# Zing — Privacy Policy
**Effective Date:** June 16, 2026
**Last Updated:** June 16, 2026
This Privacy Policy describes how Zing Technologies, Inc. ("Zing", "we", "us", "our") collects, uses, and protects information about users of the Zing platform, including both Merchants (business owners) and Customers (end users placing orders).
---
## 1. Information We Collect
### 1.1 Information Provided Directly
**From Customers:**
- Name (first and last)
- Phone number (E.164 format — used as canonical customer identifier)
- Email address (optional)
- Order details (items, modifiers, pickup time, special instructions)
- Payment information (processed by Stripe — Zing does not store card numbers)
- SMS opt-in status and timestamp
**From Merchants:**
- Business name, address, and contact information
- Menu data (items, prices, modifiers)
- Business hours and operational settings
- Stripe Connect account information (for payment processing)
- Twilio phone number (for voice and SMS)
### 1.2 Information Collected Automatically
- Order history and order lifecycle events
- Voice session metadata (duration, outcome, language)
- Call transcripts (with recording consent — see Section 4)
- Behavioral data for the Intelligence Engine:
- Modifier preferences (items added per order)
- Item co-occurrence patterns (items frequently ordered together)
- Sunday ordering patterns
- Re-engagement event logs (SMS sent/clicked/converted)
- Upsell event logs (suggestions shown, accepted, declined)
### 1.3 Technical Information
- IP address (for rate limiting and fraud detection)
- Device type and browser (for checkout UI optimization)
- Vercel Edge Network metadata (anonymized)
---
## 2. How We Use Information
### 2.1 Service Delivery
- Process orders and payments
- Send transactional SMS (order confirmation, status updates)
- Power the AI phone agent (menu lookup, order placement)
- Enable repeat customer recognition ("Welcome back, J.")
### 2.2 Intelligence Engine (Personalization)
Zing's Intelligence Engine uses behavioral data to:
- Recommend modifiers a customer frequently adds (Personalized Upsell)
- Suggest items frequently ordered together (Smart Basket AI)
- Surface Sunday Special offers to Sunday regulars
- Power re-engagement SMS for lapsed regulars
**Data minimization:** The Intelligence Engine uses aggregated preference counts (e.g., "customer added Bacon 4 times"), not raw order-by-order logs for profiling.
### 2.3 Marketing SMS
Marketing SMS is sent only to customers who have explicitly opted in (see Section 5 of the Terms of Service). Opt-out is honored immediately.
### 2.4 Service Improvement
- Call transcripts are used to identify agent errors and improve prompts
- Upsell event data is used to improve suggestion relevance
- No data is sold to third parties
---
## 3. Data Sharing
### 3.1 Merchants
Customer data collected during an interaction with a Merchant's Zing channel is accessible to that Merchant. Merchants may view order history, customer profiles, and call logs for their own business only.
Data is NOT shared between Merchants.
### 3.2 Third-Party Processors
| Processor | Purpose | Data Shared |
|-----------|---------|-------------|
| Stripe | Payment processing, Connect payouts | Payment method, order total |
| Twilio | SMS delivery, phone calls | Phone number, SMS content |
| Supabase | Database hosting | All customer and order data |
| Deepgram | Voice transcription (STT) | Audio stream during active calls |
| Cartesia | Voice synthesis (TTS) | Text responses during active calls |
| OpenAI/GPT | AI phone agent reasoning | Anonymized call context, menu |
| Vercel | Platform hosting | Application logs (no PII in logs) |
| Sentry | Error monitoring | Sanitized error reports |
### 3.3 Legal Requirements
We may disclose information if required by law, court order, or to protect the rights and safety of Zing, Merchants, or Customers.
---
## 4. Call Recording and AI Disclosure
- Calls to Zing-powered phone lines may be recorded.
- An AI disclosure is made at the start of every call.
- In all-party consent states, verbal consent is obtained before recording begins.
- Recording consent is logged with timestamp in the `voice_sessions` table.
- Recordings are stored for up to 90 days, then deleted.
- Transcripts are retained as long as the Merchant's account is active.
See the full [AI Disclosure Policy](/legal/ai-disclosure) for state-by-state rules.
---
## 5. Data Retention
| Data Type | Retention Period |
|-----------|-----------------|
| Order records | Indefinite (business records) |
| Customer profiles | Until deletion request |
| Customer preferences | Until deletion request |
| Call recordings | 90 days |
| Call transcripts | Account lifetime |
| Re-engagement events | 2 years |
| Upsell events | 2 years |
| Voice session metadata | 2 years |
---
## 6. Your Rights (CCPA / GDPR-adjacent)
You have the right to:
- **Access:** Request a copy of data we hold about you.
- **Deletion:** Request deletion of your personal data. (Note: Merchants retain order records as business records and may not be able to delete all data.)
- **Correction:** Request correction of inaccurate data.
- **Opt-out of marketing SMS:** Reply STOP to any SMS.
- **Do Not Sell:** Zing does not sell personal data.
**To exercise these rights:** Email privacy@zing.app with "Data Request" in the subject line.
**Response time:** 30 days for access requests; 45 days for deletion requests.
---
## 7. Security
- All data is transmitted over TLS (HTTPS).
- Supabase Row-Level Security enforces tenant data isolation — Merchant A cannot access Merchant B's data.
- Phone numbers in the voice worker are masked in logs.
- Stripe card data is never stored by Zing.
- Service-role Supabase credentials are used only in server-side API routes.
---
## 8. Children's Privacy
Zing does not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, contact privacy@zing.app.
---
## 9. Changes to This Policy
We will notify Merchants of material changes via email at least 30 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
---
## 10. Contact
**Zing Technologies, Inc.**
Email: privacy@zing.app
---
*This policy was drafted for Zing. It should be reviewed by qualified legal counsel with expertise in CCPA, TCPA, and AI/ML privacy requirements before production launch.*