Overview
ZenBriefr LLC is committed to protecting your privacy. This policy explains how we handle data when you use our Zendesk app for file viewing, OCR text extraction, reply enhancement, and link detection.
Privacy by Design: ZenBriefr processes ticket content in real time and does not store raw ticket content or attachments. AI processing runs under OpenAI's zero-retention API terms, and contact/financial identifiers are redacted from summaries before processing. We retain only the account metadata needed to run the app (see details below).
Data Collection & Processing
What We Process
- File Content: PDFs, images, and documents for instant viewing and OCR text extraction
- Reply Text: Ticket replies for AI draft generation and translation
- Ticket Content: Text content for automatic link detection and extraction
- Account Information: Zendesk subdomain, admin email, user ID for authentication
What We DON'T Store
- No File Storage: Attachments are viewed in real time, never stored on our servers
- No Raw Ticket Storage: Raw ticket content is processed temporarily and discarded after the request (generated summaries may be cached briefly — see "What We Store" below)
- No End-Customer PII Storage: Ticket requester personal information is not stored or logged
- No Reply History: Enhanced replies are not stored after processing
- No Link Data: Extracted links are not retained after display
How We Protect Your Data
Selective PII Redaction (Summaries)
- Contact & Financial Identifiers: When generating ticket summaries, email addresses, phone numbers, Social Security numbers, and payment card numbers are detected and replaced with placeholder tokens before the content is sent to our AI provider.
- Local Restoration: Any placeholder tokens returned by the AI are restored to their original values in your result. The mapping is held in memory only for the duration of the request and then discarded.
- Scope: This redaction is applied to the summarization feature. Other features (such as reply drafting and translation) require the original wording to function and rely on the AI-provider safeguards described below.
AI Provider Safeguards
- Zero-Retention API: We use OpenAI's API (not consumer ChatGPT). Content sent for processing is not used to train models and is deleted within 30 days under OpenAI's data-handling terms.
- Encryption in Transit: All data transmission uses TLS.
- Data Minimization: Only the content needed to perform the requested feature is sent.
Data Handling
What We Store
- No File Storage: Attachments are viewed in real time and are never stored on our servers.
- No Raw Ticket Storage: Raw ticket content is processed in memory and discarded after the request completes.
- Short-Term Summary Cache: Generated summaries may be cached briefly, keyed by a content hash, so repeated requests for the same ticket are fast and low-cost. This cache holds the generated summary (not raw ticket content) and expires automatically.
- Account Metadata: Zendesk subdomain, admin email, and user ID for authentication, plus OAuth tokens stored encrypted at rest.
Third-Party Services
- OpenAI: Processes ticket content to generate summaries, drafts, and translations under zero-retention API terms (not used for training; deleted within 30 days). Contact and financial identifiers are redacted from summarization content beforehand.
- Supabase: Stores account authentication data only (subdomain, admin email, encrypted tokens, plan/usage metadata).
- Service Provider Compliance: Our third-party providers maintain industry-standard security practices.
Data Security
Security Measures
- Encryption in Transit: All data transmission uses TLS 1.3
- OAuth Authentication: Secure token-based Zendesk integration
- No PII Storage: Customer personal information never stored in our databases
- Access Controls: Minimal access principles and role-based permissions
- Security Monitoring: Continuous monitoring for unusual access patterns
Compliance
- GDPR Aligned: Data minimization, zero-retention AI processing, and selective redaction support compliance with data protection regulations
- CCPA Compliant: California privacy law requirements met through privacy-by-design approach
- SOC 2 Principles: Security, availability, and confidentiality controls implemented
- Enterprise Standards: Bank-level security practices and data handling procedures
Legal Basis for Processing (GDPR Article 6)
Our legal basis for processing personal data under GDPR is:
- Legitimate Interests (6(1)(f)): Processing ticket content (with contact and financial identifiers redacted for summaries) to provide AI services that improve support team efficiency
- Consent (6(1)(a)): When you install and use ZenBriefr, you consent to data processing as described
- Contract Performance (6(1)(b)): Processing necessary to provide the services you've subscribed to
You can withdraw consent or object to processing at any time by uninstalling the app.
Your Rights
Data Subject Rights (GDPR Articles 15-22)
- Right to Access (Article 15): Contact us for account information access
- Right to Rectification (Article 16): Update account info through Zendesk admin
- Right to Erasure (Article 17): Uninstall app to remove all account data
- Right to Object (Article 21): Object to processing by uninstalling the app
- Right to Data Portability (Article 20): No customer data stored to port
- Right to Restrict Processing (Article 18): Temporarily disable app features
How to Exercise Rights: Email support@zenbriefr.com or uninstall the app through Zendesk admin.
Account Management
- Uninstallation: Removes all stored account tokens and metadata
- Trial Expiration: Account data automatically deleted after 30 days of inactivity
- Data Retention: Account metadata retained only while app is installed
Data Breach Notification (GDPR Articles 33-34)
In the unlikely event of a data breach affecting personal data:
- Authority Notification: We will notify relevant supervisory authorities within 72 hours
- User Notification: Affected users will be notified without undue delay if the breach poses a high risk to their rights and freedoms
- Mitigation: Immediate steps will be taken to contain and remedy the breach
- Limited Impact: Our data-minimization and zero-retention approach minimizes potential breach impact
International Data Transfers
When we process data using third-party AI services:
- Provider Safeguards: Content is processed by OpenAI under zero-retention API terms; contact and financial identifiers are redacted from summarization content beforehand
- Adequate Safeguards: International transfers rely on the providers' contractual data-protection terms and applicable safeguards
- Data Minimization: Only the data necessary for the requested feature is transferred
Updates to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Users will be notified of material changes through their Zendesk admin interface or email at least 30 days before implementation.
Governing Law
This privacy policy is governed by and complies with GDPR, CCPA, and other applicable privacy regulations. For EU users, this policy is subject to EU data protection law.