Back to Zenova

Privacy Policy

Last updated: March 15, 2026

1. Introduction

Welcome to Zenova ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered time blocking and productivity application (the "Service").

By using Zenova, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

  • Account Information: Email address, name, and authentication credentials through Supabase Auth
  • Profile Information: Timezone preferences, wake/sleep times, and planning preferences
  • Payment Information: Billing details processed securely through Stripe (we do not store full payment card numbers)
  • Google Calendar Data: With your explicit consent, we access your Google Calendar events in read-only mode to provide scheduling assistance

2.2 Usage Data

We automatically collect:

  • Goals and Tasks: Text descriptions of your goals, estimated durations, schedules, and completion status
  • Time Entries: Start/end times, durations, and descriptions of tracked activities
  • Projects and Categories: Names, descriptions, and organizational structures you create
  • Streaks and Analytics: Completion patterns, productivity metrics, and usage statistics
  • AI Interactions: Your natural language inputs to our AI features and the generated responses

2.3 Technical Data

  • IP address and browser information
  • Device type and operating system
  • Session cookies and authentication tokens
  • Usage patterns and feature interactions

3. How We Use Your Information

We use your information for the following purposes:

3.1 Core Service Functionality

  • Creating and managing your account
  • Processing AI-powered goal parsing and scheduling
  • Generating time-blocked schedules and recommendations
  • Tracking time entries and calculating productivity metrics
  • Providing calendar integration and conflict detection
  • Managing streaks and accountability features

3.2 AI Processing

When you use our AI features, your natural language inputs are sent to Vercel AI Gateway, which routes requests to selected provider models from Google and OpenAI. This processing is necessary to:

  • Parse natural language goals into structured tasks
  • Generate intelligent scheduling recommendations
  • Provide calendar optimization suggestions
  • Answer productivity-related questions

Important: Zenova does not use your prompts or AI outputs to train our own models. Vercel AI Gateway and the upstream AI providers may process your data according to their own privacy policies and terms. Avoid sharing sensitive personal information (health details, financial information, passwords) in AI prompts.

3.3 Billing and Subscriptions

  • Processing payments through Stripe
  • Managing subscription plans (Free, Pro)
  • Handling billing inquiries and disputes
  • Enforcing usage limits based on subscription tier

3.4 Service Improvement

  • Analyzing usage patterns to improve features
  • Monitoring AI performance and accuracy
  • Detecting and preventing abuse or unauthorized access
  • Troubleshooting technical issues

3.5 Communications

  • Authentication emails (password resets, email verification)
  • Important service updates and security alerts
  • Billing notifications and subscription confirmations

4. Google Calendar Integration

When you connect Google Calendar, we request read-only access to your calendar events. Specifically:

  • We access event titles, start/end times, and recurrence patterns
  • We do NOT create, modify, or delete events in your Google Calendar
  • We do NOT access attendees, descriptions, or attachments
  • Your Google refresh token is encrypted at rest using AES-256-GCM
  • You can revoke access at any time in your Settings

Google Calendar data is used solely to provide scheduling context and avoid conflicts when generating your daily/weekly plans.

5. Data Sharing and Third Parties

5.1 Service Providers

We share data with the following third-party services:

  • Supabase: Authentication and database hosting
  • Stripe: Payment processing
  • Vercel: Hosting, infrastructure, and AI gateway routing
  • Google and OpenAI: AI model processing for selected features
  • Google: OAuth authentication and calendar data (with your consent)

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

5.3 Business Transfers

If Zenova is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5.4 What We Do NOT Do

  • We do NOT sell your personal information to advertisers
  • We do NOT share your data for marketing purposes without consent
  • We do NOT use your calendar data for advertising
  • We do NOT use your content to train our own AI models

6. Data Security

We implement appropriate technical and organizational measures:

  • All data is transmitted over HTTPS/TLS 1.3
  • Google OAuth tokens are encrypted with AES-256-GCM
  • Database connections are encrypted and access-controlled
  • Regular security audits and dependency updates
  • Rate limiting to prevent brute force attacks
  • Input validation and sanitization

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

  • Account Data: Retained until you delete your account
  • Goals and Tasks: Retained until deleted by you or account closure
  • Time Entries: Retained until deleted by you or account closure
  • AI Usage Logs: Retained for 90 days for billing and debugging, then deleted
  • Stripe Data: Retained per Stripe's requirements (typically 7 years for tax purposes)
  • Server Logs: Retained for 30 days

Upon account deletion, all personal data is permanently removed within 30 days, except where we are legally required to retain it.

8. Your Rights (GDPR and CCPA)

Depending on your location, you may have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you. Contact us at privacy@zenova.sh to request your data export.

8.2 Right to Rectification

You can update your profile information at any time in the Settings page. For other corrections, contact us.

8.3 Right to Erasure

You can delete your account and all associated data from the Settings page. This action is irreversible.

8.4 Right to Data Portability

You can export your goals, time entries, and projects in JSON format from the Settings page.

8.5 Right to Restrict Processing

You can pause AI processing features while keeping your account active. Contact us to restrict specific processing activities.

8.6 Right to Object

You can object to processing based on legitimate interests by contacting us.

8.7 California Residents (CCPA)

California residents have the right to know what personal information is collected, the right to delete personal information, the right to opt-out of the sale of personal information (we do not sell data), and the right to non-discrimination for exercising these rights.

9. Cookies and Tracking

We use the following cookies:

9.1 Essential Cookies

These are required for the Service to function and cannot be disabled:

  • Authentication tokens (Supabase)
  • Session management
  • Security and fraud prevention

9.2 Functional Cookies

These remember your preferences:

  • Theme preferences (dark/light mode)
  • Timezone settings
  • UI state (sidebar collapse, view preferences)

9.3 Analytics Cookies

We may use Vercel Analytics or similar tools that collect anonymous usage data. These cookies do not identify you personally.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will prevent the Service from functioning properly.

10. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We rely on Standard Contractual Clauses and adequacy decisions for such transfers.

Our service providers and processors, including Supabase, Stripe, Vercel, Google, and OpenAI, may process data in the United States and other countries. By using our Service, you consent to these transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for material changes

We recommend reviewing this Privacy Policy periodically. Changes are effective when posted unless otherwise stated.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@zenova.sh
  • Data Protection Officer: privacy@zenova.sh

For EU residents, you also have the right to lodge a complaint with your local data protection authority.