Z
Zeerus

Privacy Policy

Last updated: [DRAFT — insert date of legal review]

This is a working draft prepared to reflect what Zeerus actually collects, stores, and shares today. It has not been reviewed by a lawyer and should not be relied on for real customers until it is. Bracketed items need a decision from you (or your lawyer) before this goes live.

1. Scope

This policy explains how Zeerus collects, uses, and protects personal information. It covers two different groups of people:

  • Agency users — you and your team, who create Zeerus accounts to use the Service.
  • Your clients— the people whose information your agency enters into Zeerus (names, contact details, policy information). For your clients' data, your agency is the data controller and Zeerus acts as a processor — see our Data Processing Addendum for that relationship. This section still explains, transparently, what we do with that data on your behalf.

2. Information we collect

From agency users, directly:

  • Name, email address, and password (hashed — we never see or store your plaintext password);
  • Agency name and mailing address;
  • Billing information, handled directly by Stripe — we store a Stripe customer/subscription reference, not your card details;
  • Anything you enter into the Service, including notes, uploaded documents, and support/feedback messages.

On behalf of agency users, about their clients:

  • Name, email, phone, mailing address;
  • Birthday and anniversary (used for reminders);
  • Insurance policy details: carrier, policy number, premium, renewal and review dates, commission information;
  • Notes and activity history your agency records (calls, emails, meetings);
  • Whether the client has consented to receive automated email reminders (required under CASL before we send any).

Collected automatically:

  • Standard web server logs (IP address, browser type, pages visited) for security and troubleshooting;
  • A session cookie used to keep you signed in, set by our authentication provider (Supabase).

3. How we use this information

  • To provide the Service — storing and displaying your book of business, sending renewal/reminder emails you've configured, processing your subscription payment;
  • To communicate with you about your account, billing, and material changes to the Service;
  • To maintain an audit log of changes made in your workspace, for your own accountability and dispute resolution — this log cannot be edited or deleted through the app;
  • To detect, investigate, and prevent fraud, abuse, or security incidents;
  • To improve the Service. [If you ever use aggregated/anonymized usage data for product analytics, say so explicitly here.]

We do not sell personal information, and we do not use your clients' personal information for any purpose other than providing the Service to your agency.

4. Legal basis and consent (PIPEDA)

We handle personal information in line with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA): we only collect what's reasonably needed to provide the Service, we don't use it for unrelated purposes, and we give you tools to access, correct, and delete data. For automated emails to your clients, the Service requires your agency to record that a client has consented before those emails are sent, in line with CASL.

5. Where your data is stored

Zeerus's database is hosted on Supabase infrastructure in the ca-central-1 (Canada) region. [Confirm: does anything — file storage, backups, logging — live outside Canada? Say so here if so; data residency claims need to be accurate for every subprocessor, not just the primary database.]

6. Who we share information with

We share information with a small number of service providers who help us run Zeerus, each bound by their own privacy and security commitments:

  • Supabase — database, authentication, and file storage;
  • Vercel — application hosting;
  • Stripe — subscription billing and payment processing;
  • Resend — sending transactional and reminder emails on your behalf;
  • Sentry — error monitoring, hosted in the EU, to help us detect and fix bugs.

Some of these providers operate infrastructure outside Canada as part of their global service (for example, Stripe's payment processing, and Sentry's EU hosting). [Confirm each subprocessor's data location and add specifics here — this matters for customers with strict data residency requirements.]We don't share personal information with anyone else, except where required by law or to protect the rights, safety, or property of Zeerus, our users, or the public.

7. Security

Every agency's data is isolated using row-level security in our database, so one agency cannot access another's records. Passwords are hashed, not stored in plain text. Data in transit is encrypted (HTTPS/TLS). [Add any further specifics — encryption at rest, access-control practices, incident response process — once finalized.]No system is perfectly secure, and we can't guarantee absolute security, but we take reasonable technical and organizational measures to protect the information you trust us with.

8. Data retention and deletion

We retain agency and client data for as long as the agency's account is active. If an agency closes its account, we retain data for [e.g. 30 days] to allow export, then delete it. The audit log is retained for as long as the underlying account exists, as it exists specifically to provide an unmodifiable record of account activity.

9. Your rights

Under PIPEDA, you (or, where your agency is the controller, your clients through your agency) have the right to access the personal information we hold, request corrections, and request deletion, subject to our legitimate need to retain certain records (for example, billing history or the audit log). To make a request, contact [privacy contact email].

10. Cookies

Zeerus uses a single essential session cookie to keep you signed in. We don't use advertising or third-party tracking cookies. [Update this if analytics tooling is added later.]

11. Children

Zeerus is a business tool for licensed insurance professionals and is not directed at, or intended for use by, children.

12. Changes to this policy

If we make material changes to this policy, we'll notify agency owners (for example, by email or an in-app notice) before the changes take effect.

13. Contact

Questions or requests about this policy can be sent to [privacy contact email].