Privacy Policy

How we collect, process, and protect your personal information

Last updated: June 13, 2026

Introduction

At Z360.AI, we take the protection of your personal data seriously. This privacy policy informs you about which personal data we collect and process when you visit our website, register for our service, and use our platform as a customer (restaurant owner or operator). It also informs you about your rights under the General Data Protection Regulation (GDPR).

This policy concerns the processing of data of our customers, prospects, and website visitors, for which Z360.AI is the data controller. For the personal data of our customers' end customers (guests) that is processed via our platform in the course of WhatsApp chats and phone calls, the respective customer (restaurant) is the controller; in this respect Z360.AI acts solely as a processor under Art. 28 GDPR on the basis of the Data Processing Agreement (DPA).

Controller

The controller within the meaning of the GDPR is:

Z360.AI (owner: Alper Koyuncu)

Konrad-Adenauer-Str. 4

93077 Bad Abbach, Germany

Phone: +49 941 942 230 52

Email: info@z360.ai

For data protection inquiries, you can reach us at privacy@z360.ai.

What Data We Process

Depending on your use, we process the following categories of personal data about you as a customer, prospect, or website visitor:

Master and Identity Data

First and last name, salutation, and the username or identifier of your account used during registration.

Contact and Contract Data

Email address, telephone number, and the master data of the business you create on our platform – in particular restaurant name, address, telephone number, email address, and an optionally uploaded logo. This data is stored in our database in order to manage the account and provide the service.

Access and Account Data

Login credentials for your user account. Passwords are stored exclusively in encrypted or hashed form via our authentication service (Supabase Auth); we have no access to your password in plain text. We also process the role and permission assignments of your account.

Payment and Billing Data

To process paid use, we process billing-related data. The actual payment processing is carried out by our payment service provider Stripe (see the section "Payment Processing via Stripe"). Full payment data – such as credit card numbers or bank details for SEPA direct debits – is entered directly with Stripe and is not stored by us. In our database we only store the Stripe customer ID, the subscription ID, the billing or subscription status, and usage-based billing data (e.g., the volume of AI and telephony services used).

Platform Usage Data

Information about how you use our platform and services, including usage-based consumption data (e.g., the number of voice calls and the volume of AI usage), which we evaluate for billing and to improve the service.

Technical Data

IP address, login data, browser type and version, time zone setting and location, operating system and platform, time of access, and protocol/log data generated when accessing our website and platform.

Call and Voice Data

When you call our telephone number, you are assisted by an AI-powered voice agent. In this context we process your telephone number and the content of the conversation, including a recording and/or transcript, in order to handle your request. For details, see the section "Phone Calls with Our AI Voice Agent".

Purposes and Legal Bases of Processing

We only process your personal data insofar as this is legally permitted. The main purposes and the respective legal basis under Art. 6 GDPR are:

  • Provision, administration, and billing of the service as well as management of your account and business data – to perform the contract concluded with you (Art. 6(1)(b) GDPR).
  • Processing of payments via our payment service provider Stripe – to perform the contract (Art. 6(1)(b) GDPR).
  • Compliance with legal obligations, in particular tax- and commercial-law retention and documentation requirements (Art. 6(1)(c) GDPR).
  • Ensuring the security of our systems, abuse and fraud prevention, and further development of our services – on the basis of our legitimate interests (Art. 6(1)(f) GDPR).
  • Sending marketing or product information, insofar as you have consented to this (Art. 6(1)(a) GDPR). You may withdraw any consent given at any time with effect for the future.

Storage and Processing in Our Database

Our customers' data – in particular account, contract, and business data – is stored in a database that we operate with the infrastructure provider Supabase Inc. Supabase processes this data exclusively on our behalf and on the basis of a data processing agreement.

Access to this data is restricted to those persons who need it to provide and administer the service (need-to-know principle). We take appropriate technical and organizational measures to protect the data against unauthorized access, loss, or alteration.

Payment Processing via Stripe

To process paid services, we use the payment service provider Stripe. The provider for customers in the European Economic Area is Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

Depending on your selection, credit card, SEPA direct debit, and PayPal are available as payment methods. Payment data is entered directly in a secure environment provided by Stripe (Stripe Checkout). We do not receive or store full card or account details; Stripe only transmits to us a customer ID, a subscription ID, and the payment or billing status.

Stripe processes the personal data arising in the payment process as an independent controller in order to carry out the payment and to prevent fraud and abuse. The legal basis for transmitting the data required for payment to Stripe is the performance of the contract (Art. 6(1)(b) GDPR). Further information on data processing by Stripe can be found in Stripe's privacy policy at https://stripe.com/privacy.

Phone Calls with Our AI Voice Agent

When you call our business telephone number, your calls are answered and handled by an AI-powered voice agent. In doing so, we process your telephone number and the content of the conversation, including a recording and/or transcript. In this respect, Z360.AI is the controller within the meaning of the GDPR.

The purpose of the processing is to receive and handle your request, answer inquiries, initiate and perform contractual relationships, and ensure the quality of our customer service. The legal basis is the performance of pre-contractual or contractual measures (Art. 6(1)(b) GDPR) as well as our legitimate interest in efficient and high-quality telephone availability (Art. 6(1)(f) GDPR).

To operate the AI voice agent, we use the service provider ElevenLabs, Inc., USA, which performs the voice processing (speech recognition and speech synthesis) on our behalf as a processor. The telephone connection is established via the telephony provider Twilio Ireland Ltd., Ireland. Insofar as personal data is transferred to a third country (in particular the USA) in this context, we base such transfers on the EU Commission's Standard Contractual Clauses (Art. 46 GDPR).

We store the recordings and transcripts of your phone calls for a maximum of ninety (90) days and then delete them automatically and irreversibly, unless statutory retention obligations apply. The content of your conversations is not used to train or improve AI models.

Recipients and Service Providers

To provide our service, we use carefully selected service providers that process personal data on our behalf. For the processing of your account, contract, and billing data these are in particular:

• Supabase Inc., USA – database and authentication services

• Vercel Inc., USA – hosting infrastructure

• Stripe Payments Europe, Limited, Ireland – payment processing (independent controller; see above)

• Twilio Ireland Ltd., Ireland – telephony for inbound calls

• ElevenLabs, Inc., USA – AI voice agent for phone calls

• ZeptoMail (Zoho Corporation), USA/India – sending of transactional and notification emails

A complete overview of the sub-processors that we use to process the end-customer or guest data of our customers can be found in the Data Processing Agreement (DPA).

Transfers to Third Countries

Some of the service providers we use are located in or process data outside the European Union, in particular in the USA. Insofar as personal data is transferred to a third country in this context, we ensure an adequate level of data protection through appropriate safeguards – in particular the EU Commission's Standard Contractual Clauses under Art. 46 GDPR.

Retention Period

We store your personal data only for as long as is necessary for the purposes stated. Account and contract data is stored for the duration of the contractual relationship. After the contract ends, we delete or anonymize the data, insofar as no statutory retention obligations apply. Invoice- and accounting-relevant data is retained in accordance with the applicable tax- and commercial-law periods (generally up to ten years).

Recordings and transcripts of phone calls with our AI voice agent are stored for a maximum of ninety (90) days and are then deleted automatically and irreversibly (see the section "Phone Calls with Our AI Voice Agent").

Data Security

We have put in place appropriate technical and organizational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed. Access to your personal data is limited to those employees, agents, and contractors who have a business need to know.

We have put in place procedures to deal with any suspected personal data breach and will notify you and the competent supervisory authority of a breach where we are legally required to do so.

Your Rights

Subject to the legal requirements, you have the following rights in relation to your personal data:

  • To request access to your personal data (Art. 15 GDPR).
  • To request correction of your personal data (Art. 16 GDPR).
  • To request erasure of your personal data (Art. 17 GDPR).
  • To request restriction of processing of your personal data (Art. 18 GDPR).
  • To request transfer of your personal data (data portability, Art. 20 GDPR).
  • To object to the processing of your personal data (Art. 21 GDPR).
  • To withdraw any consent given at any time with effect for the future (Art. 7(3) GDPR).
  • To lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

Contact Us

If you have any questions about this privacy policy or our privacy practices, or if you wish to exercise your rights, please contact us: