Legal

Privacy Policy

Last updated: June 18, 2026

This Privacy Policy explains what personal data Zinx OS (“we”, “us”) collects, how we use it, and the rights you have over it. We aim to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and equivalent privacy laws.

1. Who we are

Zinx OS is a workspace platform that combines projects, kanban, timesheets, files, CRM, and invoicing for agencies, solopreneurs, and developers. We act as the data controller for account data and as a data processor for the content you upload into your workspace.

2. Data we collect

  • Account data: name, email, and profile picture provided by Google when you sign in.
  • Connected Google services: if you choose to connect Google Drive or Gmail, the data needed to run those features (see “Google user data” below). These connections are optional.
  • Workspace content: the projects, tasks, time entries, files, clients, invoices, and messages you create inside your workspace.
  • Automation data: if you build automations, we store their configuration, and any credentials you enter into an automation step (such as an API key or webhook header) are encrypted at rest. Automations you enable can, at your direction, send workspace data to external URLs you configure and receive data through inbound webhooks; those external endpoints are operated by third parties and are outside our control.
  • Billing data: handled by Dodo Payments; we store only a customer reference, plan, and status. We never see or store your card details.
  • Operational data: the minimum logs and metadata needed to keep your account secure and the service running, such as sign-in events, rate-limit counters, and error logs that may include your IP address, browser user-agent, and the page where an error happened.
  • Analytics & session replay: we use PostHog to measure product usage and to record session replays with all text and form inputs masked, and Google Analytics to measure aggregate site traffic, so we can fix bugs and improve the app. In regions that require opt-in consent (such as the EU, UK, and EEA), this stays off until you agree. In regions with an opt-out model (such as the US), it runs by default and you can turn it off at any time from the cookie banner or your cookie preferences. Advertising features are disabled, and this is never used for advertising. See our Cookie Policy.

3. How we use it

  • To provide, secure, and improve Zinx OS.
  • To authenticate you, keep you signed in, and remember your active workspace.
  • To send the emails described in “Email communications” below.
  • To comply with legal obligations and prevent abuse.

3a. Email communications

We group the emails we send into three categories so it's clear which ones require your consent. You can manage your choices any time from your account's notification settings.

Account & security always on

Sign-in alerts, billing receipts, workspace invitations, security advisories, and updates to these policies that affect you. We send these on the basis of contract performance and legitimate interest, and they can't be turned off while your account is active.

Product updates opt-out, on by default

Occasional emails about new features, changelog highlights, and tips for getting more out of Zinx OS. Sent on the basis of legitimate interest. You can unsubscribe with one click in any of these emails or from your notification settings.

Offers & promotions opt-in, off by default

Holiday greetings, discounts, special offers, and re-engagement messages. We will only send these if you have explicitly turned them on in your notification settings. Every such email includes a one-click unsubscribe link, and unsubscribing from these has no effect on the other categories above.

4. Legal bases (GDPR)

  • Contract: to deliver the service you signed up for.
  • Legitimate interest: to keep the platform secure and prevent fraud.
  • Legal obligation: to comply with tax, accounting, and law-enforcement requirements.
  • Consent: for the optional analytics and session-replay cookies, which stay off until you turn them on and can be withdrawn at any time.

5. Sub-processors

We share data only with the infrastructure providers needed to run the service:

  • Google: OAuth sign-in, and, when you connect them, the Google Drive and Gmail APIs (see “Google user data” below).
  • Convex: application backend, database, and file storage.
  • Better Auth: session and authentication library (self-hosted on our infrastructure).
  • Dodo Payments: checkout, subscriptions, and billing.
  • Resend: transactional email delivery.
  • PostHog: product analytics and session replay (consent-gated as described in section 2), plus first-party, server-side error monitoring that runs independently of cookie consent so we can detect and fix failures. Error reports contain the error message, the page it happened on, and your browser user-agent; they are not used for advertising or profiling.
  • Google Analytics: aggregate, consent-gated site traffic measurement (as described in section 2). Advertising features and ad personalization are disabled, and it is never used for advertising.
  • Cloudflare (with Vercel as a fallback host): serving and delivering the app, which involves processing your IP address and request metadata.
  • Klipy and Unsplash: when you search for a GIF or stock image inside the app, your search term is sent to these providers to return results.

We do not sell your personal data, and we do not share it with advertisers.

5a. Google user data (Drive and Gmail)

Some Zinx OS features let you connect your own Google account so the app can act on your behalf. These connections are optional and per user, and you can revoke them at any time from your Google Account security settings or by disconnecting inside Zinx OS.

  • Sign-in (openid, email, profile): when you sign in with Google we receive your name, email address, and profile picture to create and secure your account.
  • Google Drive (drive.file): if you connect Drive, Zinx OS can create and manage only the folders and files it creates in your Drive, so it can sync the project files you upload or make inside the app. This does not let Zinx OS see, read, or change any of your other existing Drive files.
  • Gmail (gmail.send): if you connect Gmail, Zinx OS can send emails from your address that you compose inside the app, for example messages to your CRM contacts. This permission only allows sending. Zinx OS cannot read, list, or otherwise access your mailbox.

We use Google user data only to provide these user-facing features. We do not use it for advertising, we do not sell it, and we do not let humans read it except with your consent, where needed for security or to comply with the law, or in aggregated or anonymized form to operate the service.

Zinx OS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Data retention

We keep your account and workspace data for as long as your account is active. When you delete your account from your account settings, your personal profile (name, email, avatar) is removed promptly, typically within minutes. Content you created inside shared workspaces (chat messages, time entries, kanban activity) is anonymized rather than deleted: your name appears as “Deleted user” so collaborators' workspaces continue to function. Workspaces you own must be transferred to another member or deleted before you can delete your account. Billing records are retained for up to 7 years for tax and accounting compliance.

7. Your rights

Subject to applicable law, you have the right to access, correct, export, restrict, or delete your personal data, and to object to or withdraw consent for certain processing. To exercise any of these, email us using the contact below; we'll respond within 30 days. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

8. International transfers

Your data may be processed in countries outside your own, including the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors.

9. Security

Your data is encrypted in transit with TLS and encrypted at rest; encryption in transit and at rest for our database and file storage is provided by our infrastructure providers. On top of that we apply role-based access controls scoped to each workspace, and we encrypt sensitive third-party tokens (such as your Google access tokens and any secrets you enter into automation steps) before storing them. No system is perfect; if we ever discover a breach affecting your data, we'll notify you and the relevant authorities as required by law.

10. Cookies

We set strictly necessary cookies, plus optional analytics and session-replay cookies. Analytics cookies stay off until you opt in where opt-in consent is required, and run by default with an easy opt-out elsewhere (such as the US). See our Cookie Policy for the full list and your choices.

11. Changes

If we make material changes to this policy, we'll notify you in-app or by email before they take effect.

12. Contact

For privacy questions or data requests, email contact@zinxos.com.