← Back

Data Processing Addendum

Last updated: 6 June 2026

Updated 6 June 2026

We’ve refreshed our Privacy Policy and Data Processing Addendum: we now name Resend as the provider that delivers our emails, corrected our data-hosting location to the EU (Ireland), set out the Article 28 processing details in the DPA, and clarified what account deletion does. Read the details.

This Data Processing Addendum ("Addendum") supplements the Terms of Service ("Principal Agreement") and governs the parties' obligations under the UK GDPR and the EU GDPR (together, "GDPR") in relation to any personal data you make available through Zennic ("the Service"). The Service is operated by Zennic Ltd, registered in England & Wales (company no. 16534591), registered office 3 Lostock Street, Manchester M40 7LW.

It applies when you, as a business customer (a design studio, contractor or similar), upload personal data about other people - your own clients, contractors or staff. For that data you are the controller and Zennic is the processor. This Addendum forms part of the Terms automatically; we'll also provide a counter-signed copy on request to [email protected].

1. Definitions

Terms used but not defined here have the meanings given in the GDPR.

  • Customer Personal Data - any personal data you (the Controller) make available to Zennic (the Processor) through the Service.
  • Sub-processor - any third party engaged by the Processor that processes Customer Personal Data on its behalf.

2. Roles and instructions

The Controller determines the purposes and means of processing Customer Personal Data. The Processor acts only on the Controller's documented instructions - which include the Principal Agreement, this Addendum, and your use of the Service's features - and as required by applicable law. We'll tell you if, in our opinion, an instruction breaches the GDPR.

3. Our obligations as processor

  • Process Customer Personal Data only on your documented instructions, and as required by applicable law.
  • Ensure personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to protect Customer Personal Data, as described in Annex A.
  • Engage Sub-processors only as listed in Annex B, and only after giving you an opportunity to object to a new Sub-processor.
  • Assist you, taking account of the nature of the processing, in responding to data-subject rights requests.
  • Assist you with your security, breach-notification, data-protection impact assessment and prior-consultation obligations under Articles 32–36 GDPR.
  • Notify you without undue delay, and in any event within 72 hours of becoming aware, of any personal-data breach affecting Customer Personal Data.
  • On termination of the Principal Agreement, delete or return all Customer Personal Data, subject to the retention schedule in Annex C and to any retention required by law.
  • Make available the information necessary to demonstrate compliance with this Addendum, and allow for and contribute to audits no more than once per year on reasonable notice (or following a breach).

4. International transfers

Customer Personal Data is processed in the EU (Ireland). Where Sub-processors operate outside the UK / EEA (for example Resend in the United States), the Processor relies on the UK International Data Transfer Addendum and / or the EU Standard Contractual Clauses; the parties incorporate the Module 3 (processor-to-processor) clauses by reference. A copy of the relevant safeguards is available on request to [email protected].

5. Term and termination

This Addendum is effective for as long as the Processor processes Customer Personal Data on the Controller's behalf.

6. Liability

Each party's liability under this Addendum is subject to the limitation-of-liability section of the Principal Agreement.

7. Order of precedence

If there is a conflict between this Addendum and the Principal Agreement, this Addendum prevails to the extent of the conflict, but only in relation to data-protection matters.

Annex A - Technical & organisational measures

  • Encryption in transit - TLS 1.2+ on all endpoints.
  • Encryption at rest - managed encryption on database and file storage.
  • Access control - per-row row-level security on all tables; service-role keys held only by the Processor.
  • Authentication - passwords hashed (bcrypt) by our authentication provider.
  • Backups - regular snapshots with limited retention.
  • Incident response - documented process; notification to the Controller without undue delay and in any event within 72 hours of becoming aware (the Controller, in turn, notifies its supervisory authority).
  • Personnel - confidentiality obligations on anyone with access.

Annex B - Sub-processors

  • Supabase - hosted database, authentication and file storage. EU (Ireland).
  • Resend - delivery of transactional email (invitations, password resets) and bounce / complaint handling. Processes recipient email, recipient name and the project title in the subject line. United States; SCCs / UK IDTA.
  • Cloudflare - application hosting and content delivery. Global edge; primary processing EU (Ireland). SCCs / UK IDTA.
  • Sentry - error and performance tracking, and masked session replay. EU (Frankfurt). SCCs / UK IDTA.

We'll notify you of any new Sub-processor at least 14 days before it starts processing Customer Personal Data - by email to your account owner and through the in-app banner. You may object on reasonable data-protection grounds within that window, and we'll work with you in good faith to find an alternative.

Annex C - Retention

Customer Personal Data is retained according to the tiered schedule described in our Privacy Policy (§7), which is tied to the relevant legal bases (including HMRC tax-record and Defective Premises / Building Safety Act retention).

Annex D - Details of processing (Article 28(3))

  • Subject-matter - provision of the Zennic project-management service to the Controller.
  • Duration - the term of the Principal Agreement, plus the retention tail described in Annex C.
  • Nature and purpose - hosting, storage, transmission, organisation and display of Customer Personal Data so the Controller and its authorised collaborators can run their projects, and sending transactional email on the Controller's behalf. Carried out on the Controller's documented instructions only.
  • Types of personal data - names, email addresses, postal / project addresses, telephone numbers, project titles and descriptions, messages and notes, uploaded photos and documents, costs and payment status, and milestone / scheduling data.
  • Categories of data subjects - the Controller's clients, contractors, employees and other project collaborators whom the Controller invites to or records on the Service.

Questions

Anything about this Addendum, or to request a counter-signed copy: [email protected].