Privacy Policy

Last updated: February 27, 2026

Effective Date: 8 March 2026

Last Updated: 8 March 2026

Zentrovia Solutions Private Limited (CIN: U62099KA2025PTC204133), a company incorporated under the Companies Act, 2013, with its registered office at 499, 10th Cross, NGEF Layout, Bangalore 560056, India ("Zentrovia", "we", "us", or "our") operates the ZenFlip digital publishing platform accessible at zenflip.io ("Platform"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you access or use our Platform, including any associated websites, applications, APIs, and services (collectively, the "Services").

We are committed to complying with applicable data protection laws worldwide, including but not limited to the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), the Information Technology Act, 2000 (India) ("IT Act"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (India) ("IT Rules"), the General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the EU Digital Services Act (Regulation 2022/2065) ("DSA"), and other applicable data protection and privacy legislation in the jurisdictions where we operate.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Services.

1. Definitions

For the purposes of this Privacy Policy:

  • "Creator" means a registered user of ZenFlip who uploads, creates, and publishes content through the Platform.

  • "Viewer" means any individual who accesses, reads, or interacts with publications hosted on the Platform.

  • "Data Principal" (as defined under the DPDP Act) or "Data Subject" (as defined under the GDPR) means the individual to whom personal data relates.

  • "Data Fiduciary" (as defined under the DPDP Act) or "Data Controller" (as defined under the GDPR) means the entity that determines the purposes and means of processing personal data.

  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

2. Our Role

  • When you use ZenFlip as a Creator: Zentrovia is the Data Fiduciary/Data Controller for your account data, billing data, and platform usage data. For viewer data collected through your publications (e.g., lead capture forms, publication analytics), you are the Data Fiduciary/Data Controller and Zentrovia acts as a Data Processor on your behalf.

  • When you access a flipbook as a Viewer: The Creator who published the flipbook is the Data Fiduciary/Data Controller for data collected through lead capture forms and similar features. Zentrovia processes this data on the Creator's behalf. For data we collect independently (e.g., technical logs, cookies for platform functionality), Zentrovia is the Data Fiduciary/Data Controller.

3. Information We Collect

3.1 Account Information

When you create a ZenFlip account, we collect: full name and display name, email address, password (stored in irreversibly hashed form using bcrypt), organisation name and billing address (for paid plans), profile photograph (optional), and authentication tokens from third-party sign-in providers (e.g., Google OAuth).

3.2 Payment and Billing Data

When you subscribe to a paid plan, our payment processor Stripe collects and processes your payment details. We do not store full credit card numbers, bank account numbers, or complete payment credentials on our servers. We receive and retain a truncated card identifier, billing address, transaction history, invoice records, and subscription status from Stripe. Stripe operates as an independent data controller for payment processing data subject to Stripe's own privacy policy.

3.3 Publication and Content Data

When you use the Platform, we process: PDF files you upload for conversion into flipbooks, publication metadata (titles, descriptions, settings, branding configurations), custom domain and CNAME configurations, and template and design customisations. We do not review, screen, or approve User Content before publication. As detailed in our Terms of Service, Creators are solely responsible for the content they upload and publish.

3.4 Lead Capture Data

If a Creator enables lead capture forms on their publications, we collect data submitted by Viewers on the Creator's behalf. This may include names, email addresses, phone numbers, company names, and any custom fields configured by the Creator. The Creator is the Data Fiduciary/Data Controller for this data. Creators are responsible for providing appropriate privacy notices to their Viewers and for ensuring they have a lawful basis to collect this data.

3.5 AI Feature Data

If AI-powered features (AI Chat, AI Summaries, AI Search) are used, we process: messages typed into AI Chat interfaces, session identifiers (anonymous), usage metadata (message count, timestamps - not message content for analytics), and feedback voluntarily provided (thumbs up/down, reports).

AI Chat responses are generated by third-party AI service providers. When AI Chat is used, messages are transmitted to one or more of the following providers, depending on configuration:

We do not use your content, publications, or AI Chat messages to train AI models. Our contracts with third-party AI providers include provisions prohibiting the use of your data for model training. However, AI providers may process and temporarily retain messages in accordance with their own data processing policies to provide the service and for safety monitoring.

AI outputs may be inaccurate, incomplete, or misleading. We do not verify, endorse, or guarantee the accuracy of any AI-generated content. Please refer to our AI Acceptable Use Policy for full details.

BYOK (Bring Your Own Key): If you provide your own API key, it is encrypted at rest using AES-256-GCM, decrypted only in memory during API calls, and never logged or displayed. When you use BYOK, your messages are sent directly to your chosen AI provider under your account and are subject entirely to that provider's privacy policy, data retention practices, and terms of service. You are solely responsible for the security and costs associated with your API key.

3.6 Usage and Analytics Data

We automatically collect: device type, browser type, operating system, and screen resolution; IP address (anonymised for analytics purposes where feasible); pages visited, features used, session duration, and interaction patterns; publication viewer analytics (page views, time per page, geographic region, referral sources); and error logs and performance metrics.

If you submit a copyright infringement notice (DMCA takedown request) or counter-notification, we collect the information contained in that notice, including your name, contact details, and a description of the allegedly infringing material. This information may be shared with the relevant Creator as part of the notice-and-takedown process and may be forwarded to legal authorities if required.

3.8 Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to maintain sessions, remember preferences, and gather analytics. For detailed information, please refer to our Cookie Policy at zenflip.io/legal/cookies.

4. How We Use Your Information

We use your personal information for the following purposes:

  • Service delivery: Account management, PDF-to-flipbook conversion, publication hosting, AI feature processing, analytics dashboards

  • Billing and payments: Subscription processing, invoicing, tax compliance, plan management

  • Communication: Transactional emails (verification, password reset, team invitations), service announcements, and optional marketing communications (with consent)

  • Security and fraud prevention: Detecting unauthorised access, abuse prevention, rate limiting, enforcing our Terms of Service and Acceptable Use Policy

  • Platform improvement: Usage analysis, feature development, bug fixes, performance optimisation

  • Legal compliance: Responding to lawful government requests, court orders, copyright complaints, regulatory obligations, and enforcing our legal rights

  • Content moderation: Processing reports of potentially unlawful or policy-violating content in accordance with our obligations under the IT Rules 2021 and the EU Digital Services Act

  • AI processing: Transmitting user inputs to third-party AI providers to generate responses (AI Chat, Summaries, Search)

5.1 Under the DPDP Act (India)

We process digital personal data on the following bases: (a) Consent - free, specific, informed, and unambiguous consent provided at the time of data collection; and (b) Legitimate uses - processing necessary for compliance with Indian law or for purposes specified in the DPDP Act. You may withdraw consent at any time by contacting us or through your account settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5.2 Under the GDPR (EEA/UK)

For individuals in the EEA or UK: (a) Contract performance (Article 6(1)(b)); (b) Legitimate interests (Article 6(1)(f)) - platform improvement, security, fraud prevention; (c) Consent (Article 6(1)(a)) - marketing, non-essential cookies, AI Chat processing for Viewers; (d) Legal obligation (Article 6(1)(c)) - tax obligations, court orders, regulatory requirements.

5.3 Under CCPA/CPRA (California)

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. To exercise these rights, contact privacy@zenflip.io.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share personal information only as follows:

6.1 Service Providers (Data Processors)

We engage trusted third-party service providers who process data under strict contractual obligations: Amazon Web Services (AWS) for cloud hosting and infrastructure; Stripe for payment processing; Contentful for marketing content management (no personal user data); AI providers (Anthropic, OpenAI, Google - as configured) for AI Chat response generation; and email service providers for transactional communications.

6.2 Creators and Viewers

If a Viewer submits data through a Creator's lead capture form, that data is made available to the Creator. Creators are independent Data Fiduciaries/Controllers for this data.

We may disclose personal information when required by law, regulation, court order, or governmental request, including requests from Indian authorities under the IT Act, DPDP Act, or CERT-In directions, and from authorities in other jurisdictions where we are legally obligated to respond. We may also disclose information where necessary to protect rights, property, or safety.

When we receive a valid copyright complaint, we may share the complainant's information with the Creator whose content is subject to the complaint, and vice versa for counter-notifications.

6.5 Breach Notification

In the event of a personal data breach: we will notify CERT-In within 6 hours as required under CERT-In directions; we will notify the Data Protection Board of India as required under the DPDP Act; we will notify the relevant EEA/UK supervisory authority within 72 hours where required under the GDPR; and we will notify affected individuals without undue delay where the breach is likely to result in significant harm.

6.6 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred. We will provide 30 days' notice and an opportunity to delete your account before any such transfer.

7. International Data Transfers

Zentrovia is headquartered in India. Personal data may be transferred to and processed in countries outside your country of residence, including the United States (where our cloud infrastructure on AWS is located) and other countries where our service providers operate.

For transfers from the EEA/UK: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented by appropriate technical and organisational measures.

For transfers from India: We comply with any restrictions imposed by the Central Government under Section 16 of the DPDP Act.

For transfers from California: We ensure that service providers receiving personal information are contractually bound to provide the same level of protection as required under the CCPA/CPRA.

8. Data Retention

  • Account data: Duration of account + 30 days post-deletion for recovery.

  • Payment records: 8 years (Indian Income Tax Act and GST requirements).

  • Publication data: Duration of account. Deleted publications permanently removed within 30 days.

  • Analytics data: Aggregated/anonymised analytics retained indefinitely. Identifiable viewer data retained for 26 months.

  • AI Chat messages: Duration of browser session only, unless persistence is enabled by the Creator (retained 30 days, then auto-deleted).

  • Lead capture data: Until Creator deletes it or account termination + 30 days.

  • Copyright complaint records: 3 years from resolution.

  • Server and security logs: 90 days (180 days for security-relevant logs as required by IT Rules).

We erase personal data when no longer needed for its collected purpose, upon withdrawal of consent, or upon a valid erasure request, whichever is earliest, unless retention is required by law.

9. Your Rights

9.1 India (DPDP Act)

Right to access a summary of your personal data and processing activities; right to correction, completion, and updating of personal data; right to erasure of personal data no longer necessary for the purpose collected; right to grievance redressal through our Grievance Officer; right to nominate another individual to exercise your rights in the event of death or incapacity; right to complain to the Data Protection Board of India.

9.2 EEA/UK (GDPR)

Right of access (Article 15); right to rectification (Article 16); right to erasure (Article 17); right to restriction (Article 18); right to data portability in JSON or CSV format (Article 20); right to object to processing based on legitimate interests or for direct marketing (Article 21); right not to be subject to solely automated decision-making (Article 22); right to withdraw consent at any time (Article 7(3)); right to lodge a complaint with your supervisory authority.

9.3 California (CCPA/CPRA)

Right to know what personal information is collected, used, disclosed, and sold; right to delete personal information; right to correct inaccurate personal information; right to opt out of sale/sharing (we do not sell or share personal information); right to non-discrimination for exercising rights.

To exercise any rights, contact privacy@zenflip.io. We respond within 30 days (or shorter if required by applicable law). Identity verification may be required.

10. Children's Privacy

The Services are not intended for individuals under 18. We do not knowingly collect personal data from children under 18. If AI Chat or other interactive features are enabled on publications intended for audiences that may include minors, Creators are responsible for disabling those features or implementing appropriate age verification. If we become aware that a child under 18 has provided personal data, we will promptly delete it and obtain verifiable parental consent where required under the DPDP Act. Contact privacy@zenflip.io to report concerns.

11. Security Measures

We implement appropriate technical and organisational security safeguards as required under the DPDP Act, GDPR, and industry best practices, including: encryption in transit (TLS 1.2+) and at rest (AES-256); secure password hashing (bcrypt); role-based access controls and least-privilege principles; regular vulnerability scanning and security assessments; audit logging of administrative actions; infrastructure on SOC 2 and ISO 27001 certified data centres (AWS); incident response procedures compliant with CERT-In directions (6-hour reporting); access logs retained for at least one year for breach detection; and data backups for business continuity.

No security system is impenetrable. While we implement commercially reasonable measures, we cannot guarantee absolute security.

12. Do Not Track

We do not currently respond to "Do Not Track" browser signals as there is no universally accepted standard for how to respond to such signals.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email and/or in-Platform notification at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

14. Grievance Officer

In accordance with the IT Rules 2021 and the DPDP Act:

Grievance Officer

Name: Jagadish C U

Zentrovia Solutions Private Limited

Email: grievance@zenflip.io

The Grievance Officer will acknowledge complaints within 24 hours and resolve them within 15 days.

15. Contact Us

Zentrovia Solutions Private Limited

CIN: U62099KA2025PTC204133

Registered Office: 499, 10th Cross, NGEF Layout, Bangalore 560056, India

  • Privacy enquiries: privacy@zenflip.io

  • Copyright complaints: copyright@zenflip.io

  • Grievance Officer: grievance@zenflip.io

  • General support: support@zenflip.io

  • Legal enquiries: legal@zentrovia.tech

  • Website: https://zenflip.io