Privacy Policy
Last updated: 14 March 2026
1. Who we are
Zolo is a service operated as a sole proprietorship based in the Netherlands, accessible at getzolo.app. For privacy inquiries, contact us at admin@getzolo.app.
2. What data we process
We process the following categories of personal data:
- Account data — name, email address, company name, chamber of commerce number, VAT number, IBAN, address details and profile photo.
- Client data — name, address, email, phone number and VAT number of your clients as entered by you.
- Financial data — invoices, quotes, credit notes, project information and time entries.
- Purchase invoices and attachments — uploaded PDF files and images stored in secure cloud storage (Supabase Storage).
- Technical data — IP address, browser type and session information for security and debugging.
- AI usage data — anonymous telemetry about AI feature usage. No content of quotes or invoices is retained by the AI provider.
3. Why we process this data
- Providing and improving the Zolo service (contractual obligation).
- Account authentication and security (legitimate interest).
- Sending transactional emails such as invoices, quotes and reminders (contractual obligation).
- Compliance with legal obligations, such as fiscal record-keeping requirements (legal obligation).
4. Sub-processors
We use the following sub-processors. All parties are located in or process data within the EU, or provide adequate safeguards:
| Party | Purpose | Location |
|---|---|---|
| Supabase | Database & file storage | Frankfurt, EU |
| Vercel | Hosting & serverless | EU region |
| Anthropic | AI generation (quotes) | US — no training data |
| Resend | Transactional email | EU-compatible |
| Stripe | Payments (future) | EU-compatible |
5. Retention periods
We retain your data as long as your account is active. Upon cancellation, all personal data is permanently deleted within 30 days, unless a legal retention obligation applies. Fiscal records (invoices, purchase invoices) are subject to a mandatory retention period of 7 years under Dutch law.
Note: The 7-year retention obligation is your own responsibility as a business owner. We recommend exporting your data before closing your account.
6. Your rights
As a data subject, you have the following rights under the GDPR:
- Access — you can request what data we hold about you.
- Rectification — incorrect data can be corrected via settings or by contacting us.
- Erasure — you can request deletion of your data (right to be forgotten), unless a legal retention obligation applies.
- Data portability — you can request an export in a machine-readable format.
- Objection — you can object to processing based on legitimate interest.
Contact us at admin@getzolo.app to submit a request. We respond within 30 days.
7. Security
Zolo implements appropriate technical and organisational measures to protect your data, including AES-256 encryption at rest, TLS 1.2+ in transit, Row Level Security (RLS) ensuring users can only access their own data, and restricted staff access.
8. Contact and complaints
For questions or requests: admin@getzolo.app.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.