ZZRO LABS← BACK
LEGAL · POLARE GROUP SÀRL

GDPR Compliance

Last updated: 1 May 2026 · Polare Group Sàrl, Geneva, Switzerland

This page explains how Polare Group Sàrl complies with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Swiss Federal Act on Data Protection (nFADP, in force 1 September 2023). We treat compliance with these frameworks not as a minimum requirement but as an architectural design principle.

1. Our Commitment

Privacy is built into ZRO Labs products from the ground up. We collect the minimum data necessary to provide our services. We do not monetise user data. We do not sell, broker, or share personal data for advertising purposes.

ZRO Ghost (usezro.app) collects no data whatsoever — it operates entirely on-device with no server communication.

2. Lawful Bases for Processing

Under Article 6 GDPR, we rely on the following lawful bases:

  • Contract (Art. 6(1)(b)): processing your account and payment data to deliver services you have contracted for.
  • Legal obligation (Art. 6(1)(c)): retaining records as required by Swiss commercial and tax law.
  • Legitimate interests (Art. 6(1)(f)): anonymised analytics and security monitoring, where our interests do not override your rights.
  • Consent (Art. 6(1)(a)): optional cookies and marketing communications, obtained separately via a compliant consent mechanism.

3. Data Subject Rights

As a data subject under GDPR, you have the following rights, exercisable by contacting privacy@zrolab.com:

  • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification (Art. 16): correct inaccurate personal data.
  • Right to erasure (Art. 17): request deletion where data is no longer necessary, consent has been withdrawn, or processing is unlawful.
  • Right to restriction (Art. 18): limit processing during the resolution of a dispute or objection.
  • Right to portability (Art. 20): receive your data in a machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Rights related to automated decisions (Art. 22): we do not make solely automated decisions with significant legal effects.

We will respond to all verifiable requests within 30 days. No fee is charged for reasonable requests.

4. Data Transfers

Switzerland is recognised by the EU Commission as providing adequate data protection. Our primary data processing occurs within Switzerland and the EEA. Where transfers occur outside these regions (e.g. authentication via Apple or Google), we implement Standard Contractual Clauses (SCCs) and verify the adequacy of safeguards.

5. Data Processor Relationships

Where we engage third-party processors (hosting providers, payment processors), we enter into Data Processing Agreements (DPAs) compliant with Art. 28 GDPR. Our processors operate under contractual obligations equivalent to those we hold ourselves.

6. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34 GDPR).

7. Privacy by Design and by Default

In accordance with Art. 25 GDPR, our engineering practices implement privacy by design and by default:

  • Minimum data collection — we collect only what is strictly necessary
  • Pseudonymisation of analytics data wherever feasible
  • Role-based access controls for all internal systems
  • Regular data protection impact assessments for new features
  • Encrypted storage and encrypted transit (TLS 1.3 minimum)

8. Data Protection Officer

We have designated a responsible person for data protection matters. For all GDPR-related inquiries:

Privacy Contact
Polare Group Sàrl
c/o Russell Bedford Fiduciaire Genève SA
Rue Jean-Petitot 7, 1204 Genève, Switzerland
Email: privacy@zrolab.com

9. Supervisory Authority

You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):

Feldeggweg 1, 3003 Berne, Switzerland
Website: edoeb.admin.ch

EU residents may also contact the supervisory authority in their member state of residence.

10. Swiss nFADP Compliance

Our practices also comply with the revised Swiss Federal Act on Data Protection (nFADP) which entered into force on 1 September 2023. The nFADP aligns closely with GDPR and provides equivalent protections for Swiss residents.