Zentio
Legal

Privacy Policy

Last updated 8 June 2026

[02] Privacy Policy

Protecting your personal data is a top priority for us, Zentio GmbH. Below, we inform you about how we process your personal data when you visit our website www.zentio.ai in accordance with the General Data Protection Regulation (GDPR). Our website is a fully prerendered static site with no backend of its own; any processing happens either in your browser after you consent, or through the named processors described below.

1. Data Controller

Zentio GmbH
Grünberger Str. 86
10245 Berlin
Germany

Email: info@zentio.ai

Data Protection Officer (Datenschutzbeauftragter)

We have appointed an external Data Protection Officer:

Kertos GmbH
Munich, Germany
Website: https://kertos.io

Email: dataprivacy@kertos.io (data protection)
infosec@kertos.io (information security)

You can contact our Data Protection Officer directly with any question about how we process your personal data and about exercising your rights under the GDPR. For general enquiries you may also reach our internal contact, Christophe Kafrouni, at chris.kafrouni@zentio.ai.

2. General Information on Data Processing

2.1 Scope of Processing

We process personal data only to the extent necessary to provide and improve our website or respond to your inquiries.

2.2 Legal Bases

  • Consent: Art. 6(1)(a) GDPR
  • Contract performance / pre-contractual measures: Art. 6(1)(b) GDPR
  • Legal obligations: Art. 6(1)(c) GDPR
  • Legitimate interests: Art. 6(1)(f) GDPR

3. Access Data and Hosting

3.1 Server Log Files

When you visit our website, our hosting and content delivery provider (Cloudflare, see section 3.2) automatically processes connection data, including:

  • Browser type and version
  • Operating system used
  • IP address
  • Date and time of the server request
  • Referrer URL
  • Pages visited

This data is processed to deliver the website reliably and to keep it secure, for example to prevent abuse and denial-of-service attacks, based on our legitimate interest in the secure and stable operation of our website (Art. 6(1)(f) GDPR). You can object to this processing at any time on grounds relating to your particular situation (Art. 21 GDPR). Log data is retained only for as long as necessary for these purposes and is then deleted.

3.2 Hosting and Content Delivery

Our website is delivered as a fully prerendered static site through Cloudflare, operated by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA; EU establishment: Cloudflare Germany GmbH, Rosenheimer Straße 143C, 81671 Munich, Germany). The site is served via Cloudflare's global content delivery network (CDN). To deliver our content and protect the site, Cloudflare processes connection data including your IP address, based on our legitimate interest in secure and reliable delivery (Art. 6(1)(f) GDPR). We have concluded a data processing agreement (DPA) with Cloudflare in accordance with Art. 28 GDPR. Because Cloudflare operates a global CDN and is a US company, data may be processed on servers outside the EU/EEA, including in the USA (see section 10, International Data Transfers).

4. Web Analytics with PostHog

4.1 Use of PostHog

We use the service PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA) to analyze user behavior on our website. We use PostHog's EU hosting, so analytics data is processed on servers located in the European Union (Frankfurt, Germany). We have concluded a data processing agreement (DPA) with PostHog in accordance with Art. 28 GDPR. As PostHog Inc. is a US company, data may also be accessed from the USA (see section 10, International Data Transfers).

Collected data includes:

  • IP address (discarded by PostHog at ingestion and not stored with events)
  • Browser and device information
  • Interaction and page views
  • Timestamps and referrer URLs

With your consent, PostHog also generates heatmaps (aggregated maps of where visitors click, move and scroll on a page) to help us understand how our pages are used. Heatmaps are part of the Analytics category and are only created once you grant analytics consent.

4.2 Legal Basis and Consent

Data processing is based on your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG, the German Telecommunications Digital Services Data Protection Act, formerly the TTDSG). When you first visit our website, a cookie banner appears where you can give or refuse your consent, and rejecting is as easy as accepting. Your choice is stored and can be changed at any time via the "Cookie Settings" link in the footer or the banner itself. No analytics data is collected, and PostHog is not even loaded, until you grant analytics consent.

4.3 Session Replay

With your consent, PostHog also records session replays, which are reconstructions of your interactions with a page (such as clicks, scrolling and navigation) that help us identify usability problems. All form inputs are masked, so the contents of the contact form (such as your name, email address and message) are never recorded. Session replays are processed on EU servers and form part of the Analytics category, so you can refuse or withdraw consent for them at any time.

4.4 Retention Period

Analytics events are recorded without storing your IP address (PostHog discards the IP at ingestion) and contain no directly identifying information; such anonymized data may be retained for as long as it is useful for statistical analysis. Session replays, which may contain personal data, are automatically deleted after 30 days.

5. Cookies and Local Storage

5.1 Strictly Necessary

These entries are essential for the website to work and to remember your cookie choice, and are set without consent under § 25(2) TDDDG. The cookie-preference entry stores only your category choices (analytics, marketing) and a timestamp; it contains no directly identifying data.

5.2 Analytics

Analytics cookies and local storage are set only with your explicit consent (see section 4). They help us understand how visitors interact with our site so we can measure traffic and improve usability and performance, including via session replays and heatmaps. You can grant or withdraw this consent per category at any time via the Cookie Preferences Center, reachable through the "Cookie Settings" link in the footer. No analytics cookies or local storage are set until you grant analytics consent.

5.3 Cookies and Local Storage We Use

  • zentio_cookie_consent (Zentio, first-party local storage): remembers your cookie choice. Strictly necessary. Stored until you clear it.
  • ph_…_posthog (PostHog, local storage and cookie): assigns an anonymous identifier and stores analytics and session state. Analytics category, set only after consent. Typical lifetime up to 12 months.
  • Additional PostHog entries hold opt-in state and the in-session replay buffer (Analytics category, session-based).

6. Contact Form

6.1 Type and Purpose of Processing

If you contact us via the contact form, the following data is processed:

  • First and last name
  • Email address
  • Company (optional)
  • Phone number (optional)
  • Team size (optional)
  • Your message
  • The page you submitted the form from, and the date and time of submission

The data is processed in order to handle and respond to your enquiry and for potential business initiation.

6.2 Legal Basis

Processing is based on Art. 6(1)(b) GDPR where your enquiry relates to entering into or performing a contract, and otherwise on our legitimate interest in responding to your enquiry (Art. 6(1)(f) GDPR). Providing this data is neither legally nor contractually required; it is simply needed for us to respond to you. You can also contact us by email instead.

6.3 Retention

We delete this data once it is no longer needed for its intended purpose, no later than 2 years after receipt, unless legal retention requirements apply.

6.4 Storage and Processing of Contact Requests

When you submit the form, your data is transmitted to a Google Apps Script application that stores it in a Google Sheet within our Google Workspace environment and sends a notification email to our team. The processor is Google Cloud EMEA Limited (Velasco, Clanwilliam Place, Dublin 2, Ireland), part of the Google group of companies (including Google LLC, USA). We have concluded a data processing agreement (DPA) with Google in accordance with Art. 28 GDPR. Because Google involves a US affiliate, data may be accessed from the USA (see section 10, International Data Transfers).

6.5 Analytics Event on Submission

If you have granted analytics consent, submitting the form also records a PostHog event containing only your company name, the selected team-size range, and whether a phone number was provided. Your name, email address and message are never sent to PostHog.

7. Your Rights

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise any of these rights, you can contact us or our Data Protection Officer (see section 1). You also have the right to lodge a complaint with a data protection supervisory authority, in particular the authority responsible for us: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59-61, 10555 Berlin, mailbox@datenschutz-berlin.de. You may also lodge a complaint with the supervisory authority of your habitual residence.

8. No Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

9. Data Security

We use TLS encryption (HTTPS) to securely transmit your data. In addition, we implement appropriate technical and organizational measures to protect your data from unauthorized access, loss, or destruction.

10. International Data Transfers

Some of our processors are based in or affiliated with companies in the United States, so your data may be transferred to or accessed from the USA:

  • Cloudflare, Inc. (hosting and content delivery)
  • PostHog Inc. (analytics, session replay and heatmaps; data stored in the EU / Frankfurt)
  • Google Cloud EMEA Limited (Ireland), part of the Google group including Google LLC (USA) (contact-form storage and notification emails)

For these transfers we rely primarily on the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023), under which each of these providers self-certifies. Where the Framework does not apply, transfers are based on the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) together with supplementary measures (for PostHog, EU data residency in Frankfurt). You can obtain a copy of the relevant safeguards by contacting us at info@zentio.ai or our Data Protection Officer (see section 1).

11. Changes to This Privacy Policy

We reserve the right to update this privacy policy at any time. The version available at the time of your visit to our website applies.