ZendBack Privacy Policy

Effective Date: March 13, 2026    Last Updated: March 13, 2026

1. Introduction

ZendBack LLC ("ZendBack," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our mobile application and doorstep package collection service.

By accessing or using ZendBack, you agree to this policy. If you do not agree, do not use the service. This Privacy Policy is incorporated into our Terms of Service.

2. Information We Collect

Information You Provide

• Account Information: Name, email address, phone number, unit number
• Payment Information: Processed securely by Stripe; we do not store full card numbers
• Service Requests: Pickup instructions, package details, scheduling preferences
• Communications: Messages you send to our support team

Information Collected Automatically

• Device Information: Device type, operating system, app version, Firebase device ID
• Usage Data: Features used, collection history, app interactions
• Location Data: Building and unit location for service delivery only (not continuous background tracking)

Resident Data Processed on Behalf of Property Operators

When ZendBack is deployed at a residential property, some data we collect is processed in connection with your building's service agreement. This data is used solely to deliver and improve your ZendBack service.

3. Permitted Uses of Resident Data

We use resident data solely for these four permitted purposes:

• Service Delivery: Scheduling and executing package collections, coordinating with shipping carriers, issuing collection confirmations
• Aggregated Analytics: Non-identifiable, aggregated operational data to improve our services and report performance metrics to property operators. No individual resident is identifiable.
• Resident Service Communications: Notifications about your collection status and service updates directly related to your ZendBack use
• Satisfaction Surveys: Optional surveys about your ZendBack experience, no more than quarterly

We will never use your data for unrelated marketing, sell your contact information, or solicit you for services unrelated to ZendBack.

4. Cross-Property Data Segregation

ZendBack maintains strict cross-property data segregation. Resident data collected at one property is never accessible to, shared with, or used in connection with any other property or property operator. Each property's data is logically isolated within our systems at all times.

5. Data Sharing and Subprocessors

Service Providers

We work with the following categories of service providers who process data on our behalf:

• Stripe: Payment processing — stripe.com/privacy
• Firebase / Google: App infrastructure, push notifications, analytics — policies.google.com/privacy
• Apple: App Store, push notifications — apple.com/privacy
• Shipping Carriers: FedEx, UPS, USPS — for package handoff coordination only

We review our subprocessors regularly and will update this list when material changes are made.

Property Operators

We share operational reports with your building's property management company. These reports include collection metrics and service performance data for your building.

Legal Requirements

We may disclose information when required by law, court order, or to protect the rights and safety of our users or the public.

6. Security Program

ZendBack maintains a written security program that includes:

• Access Controls: Role-based access; personnel access only what is necessary for their function
• Encryption: Data encrypted in transit (TLS) and at rest
• Incident Response Plan: Written procedures for detecting, containing, and remediating security incidents
• Annual Security Training: Required for all personnel with access to resident data
• Periodic Security Assessments: Ongoing review of our security controls and practices

7. Data Breach Notification

In the event of a security breach affecting your personal data, ZendBack will notify affected residents as required by applicable law, including the Florida Information Protection Act (FIPA, Florida Statute § 501.171). Notification will include the nature of the breach, categories of data affected, and steps we are taking to address it. We will notify the Florida Department of Legal Affairs when 500 or more Florida residents are affected.

8. Data Retention

• Active Accounts: Retained while your account is active and your building participates in ZendBack
• Post-Termination: Resident data is deleted within 30 days of service termination at a property.
• Financial Records: Billing data retained for 7 years for tax and legal compliance
• Legal Hold: Data subject to litigation or regulatory inquiry may be retained until the matter resolves

9. Your Rights

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to retention requirements)
• Portability: Receive your data in a machine-readable format

Submit requests to legal@zendback.com. We respond within 30 days.

10. Florida Privacy Rights (FIPA)

ZendBack is headquartered in Florida and complies with the Florida Information Protection Act (Florida Statute § 501.171). In the event of a qualifying breach affecting Florida residents, we will provide notice as required by FIPA, including notifying the Florida Department of Legal Affairs when 500 or more Florida residents are affected.

11. Tracking Technologies

Our mobile app uses Firebase (Google) for app infrastructure and analytics. Firebase uses device identifiers and local storage — it does not set browser cookies in our app. Our website is served through Cloudflare, which sets a functional cookie (__cf_bm) for bot management and security. This cookie is strictly necessary for site security and does not track you for advertising purposes. We do not use advertising cookies, tracking pixels, or third-party analytics cookies on our website.

ZendBack does not currently respond to Do Not Track (DNT) signals, as no industry-wide standard for DNT compliance has been adopted. We do not sell or share your personal information for cross-context behavioral advertising regardless of DNT status.

12. Children's Privacy

ZendBack is not directed to children under 13 and does not knowingly collect their information. If you believe we have collected data from a child, contact legal@zendback.com and we will promptly delete it.

13. Changes to This Policy

For material changes, we will provide at least 30 days' advance notice via in-app notification and email. Non-material changes may be made without advance notice. Continued use after the effective date constitutes acceptance.

14. Governing Law

This Privacy Policy is governed by the laws of the State of Florida. Data privacy matters for residents of other states (including California, Colorado, Virginia, and Texas) are governed by applicable state law to the extent required. Disputes are subject to the dispute resolution procedures in our Terms of Service.

15. Contact

We will respond to all privacy requests within 30 days.