How quickly can I get started with Zenovay?

Getting started takes less than 5 minutes. Simply sign up for a free account, add our one-line JavaScript code to your website, and you will start seeing visitor data on the 3D globe immediately. No complex configuration or technical expertise required.

Is Zenovay GDPR and privacy compliant?

Yes. Zenovay is designed with privacy-first principles and complies with GDPR, CCPA, and other privacy regulations. Our analytics use minimal, essential cookies for session management and do not use cross-site tracking or fingerprinting. We do not sell visitor data. See our Cookie Policy and Privacy Policy for full details.

What makes the visitor value scoring so accurate?

Our AI analyzes multiple behavioral signals including page views, time on site, scroll depth, interaction patterns, and conversion indicators. The algorithm learns from your specific website patterns to assign value scores that correlate strongly with actual conversions and business value.

Can I integrate Zenovay with my existing tools?

Yes! Zenovay provides a comprehensive API and webhooks for custom integrations. Connect with tools like Stripe, Slack, and Zapier, or build custom integrations with our REST API. Our team can help set up complex integrations for Enterprise customers.

What happens if I exceed my plan visitor limit?

We never stop tracking your visitors or cut off your service. If you exceed your plan limit, we will notify you and you can upgrade to accommodate your growth. For occasional spikes, we provide a small buffer. We believe growing businesses should not be penalized for success.

How accurate is the geographic location data?

Our location data is highly accurate, typically within city-level precision (85-95% accuracy). We use multiple IP geolocation databases and advanced algorithms to ensure the most accurate positioning on the 3D globe. Enterprise customers can access even more precise data.

Can I customize the dashboard and reports?

Absolutely! Pro and Enterprise plans include custom dashboard creation, white-label reporting, and the ability to create custom metrics and segments. You can save multiple dashboard views, schedule automated reports, and share specific insights with team members.

What kind of support do you provide?

We provide email support for all users, with priority support for paid plans. Enterprise customers get dedicated phone support and a dedicated account manager. Our support team consists of analytics experts who can help with setup, optimization, and strategy.

Is there a long-term contract required?

No contracts required! All our plans are month-to-month or yearly (with a discount). You can upgrade, downgrade, or cancel anytime. We believe in earning your business every month by providing exceptional value, not by locking you into long contracts.

Is there a free plan?

Yes! Zenovay includes a free plan with 1 website, 2 team members, and 1 year of data retention. No credit card required. You can upgrade to a paid plan anytime for more websites, team members, and longer data retention.

Data Processing Agreement

Last update: February 8, 2026

This Data Processing Agreement ("DPA" or "Addendum"), including the Standard Contractual Clauses (as defined below) attached hereto (collectively, the "DPA"), is made and entered into as of the effective date (the "Effective Date") of the applicable customer's ("Customer") acceptance of the Terms of Service between Zenovay Inc. ("Company" or "Zenovay") and Customer to which this DPA is attached and incorporated (the "Agreement"). All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement.

This Addendum shall become legally binding upon Customer entering into the Agreement or upon execution of this Addendum.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

"Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
"Data Subject" means (i) an identified or identifiable natural person who is in the EEA or whose rights are protected by EU Data Protection Laws; or (ii) a "Consumer" as the term is defined in the CCPA.
"Customer Data" means any content, data, information or other materials (including Personal Information) that Customer, End Users, or Customer's Affiliates submit to, or which are collected by, the Services for processing by Zenovay in connection with the Services.
"EEA" means the European Economic Area.
"EU Data Protection Laws" means all data protection laws and regulations applicable to the processing of Personal Information under the Agreement, including, where applicable, EU Directive 95/46/EC, Regulation (EU) 2016/679 ("GDPR"), the EU e-Privacy Directive (Directive 2002/58/EC), the Swiss Federal Act on Data Protection ("nDSG", in force since 1 September 2023), and any national implementing laws.
"Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject. Personal Information includes information that is considered "personal data", "personally identifiable information", or similar terms as defined by applicable Data Protection Laws.
"Processing" means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission Decision 2021/914 of 4 June 2021.
"Sub-processor" means any third-party processor engaged by Zenovay or its Affiliates to process Personal Information on behalf of Customer under the Agreement.

2. Relationship of the Parties; Processing of Data

2.1 Roles and Scope of Processing

The parties acknowledge and agree that with regard to the processing of Personal Information, Customer is the data controller (or "business" under the CCPA) and Zenovay is the data processor (or "service provider" under the CCPA). Customer shall, in its use of the Services, process Personal Information in accordance with the requirements of applicable Data Protection Laws. Customer's instructions for the processing of Personal Information shall comply with applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information.

2.2 Customer's Processing Instructions

By entering into this DPA, Customer instructs Zenovay to process Personal Information only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer's use of the Services (including through the dashboard, API, or other interfaces); (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by Zenovay as constituting instructions for purposes of this DPA.

2.3 Zenovay's Compliance with Instructions

Zenovay shall process Personal Information only in accordance with Customer's documented instructions, unless processing is required by applicable laws to which Zenovay is subject, in which case Zenovay shall inform Customer of that legal requirement before processing unless such law prohibits such information on important grounds of public interest.

2.4 Details of Processing

The subject matter, nature, purpose, duration, and types of Personal Information and categories of Data Subjects processed under this DPA are described in Exhibit A (Details of Processing) attached hereto.

3. Confidentiality

Zenovay shall ensure that any persons authorized to process Personal Information on its behalf are subject to a duty of confidentiality, whether by contract or statutory obligation.

4. Security

4.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zenovay shall implement and maintain appropriate technical and organizational measures to protect Personal Information from Security Incidents (as defined below) and to preserve the security and confidentiality of Personal Information, as described in Exhibit B (Security Measures) attached hereto.

4.2 Security Incident Notification

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. Zenovay shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of any Security Incident. Such notification shall:

Describe the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Information records concerned
Communicate the name and contact details of Zenovay's data protection officer or other relevant contact from whom more information can be obtained
Describe the likely consequences of the Security Incident
Describe the measures taken or proposed to be taken to address the Security Incident and to mitigate its possible adverse effects

5. Sub-processors

5.1 Authorized Sub-processors

Customer acknowledges and agrees that Zenovay may engage Sub-processors to process Personal Information on Customer's behalf. The current list of Sub-processors is available at zenovay.com/legal/subprocessors.

5.2 Sub-processor Obligations

Zenovay shall:

Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those imposed on Zenovay under this DPA
Remain fully liable to Customer for the performance of each Sub-processor's obligations
Conduct appropriate due diligence on each Sub-processor before engagement

5.3 Changes to Sub-processors

Zenovay shall provide Customer with at least 30 days' prior written notice of the addition of any new Sub-processor. Customer may object to Zenovay's use of a new Sub-processor by notifying Zenovay in writing within 10 days of receipt of Zenovay's notice, provided such objection is based on reasonable grounds relating to data protection. If Customer reasonably objects to a new Sub-processor and Zenovay cannot provide a commercially reasonable alternative, Customer may terminate the affected Services by providing written notice to Zenovay.

6. Data Subject Rights

Zenovay shall, to the extent legally permitted and within the scope of its role as processor, promptly notify Customer if Zenovay receives a request from a Data Subject for access to, correction, amendment, or deletion of that person's Personal Information. Zenovay shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations to respond to requests for exercising Data Subject rights under Data Protection Laws, including the right to access, rectify, erase, restrict processing, data portability, and object to processing.

7. Return and Deletion of Data

7.1 Data Retention Periods

Personal Information is retained according to Customer's subscription plan:

Free Plan: 1 year (365 days)
Pro Plan: 2 years (730 days)
Scale Plan: 4 years (1,460 days)
Enterprise Plan: Custom retention period as agreed in the applicable Order Form

7.2 Two-Phase Deletion Process

When Personal Information exceeds the retention period applicable to Customer's plan, Zenovay implements a two-phase deletion process:

Phase 1 - Soft Hide: Personal Information older than the retention period is marked as hidden and excluded from Customer's analytics queries. The data remains in Zenovay's systems but is not accessible through the Services.
Phase 2 - Grace Period: Customer is notified via email that data has been hidden. A 30-day grace period begins, during which Customer may upgrade to a higher plan to recover the hidden data.
Phase 3 - Permanent Deletion: After the 30-day grace period expires, hidden Personal Information is permanently deleted using secure deletion methods.

7.3 Data Recovery

If Customer upgrades to a plan with a longer retention period during the grace period, Zenovay will automatically recover (unhide) Personal Information that falls within the new retention period. Data that was permanently deleted cannot be recovered.

7.4 Deletion Upon Termination

Upon termination or expiration of the Agreement, Zenovay shall (at Customer's election): (a) return to Customer all Personal Information in Zenovay's possession or control via data export; or (b) delete all Personal Information in Zenovay's possession or control. This requirement shall not apply to the extent Zenovay is required by applicable law to retain some or all of the Personal Information, in which event Zenovay shall isolate and protect the Personal Information from any further processing except to the extent required by such law.

8. Audit Rights

Zenovay shall make available to Customer, upon reasonable request and subject to confidentiality obligations, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. Customer may exercise its audit rights under this Section by:

Reviewing Zenovay's security certifications and audit reports when available (Zenovay is working toward SOC 2 Type II certification and will make reports available upon request once obtained)
Sending Zenovay a questionnaire concerning Zenovay's data protection practices (limited to once per year unless required by Data Protection Laws)
In exceptional circumstances, conducting an on-site or remote audit of Zenovay's data protection practices, subject to reasonable notice, confidentiality obligations, and reimbursement of Zenovay's reasonable costs

9. International Transfers

9.1 Data Transfers

Zenovay may transfer and process Personal Information globally as necessary to provide the Services. If Zenovay transfers Personal Information from the EEA or Switzerland to a country outside the EEA/Switzerland that has not been recognized by the European Commission or the Swiss Federal Council as providing an adequate level of data protection, such transfers shall be subject to appropriate safeguards as required by Data Protection Laws, including:

EU-US Data Privacy Framework (DPF) / Swiss-US DPF: For transfers to US-based subprocessors certified under the DPF, reliance on the European Commission Adequacy Decision of 10 July 2023 and the corresponding Swiss recognition.
Standard Contractual Clauses (SCCs): As detailed in Section 9.2 below.
Supplementary Measures: Transfer Impact Assessments, encryption in transit and at rest, access controls, and other measures recommended by the EDPB and EDOEB in light of the Schrems II ruling.

9.2 Standard Contractual Clauses

To the extent that Zenovay processes Personal Information protected by EU Data Protection Laws (including the GDPR and nDSG) and transfers such Personal Information to a country not recognized by the European Commission or the Swiss Federal Council as providing an adequate level of protection, the Standard Contractual Clauses (Module Two: Controller-to-Processor) shall apply and are incorporated by reference into this DPA. For the purposes of the Standard Contractual Clauses:

Customer is the "data exporter" and Zenovay is the "data importer"
The parties agree to the optional clauses in Clause 7, Clause 11, and Clause 9(a)
The Member State governing law shall be the law of the Member State in which Customer is established or, if Customer is not established in a Member State, the law of Ireland
The competent supervisory authority shall be the supervisory authority of the Member State in which Customer is established; for Swiss Customers, the EDOEB (Federal Data Protection and Information Commissioner); for Customers not established in a Member State or Switzerland, the Irish Data Protection Commission
For transfers subject to the nDSG, references to GDPR provisions are interpreted as references to the equivalent nDSG provisions, and references to the EU/EEA are interpreted as references to Switzerland
The description of the transfer is set out in Exhibit A (Details of Processing)
The technical and organizational measures are set out in Exhibit B (Security Measures)

10. Limitation of Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.

11. General Provisions

11.1 Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of such conflict or inconsistency.

11.2 Modification

Zenovay may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or industry best practices. Material changes will be notified to Customer at least 30 days before they take effect.

11.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

11.4 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, except where the Standard Contractual Clauses specify otherwise.

Exhibit A: Details of Processing

List of Parties

Data exporter: Customer (as defined in the Agreement)

Data importer: Zenovay Inc., 415 Branding Street #4200, San Francisco, CA 94105, United States

Description of Transfer

Subject matter: The subject matter of the data processing is the provision of website analytics services.

Nature and purpose of processing: Zenovay will process Personal Information to provide website and application analytics services, including:

Collecting and analyzing website visitor data
Generating analytics reports and insights
Providing dashboard and data visualization services
Storing and maintaining analytics data
Automated visitor value scoring (0-100 scale based on behavioral signals, geography, and device data)
AI-powered analytics insights (via Cloudflare AI Gateway and OpenAI, when enabled by Customer)
Providing customer support and account management

Duration of processing: The duration of processing is for the term of the Agreement plus the data retention period applicable to Customer's subscription plan (1 year for Free, 2 years for Pro, 4 years for Scale, or custom for Enterprise). Data exceeding the retention period is subject to the two-phase deletion process described in Section 7.

Categories of Personal Information: The categories of Personal Information transferred may include:

Network Data: IP addresses (stored for geographic analysis and security), approximate geolocation (country, region, city)
Device Data: User agent strings, device type, browser, operating system, screen resolution
Browsing Data: Page URLs visited, page titles, referrer URLs, timestamps, time spent on pages
Behavioral Data: Scroll depth, click counts, form interactions (excluding sensitive fields), engagement metrics
Campaign Data: UTM parameters, advertising platform click identifiers (e.g., Google, Facebook, TikTok)
Conversion Data: Custom events, goal completions, and associated values as configured by Customer
Session Data: Session identifiers, duration, pages per session, returning visitor status

Optional Data (when features enabled by Customer):

Session Replay: DOM snapshots, mouse movements, clicks, and scroll behavior (sensitive fields automatically masked)
Heatmaps: Aggregated click and scroll position data
User Identification: Name, email, phone, company, and custom identifiers when provided by Customer's implementation
B2B Enrichment: Company name, domain, industry, size, and other business attributes derived from third-party enrichment services

Customer is responsible for determining what Personal Information is collected and ensuring compliance with applicable privacy laws.

Categories of Data Subjects: Data Subjects whose Personal Information is processed include:

Visitors to Customer's websites and applications
Users of Customer's online services
Customers of Customer's products or services
Employees or representatives of Customer (for account management purposes)

Sensitive data: Zenovay does not intend to process sensitive personal data (e.g., health information, biometric data, financial account details). Customer is prohibited from transmitting sensitive personal data to Zenovay without prior written agreement and appropriate safeguards.

Frequency of transfer: The frequency of transferring the personal data is continuous, until the agreement comes to an end.

Exhibit B: Security Measures

Zenovay has implemented and will maintain the following technical and organizational security measures:

1. Physical Access Controls

Cloud infrastructure hosted on Cloudflare's global edge network, certified to industry standards (SOC 2, ISO 27001)
Database services provided by Supabase, hosted on certified cloud infrastructure
Physical access controls managed by infrastructure providers (Cloudflare, Supabase)
24/7 security monitoring and surveillance of data center facilities

2. System Access Controls

Multi-factor authentication (MFA) required for administrative access
Role-based access controls (RBAC) limiting access based on job function
Unique user credentials for all system access
Regular access reviews and revocation of unnecessary permissions
Logging and monitoring of all system access and activities

3. Data Access Controls

Encryption of data in transit using TLS 1.2 or higher
Encryption of sensitive data at rest using AES-256 encryption
Access to Personal Information restricted to authorized personnel only
Data segregation to prevent unauthorized cross-customer data access

4. Transmission Controls

Encryption of data transmission using TLS/SSL protocols
Secure APIs with authentication and authorization controls
Logging and monitoring of data transmissions

5. Input Controls

Audit logging of data creation, modification, and deletion
Version control and change management procedures
Automated backups with point-in-time recovery capability

6. Availability Controls

Cloudflare global edge network with automatic failover across 300+ data centers
Supabase managed database with point-in-time recovery
Regular backups stored in geographically distributed locations
Disaster recovery and business continuity procedures
System monitoring and incident response procedures
Note: No specific uptime SLA is provided unless separately agreed in an Enterprise contract

7. Organizational Measures

Regular security awareness training for employees
Confidentiality agreements signed by all employees
Incident response and breach notification procedures
Periodic security reviews and assessments
Vendor risk management program for Sub-processors

Contact Information

For questions about this DPA or data processing practices, please contact:

Email: privacy@zenovay.com

Support: support@zenovay.com

Address: Zenovay Inc., 415 Branding Street #4200, San Francisco, CA 94105