Introduction
At ZÜMI, we respect your privacy and are committed to protecting personal data. ZÜMI is a B2B event sales and marketing platform that helps exhibitors (sales, marketing, and RevOps professionals) manage event leads through badge scanning, AI-driven transcriptions and summaries, automated follow-up emails, and CRM syncing. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our services. ZÜMI is based in Hungary (within the EU jurisdiction) and complies with the EU General Data Protection Regulation (GDPR) as well as other applicable international privacy laws. We maintain a clear, formal, and legally sound approach to data protection suitable for our enterprise customers.
By using ZÜMI’s website, application, and services, you acknowledge that you have read and understood this Privacy Policy. If you have any questions or concerns about our data practices, please contact us using the information in the “Contact Us” section below.
This Privacy Policy applies to all personal data processed by ZÜMI through our globally available platform, including our website, web and mobile applications, and any related microsites or services. It covers personal data of the following individuals:
ZÜMI Customers and Users: Employees or representatives of our business clients who use ZÜMI (e.g. sales, marketing, and RevOps users, and event staff). This includes account owners and team members using ZÜMI’s tools.
Event Attendees and Business Contacts: Individuals whose information is collected by our customers at events using ZÜMI (for example, prospects or business customers whose badges are scanned, whose information is entered, or who interact with follow-up communications via ZÜMI).
Please note that in many cases ZÜMI acts as a data processor on behalf of our business customers for event attendee data. Our customers are the data controllers who determine why and how that personal data is used (for example, for their sales follow-ups). ZÜMI processes such data only as instructed by the customer and as described in this Policy. For personal data that we collect and use for our own purposes (such as user account information and our website visitor data), ZÜMI is the data controller.
Our services are intended for business use and not for children. We do not knowingly collect personal data from individuals under 18 years of age. If you are under 18, please do not use ZÜMI or provide any personal information. If we learn that we have inadvertently collected information from a minor under 18, we will promptly delete it.
ZÜMI collects business-related personal data necessary to provide and improve our event management and marketing services. The types of personal data we collect include:
Contact and Identity Information: Name, work email address, work telephone number, job title, company/organization name, department, and other basic contact details. This may apply to our customer users (e.g. when registering an account) and to event leads (e.g. info obtained from a scanned badge or business card such as name, email, company, title).
Event Lead Details: Information about event attendees and business prospects that our customers collect at events. This can include contact information (as above), as well as company industry, seniority or role, and any notes or qualifiers from the event (e.g. interest areas, product of interest, follow-up actions). If a badge scan or event system provides additional data (like an attendee ID, address, or registration info), we will collect those details as provided.
Communications Content: If you use ZÜMI to capture conversations or notes, we collect the content of those communications. For example, our platform may record or transcribe conversations with leads (via an AI transcription service) and generate AI-driven summaries of meetings or discussions. We store these transcripts and summaries, which may contain personal data about the attendees (e.g. their comments, answers, or preferences as discussed). We also process the content of emails or messages sent through our platform (including automated follow-up emails sent to leads) and any responses or interactions.
CRM and Integration Data: ZÜMI integrates with third-party tools like HubSpot, Salesforce, and other CRM systems (via Apideck). If you choose to sync ZÜMI with such tools, we may fetch and store relevant data from your CRM (e.g. existing contact details, company info, deal status) to display or update in ZÜMI. Likewise, new data collected in ZÜMI (like a new lead from an event or notes about a contact) may be transmitted to your CRM. This means we may temporarily hold or process personal data originally stored in your integrated systems in order to sync records.
Usage Data: Information about how you and your event contacts interact with our platform. This includes:
Platform Usage: Actions you take in the ZÜMI app or website (e.g. login times, features used, pages or screens viewed, button clicks, number of leads scanned, emails sent, etc.).
Microsite and Email Engagement: If we provide event microsites or landing pages for leads, we collect data on visits and interactions (such as page views, links clicked, content downloaded). For emails sent via ZÜMI, we track if and when recipients open emails or click links (using tracking pixels and unique links) to measure engagement and follow-up effectiveness.
Device and Technical Information: When users access ZÜMI (or when leads interact with ZÜMI-powered content online), we collect technical data like IP address, browser type, device type, operating system, referring URLs, and other device identifiers. We also log certain information automatically (e.g. log-in logs, error logs) for security, debugging and analytics.
Cookies and Similar Technologies Data: We use cookies, beacons, and similar tracking technologies (explained in more detail below) to collect information about website visitors and user sessions. This may include cookie identifiers, language preferences, and browsing activity on our sites.
No Special Categories: We do not intentionally collect any sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic or biometric data, health information, or information about sexual orientation. ZÜMI is focused on business contact data. We ask that our customers and users do not input or upload sensitive personal data into our platform. In the event that transcripts or notes incidentally include sensitive information, we will treat it with high security and confidentiality, but such data should be avoided in our system.
We collect personal data in several ways, which include:
Directly from You (User Input): We collect data that you and your colleagues provide when using ZÜMI. When using the app, you may manually enter information about a lead or notes from a conversation. Any forms you fill out on our website or app (such as account settings, feedback forms, or support requests) will send us the information you choose to provide.
Event Badge Scanning and Interaction: A core feature of ZÜMI is event lead capture. If you use our mobile app or scanners at an event, we collect the information obtained from scanning attendee badges or business cards. This typically comes from the text displayed on the attendee’s badge which contains their registration details (like name, contact info, company, title). The act of scanning automatically transfers the attendee’s data into ZÜMI. Additionally, if you engage with an attendee and record notes or use voice-to-text transcription for that interaction, the information from that interaction is collected by the platform.
AI Processing and Generation: When you utilize our AI features, such as transcribing a conversation or generating a summary or follow-up content, ZÜMI will send the relevant data (e.g. an audio recording or text of your notes) to our AI engine (powered by OpenAI and/or AWS AI services) to process and return the transcript or summary. In doing so, the raw input and AI-generated output are collected and stored in our system for your later review. Similarly, if we offer AI-driven lead scoring or prioritization, we collect the data points (e.g. lead title, company size, interaction history) used to produce a score, as well as the resulting score or rating.
From Integrated Third-Party Services: If you connect your ZÜMI account to third-party services (such as CRM systems through our integration partner Apideck, or calendar/email systems), we will receive personal data from those services based on your connection. For instance, if you connect a CRM, ZÜMI may pull in your existing contacts or leads (names, emails, companies, deal info) to match or update them with new event data. If you enable calendar access, we might retrieve attendee names or emails from your event invites. Any data imported from third-party tools will be treated in accordance with this Policy and the terms of those tools’ APIs.
Automated Means: Cookies & Web Tracking: When you visit our website or when event leads visit a ZÜMI-hosted microsite, we use cookies and similar technologies to automatically collect certain data (as detailed in Cookies and Tracking Technologies below). Likewise, when we send emails on behalf of our users to their leads, we may use tiny image files (tracking pixels) and unique link URLs to log when those emails are opened or clicked. This automated collection happens through common internet technologies and helps us monitor usage and engagement without you having to manually submit data.
From Event Organizers or Public Sources: In some cases, we might receive attendee data from event organizers or other partners if they are working with our customer. For example, an event host might provide an attendee list or access to a registration database for verification or enhanced scanning accuracy. Additionally, we may use public professional sources (like Apollo, LinkedIn or company websites) to verify or enrich business contact details, but only where it is lawful and relevant to our B2B services.
We collect personal data either as a controller (for things like your account and our website usage) or on behalf of our customer who collected the data (for event leads). In either case, we strive to be transparent about the data we handle and ensure it is collected lawfully.
ZÜMI uses the collected personal data to provide effective event management tools and to operate our business. We limit use of personal data to the purposes described below, and we ensure that such use has an appropriate legal basis under applicable law (such as GDPR). The ways we use personal data include:
Providing and Improving Our Services: We use personal data to set up and maintain user accounts, authenticate users, and provide core functionalities of the ZÜMI platform. This includes enabling you to scan badges and capture lead information, storing that information in an organized fashion, generating AI-based transcriptions and summaries of conversations, and facilitating immediate follow-ups (e.g. drafting and sending emails or messages to your event leads). We also use data to integrate with other tools as instructed (for example, syncing new contacts and notes to your CRM system). In short, all data you input or collect is used to perform the services you expect from ZÜMI. We continually improve and personalize our platform — for example, using usage data and feedback to refine our AI models, user interface, and workflows (but not in a way that infringes on privacy rights).
Communications and Notifications: We use contact information (email, phone if provided) to communicate with you about our services. This includes sending service-related communications such as confirmations, event reminders, technical notices, updates about new features, security alerts, and support/administrative messages. If you are a ZÜMI user, we may also send you training materials or product announcements to help you get the most out of the platform (you can opt out of non-essential communications, see Your Rights and Choices below). For event leads or business contacts, ZÜMI facilitates communications on behalf of our customers – for example, sending a follow-up email to an attendee you met, containing a thank-you note or marketing materials. Those emails appear to come from the customer’s business (often using the user’s name/email as sender), and ZÜMI simply processes the dispatch and tracking. We do not independently market to our customers’ event leads unless they separately interact with us.
Analytics and Product Development: We analyze usage data, interaction logs, and feedback to understand how our services are used and to improve them. This includes measuring the effectiveness of trade show follow-ups (e.g. email open and response rates), analyzing aggregate trends in lead engagement, and identifying what features are most (or least) used. Such analysis helps us optimize workflows, fix performance issues, and develop new features. For instance, we might analyze the text of many meeting summaries (in an automated way) to improve our AI’s ability to generate accurate recap emails. When feasible, we use aggregated or anonymized data for analytics, to avoid using personal data more than necessary. We may also use your data to develop new AI-driven capabilities, such as lead scoring or priority recommendations (profiling data to suggest which leads are “hotter”). Any automated analysis or scoring we perform is only meant to assist our users – it does not entail fully automated decisions that produce legal or similar significant effects on individuals. Users can always override or ignore AI-based suggestions.
CRM Synchronization and Data Management: For users who integrate ZÜMI with other systems (CRM, marketing automation, etc.), we use personal data to enable these integrations. For example, after an event, our system may automatically create or update contact entries in your CRM with the leads’ information and interaction history. We also retrieve information from your CRM to display within ZÜMI (e.g. showing that a scanned lead is already a customer in your database). These uses are done under your instruction to streamline your sales and marketing processes.
Security and Fraud Prevention: We process personal data as needed to secure our services and users’ data. This includes using identifiers like IP addresses and account activity to detect, investigate, and prevent fraudulent use, spam, unauthorized access, attacks, and other harmful activity. We may analyze logs and communications for security screening (for example, to block a suspicious login or to identify misuse of the badge scanning feature). Personal data may be used to verify accounts and to enforce our terms of service. If necessary, we might use certain data to pursue remedies or limit damages in case of a security incident or breach.
Legal Compliance and Protection of Rights: We may need to process personal information to comply with legal obligations, such as maintaining proper business records, handling data subject requests, or responding to lawful requests by public authorities. If we are subject to an audit or regulatory inquiry, we might use relevant data to respond. Additionally, if necessary, we will use and disclose personal data to protect our rights, privacy, safety or property, or that of our customers, partners, or others – for example, to assert legal claims, enforce contracts (such as our Terms of Service or a Data Processing Agreement with a client), or defend against legal claims.
Marketing (for Our Services): If you provide us with your contact information as a prospective customer or sign up on our website (e.g. for a newsletter or waitlist), we may use your personal data to send you marketing communications about ZÜMI products, services, and events that might interest you. This may include email updates, newsletters, or event invitations. We will only do so in accordance with applicable law – for example, if required, we will obtain your consent to send marketing emails, and we will always provide a clear way to opt out. (As noted above, we do not send marketing emails to the leads that our customers collect except at the direction of those customers. Those leads may instead receive marketing from our customer, facilitated by ZÜMI as a processor.)
We ensure that we have a valid legal basis for each use of personal data. Under the GDPR (and equivalent laws), our primary legal grounds are: performance of a contract (to provide our services to our customers and users), legitimate interests (to operate, improve, and secure our platform in a business-to-business context, and to facilitate reasonable marketing and follow-up communications in the context of trade shows), consent (when required, such as for certain marketing communications or non-essential cookies), and compliance with legal obligations (when processing is necessary for us to comply with law). If you have questions about the specific legal basis for a particular processing activity, please contact us.
ZÜMI uses cookies and similar tracking technologies to provide our services, analyze user activity, and track engagement. This section explains how we use these technologies and your choices regarding them:
What Are Cookies? Cookies are small text files stored on your device (computer, smartphone, etc.) by websites you visit. They are widely used to make websites work or to be more efficient, as well as to provide information to the site owners. Similar technologies include web beacons (tiny invisible images or scripts in emails or web pages) and local storage in apps. ZÜMI and our service providers utilize these tools for various functions.
How We Use Cookies:
Necessary Cookies: We use cookies that are essential for the operation of our website and platform. For example, when you log into the ZÜMI platform, we set secure session cookies to remember you and keep you logged in as you navigate. These cookies enable core functionality like authentication and user input preferences, and our site cannot function properly without them.
Functionality Cookies: These cookies remember your preferences and settings to provide a more personalized experience. For instance, a cookie may store your language preference or the fact that you’ve dismissed a certain in-app tutorial so that we don’t show it again.
Analytics Cookies: We use analytics and performance tracking (ours or third-party tools) to understand how visitors use our website and how users interact with the platform. For example, we might use Google Analytics or a similar service to collect information about website page visits, session length, and referring sites. For the ZÜMI app, we might track usage events to analyze feature adoption. The information collected is generally aggregated and helps us improve site functionality and user experience.
Tracking Pixels & Email Analytics: In the context of event follow-ups, ZÜMI may embed unique tracking pixels in the emails sent through our platform. These tiny images let us know if an email was opened and can record whether specific links in the email were clicked. We use this information to inform our customer (the sender) about the effectiveness of their outreach (for example, to mark a lead as “interested” if they clicked a link to view a product brochure). On any ZÜMI-hosted microsite or landing page that a lead might visit from an email link, we may also use cookies or tracking scripts to log their activity (e.g. which pages were viewed and how long was spent on them). This helps our customer tailor their follow-up strategy.
Advertising Cookies: At this time, ZÜMI does not display third-party ads on our platform and we do not use third-party advertising networks that track you across sites. We do not use cookies for targeted advertising of third-party products. Any future change in this practice will be reflected in an updated policy and opt-in consent where required.
Third-Party Cookies: Some cookies or trackers on our site or service may be placed by third-party service providers. For example, if we use an analytics service like Google Analytics, that provider may set their own cookies to help measure site interactions. Similarly, if we enable login via a service like Microsoft Azure AD or Google (for SSO), those providers may set cookies as part of authentication. We ensure any third-party scripts are used in compliance with privacy laws and our agreements with those providers.
Your Choices for Cookies: When you first visit our website from certain jurisdictions, you will see a cookie notice or banner. Where required by law, we will ask for your consent to use non-essential cookies (such as analytics cookies). You can at any time adjust your cookie settings through our cookie consent tool (if provided) or by adjusting your browser settings to refuse or delete cookies. Please note that if you disable certain cookies, some features of the site or service (especially login and core features) may not function properly. For email tracking, if you do not wish to be tracked, you can opt out of further emails by unsubscribing, or you can configure your email client to block images (which will prevent the tracking pixel from loading).
Do-Not-Track Signals: Some browsers offer a “Do Not Track” (DNT) feature that signals to websites that you do not want to be tracked across different sites. Currently, our website does not respond to DNT signals specifically, because there is not yet a common standard for how to interpret them. However, we treat all visitors’ personal data in accordance with this Policy and we provide the controls described above for cookie management.
By using our site and services, you consent to the placement of cookies and tracking technologies as described, unless you disable them via the methods above.
We understand the importance of keeping personal data confidential. ZÜMI does not sell personal data to third parties. We only share personal data in the following circumstances, and always under appropriate protections:
Service Providers (Subprocessors): We use trusted third-party companies to help us operate and support the ZÜMI platform. These service providers act under our instructions and are bound by data protection agreements to only process data for our purposes and to protect it. Key subprocessors and partners include:
Cloud Hosting and Infrastructure: We rely on Amazon Web Services (AWS) to host our application and databases on secure servers in Europe. AWS stores and processes personal data (including event lead information, account info, and uploaded data) on our behalf.
AI Processing Providers: We integrate with OpenAI (and potentially AWS AI services) to power the generative AI features of ZÜMI. For example, when generating a transcript or summary, personal data (like conversation text or audio) may be sent securely to OpenAI’s API. OpenAI will process that data to return the result to us. OpenAI is a data processor in this context and is contractually prohibited from using your data for any purpose other than providing the service we request (OpenAI does not use API data to train their public models).
Integration Platform (Apideck): ZÜMI uses Apideck’s unified API platform to connect with third-party CRM and other systems. When you sync data to or from a CRM like HubSpot or Salesforce, the data passes through Apideck’s system which acts as a conduit. Apideck may briefly process or log the data to ensure the transfer and integration works properly. Apideck is committed to privacy and security and acts as our processor under strict terms.
Email and Communication Services: To send emails and other messages reliably, we may use email delivery services or SMTP providers (for example, an AWS emailing service or a transactional email service). These providers will handle recipients’ email addresses and content of the email for the purpose of sending the message. They are not permitted to use that information for anything else.
Analytics and Support Tools: We may use third-party analytics services (like Google Analytics or similar) to collect usage data as described above, or customer support tools that manage support tickets or chat communications with us. Such tools might process user identifiers and communications. Any such providers are carefully chosen and bound to protect your data.
We keep an updated list of major subprocessors which can be provided upon request. All subprocessors are evaluated for their security and privacy practices, and we execute Data Processing Agreements (DPAs) including Standard Contractual Clauses where appropriate to safeguard personal data.
Third-Party Integrations (at Your Direction): When you choose to connect ZÜMI with external platforms (e.g., syncing with your CRM, or exporting data to another system), we will share the relevant data with the third party at your instruction. For example, if you click “Sync to Salesforce,” ZÜMI (via Apideck) will transmit the selected lead data (name, contact details, notes, etc.) to your Salesforce account. Similarly, if you use our platform to send a lead’s information to a marketing automation tool or to schedule a meeting via a calendar integration, we share data with those tools as needed to fulfill your request. In these cases, the third party will process the data under their own privacy policy (for instance, your CRM provider’s privacy terms), and we encourage you to review those. ZÜMI only facilitates the data transfer and does not control those external systems. We will never send data to a third-party integration unless you have actively connected it and initiated such action.
Within Our Corporate Group: If ZÜMI is provided by a company that has affiliates or subsidiaries, we may share personal data with our corporate family on a need-to-know basis. (For example, if ZÜMI establishes offices outside of Hungary, or an affiliate company helps to provide customer support or development, your data might be accessed by that affiliate.) All such intra-group sharing would be under consistent privacy and security rules and, if transferring outside the EU, under Standard Contractual Clauses or an equivalent lawful mechanism.
Business Transfers: If ZÜMI or its parent company undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of its assets, personal data may be transferred to the successor or acquiring entity. For example, if another company acquires ZÜMI, your information would likely be one of the assets transferred. In such cases, we will ensure that the new owner continues to be bound by privacy safeguards at least as strict as those described in this Policy, and we will provide notice to users before any personal data is subject to a new privacy policy. You will have the opportunity to stop using our services or exercise any rights you have with respect to your data at that time.
Legal Requirements and Protection of Rights: We may disclose personal data to third parties (such as courts, law enforcement agencies, regulators, or lawyers) if we determine that such disclosure is (a) required by law or regulation – for example, in response to a subpoena, court order, or other legal process; or (b) necessary to protect our rights or property or the rights, property, or safety of others. This includes exchanging information with other organizations for fraud prevention, detecting security vulnerabilities, or addressing violations of law or contractual obligations. If we receive a government or law enforcement request for personal data, we will review it carefully and only comply if required by applicable law. When permitted, we will also attempt to notify affected users of such requests.
With Consent: Apart from the situations above, if we ever need to share your personal data in a way not covered by this Policy, we will obtain your consent. For example, if we wanted to use a customer testimonial or logo that contains personal information, we would ask for permission.
In all cases of sharing, we minimize the data disclosed to only what is necessary for the intended purpose and we ensure that recipients are obligated to protect it. ZÜMI never sells or rents personal information to third parties for their own marketing use. We do not share personal data with advertisers or unrelated parties for promotional purposes.
ZÜMI operates globally, and the personal data we collect may be processed in different countries, including countries outside the European Union (EU) or European Economic Area (EEA). For example, while our primary servers are in the EU (on AWS in Europe), some of our service providers and integration targets are located in the United States and other countries. This means personal data may be transferred from your country or region to another jurisdiction that may not have the same data protection laws.
When we transfer personal data internationally, we take appropriate steps to ensure it remains protected according to EU standards and applicable law:
Within the EU/EEA: If you are located in the EU/EEA, know that your data is generally stored and processed on servers in the EU. However, certain subprocessors (such as OpenAI or other support/analytics tools) might process data in the United States or other countries.
Adequacy and Safeguards: For transfers out of the EU/EEA (or the UK or Switzerland), we rely on legal mechanisms to lawfully transfer data. These include:
The European Commission’s Standard Contractual Clauses (SCCs): We have SCCs in place in our contracts with non-EU service providers, which legally oblige them to protect EU personal data to EU standards.
Data Processing Agreements: All our processors handling EU personal data sign agreements that include GDPR-required protections and commitments.
Additional Safeguards: Where needed, we implement supplemental measures such as encryption of data in transit and at rest, access controls, and strict policies to handle any government data requests, to ensure that transferred data receives adequate protection. We also evaluate, where applicable, the risk associated with international transfers (Transfer Impact Assessments).
Adequacy Decisions: In cases where the data is transferred to a country that the EU has deemed as providing adequate data protection (e.g., countries with an adequacy decision), we may rely on that decision instead.
United States Transfers: Some personal data may be transferred to the U.S. (for instance, to OpenAI’s systems or if we use a U.S.-based support tool). The U.S. is not currently judged to have blanket “adequate” status by the EU (aside from participants in frameworks like the EU-U.S. Data Privacy Framework for certain companies). In the absence of an adequacy decision covering the specific transfer, we utilize SCCs and the additional safeguards mentioned above for these transfers. We also only work with U.S. vendors who commit to GDPR-level protection and who do not use the data for any purpose other than providing the contracted service.
Other Regions: For transfers from the UK, we use the UK International Data Transfer Addendum in combination with SCCs. For Switzerland, we adapt the SCCs according to Swiss requirements. If we transfer data from other countries with data export requirements (such as Canada, Brazil, etc.), we will similarly ensure compliance with those regimes, using contractual and legal mechanisms available.
By using ZÜMI’s services or providing us with your information, you acknowledge that your personal data may be transferred to and processed in jurisdictions outside your own. However, rest assured that regardless of where your data is processed, we will protect it in line with this Privacy Policy and applicable law. If you have questions about our international data transfer practices or want to obtain a copy of relevant transfer agreements (like the SCCs), you can contact us at the address provided.
ZÜMI takes data security very seriously and implements industry-standard security measures to safeguard personal data against unauthorized access, alteration, disclosure, or destruction. We understand that enterprise customers expect robust protection for their data. The security measures we employ include:
Encryption: All data transmitted between your device and our servers is encrypted using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols. This means information like login credentials, scanned data, and API calls to our servers (or to OpenAI via our servers) are encrypted in transit. We also encrypt personal data at rest in our databases and storage (using strong encryption algorithms), so that the data is protected even if storage media were accessed without authorization.
Access Controls: We limit access to personal data strictly to those employees, contractors, and service providers who need it to perform their job duties or provide the service. All such access is controlled via authentication, and wherever possible, we use role-based access control to ensure individuals only see the data necessary for their role. Administrative access to our systems requires strong authentication (e.g., multi-factor authentication) and is logged and monitored. Our staff are trained on confidentiality and data protection obligations.
Network & Application Security: We use firewalls and monitoring tools to protect our network and servers from malicious activity. Our platform is designed with security in mind – we regularly update software and apply security patches to address vulnerabilities. We conduct periodic security testing, including vulnerability assessments and penetration testing by qualified experts, to identify and fix potential weaknesses. Critical customer data is separated logically to prevent any cross-tenant data leaks in our multi-tenant environment.
Data Minimization & Pseudonymization: We strive to collect only the data that is needed for the stated purposes. In some cases, we pseudonymize or anonymize data after it is no longer directly required in identifiable form. For example, analytical data might be aggregated so that it can no longer be linked to individual persons.
Monitoring and Auditing: We maintain logs of access to systems containing personal data and monitor these for any suspicious behavior. Our systems alert us to unusual patterns that might indicate a security threat. We also periodically review our security policies and procedures to ensure they meet evolving threats and industry best practices (such as ISO 27001 or SOC 2 standards, which we aim to adhere to or are working towards).
Subprocessor Security: We choose reputable providers (AWS, OpenAI, Apideck, etc.) that demonstrate strong security practices and certifications (for instance, AWS has multiple security certifications and compliance attestations). We flow down security requirements to them via contract and review their compliance resources.
Despite all these measures, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. Users are responsible for keeping their account login credentials secure and not sharing them. If you believe your account or data may have been compromised (for example, if you notice unauthorized activity in your account), please contact us immediately.
ZÜMI has a detailed Data Breach Response Plan in place. In the event of a data breach that affects personal data, we will act promptly to identify, contain, and remediate the issue. If a personal data breach occurs and poses a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (Data Protection Authority) without undue delay and, where feasible, within 72 hours as required by GDPR. If the breach is likely to result in a high risk to affected individuals (e.g., potential for identity theft, financial loss, or other significant harm), we will also inform those individuals without undue delay, in clear language about what happened and any steps they should take to protect themselves.
Our notification would include information about the nature of the breach, the data involved (general categories), known or suspected effects, and the measures we have taken or will take to address it (including efforts to mitigate possible adverse effects). We would also provide contact information for further inquiries. We are committed to being transparent with our clients and users about security and privacy issues, and we will take all required and appropriate steps in the unfortunate event of an incident.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, or as required by law. Because ZÜMI serves as a data platform for our customers, retention can vary depending on the context:
Event Leads and Customer-Uploaded Data: If you are using ZÜMI to collect leads and interact with them, we will retain that lead information, conversation logs, summaries, and related data on our systems until you or your organization decide to delete it or terminate your use of ZÜMI. In practice, this means we keep the data for as long as your ZÜMI account is active so that you have historical records and can manage ongoing relationships with those contacts. You have control over this data – if at any time you wish to remove a particular contact or record, you can delete it through the platform interface, and we will erase it from our production systems (subject to routine backup retention, as described below). If your organization ceases to be a ZÜMI customer, we will either return, delete, or anonymize the personal data of your event leads within a reasonable period after contract termination, as per our agreement (for example, typically within 30-60 days after service cessation, any remaining personal data is deleted or irreversibly anonymized).
User Account Data: We retain the personal data associated with your ZÜMI user account (such as your name, email, profile info, and credentials) for as long as you maintain an account with us. If you decide to close your account or if your organization’s contract with us ends, we will delete or anonymize your personal account data within a set timeframe after account closure, except for data we are required or permitted to keep for legal compliance or legitimate business purposes. For instance, we may retain basic contact information to inform you of any post-termination issues or to facilitate reactivation if you come back, but we generally delete or de-identify it after a defined period of inactivity.
Communications Data: If you correspond with ZÜMI (for example, via support emails or feedback forms), we may retain those communications as long as necessary to address your inquiry, provide support, and improve our services. Support tickets may be kept for an internal period to track our service performance. Marketing email lists will retain your contact until you unsubscribe or ask us to delete it, or if emails to you consistently bounce (indicating the address is no longer active).
Logs and Analytics: System logs (security logs, API call logs, audit trails) that may contain personal data (like user IDs or IP addresses) are generally retained for a limited period for troubleshooting and security monitoring, and then are either deleted or anonymized. Aggregated analytics data that does not identify individuals may be kept longer for trend analysis.
Legal and Compliance Retention: We may need to keep certain information for longer periods if required by applicable laws. For example, financial records (which might include billing contact information) could be kept for the duration required by tax law or accounting standards (e.g., 7 years in some jurisdictions). Also, if we are dealing with a legal dispute or receiving a legal hold request, we will retain relevant data until the issue is resolved and we are legally permitted to delete it.
Backup Policy: Like most SaaS providers, we perform routine data backups for disaster recovery purposes. Those backups are stored securely and are retained for a limited time on a rolling basis. Even after data is deleted from our active database, it might persist in encrypted backups for some additional time until those backups are rotated out. We restrict access to backups and enforce strict retention limits, after which backup data is deleted. In the event we restore from backup due to a disaster, we will re-delete any data that had previously been deleted as soon as reasonably possible.
Once the retention period for any personal data expires, or if we no longer have a legitimate business reason to retain the data, we will either delete it securely or anonymize it (so that it can no longer be associated with an identified or identifiable individual). Anonymized data is no longer considered personal data and we may retain and use it for analytics, research, and product improvement indefinitely without further notice, as it contains no identifiable information.
In summary, we keep your information for as long as it is needed for the purpose it was collected, and for a reasonable period thereafter if necessary. We then remove it safely. If you have specific questions about our retention practices (for example, how long we keep transcripts vs. contact info), feel free to contact us.
You have important rights regarding your personal data. ZÜMI is committed to upholding these rights and providing you with appropriate control over your information. The availability of certain rights may depend on your jurisdiction (for example, GDPR grants specific rights to individuals in the EU, and similar rights exist under other laws like the California Consumer Privacy Act (CCPA) as amended by the CPRA, etc.). We extend fundamental privacy rights to all our users and the individuals whose data we process, to the extent feasible. Below is a summary of your rights and how to exercise them:
Right to Be Informed: You have the right to be informed about the collection and use of your personal data. This Privacy Policy is intended to provide you with that information. We aim to be transparent about what data we have, why we have it, and how we use it.
Right of Access: You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it. This is often called a “Data Subject Access Request.” For example, if you are an event attendee who suspects a ZÜMI customer collected your data, you can ask us to confirm if we have your data and request a copy. (Note: If we process your data on behalf of one of our customers, we may refer your request to that customer who is the data controller, but we will assist as needed.) ZÜMI will provide a response as required by law, typically within one month for GDPR requests.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. For ZÜMI users, much of your basic info can be corrected directly in your account profile settings. For event leads, you may need to contact the company that scanned you or contact us to relay the correction. We will rectify any proven inaccuracies promptly.
Right to Erasure: You have the right to request deletion of your personal data (“right to be forgotten”) in certain circumstances. If you are a ZÜMI user, you may request that we delete your account data. If you are an event attendee (lead) and you do not wish to be contacted or have your data stored in ZÜMI, you can ask us (or the company that collected your info) to delete your data. We will honor valid deletion requests, provided we do not have an overriding legitimate ground to retain the data (such as a legal obligation). Keep in mind that if ZÜMI is processing your data on behalf of a customer, we might need to coordinate the deletion with them (and in many cases, the fastest route is to contact that company directly). When we delete personal data, we will also inform our processors to delete corresponding data if they no longer need it.
Right to Restrict Processing: You can ask us to restrict or pause the processing of your personal data in certain situations – for example, while we are verifying the accuracy of your data or if you have objected to processing (see below) and we are considering that objection. When processing is restricted, we will still store your data but not actively use it until the issue is resolved.
Right to Data Portability: For data you have provided to us and which we process by automated means based on consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, a CSV or JSON file), and you have the right to transmit that data to another controller. In practical terms, ZÜMI users can export certain data (like leads lists, etc.) directly from the platform. We can also assist in providing your data in a portable format upon request. For event attendees whose data was collected, this right can be exercised by obtaining your data via an access request and then reusing it as you see fit.
Right to Object: You have the right to object to our processing of your personal data in some cases. Specifically, you can object to processing that is based on our legitimate interests or for direct marketing purposes.
Direct Marketing Opt-Out: If we send you marketing emails (e.g., product updates or newsletters), you can opt out at any time by clicking the “unsubscribe” link in those emails or by contacting us. Once you opt out, we will remove you from our marketing list (though we may still send essential service communications). We do not use your data for third-party marketing.
Legitimate Interest Objection: If you do not agree with an assessment that we have a legitimate interest to process your data, you may object and explain your reasons. For example, if you are an event attendee and you object to your data being processed by ZÜMI on the basis of legitimate interest (perhaps you believe your consent was needed), we will review such objections and respond appropriately. In general, if an objection is valid, we will stop or adjust the processing unless we have compelling legitimate grounds to continue (per GDPR rules).
Right to Withdraw Consent: In cases where we rely on your consent to process personal data (for instance, if we ever requested consent for certain email communications or for optional data collection), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing that was done before you withdrew, and it won’t affect processing under other legal bases. If you withdraw consent for something like marketing emails or certain analytics cookies, we will cease that processing for your data going forward.
Rights related to Automated Decision-Making: ZÜMI does not make any fully automated decisions about individuals that produce legal effects or similarly significant effects. While we use AI to assist with things like lead scoring, this is a tool for our users and does not by itself determine an outcome for the data subject without human involvement. Therefore, GDPR Article 22 (right not to be subject to automated decision-making) is generally not applicable. However, if you believe you have been subject to automated processing by ZÜMI that significantly affects you, please let us know and we will provide information and consider any objections or requests related to that processing.
California Privacy Rights: If you are a resident of California, in addition to the rights above (many of which align with CCPA/CPRA rights), you have the right to request that we disclose what personal information we collect, use, disclose, and sell (we note again that we do not sell personal info). You also have the right to request deletion of your personal information (with similar exceptions as under GDPR), and the right to correct inaccurate personal information. California law also provides a right to opt out of the “sale” or “share” of personal information and to limit use of sensitive personal information. ZÜMI does not sell personal data and does not share personal data for cross-context behavioral advertising purposes. If we ever did in the future, we would provide a “Do Not Sell or Share” link. California residents can exercise their rights by contacting us as described below. We will not discriminate against you for exercising any of these rights (e.g., we will not deny service or provide a different quality of service just because you exercised your privacy rights).
Other Jurisdictions: Individuals in some other regions (such as Canada, Australia, Brazil, etc.) may have similar rights under applicable law. ZÜMI will honor valid requests from individuals to exercise applicable data rights, regardless of jurisdiction, to the extent feasible and required by law.
How to Exercise Your Rights: To exercise any of your rights, please contact us at the email or mailing address provided in the Contact Us section. Please clearly describe your request – for example, “I am requesting access to my personal data” or “please delete my account and all associated data.” For certain requests, we may need to verify your identity to ensure we do not disclose data to an unauthorized person or delete the wrong person’s information. We may ask for additional information to verify your identity (such as confirming your email address or other details). If you are an authorized agent making a request on behalf of someone else (as allowed under CCPA for instance), we will require proof of authorization and still need to verify the identity of the data subject.
We will respond to your request within the timeframe required by law. Under GDPR, that’s usually within one month; under CCPA, within 45 days (with a possible extension). We will inform you if we need more time or if any exemption applies that allows us to refuse the request (such as if fulfilling it would adversely affect others’ rights or if we must keep data for legal reasons). Typically, our services being B2B means many requests (especially for event lead data) might be handled in conjunction with the business that collected your information – we will guide you accordingly if that’s the case.
If you have any issues with how we handle your request or you are not satisfied with our response, you have the right to complain to a data protection authority. For EU individuals, you can contact your local supervisory authority; ZÜMI’s lead authority is likely the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), given our base in Hungary. For UK individuals, it’s the ICO; for Canada, the OPC, etc. We would, however, appreciate the chance to address your concerns directly first, so we encourage you to reach out to us with any complaint and we will do our best to resolve it.
As stated, our services are not directed to anyone under the age of 18. We do not knowingly solicit or collect personal data from minors. All our marketing and services are business-focused, and we expect users of ZÜMI and event attendees whose data is collected to be adults engaged in professional contexts. If you are under 18, you should not use our platform or provide us with any personal information.
If we become aware that we have inadvertently collected personal data from a child under 18 (for example, if a teenager attended a business event and we were not informed of their age), we will take immediate steps to delete such data from our records. If you are a parent or guardian and you believe your child (under 18) has provided personal information to us, please contact us so we can remove it.
We may update or revise this Privacy Policy from time to time to reflect changes in our business, technology, legal requirements, or for other legitimate reasons. When we make changes, we will post the updated Policy on our website and change the “Last Updated” date at the top or bottom of this Policy. If the changes are significant, we will take additional steps to notify you: for example, by emailing a notice to account holders or by displaying a prominent notice on our site or within the platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of ZÜMI after any updates constitutes your acknowledgment of the changes and your agreement to the updated policy. If you do not agree with the changes, you should discontinue use of the services and contact us if you want to exercise any of your rights (for example, to have your data deleted).
If you have any questions, concerns, or requests regarding this Privacy Policy or how ZÜMI handles your personal data, please do not hesitate to contact us. We are here to help and strive to address any privacy-related inquiries promptly.
Contact Information for Privacy Inquiries:
Email: hello@yourzumi.com (Please include “Privacy Inquiry” in the subject line for quicker routing.)
We will respond to your questions or requests as soon as possible, generally within a few business days. If you are contacting us to exercise a specific data right, please refer to the guidelines in Your Rights and Choices to help us process your request efficiently.
Governing Law: This Privacy Policy, and any disputes or claims arising out of or in connection with it, are governed by the laws of Hungary. As a company based in the European Union, we operate under the EU’s data protection framework (GDPR) and relevant Hungarian data protection laws. By engaging with ZÜMI, you acknowledge that this Policy is subject to Hungarian law and EU regulations. You also agree that any disputes will be subject to the jurisdiction of the competent courts in Hungary, unless otherwise required by applicable consumer protection or data protection laws.
Thank you for trusting ZÜMI with your event and marketing data. We are committed to protecting your privacy and delivering a secure, compliant service.