Privacy Policy

About this policy

This Privacy Policy explains how Zavo LTD, a company registered in England and Wales (company number 14543620), whose registered office is at 3 Orchard Pl, Broadway, London SW1H 0BF, United Kingdom (Marcus, we, us or our), collects, uses and protects personal data, and the rights you have under UK data protection law — the UK GDPR and the Data Protection Act 2018.

It applies to our website, the Marcus workspace and the AI employee service that works across Slack, Microsoft Teams, email and SMS (together, the Service). Marcus is a business-to-business service; this policy is written for the people at the businesses we deal with — visitors, prospects, account holders and their teams.

Our two roles: controller & processor

Data protection law distinguishes the controller (who decides why and how data is used) from the processor (who handles it on the controller's behalf). Marcus acts in both roles, depending on the data:

• We are the controller for personal data about our website visitors, prospects, and the people who register for and administer customer accounts — for example account, billing, support and usage data. This policy governs that data.
• We are a processor for the personal data our business customers run through the Service — for example the messages, files and records Marcus reads and writes in your connected channels and tools. The customer is the controller of that data; we process it only on their instructions under our Data Processing Agreement (DPA).

If a business used Marcus to message or reply to you, that business — not Zavo — is the controller of your data. Please contact them to exercise your rights. We will help them respond as their processor.

Personal data we collect

As a controller, we may collect and use:

• Account & identity data — name, work email, phone number, job title, company, and login credentials.
• Billing & transaction data — plan, billing address, VAT details and payment history. Card payments are handled by our payment processor; we do not store full card numbers.
• Usage & technical data — how you use the workspace, configuration, IP address, device and browser information, and log and diagnostic data.
• Communications — messages you send us, sales and support chats, support tickets, and records of our correspondence with you.
• Marketing data — your preferences for receiving communications from us.

Where we get your data

• Directly from you — when you sign up, configure the Service, contact us, or book a demo.
• Automatically — through cookies and similar technologies when you use our website and workspace (see our Cookie Policy).
• From your colleagues — for example when someone invites you to their Marcus workspace.
• From third parties — such as our payment processor, the integrations you connect, and, for business marketing, reputable public and commercial sources.

How & why we use your data

We use personal data only where we have a lawful basis to do so. Our purposes and bases are:

• To provide the Service — create your account, deliver features and support — to perform our contract with you.
• To take payment — billing, invoicing and collecting amounts due — to perform our contract and meet our legal obligations.
• To secure and improve the Service — monitoring, fraud prevention, troubleshooting and product analytics — in our legitimate interests in running a safe, reliable service.
• To communicate with you — service messages, and business marketing where permitted — in our legitimate interests or with your consent, which you can withdraw at any time.
• To comply with the law — tax, accounting and responding to lawful requests — to meet our legal obligations.

Your content & AI processing

When our customers use Marcus to read, draft and send messages or work across their connected channels and tools, we process that content as their processor, on their instructions and under our DPA. AI models generate Marcus's responses and outputs.

• We do not use customer content to train AI models. We do not use your messages, files or other content to train or fine-tune our own or any third party's general AI models.
• Customers can configure retention, and higher plans offer a Zero Data Retention option.
• Marcus connects only to the channels and tools you authorise, and acts within the permissions you grant. Sensitive actions can be set to require human approval.

Who we share data with

We do not sell your personal data. We share it only with parties who help us run the Service, under contracts that require them to protect it and use it only on our instructions. These include:

• Cloud hosting & infrastructure — our hosting and database providers, which keep customer data within the EU.
• Payments — our subscription and payment processor for billing.
• AI providers — the model providers that power Marcus, engaged under terms that prohibit training on our data.
• Integrations you connect — the messaging, email and business tools you link to Marcus, which exchange data with us to deliver the features you enable.
• Operational tools — authentication, analytics, email and customer-support providers.
• Advisers & authorities — professional advisers, and regulators or law-enforcement where we are legally required to disclose.
• Business transfers — a buyer or successor if we reorganise, merge or sell part of our business.

A current list of our sub-processors is available on request and is set out in our DPA for customers.

International transfers

We aim to keep customer data within the UK and the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards, such as a UK adequacy decision, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, together with additional protections where needed. You can ask us for more detail about the safeguards we use.

How long we keep data

• Account data — for as long as you have an account, and for a reasonable period afterwards.
• Billing and tax records — typically up to six years, to meet our legal and accounting obligations.
• Customer content we process for customers — for as long as the customer instructs, in line with their settings and our DPA, then deleted or returned.
• Logs and diagnostics — for a limited period for security and troubleshooting.
• Marketing data — until you opt out or ask us to stop.

How we protect your data

We maintain technical and organisational measures appropriate to the risk, including hosting data in the EU, encryption in transit and at rest, access controls, logging and monitoring, and staff confidentiality obligations. Our infrastructure is independently audited (including SOC 2 Type II and ISO 27001). No system is ever completely secure, but if a personal-data breach occurs we will act promptly and notify you and the relevant authorities where the law requires.

Your rights

Under UK data protection law you have the right to:

• Access a copy of the personal data we hold about you.
• Have inaccurate or incomplete data corrected.
• Have your data erased in certain circumstances.
• Restrict or object to certain processing, including direct marketing.
• Receive certain data in a portable, machine-readable format.
• Withdraw consent at any time where we rely on it.

To exercise these rights, contact us using the details below. We may need to verify your identity, and we will respond within one month. You can complain to the Information Commissioner's Office (ICO) at any time, but we'd appreciate the chance to help first. If you are a contact of one of our customers, please direct your request to that business as the controller.

Children

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18 in a personal capacity. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. If we make material changes we'll give you reasonable notice — for example by email or a notice in the workspace. The "Last updated" date at the top shows when it was last revised.

Contact us & complaints

For any privacy question or to exercise your rights, contact:

Zavo LTD
3 Orchard Pl, Broadway, London SW1H 0BF, United Kingdom
Privacy: hello@zavo.ai
Support: support@zavo.ai

You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; ico.org.uk; 0303 123 1113.