Privacy Policy

2. DEFINITIONS

To ensure transparency and clarity throughout this document, the following terms shall have the designated meanings:

• "Merchant" (or "you", "your"): Refers to the business entity, account owner, primary user, or any authorized representative (such as an employee or manager) who registers for and uses the Service.
• "Personal Data": Means any information relating to an identified or identifiable natural person. This includes, but is not limited to, full names, email addresses, phone numbers, passwords, and sensitive personal identification metrics required for compliance (such as a Manager's Iqama ID).
• "Business Data": Refers to corporate or commercial information collected for the purposes of system functionality, taxation, and legal compliance, including Business Names, Commercial Registration (CR) numbers, VAT numbers, and precise operational addresses.
• "Processing": Means any operation or set of operations performed on Personal Data or Business Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, encryption, retrieval, or destruction.

3. INFORMATION WE COLLECT AND PROCESS

To provide, maintain, and secure our cloud-based POS, ERP, and localized Desktop applications, and to ensure strict compliance with regional tax authorities (e.g., ZATCA), we collect and process information in the following specific categories:

3.1 INFORMATION PROVIDED DIRECTLY BY THE MERCHANT

When you configure your account, set up locations, or add personnel, we collect:

3.2 CRYPTOGRAPHIC, TAX COMPLIANCE, AND DESKTOP APPLICATION DATA

To facilitate legally compliant electronic invoicing (such as the ZATCA Phase 2 integration) via our dedicated Desktop Application (Local Agent), we process highly specialized technical and cryptographic data:

3.3 AUTOMATICALLY COLLECTED AND SYSTEM DATA

3.3.1 Device, Magic API, and AI Data:

We automatically log IP addresses, authentication timestamps, and system interactions. If you use our "Magic API", we process product metadata (e.g., scanned barcodes) to populate your inventory. We may also process chat logs generated through our automated AI support widgets to resolve technical issues.

4. HOW WE USE YOUR INFORMATION

We process and use your collected Personal and Business Data for the following specific, legitimate, and operational purposes:

• 4.1 Providing and Managing the Service: To create your account, operate the cloud-based POS and ERP system, manage multi-shop configurations, authenticate your authorized employees, and grant them secure access to their respective roles and dashboards.
• 4.2 Regulatory Compliance and Electronic Invoicing: To enable and maintain official integration with tax authorities in applicable jurisdictions (e.g., ZATCA in the Kingdom of Saudi Arabia). This includes processing OTPs, generating Certificate Signing Requests (CSRs), and fetching Cryptographic Stamp Identifiers (CSIDs) to ensure your business issues legally compliant invoices. We reiterate that we do not access or use the strictly localized, encrypted Private Key stored on your hardware.
• 4.3 Financial Processing and Billing: To manage your subscriptions, issue billing statements, and facilitate secure payment processing through our authorized third-party gateways (such as Stripe).
• 4.4 The "Magic API" and Global Product Database: When you utilize our "Magic API" system, we utilize non-sensitive product metadata (such as scanned barcodes, item names, and generic images) to continuously build, train, and improve a master shared database for the benefit of the ZocoPOS ecosystem. However, your proprietary financial data (including exact wholesale costs, profit margins, and specific sales volumes) remains strictly confidential and is never shared with other users.
• 4.5 Customer Support, AI Widgets, and System Improvement: To provide technical assistance and resolve your queries, whether through human agents, live screen-sharing sessions, or AI-powered support widgets. With your interaction, we process and analyze support chat logs and AI conversations to train our support algorithms, improve AI accuracy, and enhance overall service quality.
• 4.6 Security and Fraud Prevention: To monitor system health, detect malicious or anomalous activities, prevent unauthorized access, enforce our Terms of Service, and ensure the cryptographic integrity of both our cloud infrastructure and your localized Desktop Agent.

5. HOW WE SHARE AND DISCLOSE YOUR INFORMATION

ZOCOPOS LTD explicitly states that we do not sell, rent, or trade your Personal or Business Data to third parties for marketing purposes. We strictly limit the sharing of your information to the following specific, operational, and legal circumstances:

• 5.1 Third-Party Service Providers: We may share your data with trusted third-party vendors and service providers who assist us in operating our platform, including secure cloud hosting providers, email and SMS delivery gateways, and authorized payment processors (such as Stripe). These providers are bound by strict data processing agreements and confidentiality obligations, prohibiting them from using your data for any unauthorized purposes.
• 5.2 Government and Regulatory Authorities (Tax Compliance): Because our Service acts as a compliance and electronic invoicing tool (including integration with ZATCA Phase 2 regulations in the Kingdom of Saudi Arabia), you explicitly authorize us to transmit your Business Data, invoice metadata, and cryptographic artifacts (such as CSRs and CSIDs) directly to the respective government tax authority APIs. This continuous data transmission is a mandatory legal requirement for validating your commercial transactions.
• 5.3 Legal Obligations and Protection of Rights: We reserve the right to disclose your information to law enforcement agencies, regulatory bodies, or courts if we believe in good faith that such disclosure is strictly necessary to: (a) comply with a legal obligation, subpoena, or valid legal process; (b) enforce our Terms of Use and investigate potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of ZOCOPOS LTD, our users, or the public.
• 5.4 The "Magic API" Ecosystem: As outlined in our Terms of Service, by utilizing the Magic API, you contribute non-sensitive product metadata (such as barcodes, item names, and standard images) to a master ZocoPOS shared database. This data is strictly anonymized and aggregated. Under no circumstances do we share your private financial metrics, wholesale costs, or specific sales volumes with other merchants.
• 5.5 Authorized Sales Agents and Affiliates: We may share basic account status information with our officially authorized Sales Agents and Affiliate Marketers solely for the purposes of lead generation, onboarding assistance, and localized support. However, these agents are strictly prohibited from accessing, requesting, or handling your highly sensitive data (including plain-text passwords, cryptographic PINs, or banking credentials).
• 5.6 Business Transfers: In the event that ZOCOPOS LTD is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your Personal and Business Data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or data control.

6. DATA SECURITY AND ENCRYPTION

The security of your Personal, Business, and Cryptographic Data is of paramount importance to ZOCOPOS LTD. We implement robust, industry-standard technical and organizational measures designed to protect your information against accidental loss, unauthorized access, alteration, and disclosure.

7. DATA RETENTION, EXTERNAL CLOUD BACKUPS, AND TOTAL DELETION

ZOCOPOS LTD retains your Personal and Business Data only for as long as your account is active and in good standing. We strictly enforce policies regarding data archiving and permanent deletion to ensure platform security and legal compliance.

8. YOUR DATA PRIVACY RIGHTS AND COMPLIANCE LIMITATIONS

In accordance with applicable data protection frameworks, you possess specific rights regarding your data. However, due to the strict regulatory nature of financial processing and tax compliance, certain fundamental limitations apply to these rights.

• 8.1 Multi-Portal Scope and Administration: The rights and terms outlined in this Privacy Policy govern the entirety of the Service, explicitly including both the primary Merchant Dashboard (e.g., zocopos.com) and the distinct Employee Portal (e.g., employee.zocopos.com). The Employee Portal primarily processes login credentials (usernames, passwords) and role-based permissions granted by the Merchant. The Merchant acts as the sole administrator and Data Controller for all activities and data processing occurring within the Employee Portal.
• 8.2 Right to Rectification & The Strict "No-Modification" Rule for Invoices: You retain the right to access, update, and correct your general profile details, sub-account configurations, and business identity information at any time.

  CRITICAL EXCEPTION:

  Under strict regulatory tax compliance laws (including ZATCA Phase 2 mandates), once an electronic commercial invoice has been generated and cryptographically signed, it becomes irrevocably locked. YOU HAVE NO RIGHT OR ABILITY TO UPDATE, EDIT, MODIFY, OR DELETE A SIGNED INVOICE. The Service is intentionally designed without the functionality to alter signed historical tax records. Any attempt to tamper with signed invoices is strictly prohibited and constitutes a severe breach of legal obligations.

• 8.3 Liability for Extracted and Exported Data: While your data resides on our secure cloud infrastructure, it is protected in accordance with the encryption standards detailed in Section 6. As part of your data portability rights, you are permitted and encouraged to extract and download your generated invoices (in XML and PDF formats) via the Dashboard.
  
  Merchant Liability: Once you extract, download, or otherwise remove data from the ZOCOPOS ecosystem, the protective scope of this Privacy Policy ceases regarding that specific extracted data. The physical security, digital integrity, long-term retention, and legal compliance of any downloaded or exported tax data becomes your sole, absolute, and exclusive liability.
• 8.4 Employee Data Requests (Processor Boundary): ZOCOPOS LTD acts strictly as the "Data Processor" regarding personnel data entered into the Employee Portal. If an employee of a Merchant wishes to exercise their data privacy rights (e.g., accessing, modifying, or deleting their employee profile), they must direct their request directly to the Merchant (the "Data Controller"). ZOCOPOS LTD will not independently respond to direct data requests from a Merchant's employees, except to forward such requests to the respective Merchant account owner.

9. SUPPORT, AI, AND COMMUNICATION PRIVACY

To provide highly efficient and responsive technical assistance, ZOCOPOS LTD employs a multi-tiered support infrastructure. By interacting with our customer support channels, you consent to the following data processing practices:

• 9.1 Automated AI Support and Chat Logs: Initial support interactions are managed by our proprietary Artificial Intelligence (AI) systems, which have been specifically trained on ZOCOPOS technical documentation. By utilizing our support widgets, you expressly consent to the collection, processing, and retention of your text inputs, chat logs, and system queries. We process this data to instantly troubleshoot your issues, generate analytical summaries, and continuously train and improve our AI response models.
• 9.2 Human Escalation and Audio/Video Call Processing: If the automated AI system is unable to resolve your technical issue, your support ticket—along with the complete chat history and an AI-generated diagnostic analysis—will be seamlessly transferred to a human support employee. During this escalation, if the human agent enables the interactive "Audio/Video Call" feature on your interface and you accept the connection, we will process the resulting live audio and visual data to assist you. You are solely responsible for ensuring that no unauthorized, sensitive, or private background information is visible or audible during any live video or audio sessions.
• 9.3 Live Screen Sharing Constraints: In the event that a live screen-sharing session is initiated to diagnose system errors, it is your strict legal responsibility to close, minimize, or hide all personal, confidential, financial, or non-ZOCOPOS applications and files PRIOR to granting screen access. ZOCOPOS LTD and its support agents disclaim any and all liability for the accidental exposure, capture, or viewing of your private data during a voluntary screen-sharing session.
• 9.4 On-Site Physical Support Visits and The "No-Password" Rule: Should a critical issue necessitate a physical, on-site visit to your premises by a ZOCOPOS field agent, a strict privacy and security protocol applies. Our field agents are strictly prohibited from requesting your plaintext passwords, cryptographic PINs, or financial credentials. You are required to physically enter your own credentials into the system when prompted. ZOCOPOS LTD accepts absolutely no liability for any data breach, unauthorized access, or loss of information if you voluntarily disclose your passwords to a field agent or if you leave an unlocked terminal unsupervised in the presence of our staff.
• 9.5 Official Centralized Support and Identity Verification: To ensure absolute security and accurate tracking, all email-based support inquiries must be initiated strictly from the primary email address registered to your ZOCOPOS account, and directed ONLY to our central support address (support@zocopos.com). We rely exclusively on your registered email as the definitive identifier of your business. If you submit a request using an unregistered email, we will reject it. We bear no liability for issues arising from your failure to communicate via your officially registered email address.
• 9.6 Decentralized Affiliate Support via Central Routing: While our ecosystem utilizes an affiliate and localized promotion framework, you are not required to contact your reseller directly via a separate email address. All localized support is securely managed through our central routing infrastructure. When you email our central support address or use our integrated chat applications, our backend systems dynamically identify your active session or registered email and automatically route your ticket to your designated authorized reseller or sales partner. ZOCOPOS LTD processes this routing data strictly to connect you securely with your assigned representative.
• 9.7 Executive Escalation and Administration: For critical administrative matters, legal notices, or high-level escalations that cannot be resolved via standard support channels, the official contact for the Chief Executive Officer (CEO) and central administration is admin@zocopos.com.

10. COOKIES AND TRACKING TECHNOLOGIES

• 10.1 Essential Cookies and Local Storage: To ensure the seamless operation, security, and functionality of the ZocoPOS cloud-based platform, we utilize cookies, local storage mechanisms, and secure authentication tokens (such as JSON Web Tokens - JWT). These tracking technologies are strictly necessary to authenticate your identity, maintain your active session across the Merchant Dashboard and Employee Portal, and safeguard your account against cross-site request forgery (CSRF) and other cyber threats.
• 10.2 Prohibition of Third-Party Advertising: We explicitly declare that our use of these tracking technologies is confined solely to core system functionality, performance analytics, and security auditing. ZOCOPOS LTD does not deploy tracking cookies for the purpose of behavioral profiling, nor do we sell, rent, or share your cookie data with any third-party advertising or marketing agencies.
• 10.3 User Control and System Limitations: You retain the right to configure your web browser settings to block, refuse, or delete cookies. However, please be strictly advised that because our Service relies on these technologies for essential authentication and secure communication with government APIs, rejecting or disabling cookies will severely degrade system functionality and may entirely prevent you from logging into or utilizing the ZocoPOS Service.

11. INTERNATIONAL DATA TRANSFERS AND CROSS-BORDER PROCESSING

• 11.1 Global Cloud Infrastructure: ZOCOPOS LTD is a corporate entity registered and headquartered in the United Kingdom. However, our operational services, our Merchants (including those in the Kingdom of Saudi Arabia for ZATCA compliance), and our secure cloud hosting infrastructure may be located in various international jurisdictions. Consequently, your Personal and Business Data may be transferred to, stored, and processed in countries other than the country in which it was originally collected.
• 11.2 Legal Safeguards and Compliance (UK GDPR & KSA PDPL): By registering for and utilizing the Service, you explicitly consent to this cross-border transfer of your data. ZOCOPOS LTD ensures that any international data transfer is conducted in strict compliance with applicable data protection frameworks, including the United Kingdom General Data Protection Regulation (UK GDPR) and the Saudi Personal Data Protection Law (PDPL). We utilize legally recognized transfer mechanisms, such as Standard Contractual Clauses (SCCs) and robust data processing agreements with our authorized sub-processors, to guarantee that your data receives an adequate, equivalent, and uncompromising level of protection regardless of its physical geographical location.

12. DATA BREACH NOTIFICATION AND INCIDENT RESPONSE

ZOCOPOS LTD employs stringent security architectures, but no cloud-based system is completely immune to sophisticated cyber threats. In the unfortunate event of a verified personal data breach—specifically one that is likely to result in a high risk to the rights, freedoms, and financial security of our Merchants—ZOCOPOS LTD is committed to strict compliance with international incident response mandates (including the UK GDPR and the Saudi PDPL). We will notify the relevant supervisory authorities and all directly affected Merchants via their registered email addresses without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. This notification will include the nature of the breach, the likely consequences, and the mitigation measures we have actively deployed.

13. AGE RESTRICTION AND CHILDREN'S PRIVACY

The ZocoPOS Service, encompassing the Merchant Dashboard, Employee Portal, and Desktop Local Agent, is strictly a business-to-business (B2B) and commercial enterprise platform. It is designed and intended exclusively for use by legal adults who are at least eighteen (18) years of age or who have reached the age of legal majority in their respective jurisdictions. ZOCOPOS LTD does not knowingly target, solicit, collect, or process Personal Data from minors or children under the age of 18. If we become aware or are reliably informed that a minor has created an account or transmitted Personal Data to our servers without verified parental or legal guardian consent, we will take immediate, irreversible steps to delete that account and completely wipe all associated data from our systems.