ioZen

Privacy Policy

Last updated: January 29, 2026

This Privacy Policy explains how ioZen (“we”, “us”, or “our”) collects, uses, shares, and protects your information when you use our platform and services (the “Service”). We are committed to protecting your privacy and being transparent about our data practices.

ioZen is based in Vancouver, British Columbia, Canada.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Password (stored encrypted, we never store plaintext passwords)
  • Workspace name

1.2 Usage Data

We automatically collect:

  • Device information (browser type, operating system)
  • IP address
  • Pages visited and features used
  • Date and time of access
  • Referring URL

1.3 User Content

Content you create or upload through the Service, including:

  • FlowApp configurations and settings
  • Form responses and submissions collected from your end users
  • Contact and record data
  • File attachments

1.4 Payment Information

If you subscribe to a paid plan, our payment processor (Stripe) collects payment details. We do not store your full credit card number.

1.5 Communications

When you contact us, we collect the content of your messages, your email address, and any information you choose to provide.

1.6 Marketing Attribution Data

When customers enable attribution tracking on their FlowApps, we collect from end users:

  • UTM parameters (source, medium, campaign, content, term)
  • Platform click IDs (fbclid, gclid, ttclid, li_fat_id, msclkid)
  • Session data (session ID, first/last touch timestamps, page referrer, landing page)
  • Geo data derived from IP address (country, region, city, timezone). Raw IP addresses are not stored.

This data is collected to enable conversion attribution for the customer’s advertising campaigns. Customers control whether attribution tracking is enabled on each FlowApp.

1.7 Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy.

If you are in the European Economic Area (EEA) or UK, we process your personal data based on the following legal grounds:

PurposeLegal Basis
Providing the ServicePerformance of contract
Account managementPerformance of contract
Payment processingPerformance of contract
Customer supportPerformance of contract / Legitimate interests
Usage analytics and improvementLegitimate interests (improving our Service)
Security and fraud preventionLegitimate interests (protecting our Service and users)
Marketing communicationsConsent (you can opt out at any time)
Legal complianceLegal obligation

3. How We Use Your Information

We use your information to:

  • Provide the Service: operate, maintain, and deliver the features you use
  • Process payments: handle billing and invoicing
  • Communicate with you: send service updates, security alerts, and support messages
  • Improve the Service: analyze usage patterns to fix issues and add features
  • Ensure security: detect and prevent fraud, abuse, and technical problems
  • Comply with law: meet our legal obligations

4. AI and Your Data

ioZen uses AI to power features like form generation, field intelligence, and automation. Here is how we handle your data in relation to AI:

  • AI features only process data as needed to deliver the specific functionality you request
  • Private fields are never sent to AI models. You control which fields interact with AI.
  • We do not use your data to train AI models. Your Content is not used to train, fine-tune, or improve any AI or machine learning models, whether ours or third-party.
  • AI requests are routed through Vercel AI Gateway to providers including OpenAI, Anthropic, Google, and xAI. All are bound by data processing agreements (see Subprocessor List).

5. How We Share Your Information

We do not sell your personal information. We never have and never will.

We may share your information with:

5.1 Service Providers

Third-party companies that help us operate the Service, including:

  • Hosting and infrastructure: Supabase, Vercel
  • CDN and security: Cloudflare
  • Payment processing: Stripe
  • AI processing: OpenAI, Anthropic, Google, and xAI via Vercel AI Gateway (see Subprocessor List)

All service providers are bound by data processing agreements and confidentiality obligations. See our full Subprocessor List.

5.2 Advertising Platforms (Customer-Controlled)

When customers enable conversion tracking, we send server-side conversion events to advertising platforms on their behalf:

  • Meta (Facebook/Instagram): via Conversions API
  • Google: via Measurement Protocol
  • LinkedIn: via Conversions API
  • TikTok: via Events API

Important: All personally identifiable information (such as email and phone number) is SHA-256 hashed before transmission to these platforms. Raw PII is never sent. Customers control which platforms receive data and can disable conversion tracking at any time. ioZen acts as a processor. The customer is the controller who decides whether to enable this feature.

We may disclose information when required by law, regulation, court order, or governmental authority.

5.4 Business Transfers

In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

We may share information for other purposes with your explicit consent.

6. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit: all data transmitted via TLS 1.3
  • Encryption at rest: database encryption using AES-256
  • Access controls: role-based permissions and authentication
  • Private fields: sensitive data stored in isolated tables, never exposed to AI
  • Encrypted fields: highest-sensitivity data stored in encrypted vault (Supabase Vault)
  • Regular assessments: ongoing security reviews and monitoring
  • Infrastructure: built on SOC 2 Type II certified providers (Supabase, Vercel, Cloudflare)

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

7. Data Retention

  • Active accounts: We retain your data for as long as your account is active
  • After deletion: When you delete your account, we delete or anonymize your data within 30 days, except where retention is required by law (e.g., billing records, legal disputes)
  • Usage logs: Automatically deleted after 12 months
  • Backups: Removed from backups within 90 days of deletion

8. International Data Transfers

Your data may be processed in Canada and the United States, where our service providers operate.

For transfers from the EEA/UK, we rely on:

  • Adequacy decisions (Canada is recognized as adequate by the EU)
  • Standard Contractual Clauses (SCCs) with US-based providers
  • Supplementary measures as needed

9. Your Privacy Rights

9.1 For Everyone

Regardless of your location, you can:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and data
  • Export your data in a portable format
  • Opt out of marketing communications

9.2 European Economic Area and UK (GDPR)

If you are in the EEA or UK, you also have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Data portability: receive your data in a structured, machine-readable format
  • Withdraw consent at any time (without affecting prior processing)
  • Lodge a complaint with your local data protection authority

Data Protection Contact: privacy@iozen.ai

We are in the process of appointing an EU representative under GDPR Article 27. Until then, please direct inquiries to privacy@iozen.ai.

9.3 California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Correct inaccurate personal information
  • Opt out of sale or sharing: ioZen does not sell your personal information. When customers enable conversion tracking, hashed data may be shared with advertising platforms on the customer’s behalf. The customer (not ioZen) controls this sharing.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information we collect: Identifiers (name, email, IP address), internet/electronic activity (usage data), commercial information (subscription details), professional information (workspace data).

Categories we disclose to service providers: Identifiers, internet/electronic activity (for hosting, analytics, and payment processing).

To exercise your CCPA rights, contact us at privacy@iozen.ai or visit our Do Not Sell page.

9.4 Canada (PIPEDA / BC PIPA)

If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in British Columbia, the Personal Information Protection Act (PIPA):

  • Access your personal information held by us
  • Correct inaccurate information
  • Withdraw consent for collection, use, or disclosure (subject to legal or contractual restrictions)
  • Challenge compliance by filing a complaint with the Office of the Privacy Commissioner of Canada

We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate, and with your knowledge and consent.

9.5 Mexico (LFPDPPP)

If you are in Mexico, you have ARCO rights under the Federal Law on Protection of Personal Data Held by Private Parties:

  • Acceso (Access): know what data we have about you
  • Rectificación (Rectification): correct inaccurate data
  • Cancelación (Cancellation): request deletion of your data
  • Oposición (Opposition): object to processing of your data

To exercise your ARCO rights, contact us at privacy@iozen.ai. We will respond within 20 business days.

9.6 How to Exercise Your Rights

To exercise any privacy right:

  1. Email us at privacy@iozen.ai with your request
  2. We may verify your identity before processing the request
  3. We will respond within 30 days (or sooner if required by applicable law)
  4. There is no fee for the first request in any 12-month period

10. Children’s Privacy

The Service is not intended for children under 16 years of age (or under 13 in jurisdictions where that is the applicable threshold, such as the United States under COPPA). We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

11. Data Breach Notification

In the event of a data breach affecting your personal data:

  • We will notify the relevant supervisory authorities within 72 hours as required under GDPR
  • We will notify affected individuals without undue delay if the breach poses a high risk to their rights
  • We will comply with breach notification requirements in all applicable jurisdictions (PIPEDA, CCPA, LFPDPPP, etc.)

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes:

  • We will notify you by email at least 30 days in advance
  • We will update the “Last updated” date at the top of this page
  • We will post a notice on the Service

Your continued use after changes take effect constitutes acceptance.

13. Contact Us

If you have questions about this Privacy Policy or our data practices:

For GDPR-related complaints, you also have the right to lodge a complaint with your local data protection authority.