Security & Privacy
Version 1.1
Last update:
This page is the plain-language summary of how Zenovay handles your data. It is meant to be honest before it is reassuring: we list what we do, what we don't, and the things we don't yet have any right to claim.
If anything below contradicts our Privacy Policy, DPA, or Subprocessors list, the legally binding document wins. We treat divergence between this page and those documents as a bug — please report it.
Where your data lives
Zenovay's primary database (Supabase PostgreSQL) has been hosted in the European Union (eu-central-1, Frankfurt) since 24 April 2026. Cloudflare Workers run on the global edge; Cloudflare R2 (heatmap screenshots) is configured with an EU data location preference.
A small number of subprocessors are US-based (Stripe, Resend, OpenAI via Cloudflare AI Gateway). Transfers rely on the EU-US Data Privacy Framework where the recipient is DPF-certified, plus the 2021 Standard Contractual Clauses (Module 2) with supplementary technical measures. See the full subprocessor list.
What we collect (and what we don't)
On websites that use Zenovay's optional Cookieless Mode, the tracker stores no cookies and no localStorage. Visitor and session identifiers are computed in-memory from a daily-salted SHA-256 hash of the IP subnet, user agent, and a server-side rotating salt — these IDs vanish when the page unloads.
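The derivation described above can be sketched as follows. This is an added example, not Zenovay's code: the /24 and /48 prefix widths, the random in-memory daily salt, the NUL-separated hash input and the function names are all assumptions made for illustration.

```javascript
// Added illustration, not Zenovay's code. Assumed details: /24 and /48 prefixes,
// a random per-UTC-day salt held only in memory, NUL-separated hash input.
const { createHash, randomBytes } = require('node:crypto');

// Reduce an address to its network prefix so the host part never enters the hash.
function ipSubnet(ip) {
  if (ip.includes(':')) {
    const parts = ip.split('::');
    const h = parts[0] ? parts[0].split(':') : [];
    const t = parts[1] ? parts[1].split(':') : [];
    const fill = parts.length === 2 ? Array(Math.max(0, 8 - h.length - t.length)).fill('0') : [];
    const groups = [...h, ...fill, ...t];
    if (parts.length > 2 || groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
      throw new TypeError('invalid IPv6 address'); // IPv4-mapped forms are rejected too
    }
    return groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16)).join(':') + '::/48';
  }
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new TypeError('invalid IPv4 address');
  }
  return octets.slice(0, 3).join('.') + '.0/24';
}

// Return today's salt, creating it on first use and dropping every older one,
// so an identifier from a previous day cannot be recomputed afterwards.
function saltForDay(store, now) {
  const day = now.toISOString().slice(0, 10); // UTC calendar date
  if (!store.has(day)) {
    store.clear();
    store.set(day, randomBytes(32));
  }
  return store.get(day);
}

// SHA-256 over the fixed-length salt, then subnet and user agent separated by NUL.
function visitorId(ip, userAgent, salt) {
  return createHash('sha256')
    .update(salt).update('\0')
    .update(ipSubnet(ip)).update('\0')
    .update(userAgent)
    .digest('hex');
}
```

Under these assumptions, two visitors in the same subnet with the same user agent get the same identifier on a given day, and the same visitor gets an unrelated identifier once the salt rotates.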
When Cookieless Mode is not enabled by the site operator, the tracker may set first-party cookies (zenovay_visitor_id for 30 days, zenovay_session_id for 30 minutes). We never collect names, email addresses, payment details, or precise GPS coordinates from website visitors. We do not sell personal information, and we do not share for cross-context behavioural advertising; we honour the Global Privacy Control (GPC) signal.
For the legal-grade detail of every category, purpose, and legal basis, see the Privacy Policy.
How long we keep it
Raw analytics events are purged after the retention period defined by the customer's plan:
- Free: 1 year (365 days)
- Pro: 2 years (730 days)
- Scale: 4 years (1,460 days)
- Enterprise: configurable, default 4 years
Administrative audit logs (user actions, billing events, settings changes) are retained for 24 months. They contain no plaintext IP — only one-way SHA-256 hashes — and are purged automatically each day at 03:00 UTC.
How we protect it
- TLS 1.2+ enforced on every endpoint by Cloudflare. Internal Worker-to-Supabase traffic is TLS 1.3.
- All data at rest in Supabase is encrypted (AES-256). Cloudflare R2 objects are encrypted at rest. Supabase backups are encrypted.
- IP addresses are stored only as daily-salted SHA-256 hashes — never plaintext. This includes the visitors table, audit logs, and team audit logs. The plaintext column was dropped from the schema entirely on 2026-04-26.
- Postgres Row Level Security policies are enforced on every customer-data table. Service-role access is limited to the API worker; direct database access is not exposed.
- All administrative actions are logged immutably. The audit log table has INSERT-only RLS — no UPDATE or DELETE policies exist, so historical entries cannot be silently rewritten.
- Banned or revoked sessions are propagated to the edge within seconds via Cloudflare KV; in-flight refresh tokens are invalidated server-side.
Your rights
You can exercise the rights of access (GDPR Art. 15), rectification (Art. 16), erasure (Art. 17), portability (Art. 20), and objection (Art. 21) at any time. The free 'Download my personal data' export and the 'Delete account' flow are available in your Profile.
California residents have CCPA/CPRA rights to know, delete, correct, and opt out of sale or sharing. We honour the Global Privacy Control browser signal automatically — if your browser sends Sec-GPC: 1, we treat it as a valid opt-out without further action.
For written requests or jurisdiction-specific rights, see the Privacy Policy.
What we don't claim
Zenovay itself is not currently SOC 2 certified. Our infrastructure providers maintain industry-standard certifications: Cloudflare (SOC 2 Type II, ISO 27001, ISO 27018), Supabase (SOC 2 Type II). We will update this page if and when we obtain our own audit.
We do not claim ISO 27001, HIPAA, or PCI DSS certifications. We process payments through Stripe, which is PCI DSS Level 1 certified — Zenovay never touches raw card data. Automated weekly security scans (npm audit, Semgrep, gitleaks, OWASP ZAP, Lighthouse, Supabase Advisors) run against every production service every Monday; findings flow into a centralised review queue.
Report a security issue
If you find a security issue, please contact us at security@zenovay.com.
We aim to acknowledge reports within 48 hours. We do not yet operate a paid bug bounty programme; we credit responsible reporters by name (or pseudonym) on this page when they request it.