Privacy and Security
How ZitBoard collects, protects, and respects your data — and the controls you have over it.
1. Overview
ZitBoard Technologies Inc. ("ZitBoard," "we," "us," or "our") is committed to protecting your privacy and securing your data. This page describes what personal and operational data we collect, how we use and protect it, your rights as a data subject, and the security architecture that underpins the ZitBoard platform.
This policy applies to all users of the ZitBoard platform, marketing website, and associated services. By accessing or using our services, you agree to the practices described here. If you do not agree, please discontinue use and contact us to close your account.
We do not sell personal data. We collect only what is necessary to operate, improve, and secure the service.
2. Data Collection and Use
2.1 What We Collect
We collect information in the following ways:
- Account data: Name, work email address, job title, and organisation name provided at registration or through demo intake forms.
- Usage data: Feature interactions, session duration, page views, and in-product events used to understand how the platform is used and to improve it.
- Platform data: Sales pipeline records, hiring pipeline entries, AI scoring outputs, and other structured data you or your team enters into ZitBoard as part of normal platform use.
- Technical data: IP addresses, browser type, operating system, and device identifiers collected automatically through standard web server logs and analytics.
- Communications: Content of support tickets, chat messages, and emails you send to us.
2.2 How We Use It
- Provision and operate the ZitBoard platform and related services.
- Authenticate users and enforce access controls within your tenant.
- Personalise your experience and surface relevant platform features.
- Respond to support requests and account inquiries.
- Conduct internal analytics to improve product quality and reliability.
- Send transactional communications such as account confirmation and billing receipts.
- Detect, investigate, and prevent security incidents and fraudulent activity.
- Comply with legal obligations and enforce our Terms and Conditions.
2.3 What We Do Not Do
- We do not sell your personal data to third parties for their own marketing purposes.
- We do not use your platform data — pipeline records, AI scores, and similar — to train models for any party outside your tenant.
- We do not share your data with advertisers or data brokers.
3. Data Retention and Deletion
3.1 Retention Periods
We retain personal data for as long as necessary to provide the service, fulfil contractual obligations, and comply with applicable law. Standard retention periods are:
- Active account data: Retained for the lifetime of your account plus 90 days after closure, unless a shorter period is requested.
- Usage and event logs: Retained for up to 12 months for operational analytics and security auditing.
- Billing records: Retained for seven years in accordance with financial and tax record-keeping obligations.
- Support communications: Retained for 24 months after ticket closure to support quality assurance and dispute resolution.
3.2 Deletion and Export
You may request deletion or export of your data at any time by contacting privacy@zitboard.dev. We will fulfil verified requests within 30 days except where retention is required by law or legitimate business interest such as fraud investigation or tax compliance.
Account administrators can trigger bulk data exports directly from the platform settings panel. Exports are provided in standard machine-readable formats (JSON or CSV).
4. Data Security Measures
4.1 Tenant Isolation
ZitBoard is architected as a true multi-tenant platform. All database queries, API paths, and internal service calls are scoped to a cryptographically signed tenant identifier. There are no cross-tenant reads at any layer of the stack. Tenant isolation is enforced at the application layer and independently validated at the data layer.
4.2 Authentication and Identity
- All authenticated sessions use short-lived JWT access tokens and rotating refresh tokens delivered over HTTPS only.
- Single sign-on with enterprise identity providers is supported via SAML 2.0 and OpenID Connect (OIDC, which is built on OAuth 2.0).
- Role-based access control (RBAC) gates every protected operation; users can only perform actions permitted by their assigned role within their tenant.
- Multi-factor authentication (MFA) is available to all users and enforced by default for administrative roles.
4.3 Encryption
- In transit: All data transmitted between clients and ZitBoard services is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled globally.
- At rest: Persistent data stores are encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service with automated rotation.
- Backups: All backup snapshots are encrypted before storage and kept in geographically separate regions for resilience.
4.4 Infrastructure and Operational Hardening
- ZitBoard runs on Kubernetes with network policies that restrict pod-to-pod communication to declared service paths only.
- Secrets — API keys, database credentials — are managed via a dedicated secrets manager with automatic rotation; plaintext secrets are never stored in code or environment variables in production.
- Container images are scanned for known vulnerabilities before deployment. Only images that pass policy checks can be promoted to production.
- Infrastructure access requires MFA and is logged to an immutable audit trail. Production access by engineers is role-restricted and time-bounded.
- Observability is provided through Prometheus metrics, structured application logs, and alert policies that notify the on-call team of anomalies within minutes.
4.5 Security Testing
We perform continuous automated security scanning as part of our CI/CD pipeline, including static analysis (SAST) and dependency vulnerability checks. We also conduct periodic penetration testing by qualified third parties. Critical and high-severity findings are remediated on a tracked schedule before they reach production.
5. Access, Rights, and Control
5.1 Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data where we have no overriding legal basis for retention.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to restriction: Ask us to limit processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
5.2 How to Exercise Your Rights
Submit data subject requests to privacy@zitboard.dev. We will acknowledge receipt within 5 business days and fulfil verified requests within 30 days. We may request proof of identity before processing sensitive requests.
5.3 In-Platform Controls
Account administrators have self-serve controls to manage user access, export data, and configure data retention settings directly within the platform settings panel, without needing to contact support.
6. Cookies and Tracking Technologies
6.1 What We Use
We use cookies and similar technologies — local storage, session storage, pixel tags — on our marketing website and platform for the following purposes:
- Strictly necessary: Session management, authentication state, and security tokens. These cannot be disabled without breaking core functionality.
- Functional: Remembering your preferences such as theme selection (light/dark mode) and language.
- Analytics: Aggregate, anonymised usage data to understand how the site and platform are used. We do not use analytics cookies to build individual advertising profiles.
6.2 Managing Cookies
You can manage or disable non-essential cookies through your browser settings or any cookie consent mechanism displayed on our site. Disabling strictly necessary cookies will prevent you from using authenticated features of the platform.
We do not use third-party advertising cookies or sell cookie-derived data to advertisers.
7. Third-Party Partners and Processors
7.1 Sub-processors
We engage trusted third-party service providers to help operate the platform. These include cloud infrastructure providers, transactional email delivery services, customer support tooling, and payment processors. All sub-processors are bound by written data processing agreements (DPAs) that require them to:
- Process data only on our documented instructions.
- Implement appropriate technical and organisational security measures.
- Not sub-contract without our prior written approval.
- Delete or return data at the end of the engagement.
7.2 No Selling or Sharing for Third-Party Marketing
We do not sell, rent, or share your personal data with any third party for their independent marketing or advertising purposes. Data shared with sub-processors is limited to what is strictly necessary for them to deliver their service component.
7.3 International Transfers
ZitBoard is headquartered in the United States. Where we transfer personal data across international borders, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses under GDPR — to maintain the level of protection required by applicable law.
8. Compliance and Governing Law
8.1 Applicable Regulations
ZitBoard's privacy and security practices are designed to comply with applicable data protection and privacy laws, including:
- GDPR (EU General Data Protection Regulation 2016/679) for users in the European Economic Area.
- CCPA / CPRA (California Consumer Privacy Act and California Privacy Rights Act) for California residents.
- UK GDPR for users in the United Kingdom.
- Other applicable national or state privacy laws where ZitBoard operates or processes data.
8.2 Legal Bases for Processing (GDPR)
Where GDPR applies, we process personal data on the following legal bases:
- Contract performance: Processing necessary to deliver the services you have contracted for.
- Legitimate interests: Security monitoring, fraud prevention, analytics, and service improvement — balanced against your privacy interests.
- Legal obligation: Compliance with applicable laws, regulatory requirements, and lawful court orders.
- Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time.
8.3 Governing Law
This policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. Disputes are subject to the dispute resolution process set out in our Terms and Conditions.
9. Incident Response and Breach Notification
9.1 Incident Response Plan
ZitBoard maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. The on-call security function operates continuously and is alerted within minutes of anomalous activity through automated monitoring and alerting pipelines.
9.2 Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, ZitBoard will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as GDPR Article 33 requires, and within the timeframes set by other applicable law.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34) or where other applicable law requires individual notice.
- Provide a clear description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it.
9.3 Reporting a Vulnerability
If you discover a security vulnerability in our platform, please report it responsibly to security@zitboard.dev. We are committed to acknowledging reports within 2 business days and working with you to remediate confirmed issues promptly. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
10. Privacy and Security Best Practices in the Tool
ZitBoard provides in-platform controls to help your organisation maintain strong security hygiene. We encourage all account administrators to use the following:
- Enforce MFA: Enable mandatory multi-factor authentication for all users in your tenant. This is the single most effective control against credential-based attacks.
- Apply least-privilege roles: Assign users only the permissions they need. Review role assignments regularly and remove access for departed team members promptly.
- Review audit logs: Access the audit log in platform settings to monitor user activity, permission changes, and data export events within your tenant.
- Configure SSO: Connect ZitBoard to your organisation's identity provider via SAML 2.0 or OIDC to centralise authentication and enforce your existing password and MFA policies.
- Export data regularly: Use the data export feature to maintain your own backup copies of pipeline records for business continuity purposes.
- Report suspicious activity promptly: If you notice unexpected logins, unusual data access patterns, or any anomalous behaviour, contact security@zitboard.dev immediately.
11. Frequently Asked Questions
Does ZitBoard sell my data?
No. We do not sell personal data to any third party under any circumstances. Our business model is subscription-based software; your data is not our product.
Is my data shared with other ZitBoard tenants?
No. Tenant isolation is a core architectural guarantee. Your data is logically and cryptographically separated from every other tenant. No other tenant can access your records.
Where is my data stored?
ZitBoard's production infrastructure is hosted in the United States. Backup replicas may be stored in geographically separate regions for resilience. Enterprise customers may request data residency options — contact demo@zitboard.dev to discuss your requirements.
How do I delete my account and associated data?
Contact privacy@zitboard.dev with your account email and a deletion request. We will complete verified account closures within 30 days. Billing records are retained for the period required by law.
Is ZitBoard SOC 2 certified?
We are actively working toward SOC 2 Type II certification. Enterprise customers may request our current security documentation and controls summary under NDA by contacting demo@zitboard.dev.
Can I use ZitBoard under GDPR?
Yes. ZitBoard supports GDPR-compliant use. We act as a data processor for personal data you enter into the platform and as data controller for data you provide for account management. We offer a Data Processing Agreement (DPA) on request — contact privacy@zitboard.dev.
How do I contact ZitBoard about privacy or security matters?
Privacy requests and data subject rights: privacy@zitboard.dev
Security vulnerability reports: security@zitboard.dev
General inquiries: demo@zitboard.dev
Thank you for trusting ZitBoard with your data. We take that responsibility seriously and are committed to continuous improvement of our privacy and security practices.