Privacy Policy.

What we collect

Information you submit. Name, email, phone (if provided), business name, service interest, and messages you send. When you sign up for a ZRG tool (AI Lead Finder, SEO Audit, CRM), we also store your password hash, account preferences, and purchase history.

Automatic / technical data. We collect IP address, user-agent string, request timestamps, and referrer URL on every request to our backend. This is retained for up to 30 days in server logs for security + abuse detection. Successful logins, password changes, invite acceptances, and other auth events are retained in an audit log for up to one year.

Cookies. Essential cookies for sign-in (session + refresh tokens, 2FA trusted-device flag, Square OAuth state). Optional analytics cookies (Google Analytics 4) only if you consent via the cookie banner.

Voice notes. If you use the voice-transcription feature in the CRM, we send audio files to OpenAI Whisper for transcription. Audio is not retained by OpenAI per their API terms, and we store only the resulting transcript.

How we use it

We use your info solely to respond to your inquiry, schedule a call, and follow up if you become a client. We do not sell, rent, or share your data with third parties for their marketing purposes. Form submissions flow into the Zay CRM (owned and operated by Zay Revenue Group) and to our team email.

Subprocessors

Zay Revenue Group uses the following subprocessors. Each is bound by a data processing agreement and is listed with the data category we send and the purpose.

• Anthropic (Claude): prompts for AI features (lead enrichment, email drafting, status checks, SEO audit narrative). Per Anthropic API terms, prompts are not used for training. US region.
• Google (Gemini): fallback AI engine when Claude is unavailable. Same data category as Claude. Global region.
• OpenAI (Whisper): voice-note audio for transcription only. Audio not retained by OpenAI. US region.
• Resend: transactional + marketing email delivery. Recipient email + message body + send timestamp. US/EU regions.
• Amazon Web Services (S3): file uploads, contracts, deliverable attachments. US-East-1.
• Fly.io: application hosting (API + worker). IP address and request metadata in edge logs. US region.
• PostgreSQL (managed): primary database. All app data. US region.
• Redis (BullMQ queues): background job payloads (email sends, audit runs, social publish retries). US region.
• Square: payments + invoices. Recipient email, amount, card last-4 (never the full PAN). US region.
• Twilio: SMS send if enabled (currently not wired in production). Recipient phone + message body. US region.
• Google Places API: business lookup for the AI Lead Finder. Search query only. Global region.
• RocketReach: contact enrichment when user clicks "Enhance". Name + company as query. US region.
• Google PageSpeed Insights: performance scoring for the SEO Audit. Website URL only. Global region.
• Puppeteer rendering (Fly.io-hosted): renders user-submitted URLs for the SEO Audit screenshot. URL only, rendered server-side. US region.
• Calendly: meeting scheduling. Name + email + chosen slot. US region.

If you require a Data Processing Addendum (DPA) as an EU / UK customer, request one at hello@zayrev.com.

What each AI vendor sees

We limit the data each AI vendor receives to the minimum the feature needs. No ZRG AI call sends full CRM database exports or customer PII beyond what the specific feature requires.

• Claude (Anthropic): sees the text prompt for the feature plus any user-supplied context (e.g. the single lead row being enriched, the single message being drafted, the URL being status-checked). Does not see password hashes, Square secrets, Meta tokens, full contact lists, or invoice amounts.
• Gemini (Google): same data scope as Claude. Invoked as a fallback when Claude is unavailable.
• Whisper (OpenAI): sees only the raw audio of the specific voice note the user recorded. No CRM context attached.

AI-generated content that we send via email or DM is labeled "Drafted with Claude" (or equivalent) so the recipient knows AI touched the message. You can always review + edit AI drafts before sending.

Data from Google APIs (Gmail, Google Calendar, Google Drive, Google Sign-In)

When you connect your Google account to Zay CRM, we request access only to the Google API scopes required for the specific feature you enable. We never request bulk read access to your mailbox, calendar, or drive. The user-facing OAuth consent screen lists the exact scopes; the table below explains what we do with each.

Limited Use disclosure. Zay Revenue Group's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models, and we do not transfer Google user data to any third-party AI tool. Human access to Google user data is restricted to (a) explicit user consent for support, (b) what is necessary for security investigations, abuse prevention, or compliance with applicable law, or (c) aggregated and anonymized data used to improve the specific features the user invoked.

Per-scope details:

• Gmail send (https://www.googleapis.com/auth/gmail.send): used only when you click Send Email from a contact, deal, or campaign card inside the CRM. We construct the message in the CRM (subject, body, attachments you attached), call users.messages.send with that message, and store a local record of the send (recipient, subject, timestamp) for thread tracking. We do not read your inbox, sent folder, or any other Gmail data. Scope is send-only.
• Google Calendar events (https://www.googleapis.com/auth/calendar.events): used only when you click Book Meeting or Create Event on a contact in the CRM. We call events.insert / events.patch / events.delete on your primary calendar for events that the CRM created. We store the returned event ID, start/end time, and attendee list locally to keep the CRM and your calendar in sync. We do not read events you created elsewhere; we only read back the events the CRM itself created (matched by event ID).
• Google Drive file (https://www.googleapis.com/auth/drive.file): used only when you click Save to Drive on a contract PDF, invoice, or deliverable that the CRM generated. We upload the file via files.create and store the returned file ID. This scope is per-file by design — we only see files the CRM itself created or that you explicitly opened with the app. We never list your full Drive.
• Google Sign-In (openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile): used only during sign-in to authenticate you and pre-fill your name + profile photo on first account creation. We store your email, sub (Google's stable user ID), name, and profile photo URL.
• Google Business Profile (https://www.googleapis.com/auth/business.manage): used only when you connect a Google Business Profile location in CRM Settings → Integrations → Google Business Profile. We pull location metadata (name, address, hours, categories), reviews, and posts, and we publish posts/replies you compose in the CRM. We do not access locations you did not explicitly connect.

Storage and retention of Google data:

• Refresh tokens are encrypted at rest with AES-256-GCM using a per-deployment key envelope (BYO_KEY_ENCRYPTION_KEK). Access tokens are not persisted; we exchange the refresh token for a fresh access token in-memory at request time.
• Email send records (recipient, subject, timestamp) are retained for 30 days then auto-purged, except when linked to a CRM contact's activity timeline (then retained for the life of that contact record, subject to the deletion rights below).
• Calendar event records (event ID, time, attendees) are retained while the linked CRM contact or deal exists, and for 90 days after deletion.
• Drive file IDs are retained while the linked CRM record exists. We do not store file contents.
• Google Sign-In identity records are retained for the life of your Zay CRM account.

How to revoke:

• Inside the CRM: Settings → Integrations → Google → Disconnect. This revokes the refresh token and deletes derived data within 30 days (Drive file IDs, calendar event IDs, email send metadata).
• From your Google account: visit myaccount.google.com/permissions, find "Zay Revenue Group" or "Zay CRM", click Remove Access. We honor revoke notifications via Google's push channel and disconnect within minutes.
• To request full deletion of all Google-sourced data we hold, email privacy@zayrev.com.

What we do not do with Google user data: we do not sell or rent it; we do not use it for advertising; we do not share it with affiliated companies for their independent purposes; we do not use it to train AI/ML models that are not user-facing in the specific feature that requested the data; we do not retain it after you disconnect the integration beyond the windows above; we do not access more data than the specific feature requires.

This section and our Google integrations are governed by the Google API Services User Data Policy (including the Limited Use requirements), the Google Terms of Service, and the additional Google Workspace API and Marketplace Terms where applicable, in addition to our own terms.

Retention periods

We hold each data category only as long as needed for the stated purpose. Specific retention periods:

Your rights (US, EU/EEA, UK, California)

Depending on where you live, you have the following rights regarding your personal data:

• Access — request a copy of all personal data we hold about you, in a portable JSON or CSV format.
• Rectification — ask us to correct any inaccurate or incomplete personal data.
• Erasure ("right to be forgotten") — ask us to delete your personal data, subject to legal retention obligations (e.g. invoices held for tax compliance).
• Portability — receive your data in a machine-readable format and transmit it to another controller.
• Restriction — ask us to pause processing of your data while a dispute is resolved.
• Object — object to processing based on legitimate interests, including direct marketing.
• Withdraw consent — where processing is based on consent (e.g. analytics cookies), withdraw at any time without affecting prior lawful processing.
• Lodge a complaint — with a supervisory authority (e.g. your local Data Protection Authority in the EU/EEA, the ICO in the UK, the FTC in the US).

Self-serve options inside the CRM: Settings → Account → Export my data (full ZIP including JSON + CSV) and Settings → Account → Delete my account. Or email hello@zayrev.com with the subject line "Data subject request". We verify identity (signed-in account or matching email) and respond within 30 days (EU/UK GDPR), 45 days (CCPA/CPRA), or shorter as required by your jurisdiction.

Legal bases for processing (GDPR Art. 6)

We rely on the following lawful bases under GDPR / UK GDPR:

• Contract (Art. 6(1)(b)) — to deliver the Zay CRM and Zay-OS services you signed up for, including authentication, billing, and core CRM functionality.
• Legitimate interests (Art. 6(1)(f)) — for security monitoring, fraud prevention, abuse detection, product improvement, and aggregated analytics. We balance these against your rights and you can object at any time.
• Consent (Art. 6(1)(a)) — for non-essential analytics cookies, optional marketing emails, and any AI feature where we ask you to opt in.
• Legal obligation (Art. 6(1)(c)) — to retain financial records (invoices, receipts) for the period required by US/state tax law.

For special categories of data (Art. 9), we do not knowingly collect any. If you choose to enter such data into a CRM note (e.g. health information about a customer), you remain the data controller and we are processor.

International data transfers

Zay Revenue Group is based in the United States. If you access our services from the EU/EEA, the UK, or other jurisdictions outside the US, your personal data will be transferred to and processed in the United States. We rely on the following transfer mechanisms:

• EU Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor) for transfers from the EEA. Available on request via hello@zayrev.com.
• UK International Data Transfer Addendum — for transfers from the UK.
• Adequacy decisions where applicable (e.g. EU-US Data Privacy Framework — we are working on certification, target Q3 2026).

We perform Transfer Impact Assessments for each subprocessor handling EU/EEA data. Supplementary measures include encryption in transit (TLS 1.3), encryption at rest (AES-256), least-privilege access controls, and audited subprocessor agreements.

Security measures

We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Specific measures:

• Encryption in transit — all traffic uses TLS 1.2+ (TLS 1.3 preferred). HTTP Strict Transport Security with preload + 2-year max-age.
• Encryption at rest — Postgres database encrypted with AES-256. R2/S3 backup buckets encrypted with AES-256-GCM. Secrets stored in Fly.io's encrypted secret store.
• Access controls — role-based capabilities (owner/manager/sales/contractor) inside the CRM. Least-privilege engineering access. 2FA required for production database access.
• Authentication — passwords hashed with bcrypt (12 rounds). JWT pinned to HS256 with token-version invalidation on password change. Optional 2FA via TOTP or email magic-link.
• Audit logging — every privileged action (member invite, plan change, data export, refund) recorded for 365 days.
• Monitoring — automated alerts for anomalous login patterns, brute-force attempts, and unusual data-export volume.
• Vendor due diligence — every subprocessor reviewed for security certifications (SOC 2, ISO 27001, equivalent) before integration.
• Backups — full per-workspace backups every 12 hours to a geographically separate region. Restore tested quarterly.
• Incident response — documented breach notification procedure. We notify affected users and the relevant supervisory authorities within 72 hours of becoming aware of a personal data breach (GDPR Art. 33-34).

Children's privacy

Zay Revenue Group's services are not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact hello@zayrev.com and we will delete it within 30 days. We comply with the US Children's Online Privacy Protection Act (COPPA) and the corresponding provisions of the EU GDPR (Art. 8) and UK GDPR.

Automated decision-making + AI

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (GDPR Art. 22). AI features in the Zay CRM (lead enrichment, email drafting, status checks) generate suggestions or drafts that you review and edit before they take effect. You can opt out of AI-assisted features at the workspace level: Settings → AI → Disable AI everywhere.

Cookies & similar technologies

We use essential cookies for site function and optional analytics cookies only if you consent. You can change your decision at any time using the Cookie Preferences link (also in the site footer). We also respect the browser-level Do Not Track and Global Privacy Control signals — if either is enabled on your browser, non-essential cookies are automatically declined and no banner is shown.

Exact cookies & browser storage we set:

We do not currently run Meta Pixel, Google Ads tag, Hotjar, LinkedIn Insight, TikTok Pixel, or any other advertising / session-replay trackers on the public site. If that ever changes, this table will be updated before the new tag ships and existing consent will be re-requested.

Your options:

• Reject non-essential — essential cookies continue, GA4 is never loaded.
• Accept all — GA4 is loaded with IP anonymization on.
• Change your mind — click Cookie Preferences (in this page or the footer) to re-open the banner.
• Browser-level — clear your browser's site data for zayrev.com, or enable Do Not Track / Global Privacy Control. We honor both.

Do Not Sell or Share My Personal Information (CCPA / CPRA)

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to direct businesses not to sell or share their personal information. Zay Revenue Group does not sell your personal information. We also do not share it for cross-context behavioral advertising as defined under CPRA.

If you would like to confirm this, request a copy of any personal information we hold about you, or request its deletion:

• Email: support@zayrev.com with subject line "CCPA Do Not Sell request"
• Or call: (321) 666-1102

We respond within 45 days. We will not discriminate against you for exercising any of your rights — your account, plan, and pricing remain unchanged.

You can also send a Global Privacy Control (GPC) signal from your browser; we honor GPC site-wide.

Subprocessors

Full list of third-party services we use to deliver Zay CRM and Zay-OS lives at zayrev.com/subprocessors. EU and UK customers are notified by email before any new subprocessor begins processing your data.

Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:

• We update the version number and "Last updated" date at the top of this page.
• For changes that affect your rights or expand how we use your personal data, we email registered users at least 30 days before the changes take effect.
• For minor clarifications (e.g. fixing a typo, adding a new subprocessor in the same data category), we update this page and note the change in the public changelog.
• An archive of prior versions is available on request via hello@zayrev.com.

If you do not agree with the updated policy, you may close your account at any time using the self-serve flow in Settings → Account → Delete my account or by emailing hello@zayrev.com.

Contact & legal entity

This privacy policy is published by Zay Revenue Group, LLC (EIN 42-1881359), a Florida limited liability company. Data-controller contact address:

Zay Revenue Group, LLC
555 NE 8th St Apt 107
Fort Lauderdale, FL 33304
United States

Questions or data-subject requests? Email hello@zayrev.com or call (321) 666-1102.

Privacy Officer / Data Protection contact: Abdallah Alyousef — privacy@zayrev.com. We do not currently have a formally appointed Data Protection Officer (DPO) under GDPR Art. 37 because our core activities do not require one (no large-scale special-category processing). If your jurisdiction requires a DPO, the privacy email above is the designated point of contact for data-subject requests.

EU representative (GDPR Art. 27): not currently appointed. We will appoint one before scaling EU/EEA usage above the threshold; if you are an EU/EEA data subject and need a representative for the purpose of GDPR rights, email privacy@zayrev.com and we will route to a designated representative within 30 days.

This Privacy Policy is provided for transparency and legal compliance. It does not constitute legal advice. If you have questions about your specific situation, consult an attorney licensed in your jurisdiction.