Zerovial is the data controller for every researcher account, every order on file, and every WhatsApp thread we receive. This Policy explains exactly what personal data we collect, why we collect it, who processes it on our behalf, how long we keep it, and how you exercise the rights the EU GDPR, the UK GDPR, the CCPA / CPRA and the LGPD grant you over that data.
Zerovial is the data controller for personal data collected through zerovial.com, the Account system, the cart and checkout flows, the WhatsApp researcher channel, and the email and ticketing inboxes published in this site footer. Where Zerovial is established outside the European Union, we appoint an EU representative under Article 27 of the EU GDPR; the representative name and address are published in the entity block at the bottom of this page once registration is finalised.
All privacy correspondence (access requests, rectification, deletion, portability, objection, complaints) should be sent to privacy@zerovial.com. We aim to acknowledge within five (5) business days and to substantively respond within thirty (30) days. Where the request is complex we may extend by a further sixty (60) days under Article 12(3) GDPR, with notice.
We follow data-minimisation: we only collect the personal data we need to verify research eligibility, fulfil orders, ship cold-chain boxes through DHL Express or FedEx, comply with HMRC and customs paperwork, run the WhatsApp and email support inboxes, and document the research-use attestation for the regulatory file.
Under Article 6 of the EU GDPR and the parallel UK GDPR, every act of processing is grounded in one of the bases below. We do not rely on consent for processing that is essential to deliver an Order; we rely on contract or legitimate interest, which is the bar appropriate to the activity.
Zerovial operates with a small, deliberately curated set of processors. Each processor is bound by a written Data Processing Agreement under Article 28 GDPR, with appropriate Standard Contractual Clauses where data leaves the United Kingdom or the EEA. The list below is the public sub-processor register and is updated as the stack changes.
Most processing happens inside the United Kingdom or the European Economic Area. Where personal data is transferred to a third country (for example, to a courier hub or a payment processor with a US legal entity), the transfer is supported by one of the following safeguards under Chapter V GDPR: (a) an adequacy decision; (b) Standard Contractual Clauses signed with the importer, with a transfer impact assessment on file; or (c) the strict necessity exception in Article 49(1)(b) for the rare case of a single courier handoff that cannot be performed otherwise.
We do not transfer personal data to jurisdictions on the EU restricted list and we do not transfer data to any country under sanctions screened by the UK Office of Financial Sanctions Implementation (OFSI).
We retain personal data only for as long as we have a lawful purpose to do so. The table below is the canonical retention schedule. After the listed period the records are deleted or pseudonymised; aggregate, non-identifiable analytics may be retained indefinitely.
You have the rights below under the EU GDPR and the parallel UK GDPR. Where you reside in California, the rights described in the California Consumer Privacy Act / CPRA also apply and we honour them in parallel; where you reside in Brazil, the LGPD applies; where you reside in Switzerland, the revFADP applies. Equivalent rights in other jurisdictions are honoured to the extent the law applies to us.
Zerovial uses cookies and equivalent storage to make the cart, checkout, language switch and Account session work, and to measure how visitors and advertising campaigns reach the site. For advertising measurement we run the Meta pixel and the Meta Conversions API, which attribute orders to the campaign that referred a researcher; for traffic analytics we run Google Analytics 4. We do not sell personal data, and we do not load cross-site retargeting networks, data brokers, or audience-graph trackers beyond the Meta and Google measurement described here.
We follow a layered security approach: encryption in transit (TLS 1.3 only), encryption at rest on the database, role-based access on the admin console, audit logs on every privileged action, time-limited support-staff access tokens, and code-review on every change that touches personal data. The infrastructure providers we rely on are SOC 2 Type II audited where available, and ISO 27001 certified where available.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we notify the UK ICO within seventy-two (72) hours of becoming aware, and we notify affected researchers without undue delay where the risk is high (Articles 33 and 34 GDPR). The notice describes the nature of the breach, the categories and approximate volumes affected, the likely consequences, and the measures taken or proposed.
The Site and the Service are not directed to anyone under the age of 21. The minimum age to create an Account or to place an Order is 21 years, regardless of the local age of majority. We do not knowingly collect personal data from minors. If you believe a minor has created an Account or shared data with us, please write to privacy@zerovial.com and we will delete the record on verification.
We update this Privacy Policy when our processing meaningfully changes, for example when we add or remove a processor, change a retention period, or expand to a new jurisdiction. Material changes are notified by email to all Account holders at least fourteen (14) days before they take effect, except where a shorter notice is required to comply with law. The currently effective version is always the one published on this page, with the date stamp visible at the top of the document.
Where you connect a Google account to Zerovial, Zerovial's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You may connect a Google account to authorise Zerovial to read Gmail messages or send Gmail messages on your behalf. Examples include importing an Order-related email into your Account, attaching a researcher email to a support ticket, and sending a quote or shipping notification from your own Gmail address. This section is the canonical disclosure of what Google user data we access, why we access it, how we protect it, how long we keep it, and how you remove it.
Zerovial does not transfer Google user data to third parties except as necessary to provide or maintain the user-facing feature you authorised, to comply with applicable law, or as part of a merger, acquisition or sale of assets where you receive notice. Zerovial does not use Google user data for advertising of any kind, including retargeting, personalised advertising, or interest-based advertising. Zerovial does not allow humans to read your Gmail data, except (a) with your explicit consent for the specific message or thread, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised and is used to maintain features that are not user-facing. Zerovial does not use Google user data to develop or train generalised or non-personalised artificial intelligence or machine learning models.
All six documents form one binding agreement between Zerovial and every researcher with a Zerovial account or order on file.