Legal document

Privacy Policy

How Z·Apply handles personal and operational data, with transparency about integrations, legal basis, data subject rights and Google API Limited Use compliance.

PT EN
Data controller
51425442 LEANDRO ROBERTO DA SILVA
Tax ID (CNPJ)
51.425.442/0001-10
Address
Rua Panamá, 131 — Bairro Casa Branca, Santo André/SP, CEP 09015-680
Data Protection Officer
Leandro Roberto da Silva
contato@z-apply.com
Last updated
April 27, 2026
Version
2.0

1. About us

Z·Apply is a SaaS platform for customer service over WhatsApp and Instagram with artificial intelligence, CRM, unified inbox, scheduling and external integrations. The service is operated in Brazil and serves companies that need to organize customer service, lead capture and scheduling operations in a multi-tenant environment.

Data controller: 51425442 LEANDRO ROBERTO DA SILVA, registered under CNPJ 51.425.442/0001-10, headquartered at Rua Panamá, 131 — Bairro Casa Branca, Santo André/SP, CEP 09015-680.

Data Protection Officer (DPO): Leandro Roberto da Silva — contato@z-apply.com.

2. Data we collect

We may process the following categories of data, depending on platform usage:

Registration data

  • Name, email, phone number, company name and tax ID (CNPJ), when provided.

Operational data

  • WhatsApp and Instagram conversations processed by the platform.
  • Captured leads, appointments, internal notes and interaction history.

Usage data

  • Access logs, pages visited within the dashboard, IP address and browser type.

Data from external integrations

  • Google Calendar: when you connect your Google account, we access authorized calendar event data to synchronize appointments and check availability. This may include event title, date, time and participants. We use the scopes https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/calendar.events and https://www.googleapis.com/auth/userinfo.email (to identify the connected account).
  • WhatsApp Business / Instagram Messaging: messages received and sent through the connected number/account and conversation metadata.

Payment data

  • In the current product state, Z·Apply does not process payments between the customer company and its end customers and does not store credit card data.

3. How we use the data

  • Provide the contracted service, including customer service, CRM, scheduling, reports and dashboard operations.
  • Synchronize appointments with Google Calendar when the integration is active.
  • Send operational notifications, such as lead alerts, handoffs and status changes.
  • Improve the product based on aggregated and anonymized usage data.
  • Comply with legal, regulatory and security obligations.

4. Google Calendar — Limited Use

Explicit Limited Use commitment. Z·Apply's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

Specifically, Z·Apply:

  • Only accesses Google Calendar data to create, update and remove appointment events originated in Z·Apply, and to check time availability (busy periods).
  • Does not use Google Calendar data for advertising, marketing or sale to third parties.
  • Does not share Google Calendar data with third parties, except as necessary to provide the service (e.g., infrastructure provider) or when required by law.
  • Does not use Google Calendar data to train artificial intelligence or machine learning models, our own or third-party.
  • Does not allow humans to read Google Calendar data, except: (a) with the user's explicit consent; (b) for security purposes; (c) to comply with legal obligations; or (d) for necessary internal operations using aggregated/anonymized data.
  • Stores Google access tokens encrypted and per-company, with multi-tenant isolation.
  • Allows the user to revoke access at any time, directly in the Z·Apply dashboard (Settings → Google Calendar → Disconnect) or in the Google account security settings.

5. Storage and security

  • The service is operated in Brazil and uses contracted infrastructure compatible with the product's operation.
  • Credentials, OAuth tokens and other sensitive secrets are protected by encryption at rest (AES via Django EncryptedField) and isolated per company.
  • Multi-tenant isolation: each company can only access its own data.
  • Dashboard access is controlled by role (RBAC), with roles such as administrator, manager and collaborator.
  • Backup and continuity routines are executed according to the environment's operation.
  • All connections to the service use HTTPS / TLS.
  • OAuth states are cryptographically signed (Django signing) with expiration to mitigate CSRF.

6. Data sharing

  • We do not sell personal data.
  • We share data only with (a) hosting infrastructure providers; (b) integration services configured by the user (Google, Meta/WhatsApp, Meta/Instagram); (c) when required by court order or competent legal authority.
  • Each customer company accesses only its own data — there is no cross-tenant reading.

7. Data retention

  • Data is kept while the account is active and as long as it is necessary to provide the service.
  • After cancellation, data may be retained for up to 90 days for possible reactivation and, after that period, permanently deleted.
  • Google OAuth tokens are immediately revoked when the integration is disconnected from the dashboard.
  • Early deletion can be requested by email, subject to applicable legal and technical obligations.

8. Data subject rights

Under Brazil's LGPD (Law No. 13,709/2018), and where applicable equivalent rights under the GDPR, the data subject may request:

  • Confirmation of the existence of data processing.
  • Access to their data.
  • Correction of incomplete, inaccurate or outdated data.
  • Anonymization, blocking or elimination of unnecessary or non-compliant data.
  • Data portability.
  • Deletion of personal data processed under consent.
  • Information about public and private entities with which data was shared.
  • Revocation of consent, when that is the applicable legal basis.

To exercise any of these rights, contact our DPO at contato@z-apply.com. We respond within 15 business days from the receipt of the request.

9. Cookies

The site uses technical session cookies for authentication, dashboard operation and user experience maintenance. We may also use aggregated site usage measurement (analytics) for operational stability and product improvements.

We do not use third-party advertising tracking cookies.

10. Changes to this policy

This policy may be updated periodically. Relevant changes may be communicated by email, notice in the dashboard or by other appropriate means. The date in the header of this document reflects the current version, and previous versions can be requested through the privacy channel.

11. Contact

For general product questions: contato@z-apply.com.

For privacy questions, information security, exercise of LGPD/GDPR rights or contact with the Data Protection Officer: contato@z-apply.com.