Privacy Policy – Zentre (Website & SaaS)

English convenience translation. The legally authoritative version is the German “Datenschutzerklärung”; in case of discrepancies, the German version prevails.

Last updated: 06 Jun 2026

1. Controller

EZTO TECHNOLOGIES GmbH, Am Brand 41, 55116 Mainz, Germany

Data protection contact: dpo@ezto.io | Legally relevant notices: legal@ezto.io

Zentre is operated in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

2. Allocation of roles (Website/Business vs. SaaS)

3. Purposes, data categories, and legal bases (Website & Business)

4. Website: Cookies & consent

5. SaaS (Zentre): Data categories and principles

6. Hosting & data location

Standard: Hosting with Scaleway (Scaleway SAS, France) in the EU region Paris (fr-par), to the extent technically provided for in the respective service/plan. Productive data storage takes place within the EU/EEA.

Enterprise / Private Cloud: Differing EU hosting, on-prem, or private-cloud options are possible where agreed.

7. Recipients / service providers

8. Remote access / access from third countries

To provide engineering and support services, vetted employees and service providers outside the EU/EEA may also be deployed. Where this requires access to customer data in the SaaS context, such access takes place only to the extent necessary, on a need-to-know basis, as time-limited as possible, approved, and logged. Where a third-country transfer is necessary (including remote access), it takes place under appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., EU Standard Contractual Clauses) and – where necessary – supplementary measures (e.g., encryption, access restrictions).

9. Third-country transfers

In the standard setup (EU hosting with Scaleway/Paris, EU routing via Cortecs, and Linkup in the EU where applicable), no third-country transfers regularly take place. Where transfers outside the EU/EEA are necessary (e.g., upon active selection of non-EU models or remote access), they take place under appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., adequacy decision, EU Standard Contractual Clauses/SCC). Supplementary measures (e.g., encryption, access restrictions) are taken into account where necessary.

10. Retention period / deletion

11. Data security

EZTO implements appropriate technical and organizational measures to protect personal data (Art. 32 GDPR), in particular access controls, transport encryption (TLS 1.3), encryption of data/artifacts at rest (AES-256-GCM), tenant separation, and security monitoring, commensurate with the respective risk. EZTO operates an ISO/IEC 27001-aligned ISMS and is currently undergoing certification.

12. Data subject rights

Data subject rights under the GDPR, in particular access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21) to processing based on legitimate interests. Withdrawal of consent at any time with effect for the future (Art. 7 (3)). There is a right to lodge a complaint with a data protection supervisory authority, in particular the authority competent for EZTO (the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate, LfDI RLP).

13. Contact