Privacy Policy
Last updated: 20 April 2026
Zynterra Ltd. ("us", "we", or "our") owns and operates the website https://www.zynterra.com/ (referred to below as the "Website" / "Service"), through which it operates an application, online and offline platform (together, the "Platform") used to deliver the Service in a digital environment.
Zynterra greatly values your personal data and the rights you hold in connection with them. The data we collect during your use of our Website is processed in accordance with the laws of the Republic of Bulgaria.
In addition, Zynterra is committed to providing comprehensive and effective protection of your personal data by implementing the necessary technical and organisational measures, with the aim of continuously improving the service we offer.
In this regard, our employees are obliged and duly informed about the specifics of safeguarding the confidentiality of personal data provided to them for the purposes of the normal use of our services.
Specifically, from this document you will learn:
- Our full contact details in our capacity as controller of your personal data;
- Scope and roles;
- What categories of personal data we collect, for what purposes and on what legal basis we collect your personal data;
- With whom we share your data;
- For how long we retain your information before it is securely deleted;
- What your rights are in connection with the processing of your personal data.
Definitions
- Service / Website: https://www.zynterra.com, and all other functionalities related to it.
- Personal-data protection laws / regulations: all applicable laws, secondary legislation and legal requirements relating to the protection, processing and security of your personal data, including, but not limited to, Regulation (EU) 2016/679 (the EU General Data Protection Regulation — GDPR), the Personal Data Protection Act of the Republic of Bulgaria (PDPA), and any other applicable national or international laws on data protection, privacy and security applicable to the processing of data on our part.
- Usage data: data collected automatically, generated by the use of the Service or by the infrastructure of the Website / Service itself (for example, the duration of a page visit).
- Cookies: small files stored on your device (computer or mobile device) when using the Service.
- Personal-data controller: a natural or legal person which, alone or jointly with others, determines the purposes and means of processing personal data. For the purposes of this Privacy Policy, we are the controller of your personal data.
- Personal-data processor (or Service Provider): a natural or legal person that processes personal data on behalf of the controller (us). We may use the services of various service providers in order to process your data more efficiently.
- Data subject (or User): any living natural person who uses our Service and is the subject of personal data.
- Processing: any operation or set of operations performed on your personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Recipient: a natural or legal person, public authority, agency or other body to which your personal data is disclosed in accordance with the applicable data-protection legislation.
1. Personal-data controller
Zynterra Ltd. is a company incorporated and registered in the Republic of Bulgaria, entered in the Commercial Register at the Registry Agency under UIC 208066407, with registered office and address of management in Sofia, "Vitosha" district, "Sofia Park" residential complex, Bl. 121, Apt. 3.
As a company established in a Member State of the European Union, we are required to comply with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR) in respect of all personal-data processing operations.
In providing our Services through our Website, we act as a personal-data controller within the meaning of the GDPR and bear responsibility for the processing of your personal data.
For general questions regarding personal-data protection, you can contact us by sending your enquiry to our email, visible in the "Contacts" section.
Our full contact details
| Name | Zynterra Ltd. |
| UIC | 208066407 |
| VAT number | BG208066407 |
| Registered office and address of management | Sofia Park, Block 121, Apt. 3, 1766 Sofia, Bulgaria |
| info@zynterra.com | |
| Support | support@zynterra.com |
| Data-protection contact | info@zynterra.com |
For data-protection enquiries, please use the following email: info@zynterra.com.
Zynterra operates an e-commerce platform (the "Platform") that includes the zynterra web application and the zynterra POS mobile application (iOS / Android), enabling merchants to create and manage online stores and to process in-person payments. In this context, zynterra acts in two distinct capacities under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):
- As a personal-data controller — for the personal data we collect and use for our own purposes (e.g. data of visitors to our website, holders of merchant accounts, billing, platform security).
- As a personal-data processor — for the personal data that merchants' customers enter through the merchants' online stores. In that case the merchant is the personal-data controller, and zynterra processes such data on the merchant's behalf and in accordance with the merchant's instructions.
2. Scope and roles
This Privacy Policy applies to:
- Visitors to our website (www.zynterra.com) and the Platform.
- Merchants who register and use the Platform, including the zynterra POS mobile application.
- Anyone who contacts us by email, through support requests, or through other communication channels.
This Privacy Policy does NOT govern how merchants process the data of their own customers. Each merchant is an independent personal-data controller for the data collected through its online store. Merchants are responsible for publishing their own privacy policies and for ensuring their own GDPR compliance. If you are a customer of a merchant's store, please refer to the privacy policy of that merchant.
The relationship between zynterra (as processor) and merchants (as controllers) is governed by our Data Processing Agreement (DPA), which constitutes Annex 1 to our Terms of Service.
3. For what purposes and on what basis do we collect your personal data?
3.1. When acting as a personal-data controller
We collect and process the following categories of personal data:
3.1.1. Account and profile data
- Full name, email address, phone number.
- Company name, role, login credentials (passwords are stored only in hashed form).
- Account preferences, language settings.
3.1.2. Billing and compliance data
- Unified Identification Code (UIC), VAT number.
- Banking data (IBAN), billing address.
- Subscription plan, payment history, invoices.
- For cash-on-delivery (COD) orders — the merchant's bank account (IBAN) for the purposes of settling payments, since zynterra is the contractual party with the courier companies for the collection of cash-on-delivery amounts.
3.1.3. Usage and device data
- IP address, browser type and version, operating system.
- Pages visited, features used, time spent on the Platform.
- Referrer source, session identifiers.
- Error logs and performance data.
- Mobile-device identifiers, application version and operating-system version (when using the zynterra POS application).
- NFC transaction metadata for Tap-to-Pay card payments processed through the zynterra POS application.
- QR-code payment data processed through the zynterra POS application.
3.1.4. Marketing and communications data
- Email subscription preferences, newsletter sign-ups.
- Responses to surveys or feedback requests.
- Records of marketing consent.
3.1.5. Support and correspondence data
- Content of support requests, chat transcripts, email correspondence.
- Any attachments or documents shared with us during support.
3.2. Data we process as a processor
When we act as a personal-data processor on behalf of merchants, we process the following categories of data on the merchant's instructions:
3.2.1. Store data
- Product listings, stock information, pricing, images and descriptions.
3.2.2. Order data
- Names, email addresses, phone numbers, delivery and billing addresses of end users.
- Order details (items, quantities, amounts, discounts, payment references).
- Order status and history.
3.2.3. Fulfilment data
- Delivery information (courier, tracking number, delivery status).
- Records of returns and refunds.
zynterra does not use this data for its own purposes. It is processed solely in accordance with the merchant's instructions and our DPA.
3.3. How we collect personal data
We collect personal data from the following sources:
- Directly from you — when you register an account, fill in forms, contact support, or otherwise interact with the Platform.
- From your device — automatically through cookies, server logs and similar technologies when you visit our website or use the Platform.
- From third-party integrations — for example, when a merchant connects a payment provider. Note: Stripe manages its own KYC (Know Your Customer) processes independently; we do not collect or store the identity-verification data that Stripe processes for the purposes of its own compliance.
3.4. Legal bases for processing
We process personal data as a controller on the following legal bases under Article 6(1) GDPR:
| Performance of a contract (Art. 6(1)(b)) | Processing your account data to provide the Platform, manage your subscription, handle billing and payments. |
| Legitimate interests (Art. 6(1)(f)) | Improving the Platform, preventing fraud, ensuring security, analysing aggregate usage patterns, internal administration. |
| Consent (Art. 6(1)(a)) | Sending marketing communications, placing optional cookies. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. |
| Legal obligation (Art. 6(1)(c)) | Retention of invoice records for tax and accounting purposes, responding to lawful requests from authorities. |
When we process personal data as a processor, the legal basis is determined by the controlling merchant, not by zynterra.
3.5. Cookies and tracking technologies
We use cookies and similar technologies on our Website and Platform. For detailed information about the cookies we use, their purposes and how to manage your preferences, please refer to our Cookie Policy.
4. With whom do we share your personal data?
We may share personal data with the following categories of recipients:
4.1. Sub-processors
We use the following sub-processors to provide the Platform:
| Amazon Web Services EMEA SARL | Luxembourg (EU) | Cloud hosting, data storage, computing infrastructure |
| Stripe, Inc. | USA (EU SCCs + DPF) | Payment processing (online via Stripe Connect; in-person via Stripe Terminal in the zynterra POS application) |
| SendGrid / Twilio, Inc. | USA (EU SCCs + DPF) | Delivery of transactional emails |
| Sentry (Functional Software, Inc.) | USA (EU SCCs + DPF) | Error monitoring and performance tracking |
| Generic Soft | Bulgaria (EU) | Viber messaging API. When merchants send transactional or promotional messages to end users via Viber, the following data are transmitted: end user's phone number, message content (which may include order details, delivery information or promotional offers), and delivery status. Generic Soft and Viber Media S.à r.l. process these data as independent controllers for the purposes of their own service provision. |
| Anthropic, Inc. | USA (EU SCCs + DPF) | AI-powered content generation, translation and optimisation |
| OpenAI, Inc. | USA (EU SCCs + DPF) | AI-powered content generation, translation and optimisation |
| Netim | France (EU) | Domain-name registration services |
4.2. Courier partners
When merchants use courier services through the Platform, order and delivery data are shared with the relevant couriers:
| Speedy AD | Bulgaria (EU) | Logistics and delivery |
| Sameday Courier | Romania (EU), with operations in Bulgaria | Logistics and delivery |
| BOX NOW | Greece (EU), with operations in Bulgaria | Logistics and delivery (parcel-locker network) |
4.3. Professional advisers
We may share personal data with our lawyers, accountants, auditors and insurers where necessary to obtain professional advice or to manage legal proceedings.
4.4. Authorities and legal requirements
We may disclose personal data to law-enforcement bodies, regulatory authorities, courts or other public bodies where required by applicable law, regulation, legal process or enforceable government request.
4.5. Corporate transactions
In the event of a merger, acquisition, reorganisation or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected individuals of any such transfer and of any changes to the applicable privacy terms.
5. International data transfers
The personal data we process are stored and processed primarily within the European Union / European Economic Area (EU/EEA), specifically in Amazon Web Services (AWS) data centres in the EU region.
Where we transfer personal data outside the EU/EEA (specifically to the United States for services provided by Stripe, SendGrid/Twilio, Sentry, Anthropic and OpenAI), we rely on the following safeguards:
- EU Standard Contractual Clauses (SCCs) — adopted by the European Commission under Decision 2021/914.
- EU-US Data Privacy Framework (DPF) — where the recipient is DPF-certified, providing an additional layer of adequacy.
- Transfer Impact Assessment (TIA) — where applicable and the destination country outside the EU/EEA does not benefit from a European Commission adequacy decision.
We do not transfer personal data to countries outside the EU/EEA unless an adequate level of protection is ensured through one of the mechanisms described above.
6. For how long we retain your information before it is securely deleted
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:
| Account data | For the lifetime of the account, plus 5 years after account closure (for legal and audit purposes). |
| Accounting and financial records | For the lifetime of the account plus 10 years after closure (in accordance with the Accountancy Act, Art. 12, which requires 10-year retention of accounting documents). |
| Usage and device logs | From 90 to 365 days, depending on the type of log. |
| Marketing data | Until unsubscription from communications, or 24 months of inactivity (whichever occurs first). |
| Support requests | For the lifetime of the account plus 2 years after closure. |
| Data as a processor (data of merchants' end customers) | On the merchant's instructions, in accordance with our DPA. Upon termination of the merchant's account, the data are deleted or returned within 90 days. |
| Audit logs | Automatic deletion after 30 days. |
| Backups | Rotation and deletion on a regular schedule. Backups are not used for active processing. |
Upon expiry of the retention periods, personal data is securely deleted or anonymised where we have grounds to do so under the General Data Protection Regulation (GDPR).
7. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These measures include, but are not limited to:
- Encryption in transit — all data transmitted between users and the Platform are protected by TLS (Transport Layer Security).
- Encryption at rest — data at rest are encrypted using industry-standard encryption.
- Hardened network infrastructure — firewalls, intrusion-detection systems and network segmentation.
- Least-privilege access — access to personal data is restricted to authorised personnel on a need-to-know basis.
- Security logging and monitoring — system access and changes are logged and monitored.
- Vulnerability management — regular security assessments and timely application of patches.
No system can guarantee absolute security. If you become aware of a security incident affecting your account, please contact us immediately at support@zynterra.com.
8. What are your rights in connection with the processing of your personal data
If you are located in the EU/EEA or are a national of an EU/EEA Member State, you have the following rights under the GDPR in respect of the personal data we process about you as a controller:
| Access (Art. 15) | To request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | To request correction of inaccurate or incomplete personal data. |
| Erasure (Art. 17) | To request the deletion of your personal data where there is no good reason for continued processing. |
| Restriction (Art. 18) | To request the restriction of processing in certain circumstances (e.g. while we verify accuracy). |
| Objection (Art. 21) | To object to processing based on legitimate interests, or for direct-marketing purposes. |
| Data portability (Art. 20) | To receive your personal data in a structured, commonly used, machine-readable format. |
| Withdrawal of consent (Art. 7(3)) | Where processing is based on consent, to withdraw it at any time, without affecting prior lawfulness. |
How to exercise your rights: Send a request to info@zynterra.com. We will respond within one month. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within the first month. We may ask you to confirm your identity before taking action on the request.
Automated decision-making: zynterra does not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
In the event of complaints, you may turn to the supervisory authority for personal-data protection. Data processed in Bulgaria are under the supervision of the Commission for Personal Data Protection (CPDP), which exists to protect your rights. If you suspect unlawful processing of your personal data, you may contact the Commission:
| Commission for Personal Data Protection (CPDP) | 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria |
| kzld@cpdp.bg | |
| Website | www.cpdp.bg |
9. Children
The Platform is not directed at children. We do not knowingly collect personal data from children. Under Bulgarian law, the processing of personal data of children under 14 years of age requires verifiable parental consent. If we learn that we have collected personal data from a child under 14 without proper consent, we will take measures to promptly delete that data.
10. Processor terms
When zynterra acts as a personal-data processor on behalf of merchants, the processing terms are set out in our Data Processing Agreement (DPA), which is available as Annex 1 to the Terms of Service. The DPA complies with Article 28 GDPR and sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects.
11. Links to third parties and merchants' stores
The Platform and our Website may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to read their privacy policies.
Similarly, each online store of a merchant is operated by the merchant as an independent personal-data controller. zynterra is not responsible for the merchant's data-processing practices. If you have questions about how a merchant processes your data, please contact the merchant directly.
12. Changes to this Privacy Policy
We may update this Privacy Policy periodically. If we make material changes, we will provide reasonable advance notice — for example, by posting a notice on our Website or sending an email to registered merchants. The "Last updated" date at the beginning of this policy indicates when it was last revised.
zynterra will notify you of material changes to this Privacy Policy. Where your consent is the legal basis for processing, we will obtain new consent before applying the changes. For processing based on other legal grounds, continued use of the Platform after the notice period constitutes acceptance of the updated Privacy Policy.
13. Contact
If you have questions about this Privacy Policy or about how we process personal data, please contact us as follows:
| Zynterra Ltd. | Sofia Park, Block 121, Apt. 3, 1766 Sofia, Bulgaria |
| info@zynterra.com | |
| Support | support@zynterra.com |