Privacy Policy

Last updated: 6 June 2026

We’ve refreshed our Privacy Policy and Data Processing Addendum: we now name Resend as the provider that delivers our emails, corrected our data-hosting location to the EU (Ireland), set out the Article 28 processing details in the DPA, and clarified what account deletion does. Read the details.

This policy describes how we handle data today. We'll flag any material change at the top of this page before it takes effect.

1. Who we are

Zennic ("we", "us") provides a project-management tool for kitchen designers, contractors and their clients at app.zennic.dev.

Our role under UK / EU data-protection law depends on the data in question:

  • We are the controller for the data needed to run Zennic itself - your account details (email, name, role and a hashed password), sign-in sessions, security and error logs, and, where you pay for the service, billing details. We decide how and why this data is processed, and this policy governs it.
  • We are a processor for the project data a design studio uploads about its own clients, contractors and projects - names, addresses, photos, documents, messages and costs. The studio (our business customer) is the controller of that data and decides how it's used; we process it only on the studio's instructions, to provide the service. That processing is governed by our Data Processing Addendum as well as this policy.

If a designer or studio invited you to a project, we received your details from them rather than from you directly. We hold that project data as their processor - so if you want it corrected or removed, the quickest route is to ask the studio you're working with; you can also contact us and we'll pass the request on.

Zennic Ltd
Registered in England & Wales, company no. 16534591
3 Lostock Street
Manchester M40 7LW
United Kingdom

For any questions about this policy, email [email protected]. We are not required to appoint a Data Protection Officer (Article 37 UK GDPR); data-protection questions go to the same address.

2. What information we collect

We collect only the information needed to operate the service:

  • Account information - email address, name, role (designer / contractor / manager / client), and a hashed password. Provided by you or by the team member who invited you.
  • Project data - project titles, addresses, costs, deposit status, milestone schedules, photos, documents and team messages. Created and uploaded by you and your collaborators on the platform. Where a studio uploads this about its own clients, we handle it as the studio's processor (see §1).
  • Usage data - error reports (technical metadata about JavaScript errors, no message content) and standard server logs (IP address, user-agent, timestamp).
  • Product metrics - privacy-preserving aggregate counters (for example, counts of pages opened and sign-ins) sent to our error-tracking provider to monitor reliability and how features are used. They set no cookie, do no advertising or cross-site tracking, and contain no message content.
  • Session replay - when an error occurs or you report a bug, Sentry (our error-tracking sub-processor, see §5) captures a short, masked recording of your recent on-screen activity (clicks, page navigation and console messages) so we can reproduce the problem. All text and form inputs are masked and all images are blocked, so the recording shows layout and interactions - never your content or the data on screen. It's captured only around errors and bug reports, never continuously, and is not used for analytics or advertising.

We do not collect special-category data (race, health, biometrics etc.). We do not run advertising trackers. We do not sell data.

3. How we use your information

  • To provide the service: showing you your projects, sending invite emails, generating signed download URLs for files.
  • To secure the service: detecting abuse, enforcing rate limits, investigating bugs.
  • To communicate operationally: invitations, password resets, notifications about your projects.
  • To improve the service: monitoring error rates and performance through our error-tracking sub-processor (see §5).

4. Legal basis for processing (UK / EU GDPR)

  • Contract - most processing is necessary to provide you the service you've signed up for.
  • Legal obligation - retaining financial records for the period required by HMRC (six years from the end of the relevant tax year) and defending against potential claims under the Defective Premises Act 1972 / Building Safety Act 2022.
  • Legitimate interest - securing the service, preventing abuse, technical error logging, and aggregate product metrics. We've assessed that these interests don't override your rights, as the processing is limited and what you'd reasonably expect.
  • Consent - for any communication outside what's needed to operate your account (we don't currently send any).

5. Who we share information with

We use the following sub-processors. Each has its own privacy policy and processes data on our behalf under data-processing agreements:

  • Supabase - database, authentication and file storage. Data hosted in the EU (Ireland).
  • Resend - delivery of our transactional emails (invitations and password resets) and handling of the resulting bounce / complaint notifications. Resend processes the recipient's email address and name and the project title shown in the subject line. Operated from the United States under Standard Contractual Clauses / the UK International Data Transfer Addendum.
  • Cloudflare - application hosting and content delivery, and bot-protection (Turnstile) on the sign-in and password-reset screens. Edge servers worldwide; primary processing in the EU.
  • Sentry - error and performance tracking, and masked session replay (see §2). Hosted in the EU (Frankfurt).

We don't share personal data with anyone else except where required by law (e.g. court order, lawful police request).

6. International data transfers

Personal data is stored in the EU (Ireland). Because we are a UK-based controller, that UK-to-EEA transfer relies on the UK's adequacy regulations for the EEA. Some sub-processors (Resend, Cloudflare, Sentry) are US-based or route through other jurisdictions for technical operation; those transfers are covered by appropriate safeguards (Standard Contractual Clauses or the UK International Data Transfer Addendum). A copy of the relevant safeguards is available on request to [email protected].

7. How long we keep your information

We keep your data only as long as we need it for the purpose we collected it. Project data ages through four retention tiers, each tied to a clear legal basis:

  • Active project - handover not yet complete. Everything is retained. Basis: contract.
  • Up to 24 months after handover - full retention. Covers warranty, snagging and returning-customer flows. Basis: contract + legitimate interest.
  • 24 months to 6 years - project messages, photos and uploaded documents are deleted. We keep financial records (costs, deposits, dates) and the project structure. Basis: legal obligation to retain tax records (HMRC, 6 years).
  • 6 to 15 years - project skeleton only. The address is removed and the project title is replaced with a generic label. (Individual names are removed separately when a person closes their account - see below.) We keep dates, costs, trades and stage structure. Basis: legitimate interest in defending claims under the Defective Premises Act 1972 / Building Safety Act 2022.
  • 15+ years - only anonymous, aggregate statistics remain. Individual project rows are dropped.

If you delete your account before then:

  • Within 5 days (a cool-off period so you can change your mind) we anonymise your account - your name is removed from your messages, uploads and notes, and your sign-in is permanently disabled. The project content itself is then deleted on the project's retention schedule above.
  • Project records that we're legally required to keep (financial transactions for the tax-retention window) stay in the tier-redacted form described above, without your contact details attached.
  • In-app notifications: 180 days.
  • Server logs and error reports: 30 days.
  • Session replays: up to 90 days, on our error-tracking provider.
  • Backups: up to 7 days for daily snapshots.

8. Your rights

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion ("right to erasure")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent (where processing relies on consent)

Two of the most common are available directly from your Settings page - you can download a copy of your data or delete your account at any time. For anything else (rectification of inaccurate data, restriction of processing, objection, withdrawal of consent), email [email protected] and we'll respond within one month.

If you're unhappy with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk or your local EU data protection authority.

8a. Automated decision-making

We don't use your personal data for any automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 UK GDPR).

9. Cookies and local storage

We use only strictly-necessary cookies and local storage:

  • Supabase authentication cookies to keep you signed in.
  • A short-lived cookie that remembers the page you were heading to before signing in, so you land there afterwards.
  • Staff-only cookies that remember the "view-as" preview state (the previewed company's id and name).
  • On the sign-in and password-reset screens, our bot-protection provider (Cloudflare Turnstile) may set a strictly-necessary cookie to tell humans apart from bots.
  • If you submit a message or note while offline, it is held in your browser's local storage and sent automatically when you reconnect (kept up to 24 hours). The app also caches some pages and files locally so it works offline and loads faster.

We do no advertising or cross-site tracking, and we set no analytics or tracking cookies, so no cookie banner is required under PECR / ePrivacy. (The aggregate product metrics in §2 set no cookie.)

10. Security

Data is encrypted in transit (TLS) and at rest. Access is restricted by row-level security on every table, supplemented by application-layer checks for privileged operations (which run server-side with keys that are never exposed to the browser). Passwords are hashed with bcrypt by our authentication provider. File uploads are served via short-lived signed URLs.

11. Changes to this policy

We may update this policy as our practices change. The latest version is always at /privacy. Material changes (new categories of data, expanded retention) will be flagged at the top of this page before they take effect. For a new sub-processor we give business customers at least 14 days' notice - through the in-app banner and, for account owners, by email - so they can object on data-protection grounds.

12. Contact

Questions, requests, or complaints: [email protected], or in writing to:

Zennic Ltd
Registered in England & Wales, company no. 16534591
3 Lostock Street
Manchester M40 7LW
United Kingdom