’ have the meanings given in Cal. Civ. Code §1798.140); and (iv) freedom from discrimination for exercising these rights. Submit requests to privacy@zentroprop.com. We may need to verify your identity (e.g., through your account login or a signed declaration) before fulfilling a request.

7. Policy for Children

Our Services are not directed to or intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact us at the contact information provided below.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes, we will endeavor to notify you by email (if you have provided one) or through an in-app banner, where feasible, at least 30 days before such changes take effect. You are advised to review this Privacy Policy periodically for any changes.

9. Contact Us

If you have questions or comments about this Privacy Policy, please contact us at:

ZentroProp

General Inquiries Email: charles@zentroprop.com

Data Protection & Privacy Requests: privacy@zentroprop.com

PO Box 729, Lincoln, ME 04457

10. Cookies and Tracking Technologies

We currently do not use cookies or analytics pixels. Before we begin using such technologies, we will update this Policy and, where legally required, obtain your consent through a clear opt-in banner.

11. EU Representative

As we do not currently meet the thresholds requiring an EU representative under GDPR Article 27, this is not applicable at this time. This will be reassessed as our user base and processing activities evolve.