Privacy Policy

Last updated May 10, 2026

We wrote this policy to be useful, not just to cover ourselves legally. It names every outside service that touches your data and explains what we actually do with the AI, voice, payment, and email features the product ships. If something feels unclear, email us at support@usezentalk.com and a real person will write back.

Who we are

ZenTalk is a unified communications and customer success platform. We do live chat with an AI sales agent, voice calls with transcription and translation, an email helpdesk, payment capture inside conversations, click fraud protection for paid traffic, and a customer profile and project workspace for ongoing engagements. We are the people who built and operate usezentalk.com. When this policy says "we," "us," or "ZenTalk," it means us.

ZenTalk is currently in an invite only beta. We run on our own infrastructure on Google Cloud. There is no third party customer authentication provider, no advertising network, and no data broker in the loop.

What information we collect

From your team (operator data)

  • Account details: name, email, password (stored as a bcrypt hash, never in plain text), workspace and site configuration, two-factor authentication secrets and recovery codes.
  • Reporting structure you set up inside the workspace (lead and manager assignments).
  • Email sender domains you authenticate, sender addresses you create, and any email content you send through the helpdesk.
  • Payment processor credentials you enter so the AI sales agent can mint payment links. These are encrypted at rest using AES-256-GCM with a key bound to our infrastructure. We cannot read them in plain text after you save them.

From visitors to your sites

  • Cookie identifiers placed by the chat widget on your site, plus any signed identity token your site issues to log a visitor in.
  • Whatever the visitor types into chat or shares through a lead form. Typically name, email, phone, and the body of the conversation.
  • Voice call audio when a visitor uses the call button. Both AI and human to human calls can be recorded. Recordings live in our private storage bucket with a default 30 day retention window.
  • Best effort geolocation derived from the visitor's IP address (country, city) and basic device metadata (browser family, OS, screen).
  • Page history breadcrumbs for the visit's session. Only pages on the site that hosts the widget, never browsing outside it.
  • For paid ad campaigns routed through the click fraud gateway: source IP, ad network attribution parameters (for example gclid), and the verdict our gateway reached.

Automatically

  • Standard server logs: request paths, response codes, timing, IP addresses. Used to keep the system running and to find bugs.
  • Audit log entries every time someone in your workspace performs a sensitive action (granting roles, exporting leads, applying AI insights to the bot, opening a teammate's mailbox once email impersonation ships).

How we use AI to process content

AI is core to ZenTalk's product, so it is worth being explicit. We use Google's Gemini API for the following:

  • AI sales agent. Chat content, the operator's persona configuration, and pricing rules are sent to Gemini to generate replies during a conversation.
  • AI voice agent. Visitor audio is streamed to Gemini Live for real time speech recognition and reply generation when a visitor uses the AI call feature.
  • Translation. Message text is sent to Gemini for language detection and translation when the visitor and agent use different languages.
  • Transcription. Voice notes and call recordings are sent to Gemini for speech to text.
  • Conversion intelligence. Once a conversation is closed or escalated, its transcript is sent to Gemini for structured analysis (topics, objections, sentiment) so the operator can see patterns across many chats.
  • Visitor history summary. When an agent opens a customer profile, recent conversation history is sent to Gemini to produce a 30 second handoff summary.

We use the production Gemini API tier, which under Google's terms does not use your prompts or completions to train Google's foundation models. Google may retain inputs for a short period to monitor for abuse. That is Google's standard API policy and applies equally to every customer of theirs. We never sell prompts or model outputs.

Connected ad accounts (Google Ads)

ZenTalk offers an optional integration that connects your Google Ads account so we can mirror your ZenTalk blocked IP list into your campaigns' Excluded IPs setting. The point is to stop Google from charging you for clicks from IPs you have already decided are junk traffic.

When you choose to connect Google Ads on a site:

  • You authorise ZenTalk via Google's standard OAuth 2.0 consent screen. We request a single scope: https://www.googleapis.com/auth/adwords (manage your Google Ads campaigns).
  • Google issues us a refresh token. We store it encrypted at rest using AES-256-GCM with a key held in Google Secret Manager. Access tokens (1-hour life) are refreshed transparently when needed.
  • We use the granted access narrowly: read your accessible customer accounts and their campaign list, read existing campaign IP block criteria, and write IP block criteria (additions and removals) to the campaigns you explicitly select. Nothing else.

We do not:

  • Read or modify your bid strategies, budgets, or spend caps.
  • Read or modify ad creatives, keywords, or audiences.
  • Pull conversion, performance, or revenue data out of your Google Ads account.
  • Sell, share, or use your Google Ads data for advertising, machine learning training, or any purpose other than the IP exclusion sync described above.
  • Use Google Ads data to develop or improve features unrelated to the connected workspace.

ZenTalk's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke ZenTalk's access at any time, either from the Google Ads integration page inside your dashboard (one click Disconnect) or from your Google Account permissions page. Revoking removes the refresh token from our database and stops all future syncs immediately. Existing IP exclusions in your Google Ads campaigns are not automatically removed when you disconnect. They were applied to your account and remain there until you delete them in the Google Ads UI.

Sub processors and third party services

We do not sell your data, we do not share it with advertisers, and we do not run any third party tracking pixels or analytics on usezentalk.com. The services below receive data only because the product would not function without them.

  • Google Cloud Platform (United States). Hosts our servers, databases, and object storage. All data is encrypted at rest and in transit.
  • Google Cloud Storage. Chat attachments (images, files, voice notes) and voice call recordings live here in a private bucket. Access requires a short lived signed URL.
  • Google Gemini API. Receives the inputs described in the AI section above. See Google's API terms for their handling.
  • SendGrid. Delivers our transactional emails, our customers' agent side outbound emails, and accepts inbound visitor replies via Inbound Parse. Email recipients and subject and body content pass through SendGrid.
  • Authorize.Net. When an operator configures payment integration, their customers' card details are entered directly into Authorize.Net's hosted form, never into ZenTalk. We receive only a token and the resulting transaction status.
  • Agora. Relays human to human voice between an agent and a visitor when they make a call inside chat. Audio passes through Agora's media servers in real time. We do not store the call audio at Agora. Recordings (when enabled) are uploaded to our own GCS bucket.
  • Threat intelligence provider. Receives the IP address of a visitor when they create a chat session, and returns whether the IP looks like a VPN, Tor exit node, or open proxy. This is a privacy-protective filter against abuse. We do not share this provider's identity publicly. Customers under NDA can request the name and the provider's data processing terms.
  • AbuseIPDB. Provides a daily list of known malicious IPs that we synchronise into the click fraud gateway. We send no per visitor data to AbuseIPDB. It is a one way bulk import.
  • Google Ads API. Only when you explicitly connect a Google Ads account on a site. Receives the IPs from your ZenTalk blocklist as campaign IP exclusion writes. See the dedicated section above for the full scope of access.
  • ClamAV. Runs on our servers (no data leaves our infrastructure) to scan every uploaded attachment for malware before it is delivered.

If we are required by law to disclose data, we will comply and we will notify you whenever we legally can.

Connected mailboxes (IMAP and SMTP)

ZenTalk has two distinct mailbox connection features. Both encrypt the password at rest using AES-256-GCM with a key held in Google Secret Manager. Neither is required for the core product to work.

Built in email client (per agent)

Your team can read and reply to email from inside the dashboard. Each agent enters their own IMAP and SMTP server settings and password on the Mail tab. We use those credentials only to authenticate against the agent's mail server when fetching or sending mail on their behalf.

Owners, admins, and an agent's reporting lead may open the agent's mailbox view inside ZenTalk for management purposes. Every such impersonation event is recorded in the audit log (who looked at whose mailbox and when), and the agent can request that log at any time. This is the same model most workplace mail systems use. We make it visible and reviewable instead of hidden.

Per sender mailbox sync (chat email round trip)

Separately, you can connect IMAP credentials per sender address on the Domains page (for example for sales@yourcompany.com). This is what makes chat emails round trip into the operator's actual mailbox. Outbound emails sent from the chat composer get appended to that mailbox's Sent folder, and visitor replies are appended to its Inbox folder.

We use these credentials only to APPEND messages to the configured Sent and Inbox folders. We do not read your mail, scan it, or use it for any purpose other than the round trip described above.

Optional desktop activity tracker

If your employer chooses to install our optional desktop application, the app records on-seat activity (idle versus active time) and may capture screenshots at a configurable interval. The desktop tracker:

  • Is not part of the web product. It is installed only if you or your IT team chooses to deploy it.
  • Requires the operating system permissions that screen capture and input monitoring need. The OS prompts the user the first time the app runs.
  • Stores screenshots in a per workspace storage bucket with a default 30 day retention window after which they are automatically deleted.

If you are an employee whose workplace requires this app, ask your employer for their internal monitoring policy. We act as a data processor on your employer's behalf for the contents of this stream. Your employer is the controller.

How we keep your data safe

  • All traffic is served over TLS 1.3 with HSTS.
  • Passwords are hashed with bcrypt. Refresh tokens are rotation-tracked so a stolen token is detected on next use.
  • Two-factor authentication (TOTP, RFC 6238) is available on every account and required for sensitive admin actions like the bulk leads export.
  • Database backups are encrypted and run daily, kept for 30 days.
  • Sensitive payment processor credentials and email mailbox passwords are encrypted at rest using AES-256-GCM with a key held in Google Secret Manager.
  • Per-agent privacy gates. By default, regular agents see visitor email and phone redacted (j****@example.com). Owners and admins can grant individual agents PII access on the Team page.
  • Access to production systems is restricted to a small number of engineers who need it.
  • If we ever suffer a security incident affecting your data, we will notify you promptly and tell you exactly what happened.

How long we hold onto your information

  • Account data is kept for as long as your account is active.
  • Conversations and tickets are kept for the lifetime of the workspace by default.
  • Voice call recordings: 30 days by default.
  • Desktop tracker screenshots: 30 days by default.
  • Server logs: 30 days.
  • Database backups: 30 days.
  • Audit log entries: indefinite (so an OWNER can look back at past administrative actions).
  • If you close your account, we delete personal data within 30 days, except where we are legally required to retain it.

Your rights and choices

Depending on where you live (GDPR in the EU and UK, CCPA in California, similar laws elsewhere), you have the right to access, correct, delete, port, or restrict our use of your data. ZenTalk honours these rights regardless of where you live.

If you are an end user (a visitor on a website that uses ZenTalk), the operator of that website is the controller of your data. You can exercise your rights against them directly, or you can email us and we will route the request and assist them in responding.

To exercise any of these rights, email us at support@usezentalk.com. We will respond within 30 days (sooner in practice).

International data transfers

Our servers run in the United States. If you are outside the US, your data is transferred to and processed in the US. We rely on the standard contractual clauses approved by the European Commission for transfers from the EU and UK.

Children

ZenTalk is built for businesses. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe a child has used the service, contact us and we will delete the data.

Cookies

We use a small number of cookies to keep the platform running and to understand how teams use it. The chat widget on customer sites uses a first party cookie to recognise returning visitors. You can read the full details in our Cookie Policy.

Changes to this policy

If we make meaningful changes to this policy, we will email account holders at least 14 days before the changes take effect. The "last updated" date at the top of this page always reflects the most recent version, and we keep prior versions on file.

How to reach us

We are a small team and we read every message personally. Email us at support@usezentalk.com with any question, concern, or data request. We will always write back.