GDPR Compliance

Last updated: February 27, 2026

GDPR Compliance Statement

Effective Date: 8 March 2026 Last Updated: 8 March 2026

Zentrovia Solutions Private Limited (CIN: U62099KA2025PTC204133) ("Zentrovia", "we", "us", or "our") is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA) and the United Kingdom in accordance with the General Data Protection Regulation (EU 2016/679) ("GDPR") and the UK Data Protection Act 2018.

This statement supplements our Privacy Policy (zenflip.io/legal/privacy) and provides additional detail for EEA and UK residents.

1. Data Controller

Zentrovia Solutions Private Limited CIN: U62099KA2025PTC204133 Registered Office: 499, 10th Cross, NGEF Layout, Bangalore 560056, India Email: privacy@zenflip.io

When ZenFlip Creators collect personal data from their Viewers (e.g., through lead capture forms, analytics), the Creator is the data controller and Zentrovia acts as a data processor.

  • Contract performance (Article 6(1)(b)): Account creation, publication hosting, subscription management, support services.

  • Legitimate interests (Article 6(1)(f)): Platform improvement, security monitoring, fraud prevention, analytics. We have conducted balancing tests to confirm these interests do not override your rights.

  • Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, AI Chat processing for Viewers.

  • Legal obligation (Article 6(1)(c)): Tax obligations, regulatory compliance, court orders.

3. International Data Transfers

Zentrovia is headquartered in India. Personal data of EEA/UK residents is transferred outside the EEA/UK. Safeguards include: Standard Contractual Clauses (SCCs) per Commission Decision 2021/914 for all transfers to India and US-based providers; encryption in transit (TLS 1.2+) and at rest (AES-256); role-based access controls on a need-to-know basis; and regular assessment of the legal framework in recipient countries.

Key sub-processors and locations: Amazon Web Services (AWS) - US/EU; Stripe - US; Anthropic/OpenAI/Google (AI providers, where enabled) - US.

Request a copy of our SCCs at privacy@zenflip.io.

4. Data Subject Rights

Under the GDPR, you have the right to: access your personal data and processing details (Article 15); rectify inaccurate or incomplete data (Article 16); erase data no longer necessary or where you withdraw consent (Article 17); restrict processing in certain circumstances (Article 18); receive your data in JSON or CSV format and have it transmitted to another controller (data portability, Article 20); object to processing based on legitimate interests or for direct marketing (Article 21); not be subject to solely automated decision-making producing legal effects (Article 22); and withdraw consent at any time without affecting prior lawful processing (Article 7(3)).

Contact privacy@zenflip.io. We respond within 30 days, extendable by 60 days for complex requests with notice. Identity verification may be required.

5. Data Retention

Detailed retention periods are in our Privacy Policy (Section 8). Data is securely deleted or anonymised upon expiry.

6. Data Protection Impact Assessments

We conduct DPIAs for processing likely to result in high risk, including AI-powered features (AI Chat, Summaries, Search), publication analytics with viewer tracking, and lead capture data processing.

7. Breach Notification

We notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach (Article 33). Where the breach is likely to result in high risk to your rights, we notify affected individuals without undue delay (Article 34).

8. Sub-Processors

Current sub-processors: Amazon Web Services (cloud infrastructure), Stripe (payments), Contentful (marketing content - no personal user data), Anthropic (AI processing, where configured), OpenAI (AI processing, where configured), Google (AI processing, where configured), and email service providers (transactional emails).

All sub-processors are bound by data processing agreements with GDPR-compliant terms. We notify users of material changes to sub-processors via this page and, for significant changes, by email. You may object to a new sub-processor within 30 days of notification.

9. Data Processing Agreements

Creators who collect personal data from Viewers may request a DPA. Enterprise customers receive a DPA as standard. Others may request one at legal@zentrovia.tech.

10. EU Representative

As Zentrovia has no EEA establishment, we are appointing an EU Representative under Article 27 of the GDPR. Details will be published here once confirmed.

[EU Representative: To be appointed]

11. Data Protection by Design and Default

We apply data minimisation, purpose limitation, storage limitation, security by default (encryption, access controls, privacy-protective defaults), and AI data protection by design (minimum data necessary, no retention beyond processing session).

12. Digital Services Act Alignment

As a hosting service provider under the DSA (Regulation 2022/2065), we maintain: a content reporting mechanism (report@zenflip.io); expeditious content removal upon actual knowledge of illegality; a counter-notification process for Creators; transparency in content moderation decisions; and a single point of contact for authorities in EU Member States.

13. Contact Us

Privacy enquiries: privacy@zenflip.io Legal enquiries: legal@zentrovia.tech

You may lodge a complaint with your local supervisory authority (directory: edpb.europa.eu).