Privacy Policy – Zentre (Website & SaaS)
English convenience translation. The legally authoritative version is the German “Datenschutzerklärung”; in case of discrepancies, the German version prevails.
Last updated: 06 Jun 2026
1. Controller
EZTO TECHNOLOGIES GmbH, Am Brand 41, 55116 Mainz, Germany
Data protection contact: dpo@ezto.io | Legally relevant notices: legal@ezto.io
Zentre is operated in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
2. Allocation of roles (Website/Business vs. SaaS)
- SaaS / Zentre (customer tenant): In providing Zentre, EZTO generally processes personal data as a processor (Art. 28 GDPR) on behalf of the customer (controller). Details are set out in the Data Processing Agreement (DPA).
- Support & security in the SaaS context: Where support, error analysis, security/abuse prevention, or incident handling require the processing of customer data within the customer tenant, such processing is carried out as processing on behalf of the controller under the DPA.
- Website & business operations: For website operation, marketing/communications, contract initiation/conclusion, and billing/payment processing, EZTO processes personal data as its own controller; this Privacy Policy applies to such processing.
- No BYOK: Zentre does not currently support “Bring Your Own Key” (BYOK).
3. Purposes, data categories, and legal bases (Website & Business)
- Website operation, provision of content, IT security: Art. 6 (1) (f) GDPR (legitimate interest).
- Contract initiation/performance, account administration, communication: Art. 6 (1) (b) GDPR.
- Billing, accounting, retention obligations: Art. 6 (1) (c) GDPR (legal obligation) and/or Art. 6 (1) (b) GDPR.
- Consent-based technologies (e.g., analytics): Art. 6 (1) (a) GDPR in conjunction with Section 25 TDDDG.
4. Website: Cookies & consent
- Consent management: Usercentrics
- Plausible Analytics: data-minimizing/cookieless, only after consent (opt-in)
- Necessary cookies: operation, security, abuse prevention (Section 25 (2) TDDDG)
5. SaaS (Zentre): Data categories and principles
- Account/organization data (e.g., name, email, organization, roles/permissions)
- Usage, security, and billing metadata (e.g., timestamps, request IDs, usage/cost, security-relevant events, IP where necessary)
- Content data (prompts/uploads/outputs) for service provision, depending on use case and configuration
- Web search (where activated): When the web search function is used, search queries (which may contain personal data) are transmitted to the search provider Linkup (Linkup Technologies SAS, France) in order to retrieve current information from the public web. Linkup processes within the EU; a zero-data-retention option is available.
- Default: no general content logging of prompts/outputs; chat retention concerns the user/workspace history.
- Exceptions: Temporary processing/storage may be necessary where debug/logging options are activated, in support cases on instruction, or for security-relevant events (in each case according to necessity and the retention configuration).
- No training by EZTO: EZTO does not use content data to train its own AI models. Use for training purposes is also excluded vis-à-vis the integrated model providers – where contractually agreed and technically available (e.g., zero data retention).
- AI routing via Cortecs: Routing to AI models takes place by default via the EU-based AI gateway Cortecs (Cortecs GmbH, Vienna), which processes data within the EU and integrates the downstream model providers as its own subprocessors. Where content is forwarded to model providers, their processing is governed by the respective terms and the chosen configuration.
- EU AI Act & transparency: As an orchestration and governance layer, Zentre is designed to support customers in complying with Regulation (EU) 2024/1689 (AI Act). Users interact with AI systems; outputs are generated automatically by AI models and may be erroneous (transparency within the meaning of Art. 50 AI Act). The AI Act applies in stages; specific obligations depend on the role of the parties involved and the use case.
- Note: Support requests/tickets may contain personal data (e.g., name, email, screenshots, diagnostic data). Such data is processed only to the extent necessary to handle the support case and in accordance with the DPA.
6. Hosting & data location
Standard: Hosting with Scaleway (Scaleway SAS, France) in the EU region Paris (fr-par), to the extent technically provided for in the respective service/plan. Productive data storage takes place within the EU/EEA.
Enterprise / Private Cloud: Differing EU hosting, on-prem, or private-cloud options are possible where agreed.
7. Recipients / service providers
- Service providers (subprocessors) may be engaged to provide the services, in particular for hosting/infrastructure (Scaleway, EU), AI gateway/routing to model providers (Cortecs, EU), web search (Linkup, EU, where used), email/communications, and engineering/support services.
- The current list of subprocessors (including purpose and, where available, location/country) is available at /legal/subprocessors.
- Changes are generally announced at least 30 days before they take effect, unless compelling security reasons require a faster change.
8. Remote access / access from third countries
To provide engineering and support services, vetted employees and service providers outside the EU/EEA may also be deployed. Where this requires access to customer data in the SaaS context, such access takes place only to the extent necessary, on a need-to-know basis, as time-limited as possible, approved, and logged. Where a third-country transfer is necessary (including remote access), it takes place under appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., EU Standard Contractual Clauses) and – where necessary – supplementary measures (e.g., encryption, access restrictions).
9. Third-country transfers
In the standard setup (EU hosting with Scaleway/Paris, EU routing via Cortecs, and Linkup in the EU where applicable), no third-country transfers regularly take place. Where transfers outside the EU/EEA are necessary (e.g., upon active selection of non-EU models or remote access), they take place under appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., adequacy decision, EU Standard Contractual Clauses/SCC). Supplementary measures (e.g., encryption, access restrictions) are taken into account where necessary.
10. Retention period / deletion
- Website & business data: storage according to purpose and statutory retention obligations (in particular contract/billing data).
- SaaS / Zentre:
- Chat/workspace content data: standard 90 days, unless configured or agreed otherwise (e.g., Enterprise/Private Cloud).
- Backups: technical deletion/overwrite cycles typically up to 90 days.
- Security data/logs: only as long as necessary for security, abuse prevention, and incident analysis; potentially longer in the event of legal claims or statutory obligations.
- Web search: no permanent storage of search queries by EZTO.
- After contract termination, customer data is returned and/or deleted in accordance with the DPA.
11. Data security
EZTO implements appropriate technical and organizational measures to protect personal data (Art. 32 GDPR), in particular access controls, transport encryption (TLS 1.3), encryption of data/artifacts at rest (AES-256-GCM), tenant separation, and security monitoring, commensurate with the respective risk. EZTO operates an ISO/IEC 27001-aligned ISMS and is currently undergoing certification.
12. Data subject rights
Data subject rights under the GDPR, in particular access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21) to processing based on legitimate interests. Withdrawal of consent at any time with effect for the future (Art. 7 (3)). There is a right to lodge a complaint with a data protection supervisory authority, in particular the authority competent for EZTO (the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate, LfDI RLP).
13. Contact
- For data protection inquiries: dpo@ezto.io
- For legally relevant notices: legal@ezto.io