Overview
ZenBriefr LLC is committed to protecting your privacy. This policy explains how we handle data when you use our Zendesk app for AI-powered ticket summarization and OCR processing.
Privacy-First Approach: ZenBriefr uses advanced PII redaction technology to ensure customer personal information never appears in AI processing logs or third-party systems.
Data Collection & Processing
What We Process
- Ticket Content: Text from Zendesk tickets, with personal information automatically redacted before AI processing
- Attachments: Images and documents for OCR text extraction, with PII redaction applied to extracted content
- Account Information: Zendesk subdomain, admin email, user ID for authentication
- Usage Metadata: Processing timestamps, feature usage, error logs (no PII)
What We DON'T Store
- No Ticket Data: Ticket content is processed in real-time and immediately discarded
- No Customer PII: Personal information is never stored, logged, or retained
- No Attachments: Files are processed temporarily and permanently deleted
- No Conversation History: We maintain zero conversation or chat logs
PII Protection Technology
Automatic Redaction Process
- PII Detection: Names, email addresses, phone numbers, account IDs, and addresses automatically identified
- Token Replacement: Personal information replaced with placeholder tokens (e.g., [CUSTOMER_NAME], [EMAIL_ADDRESS])
- AI Processing: Only anonymized content with placeholder tokens sent to AI services
- Local Restoration: Original information restored locally after AI processing completes
- Zero PII Transmission: Customer personal data never leaves your secure environment
Technical Implementation
- Pre-Processing Layer: PII redaction occurs before any external API calls
- In-Memory Processing: Redaction mappings stored temporarily in memory only
- Immediate Cleanup: All processing data cleared after each request completion
- No Logging Override: PII redaction cannot be disabled or bypassed
Data Handling
Processing Approach
- Ephemeral Processing: All content processed in memory with immediate disposal
- PII-Safe Transmission: Only anonymized tokens sent to third-party services
- Hash-Only Caching: Content hashes stored for deduplication (no actual content or PII)
- Privacy-Safe Metadata: Only non-identifying metadata retained for performance optimization
Third-Party Services
- OpenAI: Receives only PII-redacted content with placeholder tokens. Data retention disabled and content automatically deleted within 30 days
- Supabase: Account authentication data only (subdomain, admin email, tokens)
- No PII Sharing: Customer personal information is never transmitted to any third party
- Service Provider Compliance: All third-party services maintain enterprise-grade security standards
Data Security
Security Measures
- Encryption in Transit: All data transmission uses TLS 1.3
- OAuth Authentication: Secure token-based Zendesk integration
- No PII Storage: Customer personal information never stored in our databases
- Access Controls: Minimal access principles and role-based permissions
- Security Monitoring: Continuous monitoring for unusual access patterns
Compliance
- GDPR Compliant: PII redaction ensures enhanced compliance with data protection regulations
- CCPA Compliant: California privacy law requirements met through privacy-by-design approach
- SOC 2 Principles: Security, availability, and confidentiality controls implemented
- Enterprise Standards: Bank-level security practices and data handling procedures
Legal Basis for Processing (GDPR Article 6)
Our legal basis for processing personal data under GDPR is:
- Legitimate Interests (6(1)(f)): Processing anonymized ticket content to provide AI summarization services that improve support team efficiency
- Consent (6(1)(a)): When you install and use ZenBriefr, you consent to data processing as described
- Contract Performance (6(1)(b)): Processing necessary to provide the services you've subscribed to
You can withdraw consent or object to processing at any time by uninstalling the app.
Your Rights
Data Subject Rights (GDPR Articles 15-22)
- Right to Access (Article 15): Contact us for account information access
- Right to Rectification (Article 16): Update account info through Zendesk admin
- Right to Erasure (Article 17): Uninstall app to remove all account data
- Right to Object (Article 21): Object to processing by uninstalling the app
- Right to Data Portability (Article 20): No customer data stored to port
- Right to Restrict Processing (Article 18): Temporarily disable app features
How to Exercise Rights: Email support@zenbriefr.com or uninstall the app through Zendesk admin.
Account Management
- Uninstallation: Removes all stored account tokens and metadata
- Trial Expiration: Account data automatically deleted after 30 days of inactivity
- Data Retention: Account metadata retained only while app is installed
Data Breach Notification (GDPR Articles 33-34)
In the unlikely event of a data breach affecting personal data:
- Authority Notification: We will notify relevant supervisory authorities within 72 hours
- User Notification: Affected users will be notified without undue delay if high risk to rights and freedoms
- Mitigation: Immediate steps will be taken to contain and remedy the breach
- Limited Impact: Our PII redaction and zero-storage architecture minimizes potential breach impact
International Data Transfers
When we process data using third-party AI services:
- Anonymized Transfers: Only PII-redacted content crosses international boundaries
- Adequate Safeguards: All international transfers comply with GDPR adequacy decisions or appropriate safeguards
- Data Minimization: Only necessary anonymized data transferred for service provision
Updates to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Users will be notified of material changes through their Zendesk admin interface or email at least 30 days before implementation.
Governing Law
This privacy policy is governed by and complies with GDPR, CCPA, and other applicable privacy regulations. For EU users, this policy is subject to EU data protection law.