Privacy Policy
ZRO Lab SA (“ZRO”, “we”, “us”) operates the ZRO Site platform and associated services. This Privacy Policy explains what personal data we collect, why we collect it, how we store and protect it, and what rights you have. It applies to all users of ZRO, regardless of location.
We are committed to full compliance with the Swiss Federal Act on Data Protection (nFADP, in force since 1 September 2023) and the EU General Data Protection Regulation (GDPR). Where these frameworks differ, we apply whichever standard is stricter.
1. Data Controller
The data controller responsible for your personal data is ZRO Lab SA, Geneva, Switzerland. You can reach our Data Protection Officer at privacy@zrolab.com.
2. Data We Collect
Account data. When you create an account, we collect your name, email address, company name, role, and a salted password hash. This data is provided directly by you during registration.
Usage data. We automatically collect login timestamps, feature usage events, API request metadata, and error logs. This data is used for security monitoring, service reliability, and product improvement.
Project data. Everything you upload or create inside ZRO -- estimates, bills of quantities, photos, CAD files, documents, and field reports. This data belongs to you. We process it solely to provide the service and never use it to train foundation models or share it with third parties.
Billing data. Payment processing is handled by our payment provider. We store invoice records and the last four digits of your payment method for receipt purposes only. We never store full card numbers.
Communication data. If you contact us via email or in-app support, we retain the content of those communications to resolve your inquiry and improve our service.
3. Purpose and Lawful Basis
We process account and project data on the basis of the contract between you and ZRO (GDPR Art. 6(1)(b); nFADP Art. 31(1)). We process usage data and security logs on the basis of our legitimate interest in providing a secure, reliable service (GDPR Art. 6(1)(f)). We process billing data where required by legal obligations (GDPR Art. 6(1)(c)), including Swiss commercial record-keeping requirements.
4. Data Storage and Residency
All personal data and project data are stored in data centers located in Switzerland and the European Union. We do not replicate data to jurisdictions outside the EU/EEA and Switzerland. Self-hosted deployments are controlled entirely by the customer and never touch our infrastructure.
Data at rest is encrypted using AES-256. Data in transit is encrypted using TLS 1.3. Database backups are encrypted and stored in the same jurisdiction as the primary data.
5. Data Retention
Account data is retained for the lifetime of your account plus 30 days after deletion. Project data is retained for the lifetime of your account and is exportable at any time via the platform. Billing records are retained for ten years as required by Swiss commercial law (Art. 958f CO). Security and access logs are retained for 90 days.
6. Your Rights
Under the GDPR and nFADP, you have the following rights regarding your personal data:
- Right of access -- obtain a copy of your personal data
- Right to rectification -- correct inaccurate data
- Right to erasure -- request deletion (“right to be forgotten”)
- Right to restrict processing
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to processing based on legitimate interest
To exercise any of these rights, email privacy@zrolab.com. We will respond within 30 days. If we need additional time, we will inform you of the reason and the expected timeline.
7. Sub-processors
We use a limited number of carefully vetted sub-processors for hosting infrastructure, transactional email delivery, and payment processing. All sub-processors are contractually bound to equivalent data protection standards. A current list is available upon request at privacy@zrolab.com.
8. Cookies and Tracking
We use essential cookies only: authentication tokens, session identifiers, and CSRF protection. We do not use analytics cookies, advertising trackers, or third-party tracking pixels.
9. International Transfers
We do not transfer personal data outside of Switzerland and the EU/EEA. In the event that a transfer becomes necessary (for example, due to a sub-processor change), we will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and a transfer impact assessment.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Art. 33-34 and nFADP Art. 24.
11. Children
ZRO is a professional construction estimation platform and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
If we make material changes to this policy, we will notify active users by email at least 30 days before the changes take effect. The effective date at the top of this page reflects the most recent revision.
13. Contact and Complaints
For questions, complaints, or data subject requests, contact us at privacy@zrolab.com. You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, if you are in the EU, your local supervisory authority.