Privacy Policy

Key points (plain English)

• Zotrack is built for business use. We process workspace data to provide the Service.
• For most in-app workspace data, your employer/customer is the controller and we are the processor.
• We use logs and analytics to secure the Service, prevent abuse, and improve reliability.
• We do not sell personal data.

Who we are

The Service is provided by TalphaSolutions.

Scope

This policy covers:

• Website visitors (marketing site pages, cookie banner/consent, demo forms)
• Prospects who request a demo or contact us
• Users of the Zotrack application (Admins, Managers, Employees)

Controller vs Processor

Data protection law distinguishes between a "controller" (decides why/how personal data is processed) and a "processor" (processes on behalf of a controller).

When we act as a controller

We act as a controller for:

• marketing website activity and cookie preferences,
• demo requests and sales/support communications,
• account administration and billing (where applicable),
• security monitoring, fraud prevention, and protecting the Service.

When we act as a processor

We act as a processor when we process Customer Data inside a customer workspace on behalf of a business customer (the "Customer"), such as:

• employee profiles and roles,
• leave requests, balances, approvals,
• expense submissions and receipt attachments,
• invoices/quotes/receipts and contact details entered by Customer,
• resource allocation plans and utilisation.

If you are a User within a Customer workspace, your employer/Customer is typically the controller. Requests about in-workspace data should usually be directed to the Customer (we assist them as required).

Personal data we collect

We collect personal data in three main ways: (a) data you provide, (b) data collected automatically, and (c) data processed in customer workspaces.

Data you provide to us directly

• Demo/contact: name (optional), work email, company name (optional), company size (optional), message content.
• Account/admin: work email, name (optional), role, authentication details (stored securely).
• Support: communications with us and any files you attach.

Data we collect automatically

• Device/log data: IP address, device type, browser type, timestamps, approximate location derived from IP.
• Usage data: feature usage events, performance metrics, error logs, audit logs (who did what and when).
• Security data: suspicious activity signals, failed login attempts, rate limit events, abuse prevention telemetry.

Customer Data in workspaces (processor data)

Depending on configuration and use, Customer Data may include:

• employee identity (name, work email), role and permissions,
• leave records and approval history,
• expenses, amounts, categories, project/client references, receipt images/files,
• invoice/quote/receipt details and recipient contact details,
• planning/allocation information linked to employees/projects.

Sensitive data

Zotrack is not designed for special category data (e.g., medical details) or highly sensitive identifiers unless necessary and lawful. Customers should avoid uploading such data (especially inside attachments) unless they have a lawful basis and safeguards.

How we use personal data

We use personal data to:

• provide, operate, maintain, and support the Service,
• authenticate users and enforce role-based permissions,
• process demo requests and respond to enquiries,
• provide customer support and troubleshoot issues,
• monitor, prevent, and investigate abuse, fraud, and security incidents,
• measure and improve performance, reliability, and user experience,
• comply with legal obligations and enforce our Terms.

Aggregated / de-identified analytics

We may create and use aggregated and/or de-identified datasets that do not identify individuals and are not reasonably linkable back to a specific Customer, for analytics, benchmarking, and product improvement.

Legal bases (UK/EU)

Where applicable, we rely on:

• Contract (to provide the Service and support)
• Legitimate interests (security, fraud prevention, service improvement, business operations)
• Consent (non-essential cookies and optional marketing where required)
• Legal obligation (compliance with law, recordkeeping, lawful requests)

If processing is based on legitimate interests, you can object in certain circumstances by contacting support@zotrack.com.

Google Analytics (GA4)

We use Google Analytics 4 to understand how visitors use our website and to improve performance and content.

What GA4 collects (examples)

• pages viewed and navigation paths,
• approximate location (country/region),
• device and browser information,
• events such as clicks, scrolls, and time on page.

Cookies and identifiers

GA4 may use cookies or similar identifiers to distinguish unique browsers and measure usage.

IP addresses

We do not use Google Analytics to store IP addresses in our analytics reports.

Consent and controls

• We load analytics only after you accept analytics cookies where consent is required.
• You can withdraw consent at any time using our cookie settings (cookie banner or settings link).
• You can also control cookies via your browser settings.

Retention

We retain analytics data for a limited period configured in GA4 and then it is deleted or anonymised.

Cookies and similar technologies

We use cookies and similar technologies for:

• essential operation (sessions, security),
• preferences,
• analytics (Google Analytics, with consent where required).

Cookie categories

• Essential cookies: required for the website to function.
• Analytics cookies: help us understand usage and improve the site.
• Preference cookies: remember settings (where applicable).

If you disable cookies, some site features may not work correctly.

Sharing of personal data

We may share personal data with:

• service providers (hosting, storage, email delivery, monitoring) who process data under our instructions,
• professional advisers under confidentiality,
• authorities if required by law or valid legal process,
• parties involved in a corporate transaction (e.g., acquisition) with appropriate safeguards.

We do not sell personal data.

Subprocessors

We use subprocessors to provide the Service (for example cloud hosting and monitoring). We require subprocessors to protect personal data appropriately.

Subprocessor list: available on request by emailing support@zotrack.com.

International transfers

Personal data may be processed outside the UK/EEA. Where required, we use appropriate safeguards (such as standard contractual clauses or UK transfer mechanisms) and take steps to protect data during transfer.

Data retention

We retain personal data only as long as necessary for:

• providing the Service,
• maintaining security and preventing abuse,
• backups and disaster recovery,
• complying with legal obligations,
• establishing, exercising, or defending legal claims.

Retention periods may vary depending on data type, contract term, and operational needs. Customers should export any needed data before cancellation/termination.

Security

We implement reasonable technical and organisational measures such as:

• encryption in transit (TLS),
• role-based access controls,
• tenant/workspace separation,
• monitoring and logging,
• backups and recovery procedures.

No system is 100% secure. You are responsible for keeping your credentials confidential and choosing strong passwords.

Your rights

Depending on your location, you may have rights such as:

• access,
• correction,
• deletion,
• restriction,
• portability,
• objection,
• rights relating to automated decision-making.

How to exercise your rights

Email support@zotrack.com. To protect accounts, we may need to verify your identity before acting on a request.

If you are a User within a Customer workspace, your employer/Customer may need to action requests as the controller. We will assist the Customer as required.

Complaints

If you are in the UK, you can complain to the Information Commissioner's Office (ICO). If you are in the EEA, you may complain to your local supervisory authority.

Marketing communications

If we send marketing emails, you can opt out at any time via the unsubscribe link or by contacting support@zotrack.com.

Service/transactional messages may still be sent where necessary (e.g., security, account notices).

Automated decision-making

We do not typically use automated decision-making that produces legal or similarly significant effects. If we introduce this, we will update this policy.

Third-party links

Our website may include links to third-party sites. We are not responsible for the privacy practices of those sites.

Changes to this policy

We may update this policy from time to time. The "Last updated" date will change, and material changes may be communicated via the website or Service.

Contact

Email: support@zotrack.com