Privacy Policy
EspañolLast updated: May 6, 2026
This Privacy Policy describes how SPEUX EIRL (“Zentro”, “we”) processes the personal data it receives through its Cash on Delivery (COD) order management SaaS platform, available at https://zentro.one.
1. Data Controller
Legal name: SPEUX EIRL
Tax ID (RUC): 20607072168
Registered address: Lima, Perú
Privacy officer email: privacy@zentro.one
Zentro acts as data controller regarding subscriber (merchant) data, and as data processor regarding end-customer data that merchants store and manage through the platform.
2. Data we collect
2.1 Merchant account data
- User name, email and password (bcrypt hash).
- Merchant's business name, tax ID and organization details.
- Access logs, audit events, and IP addresses.
2.2 Order data (merchant's end-customers)
- Name, phone, and national ID (when provided by the end-customer).
- Delivery address, region, province, district, coordinates.
- Order history, amounts, payment proofs, and shipping status.
2.3 Third-party integration data
We request the minimum permissions required. Full per-integration breakdown appears in sections 9 through 12 of this policy.
3. How we use the data
- Operate and maintain the order management platform.
- Sync shipment status with integrated couriers.
- Generate operational and commercial reports for the merchant.
- Detect and prevent fraud or service abuse.
- Comply with applicable legal obligations.
We do not sell, rent, or share merchant or end-customer data with advertisers, data brokers, ad networks, or third parties for purposes other than those stated here.
4. Sub-processors
Zentro uses the following providers to operate the service. All are contractually bound by confidentiality and security obligations equivalent to those described in this policy:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and CDN | EE.UU. / Global edge |
| Neon (PostgreSQL) | Managed database | EE.UU. |
| Vercel Blob | Storage of payment proofs and images | EE.UU. |
| Sentry | Error and performance monitoring | EE.UU. |
| Browserbase | Secure browser automation (Zeus integration) | EE.UU. |
| Resend | Transactional email delivery | EE.UU. |
5. Security
We apply reasonable technical and organizational measures to protect data:
- In transit: TLS 1.2+ on all connections.
- At rest: AES-256-GCM for tokens and integration credentials.
- Role-based access control (RBAC): ADMIN, SUPERVISOR, SELLER, LOGISTICS — least privilege per role.
- Multi-tenant isolation: every query filters by organization; merchant data never crosses tenants.
- Audit logs: traceability of access and sensitive changes.
- Separate backups for testing and production environments.
6. Retention
Account data is retained while the subscription is active. After cancellation, we delete merchant data within 30 days, unless retention is legally required. Application logs rotate after 90 days.
7. Your rights (Peru Law 29733, GDPR/CCPA)
As a data subject you have the right to:
- Access: know what data we process about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Object: object to specific processing.
- Portability: receive a structured copy of your data.
To exercise these rights, write to privacy@zentro.one or use the form at Data Deletion. We respond within 20 business days. EU residents may also lodge complaints with their local Data Protection Authority.
8. International data transfers
Some sub-processors operate outside Peru (mostly in the U.S.). Transfers rely on Standard Contractual Clauses (SCCs) and providers with recognized certifications (SOC 2, ISO 27001).
9. Data from Shopify
When a merchant connects their Shopify store, Zentro receives the following data via the Admin API. We request read-only permissions:
| Permission (scope) | Data accessed | Purpose |
|---|---|---|
read_orders | Confirmed orders (customer, products, totals, shipping address) | Import orders to the COD system for delivery management |
read_draft_orders | Draft orders / abandoned carts | Capture abandoned cart leads for sales recovery |
read_products | Catalog (name, SKU, price, variants) | Keep your catalog synchronized to link orders to products |
We do not request write permissions. Zentro cannot modify, delete, or create orders, products, or customers in your Shopify store.
As a Shopify App Store app, we comply with the mandatory privacy webhooks:
customers/data_request— we deliver the customer's data to the merchant within 30 days.customers/redact— we delete the customer's data when the merchant requests it.shop/redact— we delete all shop data 48 hours after uninstallation.
10. Data from Google APIs
Zentro accesses Google APIs only when the merchant explicitly authorizes the integration. Scope is limited to files the user selects via Google Picker:
| Scope | Data accessed | Purpose |
|---|---|---|
openid, email | Your Google email address | Identify the account connecting the integration |
https://www.googleapis.com/auth/drive.file | Only the spreadsheets you explicitly select via Google Picker | Synchronize orders with courier spreadsheets (e.g. Fenix) |
We do not access Gmail, Calendar, Contacts, or other Google services. The drive.file scope limits us strictly to files the user explicitly authorizes one by one.
Zentro's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We do not transfer data obtained from Google to third parties for advertising, retargeting, or personalized ad purposes.
- We do not sell data obtained from Google.
- We do not use Google data to train generalized AI or ML models.
- Human review only occurs with explicit user consent or for security, legal compliance, or abuse investigation.
11. Data from Meta (Facebook/Instagram Ads)
Zentro requests the following read-only permission from Meta:
| Permission | Data accessed | Purpose |
|---|---|---|
ads_read | Campaign metrics (spend, impressions, clicks, conversions) | Display your ad performance in the Zentro dashboard |
We do not post content, send messages, or create or modify campaigns. We only read metrics for in-app reporting.
12. Data from TikTok Marketing API
Zentro accesses the TikTok Marketing API exclusively to read metrics from advertiser accounts the merchant authorizes:
| Permission | Data accessed | Purpose |
|---|---|---|
Reporting (Read) | Campaign metrics (spend, impressions, conversions, CPC, CTR) | Calculate ROAS by combining ad spend with delivered COD revenue |
We do not access private videos, direct messages, or personal data of the TikTok account. TikTok data is not permanently stored; it is fetched on demand when the dashboard is opened.
13. Cookies
We use strictly necessary cookies for sessions (authentication) and aggregated analytics cookies (Vercel Analytics, Speed Insights). We do not use advertising or third-party tracking cookies. Full details at Cookie Policy.
14. Children
The service is not directed to children under 14. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact us to delete it.
15. Security breaches
In case of a breach affecting personal data, we will notify the Peruvian Data Protection Authority (ANPDP) and affected data subjects within the timeframes set by Law 29733 and applicable regulations (e.g., 72 hours under GDPR).
16. Changes to this policy
We may update this policy. Material changes will be notified by email or visible notice on the platform with at least 30 days' prior notice. The last updated date appears at the top.
17. Contact
Privacy questions: privacy@zentro.one. You can also request data deletion at /en/data-deletion.