Legal
Privacy Policy
Last updated: 15 June 2026 · Effective: 15 June 2026
This Privacy Policy explains how Zentrovia Solutions Pvt. Ltd. ("Zentrovia", "we", "us") collects, uses, and protects information in connection with the ZenPub platform ("Platform"). It covers two distinct relationships: our platform customers (publishers, learned societies, aggregators) and the end users (patrons, institutional administrators) who access content through customer-operated storefronts.
1. Data We Collect From Platform Customers
When you sign up for ZenPub we collect:
- Account data — organisation name, admin name, email address, password (hashed)
- Billing data — processed by Stripe; we store only plan tier, invoice history, and the last 4 digits of your card
- Configuration data — domain settings, branding assets, pricing rules, vocabulary preferences you set up in the admin panel
- Usage telemetry — API request counts, storage consumed, bandwidth used — used to calculate plan limits and generate your usage dashboard
- Support communications — emails and messages you send us
2. Data We Process On Your Behalf (End User Data)
When your patrons and institutional administrators use your ZenPub-powered storefront, we process data on your behalf as a data processor. You are the data controllerfor this data. We process:
- Authentication credentials (email/password or SSO/SAML attributes)
- IP addresses and institution identifiers for access control
- Content access logs (title, chapter, timestamp) required to generate COUNTER 5.1 reports for your institutional buyers
- Personal annotations, bookmarks, and highlights explicitly saved by end users
- Reading progress data for the mobile and web reader
We do not cross-reference or combine end user data across different customer tenants. A patron of one publisher's ZenPub portal has no data shared with another publisher's portal.
3. How We Use This Data
- To operate, maintain, and improve the Platform
- To generate COUNTER 5.1 usage reports on your behalf
- To enforce plan storage and bandwidth limits and send overage alerts
- To process payments and send billing communications
- To respond to support requests
- To send material service updates (not marketing, unless you opt in)
We do not sell, rent, or share any personal data with third parties for advertising or marketing purposes. We do not build advertising profiles from reading activity.
Lawful basis (GDPR Article 6)
- Contract performance (Art. 6(1)(b)) — account, billing, and platform operations
- Legitimate interests (Art. 6(1)(f)) — security monitoring, abuse prevention, service analytics
- Legal obligation (Art. 6(1)(c)) — tax records, breach notification obligations
- Consent (Art. 6(1)(a)) — optional marketing communications; you may withdraw consent at any time
4. Sub-Processors
We use the following sub-processors to operate the Platform. All are bound by data processing agreements consistent with GDPR requirements:
5. Data Retention
- Customer account data — retained for the duration of your subscription plus 30 days post-termination for export, then deleted
- COUNTER access logs — retained for 26 months (COUNTER 5.1 audit requirement), then anonymised or deleted
- Billing records — retained for 7 years as required by Indian tax law
- Support communications — retained for 2 years
- End user annotations and reading progress — deleted when the end user account is deleted or upon your written instruction
6. Cookies and Tracking
The ZenPub marketing site (zenpub.zentrovia.tech) uses only strictly necessary cookies for session management. No advertising, analytics, or fingerprinting cookies are loaded.
Your tenant-operated storefront inherits this policy by default. If you add your own analytics (e.g. a Google Analytics Measurement ID in your admin settings), you are responsible for notifying your end users and obtaining required consents.
7. Your Rights (GDPR and Applicable Law)
If you are in the EEA, UK, or another jurisdiction with applicable data protection law, you have the right to access, correct, delete, port, or restrict processing of your personal data. To exercise any right, contact privacy@zentrovia.tech. We will respond within 30 days.
For end users of your storefront, you (as data controller) are the first point of contact for data subject requests. We will assist you in fulfilling requests as required under our DPA.
If you are in the EEA or UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local supervisory authority. UK residents may contact the Information Commissioner's Office (ICO); EEA residents may contact their national DPA.
8. Security
We implement industry-standard security controls: encryption at rest (AES-256) and in transit (TLS 1.2+), row-level security isolating tenant data, short-lived signed URLs for content delivery, timing-safe token comparison, and regular security reviews. See our Security page for full details.
9. International Transfers
Zentrovia is incorporated in India. Our infrastructure is primarily hosted in the USA via AWS. Transfers from the EEA or UK to our sub-processors are covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. Contact us if you require data residency in a specific region — EU-region hosting is available on request.
10. Changes to This Policy
We will notify platform customers by email at least 30 days before any material changes to this Policy take effect. The current version is always available at this URL.
11. Contact
Data protection enquiries, DPA requests, or to exercise your rights:
Data Protection OfficerZentrovia Solutions Pvt. Ltd.
Bangalore, India
privacy@zentrovia.tech