ZEOUR LTD Privacy Policy

Client tenants (Controller): If you join a queue operated by a business Client that has purchased our Service, the Client is the Data Controller for that tenant. The Client determines purposes and means of processing for their queue and provides instructions to ZEOUR LTD under a DPA. The Client’s identity and contact details are shown in the app (e.g., “Data Controller: Client Name”).

ZEOUR LTD (Processor or Controller): ZEOUR LTD acts as Processor to the Client for tenant queues, and as Controller when we run a ZEOUR‑operated queue. We can be contacted at:

Registered Office: London, 20 Wenlock Road, N1 7TA, London, United Kingdom
Email: info@zeour.co.uk

This policy covers personal data processed to operate the Virtual Queue: requesting tickets, allocating capacity, sending operational notifications by SMS/WhatsApp/Email, and generating administrative/security logs. Typical flow: choose an experience, request a ticket, and receive serving time details. Tickets issued today are generally served tomorrow during the assigned slot, subject to availability and configuration set by the Client/Controller. This policy does not cover third‑party websites linked from the Service.

• Contact details: mobile phone number and/or email address.
• Ticket data: selected experience, ticket number, serving date/time, language.
• System data: hashed contact identifiers (at rest), delivery status, logs, IP (for admin audit), timestamps.
• Support data: messages you send to us.
• Optional: name or other details if you provide them in free‑text fields.

We do not intentionally process special category data. Please avoid including sensitive data in free‑text inputs.

Source: Personal data is provided directly by you, or generated by system logs when you interact with the Service.

• Queue operation: issue tickets, manage capacity, deliver operational notifications. Legal basis: contract (to provide requested service) or legitimate interestsin efficient queue management.
• Security & abuse prevention: rate limiting, fraud prevention, audit logging. Legal basis: legitimate interests and legal obligation where applicable.
• Regulatory compliance: responding to data subject requests, retaining minimal records. Legal basis: legal obligation.
• Support communications: responses to your inquiries. Legal basis: legitimate interests.

We do not send marketing messages without your consent.

We use carefully‑selected service providers to deliver the Service:

• GatewayAPI — SMS delivery (recipient number, message content, delivery metadata).
• Green‑API — WhatsApp messaging (recipient number, message content, delivery metadata).
• SMTP provider — Email delivery (recipient email, subject, body, headers).
• Cloud hosting/database — Application hosting, storage, and backups.

We sign DPAs with sub‑processors and require appropriate technical and organizational measures.

Where personal data is transferred outside the UK/EU, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and conduct diligence on recipients’ security and privacy practices.

We keep personal data only for as long as necessary to provide the Service and meet legal and operational requirements. Ticket data and delivery logs are retained for minimal periods configured by the Controller in Admin settings (e.g., retention days for tickets and notification jobs). Backups follow fixed schedules and are encrypted. Retention controls are tenant‑specific, and the Client/Controller sets the appropriate values.

• Encryption in transit; hashing of phone/email at rest.
• Least‑privilege access; admin audit logs; credential and secret rotation; rate limiting.
• Backups with periodic restore testing and segregated storage.
• Incident response, breach assessment, and notification procedures.
• Change management and vulnerability updates in line with supplier guidance.

You may have rights to access, rectification, erasure, restriction, objection, and data portability, and the right to lodge a complaint with a supervisory authority.

To exercise rights regarding ticket data, use the "Your Data" page available for each tenant/service (e.g., /[tenant]/your-data). You will be asked to verify ownership of the contact method via a one‑time verification code before we export or delete data. If you cannot access that page, contact the Controller (Client tenant) or ZEOUR LTD using the details above.

If you believe your data protection rights have been infringed, you can contact us first so we can help resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

The Service is intended for users aged 16+ (or local equivalent). We do not knowingly collect personal data from children under applicable age thresholds.

We do not use automated decision‑making that produces legal or similarly significant effects on individuals.

Public pages use essential cookies only (e.g., session or preference cookies). No advertising cookies are used.

We may update this policy to reflect changes in our practices or legal requirements. We will indicate the effective date above. Material changes will be announced in‑app.