GDPR Notice
Last updated: June 14, 2026
This notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the "General Data Protection Regulation" / "GDPR"). It describes how ZipOrder ("we", "us") processes personal data when you use our mobile and web product. The legal controller is named in Section 1 below.
Please also read our Privacy Policy for a plain-language summary of the same practices, and our Subprocessors page for the list of third-party services that may process your data on our behalf.
1. Controller
The data controller is Zero Core Studio LLC, a company incorporated under the laws of the United States. For data protection matters you can reach us at legal@ziporder.io.
2. Categories of personal data we process
- Account data: email address, sign-in tokens, locale preference, optional business name and contact details. When you sign in with Apple we additionally receive a stable Apple-issued user id; when you sign in with Google we receive your name and profile photo URL alongside the email.
- Content data: catalogs, items, prices, orders and uploaded source files (images / PDFs / spreadsheets).
- Third-party data on a public order page: the name and contact info a customer enters when submitting an order through your catalog. We disclose this to you (the supplier) and anonymize it on the public link 30 days after the order is placed.
- Service telemetry: error reports (PII redacted) and basic logs needed to operate the service. Always-on; legitimate interest under Art. 6(1)(f).
- Optional product analytics: anonymous app usage events (feature taps, screen views, error counts) sent to Firebase Analytics on mobile and Google Analytics 4 on the web. Disabled by default; processed only after explicit opt-in via the on-device consent dialog (mobile) or cookie banner (web). Withdrawable at any time from Profile → Privacy (mobile) or by clearing cookies (web).
- Billing data: subscription status received from Apple App Store / Google Play / RevenueCat. We do not see your payment card details.
- Payment data (only if the supplier enables card collection): order id, amount, currency, the payment provider's checkout / session id and payment-status events for catalog orders and in-person (POS) charges. Card details are entered on the provider's hosted page (Stripe / Iyzico) and never reach our servers.
- E-invoice / fiscal data (only if the supplier connects an e-invoice provider): the supplier's legal seller identity (tax id, tax office, address) and, on the invoiced order, the buyer's name and any tax id, plus line items and amounts — processed to issue a fiscal invoice through the connected provider.
- Connected-integration credentials: API keys / OAuth tokens for payment and accounting providers, stored encrypted (AES-256-GCM), never returned to the client, and deleted on disconnect or account deletion (a Stripe Connect link is also revoked at Stripe).
3. Purposes and legal bases
- Provide the service (Art. 6(1)(b) — performance of the contract): account, content and order data.
- Operate, secure and improve the service (Art. 6(1)(f) — legitimate interests): logs, error monitoring, abuse prevention. You may object at any time.
- Comply with legal obligations (Art. 6(1)(c)): tax records, lawful requests from authorities.
- Process payments & issue invoices when the supplier opts in: card payment processing rests on Art. 6(1)(b) (performance of the contract) and fiscal-invoice issuance on Art. 6(1)(c) (legal obligation). Card details are handled by the payment provider, not by us.
- Optional product analytics (Art. 6(1)(a) — your consent, captured by the in-app opt-in dialog or the web cookie banner): Firebase Analytics for mobile and Google Analytics 4 for web. We collect only anonymous events; no PII is sent.
- Optional analytics tags you configure on your catalog (Art. 6(1)(a) — your visitors' consent, governed by your own privacy notice): if you enter a Facebook Pixel or Google Analytics ID into your ZipOrder profile, we inject those tags into your public catalog page. You become the controller for that processing; we operate as your processor.
4. Recipients and international transfers
We use the subprocessors listed on the Subprocessors page. EU data is stored in the EU (Frankfurt for the database, Ireland for authentication, EU region for object storage). Some subprocessors (e.g. Sentry, Resend) are based in the United States; transfers rely on the EU Commission's adequacy decision for the EU–US Data Privacy Framework or on Standard Contractual Clauses. When a supplier enables card collection or connects an e-invoice provider, the relevant order and invoice data is also shared with that provider (e.g. Stripe, Iyzico, Nilvera, Paraşüt, QuickBooks, Xero), which may be located in the United States or Türkiye; those transfers likewise rely on the applicable adequacy decision or Standard Contractual Clauses.
5. Retention
- Source documents (uploaded scans / PDFs): 72 hours after processing, then deleted from object storage.
- Customer PII (per-order) — name, email, phone, delivery address, location coordinates: anonymized 30 days after the order is placed; the order record itself (items, totals, status) is kept anonymized for the supplier's analytics.
- Order share links: expire 30 days after the order is placed; expired links return 404.
- Paused catalogs: 30 days after subscription lapse the catalog is soft-deleted (slug removed); 120 days after, the catalog is hard-deleted.
- Contact phone & security codes: the E.164 phone number you enter to show customers is retained as long as the account is active. One-time verification codes (OTP) for sensitive actions are sent by email, expire within ~10 minutes, and are held only transiently in hashed form — never persisted in our database.
- Sign-in logs (SignInLog): retained 13 months for security / audit purposes; deleted automatically afterwards.
- Abuse reports + admin actions (AdminAction): retained indefinitely for legal compliance and account-recovery investigations. These records survive even if the underlying account is deleted (Art. 17(3)(e) — legal claims exception).
- Account & catalog data: kept until you delete your account or the lapsed-account window (120 days after a paused subscription) ends.
- Fiscal invoices & payments: invoices issued through a connected e-invoice provider are retained by that provider and the tax authority under tax law (typically 5–10 years), and payments settle in the supplier's own provider account — both outside ZipOrder and not deletable by us. On our side we keep only the order's payment-status metadata.
- Backups: rolling 30-day window, then overwritten.
6. Your rights
You have the following rights under the GDPR:
- Access (Art. 15) — request a copy of your data. Available self-service via Profile → Privacy → Request data export.
- Rectification (Art. 16) — correct any inaccurate data via the app, or by writing to us.
- Erasure (Art. 17) — delete your account and all associated data via Profile → Privacy → Delete account.
- Restriction (Art. 18) and objection (Art. 21) — write to legal@ziporder.io.
- Portability (Art. 20) — the data export above is provided in a machine-readable JSON format.
- Withdraw consent (Art. 7) — at any time, with no effect on processing already carried out.
- Lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu.
7. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. The AI scanner extracts information from the documents you upload but every item remains editable; the final catalog is always your decision.
8. Updates
We may update this notice when our practices change. Material changes will be communicated via the app or by email. Older versions are kept on file at legal@ziporder.io.