Privacy Policy

Version History
Version: 1.0
Effective: October 1, 2025

GDPR Compliance

Our data processing practices comply with the European Union's General Data Protection Regulation (GDPR). Your data is safe with us.

ZeroCRM Privacy Policy

Effective: October 1, 2025

This policy details how and for what purpose Zero Software Ltd. (address: 1173 Budapest, Pesti út 474., Hungary, email: [email protected], company registration number: 01 09 411511, EU tax number: HU32197358), hereinafter ZeroCRM, processes your personal data in accordance with GDPR Articles 13-14.


1. Purpose, Legal Basis, and Scope of Data Processing

Purpose | Legal Basis | Scope of Data Subjects
Website traffic measurement (Google Analytics) | Legitimate interest (GDPR Art. 6(1)(f)) | Website visitors
Remarketing (Google Ads, Meta Pixel) | Consent (GDPR Art. 6(1)(a)) | Website visitors
Newsletter distribution | Consent (GDPR Art. 6(1)(a)) | Prospects, customers
Subscription fulfillment | Contract performance (GDPR Art. 6(1)(b)) | Customers
Invoicing, legal retention | Legal obligation (GDPR Art. 6(1)(c)) | Customers
Customer support, consulting | Legitimate interest (GDPR Art. 6(1)(f)) | Customers, prospects
Marketing profiling | Consent for prospects / Legitimate interest for customers | Prospects, customers
Whistleblowing system | Legal obligation (GDPR Art. 6(1)(c)) | Whistleblowers, affected persons
Customer data stored in CRM | Data processing per customer instructions (GDPR Art. 28) | Customer's clients (processing)

2. Scope of Processed Data

2.1. Data Provided During Registration

Data provided by the User during Registration are processed:

  • Name
  • Email
  • Phone number
  • Company name
  • Job title

2.2. Security-Related Logged Data

Data are logged for security reasons:

  • Viewed page/function
  • Exact time
  • IP address
  • Browser cookie

2.3. Marketing Profiling

Profile building is based on data provided by the User and questionnaires. The goal is for Users to find the messages sent genuinely interesting and relevant.

2.4. Data Stored as Data Processor

As data processor, ZeroCRM stores the data that Users record in it. The scope of this data depends on what the User enters, and the User is responsible for what data is recorded.

2.5. Consent Management

For marketing, newsletter, and profiling purposes, the User provides consent simultaneously with accepting the Terms of Service (ToS). Consent can be withdrawn at any time without justification.


3. Purpose and Duration of Data Processing

3.1. Marketing and Newsletter

  • Customers are informed via email about new features, training opportunities, and useful ideas for customer management.
  • If notification is received at any time, the affected email address is unsubscribed.
  • Contact information and notes are retained for 365 days from the last contact.

3.2. Security Logging

  • System usage is logged for security reasons.
  • Data are retained with varying detail for 365 days.

3.3. Data Processing (ZeroCRM Account Data)

  • Customer data entrusted to ZeroCRM as data processor are automatically deleted 90 days after account closure.
  • Contact information and notes are retained for 3 years from the last contact for ZeroCRM subscribers.

3.4. Legal Retention Obligation

  • Due to legal requirements, some personal data and data on issued invoices are retained for the period required by applicable law (at least 10 years, maximum 15 years from issuing the last invoice).

4. Roles (Data Controller and Data Processor)

Regarding personal data recorded by the User in their own ZeroCRM system:

4.1. Data Controller

  • The ZeroCRM user/customer acts as data controller in this agreement.
  • Determines the purpose and means of data processing.
  • Decides on data processing.

4.2. Data Processor

  • Zero Software Ltd. acts as data processor in this agreement.
  • Cannot make substantive decisions affecting data processing.
  • May process personal data that comes to its knowledge only according to the data controller's instructions, and may not perform data processing for its own purposes.
  • Is obliged to store and preserve personal data according to the data controller's instructions.

5. Personal Data Processing (Data Processing Activity)

5.1. Principles of Data Processing

The Parties record that to provide the System service specified in the agreement between the Parties (ToS), ZeroCRM as data processor (Processor in this section) processes Personal Data defined later for the User (Data Controller) as follows:

  • Subject of data processing: The subject of processing is the ZeroCRM service according to the agreement.
  • Duration of data processing: Processing continues until the agreement expires or terminates.
  • Nature and purpose of data processing: Processing personal data according to this agreement is for performing the ZeroCRM service under this agreement.
  • Types of personal data processed: Any type of personal data stored at the User's discretion, as the Agreement allows.
  • Categories of data subjects: Customer's clients and/or business partners in any category at the User's discretion, as the Agreement allows.

5.2. Legal Basis for Data Processing

The User and ZeroCRM (hereinafter together: Parties) record that personal data processing by the Processor is essential for providing the (CRM) System that is the subject of the contract between the Parties: The Processor processes personal data of the Data Controller's employees, workers employed in other employment relationships, contractual partners, and occasionally the partner's employees (hereinafter: Data Subjects) to exercise its rights and fulfill its obligations arising from this contract during the contract's existence, for the time necessary to fulfill it (hereinafter: Personal Data).

The purpose of data processing is to fulfill the contract between the Parties and mandatory data processing required by applicable Hungarian and European laws; the legal basis is GDPR Article 6(1)(b) and (c).

5.3. Data Controller's Obligations

The Data Controller undertakes to transmit Personal Data provided by Data Subjects through their voluntary consent or on other legal basis in GDPR Article 6, or collected by any other means, to the Processor using customary, secure electronic (or paper-based) communication between the Parties so that the Processor can provide the System services under the conditions specified in this contract.

5.4. Data Processor's Obligations

The Processor warrants that its practice for processing Personal Data complies with GDPR requirements and that, considering the state of science and technology, implementation costs, the nature, scope, circumstances, and purposes of data processing, and the risk to natural persons' rights and freedoms, it ensures an appropriate level of protection and respect for data subjects' rights through appropriate technical and organizational measures.

5.5. Sub-processors

The Processor respects the conditions mentioned in GDPR Article 28(2) and (4) regarding processors. By accepting this contract, the Data Controller gives express and general authorization for the Processor to also use the services of additional processors specified in the Data Protection Policy for providing the System, if this is necessary for efficient and effective Service provision (sub-processor).

However, the Processor is obliged to inform the Data Controller of any planned changes involving engaging additional processors or replacing them, thereby providing the Data Controller the opportunity to object to such changes.

5.6. Confidentiality

The Processor ensures that persons authorized to process Personal Data (employees) undertake confidentiality obligations or are subject to appropriate statutory confidentiality obligations.

5.7. Data Security

The Processor undertakes to implement the technical and organizational measures in GDPR Article 32, guaranteeing data security appropriate to the level of risk.

The Processor assists the Data Controller in fulfilling obligations under GDPR Articles 32-36, considering the nature of processing and information available to the processor.

5.8. Following Instructions

The Processor processes Personal Data only based on the Data Controller's written instructions (including transferring personal data to a third country or international organization), except when processing is required by law applicable to the processor, in which case the Processor informs the Data Controller of this legal requirement before processing, unless notification is prohibited by that law on important public interest grounds.

The Processor is obliged to immediately inform the Data Controller if it believes any instruction violates GDPR or other legal provisions.

5.9. Supporting Data Subject Rights

If a Data Subject exercises rights in GDPR Articles 12-22, and the request concerns Personal Data processed by the Processor under this contract and the request cannot be fulfilled through the System interface, the Data Controller is obliged to notify the Processor as soon as possible about the request's arrival and content.

If a Data Subject submits their request directly to the Processor, the Processor is obliged to notify the Data Controller as soon as possible, send the request to them, and provide all necessary support for handling.

5.10. Cooperation with Authorities

The Parties are obliged to cooperate in all official and court proceedings concerning Personal Data processed under this contract – if necessary, even through intervention in the case.

5.11. Contract Termination

Upon termination of this contract – according to the Data Controller's decision – the Processor is obliged to permanently and irretrievably delete or return to the Data Controller all Personal Data and any copies or duplicates thereof (including personal data stored only electronically).

5.12. Remuneration

Because the Processor performs its activity under the contract within and for the purpose of the tasks that are the subject of the contract between the Parties, it is not entitled to further remuneration or cost reimbursement beyond the remuneration specified in the contract (or its annex) merely for becoming a Processor under GDPR.

5.13. Liability

The Data Controller is liable for any damage caused by its GDPR-violating data processing. The Processor is only liable for damage caused by data processing if it did not comply with obligations specifically determined for processors by GDPR or the provisions in this annex, or disregarded or acted contrary to the Data Controller's instructions.


6. Data Transfer

6.1. Based on Law

Transfer to competent authorities of any Personal Data that is lawfully stored and required by law or binding official obligation is authorized and obligatory. Data Controllers cannot be held liable for such data transfer and resulting consequences.

6.2. Service Transfer

If operation or utilization of the service is partially or fully transferred to a third party, personal data may be transferred partially or fully to this third party without requesting separate consent but with appropriate prior notification, provided this data transfer does not place the Data Subject in a more disadvantageous position than the data processing rules specified in the current text of this Policy.

In case of data transfer under this section, an opportunity is provided for the Data Subject to object to the data transfer before transfer occurs. In case of objection, the Data Subject's data transfer under this section is not possible.

6.3. Data Transfer Register

To verify data transfer legality and ensure information for Data Subjects, a data transfer register is maintained.

6.4. Transfer to Third Countries

Transfer of Personal Data to third countries may only occur with the Data Controller's prior written permission, ensuring guarantees in GDPR Articles 44-49.

Some sub-processors (e.g., Google LLC, Meta Platforms Inc., Apple Inc.) operate in the USA. The legal basis for data transfer is standard contractual clauses (SCC) adopted by the European Commission. Supplementary technical and organizational measures are applied (encryption, authorization management).


7. Consent Statement for Personal Data Processing

Simultaneously with accepting this Data Processing Policy, I give my voluntary and express consent to the processing of my own and my clients' personal data provided to ZeroCRM when creating the ZeroCRM account and later.

By recording my data, I simultaneously declare that:

  • I am a person over 18 years of age with legal capacity.
  • I represent legal entities or other organizations without legal personality, and I am a person authorized and entitled to represent the person or organization I represent and to give the consent necessary for data processing under this policy.

7.1. Processing Special Categories of Data

I declare that I do not provide special categories of personal data to ZeroCRM either during registration or later in any form. Special categories of personal data include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data suitable for identifying the person
  • Health data
  • Data concerning sexual life or sexual orientation

7.2. Identification Numbers

I declare that I do not provide numbers suitable for personal identification to ZeroCRM – non-exhaustive examples: passport number, personal number, identity card number, address card serial number, driver's license serial number.

7.3. Communication Channels

I declare that:

  • I record my clients' data exclusively through interfaces created for this purpose in the ZeroCRM software.
  • I do not send them via email either to the central address ([email protected]) or to the direct email address of ZeroCRM employees.
  • I never register ZeroCRM employees as users in my ZeroCRM system.

7.4. Marketing Consent

With my consent, I acknowledge that ZeroCRM may send me advertising content, information, and event invitations related to its activities and contact me by phone.

7.5. Withdrawal of Consent

I may withdraw my consent to data processing at any time by the methods specified in the policy, for example by sending a request to [email protected].


8. Data Breach Management

The Processor undertakes that if it becomes aware of an event that threatens the security, integrity, or availability of processed personal data (hereinafter: data breach), it will notify the Data Controller within 24 hours after detecting the breach about the breach's nature, circumstances, possible consequences, and measures taken or planned.

If the breach likely poses a risk to data subjects' rights and freedoms, the Data Controller – cooperating with the Processor – is obliged to report the data breach to the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours based on GDPR Article 33.

The Processor undertakes to provide all necessary information and technical support to the Data Controller for properly handling, reporting, investigating, and documenting the data breach in accordance with GDPR Articles 33-34.


9. Changes in Legal Basis During Customer Relationship

9.1. Legal Basis Based on Legitimate Business Interest

If the User provides their data by filling out a form and indicates interest in ZeroCRM, the registration is considered contract preparation. In this case, the legal basis for Personal data processing according to GDPR will be legitimate business interest.

This changed legal basis does not change the User's rights or Personal data processing; it only means that during contract preparation, if the User does not request termination of the process, Personal data processing continues for the interest and purpose of contract preparation.

9.2. Contract-Based Legal Basis in Case of Subscription

If the User subscribes to the ZeroCRM system, the subscription is made to the product under conditions detailed in the Terms of Service. In this case, the legal basis for Personal data processing according to GDPR will be contract-based legal basis.

This changed legal basis does not change the User's rights or Personal data processing; it only means that during the contract's existence, even if the User withdraws consent given for using the free version, Personal data processing continues for the interest and purpose of contract performance.

9.3. Based on Law After Contract Termination or Performance

Once the contract is performed or terminates, the data processing legal basis changes again and Personal data are processed based on law.

Regarding data on the invoice, Personal data processing is obligatory to continue based on law.


10. Data Security

10.1. Security Requirements System

The Parties record that the data security requirements system means supporting the protection of personal data with technical and personnel measures, as well as physical and IT solutions.

10.2. Compliance

The Parties declare that the Data Controller, and the Processor acting on behalf of the Data Controller, proceed in accordance with the provisions of the Info Act, data protection rules and case law during their data processing activities, comply with the provisions of applicable laws, and also consider important international recommendations related to data protection.

10.3. Security Measures

To protect personal data, Zero Software Ltd. applies the following security measures, among others:

  • Encrypted data transmission via HTTPS protocol
  • Regular backups and logging
  • Limited and authorization-based access
  • Regular vulnerability assessment and updates

10.4. Data Storage and Access

The Parties declare that personal data is stored on protected, limited-access servers, and that the Data Controller and Processor take all necessary technical and organizational measures to protect the data subject's data against loss, use for other purposes, becoming known to unauthorized persons, disclosure, alteration, or deletion.

Among other things, the Parties:

  • Ensure that only authorized persons access stored data through internal system or direct access, and only in connection with the purpose of data processing
  • Ensure necessary regular maintenance and development of used equipment
  • Place equipment storing data in locked premises with appropriate physical protection
  • Ensure that data stored in different registers cannot be directly connected and assigned to the data subject

11. Profiling

During marketing profiling, manual segmentation occurs based on data provided by data subjects (e.g., interest area, company size, CRM usage purpose).

  • No automated decision-making occurs.
  • The goal is to send relevant content in newsletters.
  • Profiling does not have legal effects.
  • For prospects, the legal basis is: consent
  • For existing customers: legitimate interest

12. Cookie Management

The ZeroCRM website (https://zerocrm.hu) uses cookies to improve user experience, ensure website functionality, and for marketing and analytics purposes. Cookies are small text files that the website places on the user's device.

12.1. Types and Purposes of Cookies Used

The following cookies are used on the website:

Strictly Necessary Cookies:

  • Session identifiers (session ID)
  • Cookie consent status storage
  • Technical settings required for functionality

These cookies are essential for providing the website's basic functions. Legal basis: GDPR Article 6(1)(f) – legitimate interest.

Analytics/Performance Cookies:

  • Google Analytics 4 (GA4): Measuring website traffic, analyzing user behavior, tracking page views, session duration. Data Controller: Google LLC (USA). Data retention: 14 months.
  • Microsoft Clarity: Recording user sessions (heatmap, session replay), UX improvement. Data Controller: Microsoft Corporation (USA). Data retention: 1 year.

Legal basis: GDPR Article 6(1)(a) – consent (cookie banner acceptance).

Marketing/Remarketing Cookies:

  • Google Ads: Running remarketing campaigns, tracking conversions, ad targeting. Data Controller: Google LLC (USA). Data retention: 90 days.
  • Meta Pixel (Facebook Pixel): Facebook/Instagram ad targeting, remarketing, conversion measurement. Data Controller: Meta Platforms Inc. (USA). Data retention: 90 days.

Legal basis: GDPR Article 6(1)(a) – consent (cookie banner acceptance).

12.2. Cookie Consent Management

A cookie banner appears on the first visit to the website, providing the user with the option to:

  • Accept all cookies,
  • Accept only strictly necessary cookies,
  • Individually select accepted categories.

Users can modify cookie settings at any time by clicking the "Cookie Settings" button in the website footer, or through their browser settings.

12.3. Data Transfer to Third Countries

Google Analytics, Google Ads, Microsoft Clarity, and Meta Pixel services are provided by companies operating in the USA. The legal basis for data transfer:

  • Standard Contractual Clauses (SCC) adopted by the European Commission,
  • Data transfer to the USA based on the Data Privacy Framework (DPF),
  • Supplementary technical measures: IP anonymization (where available), encrypted data transmission (HTTPS).

12.4. Cookie Lifespan

  • Session cookies: Active until browser is closed
  • Persistent cookies:
    • Google Analytics: 14 months
    • Microsoft Clarity: 1 year
    • Google Ads: 90 days
    • Meta Pixel: 90 days
    • Cookie consent: 12 months

12.5. Cookie Deletion and Consent Withdrawal

Users can delete cookies at any time through their browser settings, or withdraw consent in the cookie settings menu. Withdrawal of consent does not affect the lawfulness of data processing before withdrawal.

12.6. Additional Information About Cookie-Using Services


13. Data Subject Rights

Under GDPR, the data subject is entitled to:

  1. Request information about data processing
  2. Request access to their own data
  3. Request their rectification or deletion
  4. Object to data processing
  5. Request restriction of data processing
  6. Request data portability
  7. File a complaint with NAIH (www.naih.hu)

14. Method and Deadline for Exercising Data Subject Rights

Data subjects may submit requests to exercise their rights via email at [email protected].

Zero Software Ltd. responds to requests within 30 days at most; in justified cases, this deadline may be extended once to 60 days, about which separate notification is sent.

Exercising rights requires proper identification of the data subject.


15. Data Transfer and Recipients

ZeroCRM only transfers personal data to the following:

  • To authorities in case of legal obligation
  • To contractual sub-processors (e.g., hosting provider, email provider, payment provider)
  • To a new operator if the service is transferred; the data subject is notified in advance and may object to the data transfer

16. Complaint Management and Legal Remedy

If you feel the data processing violates data protection laws, you have the right to file a complaint:

National Authority for Data Protection and Freedom of Information (NAIH)


17. Contact

Zero Software Ltd.
1173 Budapest, Pesti út 474., Hungary
Email: [email protected]

For data protection complaints:
National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Hungary
www.naih.hu


Issued: Budapest, October 1, 2025

Zero Software Ltd.

Your Rights

  • Right to access - view your data
  • Right to rectification - correct your data
  • Right to erasure - request deletion of your data
  • Right to data portability - export your data

Last updated: October 1, 2025