Privacy policy.

When you sign up + use Zayos:

• Business identity: legal name, DBA, EIN, contact email + phone
• User identity: name, work email, password (stored hashed), MFA tokens
• Stripe Connect onboarding: bank routing + ID verification — Stripe collects these directly; we never see them
• Operational data: menu, prices, hours, staff, orders, refunds, reviews, integrations
• Usage data: pages viewed, features used, error logs (IP + user agent) so we can debug and improve the product
• Communications: support tickets, broadcasts you send, messages exchanged with us

• Run the platform you signed up for (orders, payments, dispatch, etc.)
• Bill you accurately
• Reach you about your account, security, and material product changes
• Aggregate (anonymized) usage to publish industry benchmarks and improve the product. Never tied back to your business by name.
• Comply with tax + AML + KYC obligations (Stripe Connect, IRS reporting)

We don't sell your data. We don't use your data to train models that another operator gets to see. Your menu is your menu.

Strictly the providers we need to run the service:

• Stripe — payments, KYC, payouts
• Supabase — managed Postgres, auth
• Vercel — application hosting
• Cloudflare R2 — file storage (logos, menu photos)
• Resend — transactional email
• Twilio — SMS
• Otter — marketplace order ingestion (DoorDash, Uber Eats, Grubhub, Postmates)
• DAVO — automated sales-tax filing (operator-initiated; you opt in)
• Inngest — durable job queue
• Sentry — error monitoring

Each has its own DPA with Zayos. We periodically audit which sub-processors access which data. Adding a sub-processor requires 30 days notice via email and a posted update at this URL.

Application + database in US-East (Vercel + Supabase Pro), with daily encrypted backups retained 30 days. We're not yet certified for EU data residency — if you're an EU operator with a residency requirement, talk to us before signup. We have a Canada-region path queued.

• Active account: as long as your account is active
• Order + payment records: 7 years (US tax retention)
• Audit logs: 13 months (SOC-2 alignment)
• Cancelled account: anonymized within 90 days of cancellation request, except records covered by tax retention

Access + export: /app/settings/data → Export data. JSON bundle within 30 days, sooner usually within an hour.

Correction: edit profile fields directly; for fields you can't edit (legal name, EIN), email us.

Deletion: /app/settings/data → Delete account, or email us. We anonymize PII in 30 days; tax-retained records persist with name/email stripped.

Opt out of marketing: we don't send marketing email to operators by default — only product, security, and billing communication. If we ever do, every email will include a one-click unsubscribe.

GDPR / CCPA / CPRA: if you're in the EU, UK, or California and want a formal request processed under those frameworks, email abdallah@zayrev.com with subject "DSR request" — 30-day SLA.

Concrete security measures we ship today:

• Postgres Row-Level Security on every multi-tenant table
• TLS 1.2+ in transit, AES-256 at rest (Supabase Pro)
• Stripe Connect handles all card data; we never see a PAN
• Webhook payloads are HMAC-SHA256 signed with replay defense
• MFA available for every operator account; required for owner role once > 2 locations
• Audit logs on every operator-initiated mutation
• Rate limiting on auth, OTP, password-reset, and money-moving routes

For a fuller picture see /zayos/legal/security.

We use first-party cookies for session auth, language preference, and cart state. We don't use cross-site tracking cookies on our marketing site (no Google Analytics, no Facebook Pixel). On the operator dashboard we use an essential analytics cookie to count active sessions per tenant; you can disable it in /app/settings/privacy.

We don't have a designated DPO under GDPR Article 37 (we're below the threshold). Privacy questions go to abdallah@zayrev.com. If you're not satisfied with our response, you can lodge a complaint with your local supervisory authority.