Privacy Policy

When you visit our website or blog (without creating an account):

• Technical data: IP address, user-agent, timestamp, page viewed
• Audience measurement and advertising cookies (only with your consent)
• Identifiers tied to advertising campaigns (cookies _fbp, _fbc, _ga) — see our cookie policy

When you create a Zenask account:

• Name, email, hashed password (Argon2), billing information (Stripe)
• Content you create: AI agent configuration, products, offers, brand voice, uploaded files
• Conversations: messages exchanged between your visitors and your AI agent, including user identifiers provided by the channel
• Meta / Instagram data (only if you connect an Instagram account): business account ID and name, message content, basic profiles of people who message you, as returned by Meta’s Graph API

When you book a call via Cal.com: email, first name, last name, phone number (if provided) and selected time slot. This information is processed by Cal.com as a data processor and forwarded to Zenask.

We process your data for the following purposes:

• Provide and operate the Service (authentication, agent hosting, inbox, payments) — performance of a contract (Art. 6.1.b GDPR)
• Send transactional emails (account, security, billing) — performance of a contract
• Measure audience and advertising effectiveness on our website and blog (Meta Pixel, Meta Conversions API, Google Analytics, Linkjolt) — consent (Art. 6.1.a GDPR), revocable at any time
• Advertising targeting and retargeting on Meta — consent
• Fraud prevention, security and logging — legitimate interest (Art. 6.1.f)
• Accounting and legal obligations — legal obligation (Art. 6.1.c)

We do not sell your data. We do not use the content of your conversations to train AI models.

On our public website and blog, we use measurement and advertising tools to evaluate the effectiveness of our campaigns and adapt our content. None of these tools is loaded until you have given your consent via our cookie banner.

• Meta Pixel (Meta Platforms Ireland Ltd.) — browser-side tracking of visits and clicks on our “Book a call” buttons. Cookies _fbp and _fbc are set.
• Meta Conversions API (CAPI) — server-side dispatch of the same events to Meta to improve measurement reliability (bypassing ad blockers). The data transmitted is the same as for the Pixel, with email / first name / last name / phone fields hashed in SHA-256 when available.
• Google Analytics 4 (Google Ireland Ltd.) — aggregated audience measurement. Cookies _ga, _gid.
• Microsoft Clarity (Microsoft Corporation) — audience measurement, heatmaps and anonymized session replay to understand how our website is used. Cookies _clck and _clsk. Replays do not include sensitive input fields (masked by default).
• Linkjolt — attribution of visits coming from our campaign links.

See the full breakdown (name, duration, purpose, issuer) in our cookie policy.

When a visitor books a call via Cal.com, Zenask sends Meta a so-called “Schedule” event via the Conversions API. This event contains: the visitor’s email, first name, last name and possibly phone number, all hashed in SHA-256 before transmission.

The legal basis for this processing is legitimate interest (Art. 6.1.f GDPR): measuring the effectiveness of our advertising campaigns on actually booked calls. We consider that this legitimate interest prevails over the visitor’s rights for the following reasons:

• The visitor voluntarily filled out a booking form — a positive, free and informed act
• The data transmitted is limited to what is strictly necessary
• All identifying data is irreversibly hashed before transmission (data minimization)
• The visitor can object to processing at any time by writing to admin@zenask.ai
• Cancelling the appointment on Cal.com also stops any further processing tied to that appointment

We share the minimum data necessary with the following sub-processors, all contractually committed to GDPR compliance:

• Amazon Web Services (AWS) — hosting and file storage (EU / Ireland region)
• Stripe — payment processing (IE / USA, Data Privacy Framework)
• Google Ireland Ltd. (Gemini, Analytics) — LLM inference and audience measurement
• Microsoft Corporation (Clarity) — audience measurement and heatmaps (USA, Data Privacy Framework + SCC)
• xAI (Grok), OpenAI — LLM inference (USA, SCC); these providers act as data processors and do not train their models on our data
• Meta Platforms Ireland Ltd. — Instagram Graph API (product) + Meta Pixel / Conversions API (advertising measurement)
• Cal.com, Inc. — appointment booking
• Axeptio — cookie consent management (CMP, hosted in France)
• Resend — transactional email delivery
• Linkjolt — advertising attribution

Some sub-processors (Stripe, OpenAI, xAI, Meta, Cal.com) may process personal data outside the European Union, in particular in the United States. In that case, we rely on:

• the Standard Contractual Clauses (SCC) adopted by the European Commission;
• the Data Privacy Framework (DPF) for certified providers (Meta, Google, Stripe).

• Account and billing data: throughout the duration of your subscription, then 10 years for accounting obligations
• Conversations and Meta / Instagram messages: as long as your account is active or until you delete them
• Technical logs: 90 days
• Cookie consent records: 3 years (per CNIL recommendations)
• Audience measurement and advertising data: 13 months maximum (standard lifetime of Meta and Google cookies)

Upon deletion of your account, we delete or anonymize your personal data within 30 days, except for what we are legally required to retain.

Under the GDPR, you have the rights of access, rectification, erasure, portability, restriction, objection, and the right to withdraw your consent at any time. You may also set post-mortem instructions concerning your data.

To exercise these rights, write to admin@zenask.ai — we will respond within a maximum of 30 days.

You may also lodge a complaint with the CNIL (the French data protection authority).

We use cookies and similar trackers. The full breakdown — name, purpose, duration, issuer — is in our cookie policy. You can change your preferences at any time via the “Manage my cookies” link in the footer.

This section details which data from your Instagram account we access via the Meta API, for what purposes, and how it is protected and deleted. It complements section 1 with a focus on the Instagram connection.

Permissions requested and data accessed

When you connect an Instagram account to Zenask via Instagram Login, you grant us the following permissions:

• instagram_business_basic — account ID (ig_user_id), username, profile picture, account type (business / creator), display name.
  Usage: display the connected account in your dashboard, route incoming webhook events to the right Zenask agent, identify the sender when they message you in DM.
• instagram_business_manage_messages — text content of incoming direct messages (DMs), attachments (images, videos, audio, story or post shares), sender ID and basic profile, timestamps, read receipts.
  Usage: display conversations in your Zenask inbox; allow your AI agent to draft and send automated replies on your behalf (when this feature is enabled); allow a human operator (you or a member of your team) to take over and reply manually (“Human Agent” feature).
• instagram_business_manage_comments — content of comments on your Instagram posts, comment author ID and name, related post ID.
  Usage: display comments in the Zenask inbox, allow your AI agent to reply publicly, or to initiate a private conversation in DM in response to a comment.

Processing by our AI

The content of messages and comments received via Instagram is sent to the language models (LLMs) listed in section 5 (Google Gemini, OpenAI, xAI Grok) so that your agent can understand and craft a reply. These providers act as data processors within the meaning of Article 28 GDPR: they process the data solely to generate the requested reply, do not retain it durably, and do not train their models on your data. Your Instagram data is never shared with third parties for advertising, marketing or resale purposes.

Storage and security

• Instagram access tokens are encrypted at rest (AES-GCM) in our database.
• All Meta data is stored within the European Union (AWS region eu-west-3, Paris).
• API transfers happen exclusively over TLS 1.2+.
• Access to production systems is restricted to a limited number of people and logged.

Information for Instagram users

When an Instagram user messages you, their messages are processed by Zenask on behalf of your account. As the account owner, you are responsible for configuring your agent — Zenask provides the necessary tools (system instructions, introduction message, customizable prompts) so that your agent answers honestly and transparently when a follower explicitly asks whether they are interacting with an artificial intelligence, in line with transparency best practices and Meta’s Platform Terms.

Retention and deletion

Meta / Instagram data is retained as long as your Zenask account is active and the Instagram connection is not revoked. Several deletion mechanisms exist:

• Disconnection from Zenask: from your dashboard, you can disconnect your Instagram account at any time. This immediately revokes the access token, stops webhook reception, and schedules deletion of the associated data within 30 days.
• Removal from Instagram: if you remove Zenask from your Instagram settings (“Apps and Websites → Remove”), Meta automatically notifies us via the deauthorize_callback. We immediately mark the connection as disconnected.
• Deletion request via Meta: if you check “Also delete my data” when removing the app from Instagram, Meta notifies us via the data_deletion_callback. We permanently delete the associated data within 30 days.
• Manual request: send an email to admin@zenask.ai from the address linked to your account. We process your request within 30 days.

Zenask is not intended for individuals under 16 (European Union) or under 13 (other jurisdictions). We do not knowingly collect data from minors below these thresholds. If we learn that a Zenask account belongs to a minor, we delete it. If you believe a minor has shared personal data with us, contact admin@zenask.ai.

Passwords are hashed using Argon2. Sessions use signed JWTs stored in HTTP-only cookies. Data in transit is encrypted via TLS. Access to production systems is restricted and logged.

We may update this policy. Material changes will be notified to you by email or in the product before they take effect.