Zeno – Privacy Policy
Last updated: 25 November 2025
Effective from: 25 November 2025
Zeno AI Limited (“Zeno”, “we”, “us”, or “our”) respects your privacy and is committed to protecting the personal data we hold about you.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use:
the Zeno mobile application,
any related websites, and
any other online products or services that link to this Privacy Policy
(together, the “Service”).
This Privacy Policy forms part of the Zeno Terms and Conditions of Use. If you do not agree with this Privacy Policy, you must not use the Service.
This Privacy Policy applies to users worldwide. Additional information for users in Hong Kong, the EEA/UK/Switzerland, and certain US states (including California) is set out in dedicated sections below.
1. Who we are and our role under different laws
Zeno AI Limited is a company incorporated in Hong Kong that provides an AI-powered self-reflection and mental-wellness companion designed to help you explore your thoughts, emotions, habits, and patterns over time.
Our contact details are in Section 13 (How to contact us).
Under different privacy laws, we are:
A “data user” for the purposes of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
A “controller” for the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR (together, “GDPR”).
A “business” for the purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and similar US state privacy laws where they apply.
2. What this Policy covers
This Policy explains:
what personal data we collect about you;
how we use and share that data;
the legal bases we rely on (where applicable);
how long we keep your data;
your rights and choices; and
how to contact us with questions or concerns.
This Policy does not apply to information processed solely by third parties (for example, your therapist’s own records) once you share data or a therapist report with them. In those cases, their own privacy policies and professional duties apply.
3. Eligibility and sensitive nature of data
Our Service is only available to people who:
are at least 17 years old, and
have legal capacity to enter into a binding agreement in their country of residence.
If you are under 18, you must have permission from a parent or legal guardian to use the Service, and they must agree to our Terms and this Privacy Policy on your behalf.
Because Zeno is a mental-wellness and self-reflection companion, your User Content (journal entries, check-ins, reflections) can be highly sensitive. We treat this as confidential and use it as described in this Policy.
4. Personal data we collect
“Personal data” (also called “personal information”) means any information relating to an identified or identifiable person.
4.1 Data you provide directly
We collect the following categories of data when you create an account, use the Service, or communicate with us:
a) Account Information
Name (or chosen display name)
Email address or other login identifier
Password or authentication credentials (stored in hashed form)
Subscription and transaction history (e.g. Apple/Google receipt references, plan type)
b) Check-ins, journaling and conversation content (“User Content”)
When you use Zeno, you may choose to share:
messages and conversations with Zeno
daily check-ins (e.g. sleep quality, happiness ratings, gratitude entries, wins of the day)
longer reflections and journaling entries
dreams or other emotional notes you record in the app
any other free-text content you type into Zeno
This content may include sensitive personal data, such as details about your mental health, relationships, physical health, beliefs, or past experiences. You decide what to share.
c) Therapist reports and exports
If you use the Therapist Report or similar export feature, we process:
the content included in the report (summaries of your check-ins, patterns, notable topics)
the export format (e.g. PDF, text)
any email address or sharing method you choose, if the report is sent from within the app
You control whether a report is generated and with whom you share it.
d) Communication Information
If you contact us (for example by email or in-app support):
your name and contact details
the content of your messages
any attachments or files you send us
e) Surveys, feedback, and beta features
If you take part in optional surveys, research interviews, beta tests, or provide feedback, we may collect:
your responses and feedback
demographic information you choose to provide (e.g. age range, approximate location, general background)
preferences and suggestions about the app
You do not have to participate in these activities to use the core Service.
4.2 Data we collect automatically when you use the Service
When you install, access, or use the Service, we automatically collect certain technical data (“Technical Information”), such as:
a) Log Data
IP address
date and time of access
app version and build
pages, screens, or features you access
error logs and crash reports
b) Usage Data
how often you open the app
which features you interact with (e.g. check-ins, journaling, insights, therapist report)
time zone and general location (e.g. country) inferred from your device or IP
interactions with notifications or in-app messages
c) Device Information
device type and model
operating system and version
language settings
mobile network information (where relevant)
d) Cookies and similar technologies (for web)
On our websites, we use cookies and similar technologies to:
keep you logged in;
remember your preferences;
understand how people use the site;
improve performance and security.
You can usually control cookies through your browser settings. If you disable certain cookies, some features may not work correctly.
4.3 Data from third parties
We may receive personal data about you from third parties, such as:
App stores and payment processors (Apple, Google, Stripe, etc.): purchase confirmations, subscription status, country, and limited transaction information (we do not receive your full card number).
Authentication providers (if used): basic profile and login data where you choose social or single sign-on.
Analytics and error-reporting providers: crash logs, performance data, and general usage analytics.
Marketing providers (if you opt in): email open/interaction data, campaign performance.
We do not buy personal data about you from data brokers or sell your personal data to others.
5. How we use your personal data
We use your personal data for the following purposes:
5.1 To provide and maintain the Service
Creating and managing your account
Delivering core features (check-ins, journaling, conversations with Zeno, insights, therapist reports)
Displaying trends and patterns over time (e.g. sleep vs. mood)
Processing payments, subscriptions, and billing via Apple, Google, or other providers
Sending administrative information such as changes to terms, privacy policy, or service updates
5.2 To help you reflect and understand patterns
Generating conversational responses from Zeno
Providing summaries, reflections, and insights on your entries
Highlighting trends (for example, persistent low sleep or happiness scores)
Suggesting relevant prompts or topics to explore, based on your past use
5.3 To operate, secure, and improve the Service
Monitoring system performance and preventing abuse or misuse
Debugging issues and fixing bugs
Improving existing features and developing new ones
Running analytics to understand general usage patterns (e.g. which features are used most)
Producing aggregated or de-identified statistics that no longer identify individuals
We may use User Content and Technical Information in aggregated or de-identified form to improve our models and features. We aim not to identify you from this aggregated or de-identified data and will not attempt to re-identify it unless required by law.
5.4 To communicate with you
Responding to your support requests or questions
Sending you service-related messages (e.g. reminders, helpful tips, app changes)
With your consent, sending optional updates or content about mental-health education, product news, or offers
You can unsubscribe from non-essential marketing emails at any time using the link in the email or via app settings (where available).
5.5 To ensure safety, prevent misuse, and comply with law
Detecting and preventing fraud, abuse, or security incidents
Enforcing our Terms and Conditions
Responding to valid legal requests or obligations
Protecting our rights, property, and the safety of users and the public
6. Legal bases for processing (EEA, UK, Switzerland)
Where GDPR or similar laws apply, we rely on one or more of the following legal bases:
Performance of a contract
To provide and maintain the Service, including processing your Account Information, User Content, and Technical Information, where this is necessary to fulfil our agreement with you.
Legitimate interests
To operate, secure, and improve the Service; to prevent fraud and abuse; to understand usage; and to develop new features. We balance these interests against your rights and privacy expectations.
Consent
For certain activities (such as specific marketing, optional surveys, or where required for particular cookies/analytics), we rely on your consent. You may withdraw your consent at any time via the methods provided, without affecting the lawfulness of processing before withdrawal.
Legal obligation
To comply with applicable laws, regulations, and legal processes (for example, tax and accounting obligations, or responding to lawful requests from public authorities).
7. How we share your personal data
We do not sell your personal data, and we do not share it for cross-context behavioural advertising or targeted advertising under applicable US state laws.
We share personal data only in the limited circumstances below.
7.1 Service providers (“processors”)
We work with trusted third-party service providers who help us operate our business and the Service, such as:
cloud hosting and storage providers;
database and infrastructure providers;
analytics and crash-reporting tools;
customer support and email delivery services;
payment processors and app stores (Apple, Google, etc.);
AI infrastructure providers used to generate responses.
These providers may access your personal data only to perform services on our behalf, under appropriate contractual safeguards, and must not use it for their own unrelated purposes.
7.2 Therapists or other professionals you choose to share with
If you use the Therapist Report or similar export feature, you may choose to:
download the report;
send it by email; or
otherwise share it with a therapist or other professional.
Once you share a report or any content with a third party, their privacy and confidentiality policies apply. We cannot control or be responsible for how they store, interpret, or use that information.
We do not automatically send any of your data to a therapist or third party unless you explicitly instruct us to do so.
7.3 Business transfers
If we are involved in a merger, acquisition, restructuring, sale of assets, or similar corporate transaction, your personal data may be transferred to the relevant third party as part of that transaction, subject to this Privacy Policy and applicable law.
7.4 Legal and safety reasons
We may disclose your personal data to courts, regulators, law-enforcement, or other third parties when we believe it is reasonably necessary to:
comply with a legal obligation or valid legal request;
protect our rights, property, or safety, or that of our users or the public;
enforce our Terms and Conditions;
detect, prevent, or address fraud, security, or technical issues.
7.5 Affiliates
We may share personal data with our group companies or affiliates (entities that control, are controlled by, or are under common control with Zeno) so long as they process it in a way that is consistent with this Privacy Policy.
8. International data transfers
Zeno is a Hong Kong company, and many of our service providers are based in other countries. This means your personal data may be transferred to and processed in countries that may have different data-protection laws from your own.
Where required by law (for example, for transfers from the EEA/UK/Switzerland), we implement appropriate safeguards, such as:
standard contractual clauses approved by relevant regulators; and/or
other lawful transfer mechanisms.
We also comply with relevant data protection principles under the Hong Kong PDPO, including requirements around cross-border data transfers and security measures.
Regardless of where your data is processed, we handle it as described in this Privacy Policy.
9. Data retention
We retain your personal data only for as long as necessary to:
provide and improve the Service;
maintain business records;
comply with legal obligations;
resolve disputes and enforce our agreements.
In general:
Account and profile data are retained while your account is active.
User Content (check-ins, journals, conversations) is retained until you delete it or delete your account, subject to reasonable backup and archival practices.
Technical logs and analytics data are typically retained for shorter periods (for example, months rather than years), unless needed for security, legal, or operational reasons.
Aggregated or de-identified data (which cannot reasonably be linked back to you) may be retained for longer to help us improve and understand the Service.
If you delete your account, we will take reasonable steps to delete or anonymise your personal data, except where we are required or permitted to keep certain data (for example, for legal, tax, regulatory, fraud-prevention, or security purposes).
10. Your rights and choices – global overview
Depending on your location and applicable law, you may have some or all of the following rights:
Access:
Request a copy of the personal data we hold about you.
Rectification:
Request correction of inaccurate or incomplete personal data.
Erasure (“right to be forgotten” / deletion):
Request deletion of your personal data, in certain circumstances.
Restriction:
Request that we limit the processing of your personal data in specific situations.
Data portability:
Request a structured, commonly used, and machine-readable copy of certain information you have provided to us.
Object:
Object to our processing where we rely on legitimate interests, including profiling conducted on that basis, and to direct marketing.
Withdraw consent:
Where we rely on consent, withdraw that consent at any time (this will not affect processing that has already happened).
You can exercise some of these rights directly in the app (for example, by editing or deleting entries). For other requests (such as full access or account deletion), you can contact us using the details in Section 13.
We may need to verify your identity before completing your request. Where permitted by law, we may refuse or limit a request if it is manifestly unfounded, excessive, or would infringe the rights of others, but we will explain our reasoning where we are legally able to do so.
11. Additional information for Hong Kong users (PDPO)
If you are located in Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) gives you certain rights in relation to your personal data.
11.1 Data user
For PDPO purposes, Zeno AI Limited is the data user in respect of your personal data collected and used via the Service.
11.2 Access and correction rights
Under the PDPO, you have the right to:
request access to personal data we hold about you; and
request correction of personal data that you consider inaccurate.
We may charge a reasonable fee for processing a data access request, in accordance with the PDPO, but not for a data correction request.
Requests can be made using the contact details in Section 13. We will respond in accordance with PDPO requirements.
12. Additional information for EEA, UK and Swiss users (GDPR)
If you are located in the EEA, the UK, or Switzerland, this section applies in addition to the rest of the Policy.
12.1 Controller details
For users in:
EEA / Switzerland: Zeno AI Limited is the controller of your personal data.
UK: Zeno AI Limited is also the controller.
If we appoint an EU or UK representative in future, we will update this Policy with their details.
12.2 Your rights under GDPR
In addition to the rights described in Section 10, you have the right to:
Lodge a complaint with a supervisory authority, in particular in the Member State or country where you live or work, or where you believe an infringement of data protection law has occurred.
We encourage you to contact us first so that we can try to resolve your concerns directly.
12.3 Automated decision-making and profiling
We use algorithms and AI models to generate responses and identify patterns in your entries. This may involve a limited form of profiling in the sense of GDPR (e.g. understanding patterns in your sleep and mood scores to generate insights).
However:
We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you without meaningful human involvement, within the meaning of Article 22 GDPR.
Our insights are advisory and reflective; they do not make binding decisions about your access to services, employment, credit, insurance, or similar areas.
13. Additional information for California and certain US state residents
If you are a resident of California or a US state with a similar consumer privacy law, this section applies in addition to the rest of the Policy.
13.1 Categories of personal information
In the 12 months prior to the “Last updated” date of this Policy, we may have collected the following categories of personal information (as defined in CCPA):
Identifiers (e.g. name, email address, device identifiers, IP address)
Commercial information (e.g. subscription and transaction history)
Internet or other electronic network activity information (e.g. usage data, log data, device information)
Geolocation data (approximate, such as country or city inferred from IP)
Audio/visual content only if you choose to send it to us in support interactions
Sensitive personal information that you voluntarily provide (e.g. health-related or mental-wellness-related comments in your entries)
13.2 “Selling” or “sharing” personal information
We do not:
“sell” personal information,
“share” personal information for cross-context behavioural advertising, or
process personal information for targeted advertising,
as these terms are defined under CCPA/CPRA and similar state laws.
We also do not use or disclose sensitive personal information for purposes other than those permitted under applicable law (for example, providing the Service that you request and ensuring security and integrity).
13.3 Your US state privacy rights
Subject to applicable exceptions, residents of California and certain other US states have the right to:
Know the categories and specific pieces of personal information we have collected about you.
Delete personal information we have collected from you.
Correct inaccurate personal information we hold about you.
Access your personal information in a portable format (where feasible).
Be free from discrimination for exercising your privacy rights.
You or your authorised agent can submit a request using the contact methods set out in Section 13. We may take reasonable steps to verify your identity (or your agent’s authority) before fulfilling your request.
14. Children, crisis situations, and limits of the Service
14.1 Children
The Service is not intended for children under 17, and we do not knowingly collect personal data from anyone under 17.
If we learn that we have collected personal data from a child under this age threshold, we will take reasonable steps to delete it. If you believe a child under 17 has provided us with personal data, please contact us using the details in Section 13.
Users aged 17–18 must have parental or guardian permission to use the Service; the guardian is responsible for ensuring the young person’s understanding of this Policy and our Terms.
14.2 Crisis and emergencies
Zeno is not an emergency or crisis service and does not provide real-time monitoring or intervention.
If you:
feel you might harm yourself or someone else;
are in immediate danger; or
are experiencing a medical or psychiatric emergency,
you must immediately contact local emergency services, a crisis hotline, or a licensed health professional. Do not rely on the Service in these situations.
15. Security
We implement commercially reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or destruction. These measures may include:
encryption in transit and at rest (where applicable);
access controls and authentication;
regular security monitoring and updates;
staff training and confidentiality obligations for authorised personnel.
However, no system is completely secure. We cannot guarantee absolute security of your data or that unauthorised third parties will never be able to defeat our measures.
If we become aware of a data-security incident that affects your personal data, and we are legally required to notify you, we will do so within the time frame required by applicable law.
16. How to contact us
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, you may contact us at:
Zeno AI Limited
1/F., Hing Lung Commercial Building,
68–74 Bonham Strand,
Sheung Wan,
Hong Kong
Email: hello@zenoai.app
If you are in the EEA, UK, or Switzerland, you may also have the right to contact your local data-protection authority. We encourage you to reach out to us first so we can try to resolve any concerns directly.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect:
changes in law or regulatory requirements;
changes to our Service or business practices; or
improvements to how we explain our practices.
When we make material changes, we will provide reasonable notice (for example, through the app or by email) and indicate the “Last updated” date at the top of the Policy. Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes. If you do not agree, you must stop using the Service and may request deletion of your account.