Privacy Policy

Effective date: August 23, 2025

Legal entity: Day Creatives Inc., d/b/a Zappycards

Address: 161 Patrica Dr, Riverview, New Brunswick, Canada E1B 5H1

Email: support@zappycards.com · Phone: +1 (506) 248-0216

We align with PIPEDA's Ten Fair Information Principles and provide region-specific disclosures for EU/UK GDPR and U.S. state privacy laws (including California). We do not sell Contact Data.

1) Roles & Scope

  • For Contact Data (your end-customers), we act as your processor/service provider; you are the controller/organization.
  • For website, account, billing, security logs, and product analytics, we are a controller.
  • This Policy covers our websites, app, APIs, and integrations (GBP, Zapier, direct APIs, carriers, CRM/POS connectors).

2) Information We Process

  • Account & billing: admin details, identifiers, transactions.
  • Google connection data: OAuth tokens, account/location IDs, review/reply content within approved scopes.
  • Contact Data: names, phone numbers, emails, tags/segments.
  • Messaging metadata: timestamps, delivery status, opt-ins/opt-outs, reply codes.
  • Device/usage: IP, user agent, telemetry, logs, cookie-like identifiers.
  • Support: tickets, chat/email transcripts; optional call recordings (with notice).
  • Personalized images (if enabled): ephemeral generation of images with overlaid first name or business assets; no biometric identification.

3) How We Use Information

Provide/operate the Services; fulfill your instructions; send configured messages; post authorized GBP replies. Safety/program integrity (security monitoring, fraud/abuse prevention, rate limiting, spam mitigation). Improve features (aggregated/anonymized analytics). Legal compliance; carrier/platform requirements; service notices. No sale of Contact Data; no ads based on Google-sourced data.

4) Data Minimization & Retention

  • Pass-Through Mode (default): process CRM Contact Data ephemerally; retain only (i) message logs and (ii) suppression/opt-out records.
  • Minimum-Retention Mode (optional): limited storage to support sequencing/analytics with an admin-controlled window (default 90 days, configurable 0–365 days).
  • Account/billing: retained for life of account + up to 7 years for tax/audit.
  • We retain limited data where required by law or to resolve disputes; suppression logs are retained to honor opt-outs.

5) Lawful Basis & Regional Notes

  • Canada (PIPEDA/CASL): express consent where required; implied-consent windows for existing business relationships (~24 months) or inquiries (6 months) must be tracked; each CEM includes identification and a functioning unsubscribe.
  • EU/UK (GDPR/UK GDPR): for Contact Data we act as processor; for account/site data we are controller. We support data-subject rights and use SCCs/IDTA for restricted transfers.
  • U.S. (TCPA/state laws): prior express consent (informational) or prior express written consent (marketing) for automated texts; recipients can revoke consent by any reasonable means.
  • HIPAA: PHI is prohibited unless a BAA is executed in advance.

6) Google APIs; OAuth; E-SIGN

Google APIs and OAuth: ZappyCards accesses Google Business Profile data only after you explicitly authorize access via Google OAuth. The data we access may include business profile information such as business name, address, phone number, website, business hours, and customer reviews associated with your Google Business Profile.

We use this Google-sourced data solely to provide user-facing features within the ZappyCards platform, such as displaying and managing business information and reviews. We do not sell, share, or use Google user data for advertising or any purpose unrelated to the functionality you explicitly enable.

Access to Google data is limited to the approved OAuth scopes, restricted to authorized systems, and protected using industry-standard security controls. You may revoke ZappyCards’ access to your Google account at any time through your Google Account permissions.

Electronic communications (E-SIGN). By creating an account, you consent to receive notices and disclosures electronically (via email or in-app). You may withdraw this consent by contacting support; however, withdrawal may limit or prevent your ability to use certain services.

7) Sharing & International Transfers

  • We share information with subprocessors (cloud hosting, SMS delivery, analytics, support tools) under contract; integration partners you connect; advisers/authorities as required; and during corporate transactions with safeguards.
  • Data may be processed outside your province/country; for restricted transfers we use SCCs/IDTA and supplementary measures.

8) Security; Vulnerability Reporting

  • We maintain administrative, technical, and physical safeguards appropriate to risk, including encryption in transit, least-privilege access, MFA for admin access, logging/monitoring, vendor due diligence, secure development, and backups/DR.
  • To report a security issue, contact security@zappycards.com; we will acknowledge good-faith reports and coordinate remediation.

9) Your Rights & Choices

Depending on region: access, correction, deletion, portability, restriction/objection, and marketing opt-out. End-contacts should contact our Customer (controller); we assist controllers with requests. Manage cookies in your browser and any in-product controls.

10) Children

Business-use only; not for children under 16. Do not submit children's data.

11) Breach Notification

We will notify controllers without undue delay of breaches affecting Contact Data and assist with regulatory/individual notices (e.g., GDPR's 72-hour framework), consistent with our DPA.

12) Changes & Contact

We may update this Policy; material changes will be notified with a new effective date.

Questions/requests: support@zappycards.com or the postal address above.

© 2025 ZappyCard. All rights reserved.