Zenture

Privacy Policy

Legal NoticePrivacy PolicyTerms of useTrust CenterFAQSubprocessors

Effective from June 5, 2026

1. Controller and contact

zenture UG (haftungsbeschränkt), Dobelstrasse 5, 70184 Stuttgart, Germany, is responsible for the processing described in this Privacy Policy unless we state otherwise. You can contact us at [email protected].

We have not appointed a data protection officer because we are not currently legally required to do so.

2. Scope

This Privacy Policy applies to zenture websites, the authenticated web app, the iOS app, APIs and related services. It explains which personal data we process, why we process it, which service providers may receive it and which rights you have.

For business customers, self-service organisations and team accounts are independent SaaS use and do not, by themselves, constitute a data processing agreement or processor engagement. We may act as processor only where we process personal data strictly on behalf of that customer and a separate data processing agreement has been agreed. We do not currently provide a standard DPA through the website; if you require processor terms, contact us before using zenture for such processing. For account administration, security, billing, fraud prevention, legal compliance and platform improvement, we generally act as an independent controller.

3. Data categories

We process account and profile data such as user ID, email address, name, display name, optional company, address and profile settings; authentication and session data such as access tokens, refresh tokens, backend session IDs, device type, device name, client version, device key, IP address, user agent, timestamps and security events; product data such as chats, prompts, speech dictation transcripts, uploaded files, documents, PDFs, images, screenshots, file names, file types, metadata, extracted text, OCR results, model outputs, temporary-chat metadata, input-wizard prompts, AI personality settings, chat folders, evaluations, source results, usage records and feedback; sharing data such as public or restricted share links, copied chat content and related access metadata; integration data such as connected Notion, Confluence or Slack interface metadata and encrypted access credentials; organisation data such as organisation names, roles, memberships, invites and audit events; billing data such as Stripe customer IDs, invoices, payment status, subscriptions, wallet and credit transactions, auto-recharge settings, tax/VAT metadata and chargeback information; referral and promotion data such as referral codes, invited email addresses, promotion codes, eligibility checks and fraud-prevention signals; support data such as ticket content, call metadata, contact details and notes from support requests; and website data such as cookie choices, page views, traffic source parameters and technical request logs.

The iOS app stores access token, refresh token and backend session ID in the device Keychain and may store non-secret preferences such as theme, language, client instance and runtime settings in UserDefaults. Apple's privacy manifest for the iOS app declares email address, user ID, other user content, product interaction data and performance data for app functionality and, where applicable, analytics.

4. Purposes and legal bases

We process personal data to create and manage accounts, authenticate users, maintain sessions, provide chats and AI workflows, process uploads, transcribe speech dictation into editable text, generate and evaluate AI outputs, preserve chat history, operate organisations and integrations, process payments and credits, show transactional or security notices in the web app or iOS app, provide support, maintain security, prevent fraud and abuse, enforce our terms, comply with legal obligations and improve reliability and usability.

The legal bases are performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), legal obligations such as tax and accounting duties (Art. 6(1)(c) GDPR), our legitimate interests in operating, securing and improving the service, preventing abuse, enforcing claims and maintaining reliable infrastructure (Art. 6(1)(f) GDPR), and consent where required, especially for optional analytics cookies, marketing communications, microphone access or speech recognition permissions requested by the operating system (Art. 6(1)(a) GDPR where applicable).

5. AI chats, dictation, uploads and model providers

When you use AI features, your prompts, selected context, uploaded files, model configuration, AI personality settings, previous conversation turns and generated outputs may be processed by us and by the selected third-party model provider. Depending on the selected model or feature, this can include OpenAI, Anthropic, Google/Gemini, Mistral AI or xAI. We use these providers to generate responses, process files, support tool use, calculate usage and provide the requested functionality.

If you use speech dictation in the iOS app, the microphone captures your spoken input only after you start dictation. The audio may be processed through Apple Speech Recognition to convert it into editable text. zenture uses the resulting transcript like a typed prompt. We do not store raw dictation audio as a separate voice recording in zenture unless we explicitly introduce and disclose such a feature in the future.

If you upload documents, PDFs, images, screenshots or similar files, we may process the file content, file names, file types, metadata, extracted text, OCR results, previews or thumbnails to provide the requested AI workflow, answer your prompt, preserve chat context, enable downloads or support troubleshooting. Uploaded files may contain personal data about you or third parties. You are responsible for having the necessary rights and legal basis before uploading or otherwise processing third-party data through zenture.

We do not currently use your chats, prompts, dictation transcripts, uploads or outputs to train our own AI models. We reserve the right to offer model-improvement or training features in the future, but we will only use personal data for such purposes where we have a valid legal basis, provide the required information and, where required, obtain consent or provide an effective opt-out.

For the third-party model providers currently connected to zenture, we use API, commercial, enterprise or paid configurations where provider terms state that API or business customer inputs and outputs are not used for model training by default, unless the customer explicitly opts in or a separate agreement says otherwise. We have not enabled provider opt-ins for model training. Provider-side abuse monitoring, safety processing, caching, audit logging, legal retention or zero-data-retention availability depends on the respective provider's current terms.

You are responsible for the content you enter into zenture. You must not submit special categories of personal data, confidential third-party data, unlawful content or data you are not authorised to process unless you have a valid legal basis and the necessary rights to do so.

Temporary chats are not shown in your visible chat history unless you publish them, but related prompts, outputs, uploads, metadata, billing records, security logs or provider-side processing may still occur where necessary to provide the service, prevent abuse, troubleshoot errors, comply with law or enforce our terms.

6. Sharing, referrals and third-party data

If you copy chat content, create or publish a share link, invite another person, use referral functionality or otherwise disclose content from zenture, you decide which information is shared and are responsible for having the necessary rights and legal basis. Anyone with access to a public or unrestricted share link may be able to view the shared content until the link is disabled or the content is deleted, subject to the available product controls.

When you invite or refer another person, we may process that person's email address, referral relationship, eligibility status, fraud-prevention signals and reward metadata. You must only provide third-party contact details where you are authorised to do so.

7. Payments, credits and billing

Payments, subscriptions, invoices, credit purchases, auto-recharge and chargebacks are processed with Stripe. We store only the data needed to operate billing and credit accounting, such as Stripe customer, subscription, invoice and payment identifiers, payment status, amounts, currency, plan, tax metadata, credit packages, consumption events and audit records. Full card details are handled by Stripe and are not stored by us.

8. Authentication, CAPTCHA and OAuth

Registration, login, password reset, session refresh, account deletion and other sensitive actions may require security checks. We use Cloudflare Turnstile for CAPTCHA protection where enabled. If you sign in with Apple, Azure/Microsoft or Google, the relevant identity provider processes authentication data according to its own privacy terms and provides us with the information needed to authenticate your account, such as provider identifiers, email address and profile metadata.

9. Support, calls and social media

Support requests may be handled through ticketing, email, messaging, video-call or similar communication tools and may include your contact details, account identifiers, issue descriptions, attachments, diagnostic context, call metadata and our internal notes. We do not record support calls by default. The respective communication providers process metadata and, where applicable, communication content under their own terms.

If you contact us or interact with zenture through social media platforms, the relevant platform also processes your data as an independent provider. We process social-media messages, comments, handles and related metadata only to respond, moderate, protect our rights or operate our public presence.

9a. Feedback and product research

We may show in-app feedback requests to better understand product quality, feature usability and support needs. For this purpose we process account identifiers, product usage context, responses you submit voluntarily, and related metadata such as timestamps and client version. The legal basis is our legitimate interest in improving service quality and reliability (Art. 6(1)(f) GDPR).

We do not currently send proactive feedback emails for these purposes. You can still contact us voluntarily at any time if you want to provide feedback.

You can object to in-app feedback requests at any time. If you object, we stop using your data for further in-app feedback outreach and keep only the records required to document your objection and ensure compliance.

10. Cookies and analytics

We use essential cookies and similar storage for authentication, security, session handling, CSRF protection, language and cookie preferences, referral attribution where you have consented, and basic website functionality.

We use Google Analytics 4 on the public website. If you choose "Accept all", analytics cookies are enabled. If you choose "Accept only essential" or "Reject", analytics runs only in a limited cookieless mode where configured. We do not send directly identifying personal data to Google Analytics and do not use a Google Analytics User ID. You can reopen cookie settings from the website footer.

11. Recipients and subprocessors

We share personal data only where necessary to provide, secure, bill, support or legally operate the service. Recipients may include hosting and infrastructure providers, Supabase for database, authentication, storage and realtime functionality, Redis-backed infrastructure operated by us, AI model providers, Apple Speech Recognition when iOS dictation is used, Stripe, Cloudflare, support and communication providers, OAuth identity providers, analytics providers, professional advisers and authorities where legally required.

Our current subprocessor overview is available at zenture.app/subprocessors. We may update it when we add, remove or replace service providers.

12. International transfers

We primarily operate core infrastructure in the EU where available. Some providers are based in, or may process data from, countries outside the European Economic Area, including the United States. Where required, we rely on appropriate safeguards such as EU Standard Contractual Clauses, data processing agreements, transfer impact assessments, EU processing regions where available, or other legally recognised transfer mechanisms.

13. Storage and deletion

Account data, profile data, chats, prompts, dictation transcripts, uploads, outputs, folders, AI personality settings and related product data are generally stored until you delete the relevant content or your account, unless a shorter feature-specific retention period applies. Uploaded files and hidden temporary-chat related records remain stored until manual deletion unless cleanup, security or legal requirements require earlier or longer retention.

After account or content deletion, we may retain data where necessary for security, abuse prevention, fraud investigations, billing disputes, legal claims, tax/accounting obligations, audit logs, backups or compliance with law. Billing and tax records are retained for statutory retention periods (typically 6, 8, or 10 years depending on document type under applicable commercial and tax law). Security and abuse-prevention logs are retained only for purpose-limited windows and deleted or anonymised after those windows expire unless an active incident, legal hold, or dispute requires longer retention. Backup copies are retained on rolling schedules and removed after overwrite cycles complete.

14. Security and internal access

We use technical and organisational measures including HTTPS, HttpOnly cookies for web sessions, device-scoped backend sessions, Keychain storage on iOS, row-level security, authenticated database access, encryption for selected sensitive fields, access controls, structured redacted logging, rate limits, CAPTCHA on sensitive flows, audit trails and provider isolation through our backend and AI connector services.

Access to user content by our team is technically possible for users with a dedicated developer role, but organisationally restricted to urgent operational, security, support, debugging, legal or abuse-prevention needs. Such access is logged where technically supported and is not intended for routine review of user content.

15. Your rights

Subject to applicable law, you may request access, rectification, erasure, restriction of processing, data portability and objection to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time with effect for the future. You may also lodge a complaint with a competent data protection supervisory authority.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before acting on a request.

16. Additional notices for US residents

zenture is primarily directed at users in Germany and the European Union, but may also be accessed from the United States. We do not sell personal information for money and do not intend to share personal information for cross-context behavioural advertising as those terms are commonly used in US state privacy laws. Where required and technically feasible, we will honour applicable opt-out preference signals such as Global Privacy Control for non-essential tracking on the public website. US residents may contact us at [email protected] to request access, deletion, correction or opt-out rights available under applicable state law.

17. Children

zenture is not intended for children under 16. Users under 18 may use the service only with parental or guardian consent where required.

18. Changes

We may update this Privacy Policy from time to time, for example when the service, legal requirements or our providers change. Material changes will be communicated by website notice, in-product notice or email where appropriate.