Data privacy at Zoovu and FAQs

Zoovu is deeply committed to protecting our clients’ information and ensuring compliance with all applicable data privacy laws, including GDPR, UK GDPR, and CCPA, in the delivery of our services. We recognize that data privacy is a shared responsibility, and we are dedicated to enabling our clients to use Zoovu’s services while meeting their own obligations under applicable data privacy regulations. Additionally, Zoovu adheres to the principles of privacy by design and privacy by default, embedding data protection measures into our systems and processes from the outset. This page is intended to support your compliance efforts by providing detailed information about Zoovu’s data protection practices and the options available to you regarding the data processed by Zoovu in connection with your use of our services.

1. What data does Zoovu collect?

Zoovu collects and processes the following categories of data:

  • End User Data: Data about individuals who use the client’s websites or e-commerce platforms where Zoovu services (such as a Digital Assistant) are implemented. These data subjects are natural persons interacting with the client’s online services.
  • Authorized User Data: Data about employees or other individuals authorized by the client to access Zoovu services. These data subjects may include the client’s employees, agents, or independent contractors who are given permission to access and use Zoovu’s dashboard to configure settings or retrieve information on behalf of the client.
  • Client Data: This includes data about the client’s contact details, typically related to their representatives or key contacts.
Section 5 of this document further defines our role in relation to the data that Zoovu processes.

1.1 End User Data:

Zoovu collects and processes the following types of End User Data when engaging with our services:

  • IP Address: Used for breach prevention and analysis mechanisms (anti-DDoS protection etc.).
  • Device Information: Basic browser and device information, including browser name, version, and screen resolution.
  • Behavioral Data: Clicks, navigation patterns, page visits, visit counts, and time spent on pages.
  • Session Data: Random user IDs are used for session tracking to provide customized services (e.g., language preferences) and to maintain session continuity.
  • User Interaction Data: Includes information entered by End Users into product finders, configurators, or chatbots. Examples include user preferences, search queries, and responses to guided questionnaires.

Zoovu ensures that all processed data is anonymous. IP addresses are anonymized immediately upon collection by removing (hashing) the last octet. Zoovu does not use IP addresses to track or identify End Users and no full IP addresses are stored.

Zoovu stores conversations as part of Zoovu’s reporting services (Insights) for clients and to re-train and refine our own models for future improvements, which is a key value of our service. However, all conversations are completely anonymous and cannot be linked to any individual. They are used solely to provide insights and reporting to clients and are never shared with third parties or used for any other purpose. Each conversation has a unique session key, but it is not tied to any user ID, only to a server session on Zoovu’s side. Additionally, as a matter of internal policy, Zoovu does not use fingerprinting or identity stitching. Furthermore, Zoovu has implemented measures to prevent users from entering personal data and advises End Users not to enter personal data.

1.2 Authorized Users Data:

Zoovu collects the following information from Authorized Users: their name, email address, and password. Additionally, Zoovu automatically gathers information about how Authorized Users interact with our services ("Usage Data").

Usage Data includes:

  • IP Address: Used for breach prevention and analysis mechanisms (anti-DDoS protection etc.).
  • Audit log of actions executed (e.g., John Smith added a question to assistant on 2024-12-11 05:31:12).
  • Event data: such as Digital Assistant performance, question and answer flows, navigation patterns, and product interactions.
  • Traffic source details.
  • Information on log-in and log-out times.
  • Browser and device information.

To ensure privacy, all Usage Data is anonymized, de-identified, and aggregated. This ensures that no personally identifiable information can be linked back to individual users.

1.3 Clients Data:

Zoovu collects the following information about its corporate clients:

  • Business email address
  • Name and surname
  • Business phone number
  • Business physical address (including shipping and billing addresses)
  • LinkedIn profile
  • Company name
  • Job title or position
  • Contract number

2. Why does Zoovu collect data? Purpose of processing

2.1 End User Data:

Zoovu provides its clients with the ability to understand the behavior of End Users in aggregated / statistical form. This service is called Zoovu Insights. With Zoovu Insights clients can analyse the following data:

  • Interactions of End Users within an assistant over a long period of time (up to 14 months).
  • Interactions of End Users across multiple assistants.
  • Interaction of End Users during a user journey between using an assistant and purchasing a product.

Zoovu also uses the statistical-aggregated data to help improve our products and services.

The raw data powering Zoovu Insights is securely stored in our databases and is never exposed through any user interface. It is only used to generate statistical and aggregated data, which is never shared with clients. Zoovu strictly uses statistical or aggregated insights to understand how our platform is used. The raw data primarily consists of a series of event records:

[event type: assistant start, event time: 2024-03-06, 12:34, assistant ID 126456, visit ID: 4a39f879bc2b3].

2.2 Authorized User Data:

The purpose of processing Authorized User Data is to effectively provide our services, including administrative actions such as assigning users to Clients and managing features enabled for a given Client. This also includes enabling login access to the Insights dashboard, preventing fraud and identity theft, assisting Clients in identifying the causes of system issues, evaluating the performance of our services, improving our products and services, managing billing, and settling disputes.

2.3 Clients Data:

Client Data is used to manage and fulfill the contract between Zoovu and the Client, maintain the business relationship, send direct marketing communications, and meet tax and legal obligations.

3. How does Zoovu collect data?

3.1 End User Data:

Zoovu automatically collects End User Data through cookies or similar tracking technologies. Our system uses first-party cookies on client websites via a simple div tag and script. These cookies are essential for tracking website visitors for the purposes outlined above. Our setup supports a privacy-compliant opt-out or opt-in approach when required.

If cookies or similar technologies require user consent under applicable laws (e.g., UK GDPR, GDPR, or the EU ePrivacy Directive), it is the Client’s responsibility to obtain consent from each End User. The Client must ensure their website or platform includes clear, easy-to-understand notices about the use of cookies, what data is collected, why it’s collected, and any other legal requirements. Additionally, if needed, the Client must provide users with the ability to withdraw their consent at any time. Zoovu supports Clients by providing details about the cookies or similar technologies we use. Consent is usually managed through the Client’s Consent Management Platform (CMP), which Clients can configure to meet their privacy regulations. This includes opt-in/opt-out options and categorizing Zoovu’s cookies (e.g., as strictly necessary or analytics).

Here is the list of all cookies. Clients have the flexibility to assess the importance of cookies and configure their CMP accordingly. The recommendations regarding the criticality of cookies (i.e., essential vs. non-essential) are provided as guidelines only.

3.2 Clients Data:

Clients share their data during the engagement process, and it is further processed throughout the lifecycle of the contract.

3.3 Authorized Users Data:

Authorized users provide their name and password to access our dashboard. Usage data is automatically collected through cookies or similar tracking technologies.

4. Who do we share data with?

4.1 Subprocessors

Zoovu does not sell or market data to third parties. We partner with certified third-party subprocessors and Zoovu affiliates to help deliver our services. These subprocessors store and assist in processing End User Data.

| Subprocessor | Purpose | Export mechanism | Location |
|---|---|---|---|
| Microsoft Azure | Data Center | EU Commission / UK Government adequacy decisions; EU SCCs + UK Addendum; EU-U.S. and Swiss-U.S. Data Privacy Frameworks, the UK Extension to the EU-U.S. Data Privacy Framework | EU/USA |
| Zendesk | Support platform for customers | EU Commission adequacy decisions; case-by-case basis subject to prior customer’s consent | USA |
| Cloudflare | CDN – Total Data Transfer; CDN – Request; DDoS protection; Argo; Dedicated SSL – Certificates; Enterprise – Primary – Domains; Enterprise – Secondary – Domains; Load Balancing – DNS queries; Load Balancing – Origin; Load Balancing – Data Transfer; Managed DNS – DNS queries; Rate Limiting – Rate Limiting Requests; WAF | EU Commission / UK Government adequacy decisions; EU SCCs + UK Addendum; EU-U.S. and Swiss-U.S. Data Privacy Frameworks, the UK Extension to the EU-U.S. Data Privacy Framework | EU/USA |

4.2 Vendor audits

Zoovu audits its vendors, both at the time of onboarding and thereafter, to ensure that they adhere to data privacy laws and regulations, have appropriate organizational and technical measures in place, and sign all relevant Data Processing Addendums and Standard Contractual Clauses where applicable.

4.3 Intragroup data flows:

All Zoovu entities have signed a Group Data Transfer Agreement incorporating the Standard Contractual Clauses mandated by Decision (EU) 2021/914 of 4 June 2021, for the transfer of personal data to third countries under GDPR. Additionally, the agreement includes the international data transfer addendum to the European Commission’s Standard Contractual Clauses issued under Section 119A of the UK Data Protection Act 2018, for data transfers under UK GDPR:

| Affiliate | Purpose and Role | Location |
|---|---|---|
| Zoovu Limited | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | UK |
| Zoovu (Austria) GmbH | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | Austria |
| Zoovu (Germany) | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | Germany |
| Zoovu (Poland) sp. z o.o. | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | Poland |
| Zoovu (USA) Inc | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | USA |
| Zoovu Canada Inc | Ongoing operating activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | Canada |
| Zoovu (USA) Holdings LLC | Activity and business of Zoovu Group companies, including managing customer, partner, vendor, employees and shareholder relationships. Data (joint) controller/processor | USA |

4.4 Where does Zoovu store data?

End User Data of our clients based in the European Economic Area (EEA) is hosted by default on an EU-based instance of Microsoft Azure (The Netherlands). Additionally, interactions of EEA-based users with Zoovu are managed through EU-based Cloudflare servers.

Zoovu also offers a US-based instance (Azure US, North Virginia). Following the European Commission's adequacy decision in July 2023 for the EU-US Data Privacy Framework, the US is deemed to provide an adequate level of protection for personal data transferred to participating US companies, of which Microsoft is one. To further safeguard cross-border data transfers to the US, Zoovu incorporates Standard Contractual Clauses (SCCs) in its Data Processing Agreement, ensuring compliance with the strict standards of GDPR and UK GDPR.

5. What’s the lawful basis for processing? Grounds for data processing

Zoovu acts as the processor of End User Data. As a processor, Zoovu does not determine the lawful basis for processing End User Data; under GDPR and UK GDPR this responsibility lies with the controller (Zoovu's clients), who are required to establish the appropriate legal ground for processing. Under the CCPA, Zoovu is categorized as a "service provider" when the client falls under the definition of “business”.

Zoovu is the controller of Client Data and Authorized User Data. The primary legal basis for processing these data types is the necessity for entering into and performing contractual obligations. Additionally, the legitimate interest in maintaining and managing business relationships serves as a secondary basis for processing Client Data.

6. Security in Zoovu. Technical and organizational security measures.

Zoovu complies with industry-recognized security frameworks, including SOC 2 and ISO 27001, to safeguard clients’ data. To ensure the highest level of security and compliance, Zoovu has implemented the following technical and organizational measures:

  1. Information Security Management System (ISMS): Audited and certified based on globally recognized standards (ISO 27001, SOC 2 Type 2).
  2. Regular Security Audits: Conducted to proactively identify and address potential vulnerabilities.
  3. Zoovu Platform Access Controls:
    • Regular review of user accounts and access permissions.
    • Dedicated accounts for each Zoovu Platform user.
    • Automatic log-out after defined periods of inactivity.
    • Restricted administrative access to authorized personnel only.
  4. Endpoint Security: Comprehensive anti-virus protection and data encryption on all devices.
  5. Business Continuity: Implementation and annual testing of a robust business continuity plan.
  6. Data Backups: Regularly performed to ensure data availability and integrity.
  7. Secure Development Lifecycle (SDLC): Established procedures to enhance application security.
  8. Customer-Specific Authentication: Optional integration with SAML 2.0 for enhanced authentication.

Additionally, we enforce strict internal policies on data protection, and all Zoovu employees undergo annual training to stay updated on data privacy and security best practices.

7. Data retention periods:

| Data category | Retention period |
|---|---|
| End User Data | 1 year after client contract ends |
| Clients Data | 6 years after contract ends |
| Authorized User Data | 6 years after contract ends |

8. How do we enable the exercise of users’ data rights?

Through the client’s CMP, Zoovu enables End Users to exercise their data protection rights, particularly their ability to control tracking via opt-in and opt-out mechanisms:

  • Opt-In/Opt-Out Functionality:
    • End Users can opt in to or opt out of tracking via the methods Zoovu.trackingOptIn() and Zoovu.trackingOptOut().
    • These methods are available on pages with Zoovu digital assistants and can also be applied site-wide.
  • Integration with Client Websites:
    • Zoovu's clients are responsible for embedding these methods into their cookie consent or tracking systems.
    • For example, an “Accept All” button on a cookie banner triggers the opt-in method, while declining cookies triggers opt-out.
  • Variants for Implementation:
    • Clients can choose between site-wide or assistant-specific integration, depending on their website setup.
  • Consent Management Compatibility:
    • Zoovu supports integration with existing consent management platforms (CMPs), helping clients comply with regulations like the GDPR and the ePrivacy Directive.
  • Focus on Compliance and User Control:
    • End Users are provided with transparency and control over their data tracking preferences, ensuring compliance with applicable legal requirements.

This system empowers End Users to manage their tracking preferences while aligning with regulatory standards.
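The banner-to-method wiring described above, as an added example that is not Zoovu's or any client's own code. Only `Zoovu.trackingOptIn()` and `Zoovu.trackingOptOut()` come from this page; the bridge, its method names, the stub object and the assumption that the Zoovu script may load after the banner fires are hypothetical.

```javascript
// Added example: forwards a cookie-banner decision to the two methods named
// on this page. The bridge and stub are hypothetical illustration code.
function createZoovuConsentBridge(getZoovu) {
  let pending = null; // latest decision not yet delivered: true | false | null

  function deliver(granted) {
    const z = getZoovu();
    const method = granted ? "trackingOptIn" : "trackingOptOut";
    if (!z || typeof z[method] !== "function") return false; // not loaded yet
    z[method]();
    return true;
  }

  return {
    // Call from the CMP callback. Anything other than an explicit `true`
    // counts as a refusal, so a malformed event never opts the user in.
    setConsent(granted) {
      const decision = granted === true;
      pending = deliver(decision) ? null : decision;
      return pending === null;
    },
    // Call once the Zoovu script has loaded to apply a queued decision.
    flush() {
      if (pending !== null && deliver(pending)) pending = null;
      return pending === null;
    },
    hasPending() { return pending !== null; }
  };
}

// Constructed stub standing in for the real Zoovu global, so this runs offline.
function makeStubZoovu() {
  const calls = [];
  return {
    calls,
    trackingOptIn() { calls.push("optIn"); },
    trackingOptOut() { calls.push("optOut"); }
  };
}

function demo() {
  let zoovu;                        // script not loaded yet
  const bridge = createZoovuConsentBridge(() => zoovu);
  bridge.setConsent(true);          // "Accept All" clicked early: queued
  bridge.setConsent(false);         // user declines afterwards: latest wins
  zoovu = makeStubZoovu();          // script finishes loading
  bridge.flush();                   // delivers the queued opt-out
  bridge.setConsent(true);          // later opt-in goes straight through
  bridge.setConsent("yes");         // non-boolean is treated as a refusal
  return zoovu.calls;
}
```

On a real page the getter would be something like `() => window.Zoovu`, and `setConsent` would be called from the CMP's accept and decline callbacks.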

Any other requests to exercise privacy rights can be sent to the following email address: [email protected] or to Zoovu Limited, 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom. Alternatively, you can fill in the contact form on our Contact page to submit your request.

9. Does Zoovu have a Data Protection Officer?

Yes, Zoovu’s Data Protection Officer contact details are below:

Aphaia Ltd
Eagle House
163 City Road, London
EC1V 1NR

DPO Telephone: +44 20 3917 4158
Email address: [email protected]

Last updated in February 2025

Obligatory disclaimer: The content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR, UK GDPR and/or CCPA may or may not apply to you.