Privacy & Cookie Policy of Zhero Srl

This Privacy & Cookie Policy describes how Zhero Srl (hereinafter “Zhero” or “Data Controller”) collects, uses, protects, and manages users’ personal data in compliance with Regulation (EU) 2016/679 (“GDPR”), current Italian legislation on personal data protection, and applicable privacy and cookie regulations. The policy is designed to be clear and transparent, providing users with all necessary information about the processing of their data.

1. Company Information (Data Controller)

Company name: Zhero Srl Registered office: Via Friuli 8/B, 20135 Milano (MI), Italy Privacy contact email: privacy@zhero.ai

Zhero Srl is the Data Controller for personal data collected through its website and services. For any questions or requests related to privacy, you can contact us at the email address indicated above.

2. Personal Data Collected

Zhero collects and processes various types of personal and company data, strictly necessary for the purposes indicated in this policy. In particular, the data collected may include:

  • Name and Surname – User or contact person’s identification information.
  • Email – Professional or personal email address.
  • Company – Name of the company/organization the user works for or represents.
  • Zscaler Tenant ID – Unique identifier of the customer’s Zscaler tenant (technical data related to the services provided).
  • Tenant Domains – Domains associated with the customer’s Zscaler tenant.
  • Licenses – Information on products/services licenses held by the customer (e.g., number of licenses, type, duration).

Such data is provided voluntarily by the user (for example through forms) or acquired during the use of Zhero services, as detailed below.

3. Data Collection Methods

Zhero collects the personal data and information listed above through various methods, in compliance with the principles of lawfulness, fairness, and transparency. In particular, data may be collected through:

  • Cookies: through cookies on the site (particularly analytics cookies like Google Analytics 4, described later) that collect navigation information in aggregate or identifiable form according to the consent settings provided by the user.
  • Online forms: through forms completed by the user on our site or application (e.g., contact forms, registration, requests for information or service activation) where the user voluntarily enters their data.
  • API: through Application Programming Interfaces when Zhero services are integrated with other platforms. For example, if the user uses an integration or external service connected to Zhero, relevant data (such as Zscaler Tenant ID, domains, etc.) may be acquired via API automatically to provide the requested service.

During collection, Zhero commits to collecting only data strictly necessary for the intended purposes and to ensuring that collection methods guarantee adequate security (for example, HTTPS protected connections for online forms).

4. Purposes of Processing

The data collected is processed by Zhero exclusively for the following explicit and legitimate purposes:

  • Customer management: to manage the relationship with customers and users, including customer records, technical or commercial support, billing, and after-sales assistance. This also includes any communications related to the contractual relationship or information requested by the user.
  • License management: to administer and monitor the licenses of products/services provided to the user or client company. For example, verify the number of active licenses, expiration, compliance with terms of service, as well as activate/deactivate features related to licenses.
  • Sending update emails: to send service communications and updates related to Zhero products or services. This includes notifications about new features, security updates, changes to service terms, or other important information for the user as a customer. Additionally, with the user’s specific consent, the email address may be used to send newsletters or promotional communications about Zhero products and services similar to those already purchased (the user can oppose such sending at any time).

The purposes described above will be pursued in compliance with applicable regulations. The data collected will not be further processed for purposes incompatible with the initial ones, except with further consent from the data subject or a different legal basis that allows it.

5. Legal Basis for Processing

Each processing of personal data carried out by Zhero is based on an adequate legal basis, in accordance with the provisions of Art. 6 of the GDPR. In this context:

  • Personal data (name, surname, email): are processed with the explicit consent of the data subject. This means that, for example, when the user fills out a form providing their name and email, they will be asked to accept this policy and consent to the processing of this data for the specific purposes indicated (such as receiving update communications). Consent is free, specific, informed, and revocable at any time. (Legal basis: Art. 6(1)(a) GDPR – consent of the data subject).
  • Company data (company name, Zscaler Tenant ID, Tenant domains, license information): are processed as necessary for the performance of a contract to which the company (or the user representing it) is a party, or for the implementation of pre-contractual measures taken at the user’s request. In practice, this data is essential to provide the requested services (e.g., activating and managing a Zscaler tenant, assigning licenses, etc.) and therefore their processing is lawful without the need for further consent, as it is strictly related to the contract/service. (Legal basis: Art. 6(1)(b) GDPR – performance of a contract).

In some cases, additional legal bases may apply: for example, a legal obligation (Art. 6(1)(c) GDPR) that requires the storage or communication of certain data, or the legitimate interest of the Controller (Art. 6(1)(f) GDPR) for certain activities compatible with the rights of the data subject. In any case, where the legal basis is legitimate interest, Zhero will carefully assess its prevalence over the fundamental rights and freedoms of the data subject.

6. Data Sharing (Recipients of Personal Data)

Zhero does not share or sell users’ personal data to third parties for commercial or marketing purposes. The data provided will be processed only and exclusively for the purposes indicated above by Zhero’s staff and collaborators, expressly authorized for processing and adequately instructed in data protection matters.

In some cases, for operational and management needs, data may be communicated to trusted external subjects who provide services instrumental to Zhero’s activities (for example: IT service providers, cloud services, maintenance of IT systems, legal or tax consultants). These subjects will act as Data Processors pursuant to Art. 28 GDPR, based on specific contractual agreements that impose confidentiality and security obligations equivalent to those of Zhero. In no case will users’ personal data be disseminated (i.e., made public) without consent.

Exceptionally, data may be communicated to public or judicial authorities, exclusively where this is required by legal obligations or by orders of the authority (e.g., legal investigations). Outside of these cases, the user’s data remains within Zhero and its ecosystem of service providers, without unauthorized transfers.

Transfer of data abroad: Currently, Zhero preferably processes and stores data within the European Union. If for technical or operational reasons it becomes necessary to transfer personal data to third countries (for example, when using international cloud services such as those offered by Google for Google Analytics), Zhero ensures that the transfer will take place in accordance with Articles 44-49 of the GDPR, i.e., to countries that guarantee an adequate level of protection recognized by the European Commission, or through the adoption of appropriate safeguards (such as Standard Contractual Clauses approved by the European Commission) and with the implementation of supplementary measures to protect data.

7. User Rights (Data Subjects)

As a data subject, the user has a series of rights guaranteed by the GDPR in relation to their personal data. Zhero is committed to facilitating the exercise of these rights and to responding to users’ requests within the timeframes provided by law. In particular, the user has the right to:

  • Access – Obtain confirmation of whether personal data concerning them is being processed and, if so, receive a copy of the data in an intelligible format, as well as information about the processing (purposes, categories of data, recipients, retention period, etc.).
  • Rectification – Request the correction or updating of inaccurate or incomplete personal data concerning them, so that it is always accurate and up-to-date.
  • Erasure – Obtain the erasure of personal data concerning them (right to be forgotten) if the conditions provided for in Art. 17 GDPR are met, for example if the data is no longer necessary for the original purposes, if the user withdraws consent (and there is no other legal basis for processing) or if the processing is unlawful.
  • Restriction of processing – Obtain that their data is temporarily blocked (i.e., not further processed, beyond mere storage) in the presence of certain conditions, for example if the user contests the accuracy of the data (for the time necessary to verify its accuracy) or objects to the processing (pending the assessment of the possible prevalence of the legitimate grounds of the Controller).
  • Objection – Object at any time, for reasons connected to their particular situation, to the processing of personal data based on Zhero’s legitimate interest. Moreover, the user always has the right to object if the data is processed for direct marketing purposes (including profiling for marketing purposes, if present); in this case the data will no longer be used for this purpose.
  • Portability – Receive in a structured, commonly used and machine-readable format the personal data they have provided to Zhero, and transmit this data to another controller without hindrance from Zhero, in the cases provided for in Art. 20 GDPR (i.e., if the processing is based on consent or on a contract and is carried out by automated means).
  • Withdrawal of consent – (When applicable) Withdraw at any time the consent previously given for the processing of personal data for one or more specific purposes. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. If, for example, the user had consented to receive update emails, they can later choose to unsubscribe (opt-out) and Zhero will cease to send them communications of that type.

In addition to the rights listed above, the user has the right to lodge a complaint with a supervisory authority for personal data protection (in Italy, the Data Protection Authority), if they believe that the processing of their data violates current legislation. More information is available on the official website of the Authority (www.garanteprivacy.it).

Exercise of rights: The user can at any time exercise their rights by sending a written communication to Zhero, in particular by email to privacy@zhero.ai. The request must be formulated in clear and comprehensible terms; Zhero may need to verify the identity of the requester before responding to the request, to ensure that data is not disclosed to unauthorized persons. The Controller will respond to the data subject’s requests without undue delay and, at the latest, within 30 days of receiving the request, except for any extension in cases permitted by the GDPR (in this case, the user will be informed of the reasons for the delay).

8. Cookie Policy

Zhero’s website uses cookies and similar technologies to ensure the proper functioning of services and improve users’ browsing experience, in compliance with Italian and European regulations on the matter (ePrivacy directive and related regulations, in coordination with the GDPR). This section describes the use of cookies on the Zhero site, including the use of Google Analytics 4, and the ways in which the user can manage or remove these cookies.

What are cookies?

Cookies are small text files that visited websites send to the user’s device (usually to the browser), where they are stored to be then retransmitted to the same sites on the next visit. Cookies allow sites to recognize users, store their preferences (e.g., the selected language), and collect information about interactions with the site. There are different types of cookies:

  • Technical cookies: are necessary for the functioning of the site and do not require the user’s consent (for example, session cookies to maintain login, or cookies to remember what has been added to a cart). Without these cookies some parts of the site might not work properly.
  • Analytics cookies: serve to collect aggregate statistical information on the use of the site (number of visitors, most viewed pages, time spent, etc.). If they collect anonymous or appropriately anonymized data and are used only in aggregate form, in some cases they can be equated to technical cookies; if instead they allow identification, they are considered third-party cookies that require consent.
  • Profiling cookies: are designed to track the user’s navigation on the net and create profiles on their tastes, habits, choices, in order to send targeted advertising. Zhero’s site does not use profiling cookies.

Cookies used by Zhero (Google Analytics 4)

The following cookies are currently used on the Zhero site:

  • Essential technical cookies: Navigation or session cookies strictly necessary to ensure the normal use of the site and its functionalities. These cookies do not collect personal information of a commercial nature and do not require consent. For example, they might include cookies to keep the user session open after login in the reserved area, or to remember language preferences.
  • Third-party analytics cookies (Google Analytics 4): Zhero uses Google Analytics 4 (GA4), a web analytics service provided by Google LLC, to collect anonymous statistical data on the use of the site. GA4 employs cookies that allow for analysis of how users use the site. The information generated by these cookies (such as pages visited, time spent on the site, type of device and browser used, and in some cases the anonymized IP address) are transmitted to Google’s servers, which process them for the purpose of providing aggregate reports to Zhero.

Zhero has configured Google Analytics 4 to anonymize users’ IP addresses, masking at least the last part of the IP address, so that the information collected through GA4 cannot be used by Google to directly identify a specific person. Furthermore, GA4 in this implementation does not cross-reference data collected on our site with other data in Google’s possession and does not use the collected data for profiling or remarketing purposes without a further legal basis.

The data collected through GA4 is used by Zhero exclusively for internal analysis, in order to understand how to improve the site and the services offered (for example, to understand which pages are most visited, which content is most useful, etc.). These cookies will be installed only if the user gives their consent through the banner or brief information on cookies displayed on first access to the site. Any refusal of consent for analytics cookies does not affect browsing on the site: the user will still be able to access all content and functionalities, simply Zhero will not collect information about their visit for aggregate statistics.

More information on Google Analytics 4: Data generated by Google Analytics cookies may be stored by Google for the period specified by their policies (currently, Google provides for the retention of Google Analytics 4 data for 14 months, unless different configurations are in place). Google commits to processing data in compliance with privacy standards and has adhered to relevant certification mechanisms (such as Standard Contractual Clauses for data transfer outside the EEA, and in the context of the new Trans-Atlantic Data Privacy Framework if applicable). For further details on how Google uses this data, you can consult Google’s official documentation or its privacy policy.

Management and removal of cookies by the user

The user has the possibility at any time to manage cookie preferences, and possibly revoke consent already given, through the following methods:

  • Banner and cookie preferences on the site: On first access to the Zhero site, an information banner is presented that allows accepting all cookies or selecting which categories of cookies to activate. The user can use this tool to grant or deny consent for non-technical cookies (such as those of Google Analytics 4). Even after the first access, the user can modify their choices at any time by recalling the cookie settings (for example through a special “Manage cookies” link or similar present on the site, if provided).
  • Browser settings: The user can configure their browser to be notified of the presence of cookies, then decide whether to accept them or not on a case-by-case basis, or refuse them all. Moreover, through the browser settings it is possible to delete cookies already saved previously. The procedures for managing cookies vary depending on the browser used; below, we provide links to instructions for the most common browsers:
    • Google Chrome: Google Support – Managing Cookies in Chrome
    • Mozilla Firefox: Mozilla Support – Delete cookies
    • Apple Safari: Apple Support – Manage cookies and website data
    • Microsoft Edge: Microsoft Support – Delete and manage cookies

(The links above lead to external sites, owned by the respective browser manufacturers, containing updated instructions on how to manage cookie settings. Zhero is not responsible for the content of such third-party sites.)

  • Disabling Google Analytics: If the user wishes to disable Google Analytics on all websites, they can install the appropriate browser add-on for the deactivation of Google Analytics provided by Google (available at: https://tools.google.com/dlpage/gaoptout). This plug-in communicates with Google Analytics JavaScript code preventing it from sending information about the visit to the site.

Please note that disabling all cookies, including technical ones, could compromise some functionalities of the site (for example, it might not be possible to maintain access to the reserved area). In general, it is possible to navigate on the Zhero site even refusing all non-essential cookies.

9. Data Security

Zhero adopts appropriate technical and organizational security measures to protect users’ personal data from unauthorized access, disclosure, alteration, or unauthorized destruction. In particular, we use secure communication protocols (such as HTTPS/TLS), firewall protection systems, database access controls, and internal procedures for secure data management. Personnel authorized for processing are instructed about the importance of protecting personal data and bound by confidentiality obligations. Despite Zhero’s commitment to protecting personal data, it should be kept in mind that no transmission or electronic storage system is 100% secure; therefore, in case of a data breach likely to present a high risk to the rights and freedoms of users, Zhero will adhere to the notification obligations provided for by the GDPR (Arts. 33-34).

10. Data Retention Period

Zhero retains users’ personal data only for the time necessary to achieve the purposes for which they were collected or to satisfy legal or contractual obligations. In general:

  • Data collected for contractual purposes (e.g., customer and license management) is kept for the entire duration of the contractual relationship and, subsequently, for the period necessary to fulfill legal obligations (e.g., tax or accounting obligations, storage of invoices) or to protect any rights in legal proceedings. Normally, this data will not be kept for more than 10 years from the termination of the relationship, unless further retention is necessary (for example in case of ongoing disputes).
  • Data processed on the basis of consent (e.g., email for sending updates/newsletters) will be kept until withdrawal of consent or request for deletion by the data subject, it being understood that, in the absence of prolonged interactions, Zhero may proceed with periodic verifications and request confirmation of interest in receiving communications.
  • Navigation data collected through Google Analytics 4 is stored by Google in aggregate/anonymous form for the period chosen in the settings (for example 14 months), as indicated previously, and by Zhero only in aggregate form for statistical analysis without the possibility of tracing it back to the specific user.

At the expiry of the retention periods indicated above, the data will be deleted, anonymized, or aggregated irreversibly, unless they must be further retained by order of the Authority or to exercise or defend a right in court.

11. Changes to this Policy

This Privacy & Cookie Policy may be subject to revisions and updates over time, also due to regulatory changes or variations in the services offered by Zhero. Any substantial changes will be communicated to users through appropriate channels (for example, a notice on the site or via email, where technically possible). The user is therefore invited to periodically consult this page to be informed about the most recent version. The date of last update is indicated at the bottom of the policy.

Last update: March 02, 2025.