Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: When you create a Zynk account, we collect your name, email address, and password (hashed, never stored in plaintext).
• Profile Information: Your display name, role/title, and optional profile photo.
• Meeting Data: Meeting titles, descriptions, dates, times, and platform preferences you create within Zynk.
• Organization Data: Organization names and member email addresses for team features.

1.2 Information Collected Automatically

• Device Information: Device type, operating system, app version, and unique device identifiers.
• Usage Data: Features used, screens viewed, and interaction patterns within the app.
• Push Notification Tokens: Device tokens for delivering meeting reminders (stored encrypted).
• Log Data: App errors, crash reports, and performance data for debugging purposes.

1.3 Information from Third-Party Services

When you connect third-party services, we receive:

• Google OAuth: Access tokens for Google Calendar API (calendar events, meeting links). Scopes: calendar.read, calendar.events.
• Microsoft OAuth: Access tokens for Microsoft Graph API (Teams meetings, Outlook Calendar). We request minimal necessary scopes.
• Zoom OAuth: Access tokens for Zoom API (create meetings, retrieve join links).

All OAuth tokens are encrypted using AES-256 before storage. We only request scopes necessary for the features you enable.

2. How We Use Your Information

We use the collected information to:

• Provide, operate, and maintain the Zynk service
• Sync your calendar events and meeting data across integrated platforms
• Create and manage Zoom, Teams, and Google Meet meetings on your behalf
• Send push notifications for meeting reminders you've configured
• Enable team collaboration features within Organizations
• Improve our app based on usage patterns and feedback
• Detect and prevent fraud, abuse, and security threats
• Comply with legal obligations

3. Data Storage and Security

Zynk uses Supabase — a SOC 2 Type II compliant, open-source Firebase alternative — for database storage and authentication. Your data is hosted on servers located in the US East regionby default, with automated backups and encryption at rest using AES-256.

Security measures we employ:

• All data transmission encrypted via TLS 1.3
• OAuth tokens encrypted at rest with AES-256
• Row-Level Security (RLS) policies on all database tables
• Regular security audits and penetration testing
• Strict employee data access controls and audit logs

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in these circumstances:

• Service Providers: Supabase (database/auth), AWS (infrastructure), Expo (push notifications). All are contractually bound to data protection standards.
• Team Members: Within Organizations, certain profile information (name, avatar) is visible to org members you've invited or who've invited you.
• Legal Requirements: If required by law, court order, or to protect safety and rights.
• Business Transfer: In case of merger or acquisition, with advance notice to users.

5. Third-Party Integrations

When you connect Google, Microsoft, or Zoom, your usage of those platforms is also governed by their respective privacy policies:

• Google Privacy Policy
• Microsoft Privacy Statement
• Zoom Privacy Statement

You can disconnect any integration at any time from Settings → the relevant integration page. We will revoke tokens and delete related data within 30 days.

6. Data Retention

• Account Data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Meeting Data: Retained for 2 years or until you delete meetings manually.
• OAuth Tokens: Deleted immediately upon disconnecting an integration.
• Log Data: Retained for 90 days for debugging purposes, then permanently deleted.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data via the app's Settings.
• Erasure: Request deletion of your account and all associated data.
• Portability: Receive your data in a machine-readable format.
• Objection: Object to certain processing activities.
• Withdraw Consent: Disconnect integrations or delete your account at any time.

To exercise these rights, contact us at privacy@zynk.app.

8. Children's Privacy

Zynk is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it immediately.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.

10. Cookies and Tracking

The Zynk mobile app does not use browser cookies. If you access Zynk via the web, we use essential session cookies only for authentication. We do not use advertising or tracking cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email at least 14 days before changes take effect. Continued use after the effective date constitutes acceptance.

12. Contact Us

For privacy-related questions or requests, contact us at:

• Email: privacy@zynk.app
• Address: Zynk Privacy Team, [Your Company Address]
• DPO: For GDPR inquiries: dpo@zynk.app