Privacy Policy

Last updated: December 6, 2024

TL;DR

  • We collect the basics. Email, name, and whatever you put on your boards. That's it. We read none of the stuff you write on your boards. It's none of our business, and frankly we have better things to do.
  • We don't sell your data. Not to advertisers, not to anyone. We're not that kind of company. Frankly, we fucking hate advertising and the way we're all just digital cattle sold and traded on the net.
  • Your voice recordings vanish. We send them to your AI provider for transcription, then poof.
  • Pro gets AI included. Free users can bring their own keys (encrypted with fancy crypto stuff).
  • Data lives in the US. We're Finnish, but our servers are American. Yes, GDPR still applies to you. You get the same european consumer protection in the capitalist hellhole that the US is. No offence, you're welcome.
  • Delete everything anytime. Settings → Delete Account. No guilt trips, no hoops. Nothing stays behind, so don't expect us to say hi when you bump into us one day.

1. Who We Are

Zenban is operated by Hexagon Intergalactic Ltd, a company registered in Finland. We are the data controller for the personal information collected through Zenban.

Contact: support@zenban.net

2. Information We Collect

Account Information

When you create an account, we collect your email address and name. If you sign in with Google, we receive basic profile information from Google.

Your Content

We store the boards, lists, and notes you create. This is necessary to provide the service.

Voice Recordings

When you use voice input, audio is recorded temporarily and sent to your chosen AI provider (OpenAI or Google) for transcription. We don't store voice recordings after transcription is complete.

AI Features

Pro subscribers get AI features included - we provide the models and infrastructure. Free users can optionally provide their own API keys from OpenAI or Google. If you provide API keys, they are encrypted using AES-256-GCM before storage and are only decrypted when making API calls on your behalf.

Technical Information

We collect standard technical information including session tokens (for authentication), push notification tokens (if enabled), and your preferences (theme, language settings).

Payment Information

Payments are processed by Polar.sh using Stripe. We don't store your payment card details. Polar.sh and Stripe handle payment information under their own privacy policies.

3. How We Use Your Information

We use your information to:

  • Provide and maintain the Zenban service
  • Authenticate you and secure your account
  • Process your subscription payments
  • Send you important service updates (security alerts, major changes)
  • Respond to your support requests

We don't sell your data or use it for advertising. We don't send marketing emails unless you explicitly opt in.

4. Legal Basis for Processing

Under GDPR, we process your data based on:

  • Contract: Processing necessary to provide the service you signed up for (account, content storage, payments).
  • Legitimate interests: Security monitoring, service improvements, and responding to legal obligations.
  • Consent: For optional features like push notifications. You can withdraw consent at any time.

5. Data Storage and Transfers

Our service infrastructure is hosted in the United States (database on NeonDB, application hosting). This means your data is transferred from the EU to the US.

We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable to ensure appropriate safeguards for international data transfers under GDPR.

6. Third-Party Services

We use the following third-party services:

  • NeonDB: Database hosting (US-based)
  • Polar.sh / Stripe: Payment processing
  • OpenAI / Google: AI features (only if you configure them with your own API keys)

Each service has its own privacy policy governing how they handle data.

7. Data Retention

  • Account and content: Retained until you delete your account.
  • Voice recordings: Not retained after transcription.
  • Payment records: Retained as required by tax and accounting laws (typically 7 years).
  • Session tokens: Expire after 7 days of inactivity.

8. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Delete your account and data.
  • Portability: Export your data in a portable format.
  • Restriction: Request limited processing in certain circumstances.
  • Object: Object to processing based on legitimate interests.

You can delete your account directly from the settings page. For other requests, contact us at support@zenban.net.

You also have the right to lodge a complaint with a supervisory authority. In Finland, this is the Data Protection Ombudsman (tietosuojavaltuutettu).

9. Cookies and Local Storage

We use essential cookies for authentication (session tokens). We also use browser local storage to enable offline functionality as part of the Progressive Web App (PWA) features.

We don't use tracking cookies or analytics that identify individual users.

10. Children's Privacy

Zenban is not intended for children under 13. We don't knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.

11. Security

We take reasonable measures to protect your data, including:

  • Encryption of data in transit (HTTPS)
  • Encryption of sensitive data at rest (AI API keys)
  • Secure authentication with session management
  • Regular security reviews

No system is perfectly secure. If you discover a security issue, please report it to support@zenban.net.

12. Changes to This Policy

We may update this privacy policy from time to time. We'll notify you of significant changes via email or through the app. The "Last updated" date at the top shows when the policy was last revised.

13. Contact Us

If you have questions about this privacy policy or how we handle your data, contact us at:

support@zenban.net

Hexagon Intergalactic Ltd
Finland