Data controller
Zerozonas, MB, company code 307224979, Sorbų g. 16A-2, LT-11330 Vilnius
Personal data processing information
Zerozon privacy policy
This privacy policy explains how Zerozon processes personal data when users visit the website, use the mobile app, create an account, scan QR codes, pay a deposit, initiate a return, or contact Zerozon.
Privacy contact
[email protected], www.zerozon.eu, +370 674 54013
Terms
Rules for platform use, QR identification, deposit payment, returns, and refunds are described in the separate Terms of Use.
TermsVersion
2.0, prepared on 2026-03-11.
Key purposes
Platform operations, deposit administration, fraud prevention, customer support, compliance with legal obligations, and service improvement.
01
Data controller
The data controller is Zerozonas, MB, company code 307224979, address Sorbų g. 16A-2, LT-11330 Vilnius, contact phone +370 674 54013.
At the time of publication of this version, the general and privacy contacts are [email protected] and www.zerozon.eu.
If Zerozon appoints a data protection officer in the future, the contact details will be published on the platform and in this policy.
02
What data we process
Zerozon processes only the personal data needed to operate the platform, administer deposits, ensure security, provide customer support, and meet legal requirements.
- Account and identification data: first name, last name or chosen user name, email address, phone number, login identifiers, account ID, and authentication logs.
- Payment and deposit data: payment transaction identifiers, payment method, partial card data or tokens, payment status, refund identifiers, chargeback or dispute information, deposit amounts, return dates, and statuses.
- Usage and technical data: device type, operating system, app version, browser, IP address, timestamps, session identifiers, crash logs, security and error logs, and geolocation information where the user grants permission for map functionality.
- QR and unit interaction data: scanned unit identifier, scan time, place, account link to the unit, return location, return-registration status, and technical error records.
- Communication data: inquiry content, correspondence, call notes, complaint materials, submitted documents, or screenshots.
- Partner and event interaction data: information about locations where the user collected or returned a unit, active locations, and service restrictions.
03
Sources of data
We receive data directly from you when you register, make a payment, complete forms, or submit inquiries.
Certain data is collected automatically from your device, the app, cookies, or similar technologies when you use the platform.
Some data may also be obtained from payment service providers, partners, IT service providers, fraud-prevention providers, or identity-assurance providers where necessary for a legitimate purpose.
04
Purposes and legal bases
We process personal data only for defined purposes and on applicable legal bases.
- Contract formation and performance: account creation, identification, linking QR scan events to a user, collecting the deposit, registering returns, initiating refunds, and supporting a specific transaction.
- Legal obligation: accounting records, tax and anti-money-laundering requirements, recording user requests and complaints, and responding to authority requests.
- Legitimate interests: service security, fraud prevention, technical monitoring, internal audits, business continuity, dispute handling, and the establishment, exercise, or defense of legal claims.
- Consent: optional marketing, push notifications, non-essential cookies, and precise location data where consent is required.
- Where partners or other entities act for their own purposes, they may rely on their own legal bases and inform users separately.
05
Whether you must provide data
Some data is necessary to perform the contract. If you do not provide essential account, payment, or transaction data, Zerozon cannot provide the relevant function, such as enabling deposit payment or initiating its return.
Optional data, such as marketing consents or precise location permissions, is provided voluntarily. Not providing it should not automatically block core platform functions, except where location data is objectively required for a feature.
06
Automated assessment and fraud prevention
Zerozon may use automated rules and risk indicators to detect unusual payment behavior, mass QR scanning, duplicated returns, linked accounts, device anomalies, and other possible abuse.
These assessments are generally used for security and legitimate-interest purposes. More significant decisions, such as long-term account blocking or refusal of a refund, should be reviewed by a human where required by the circumstances and applicable law.
07
Who we disclose data to
We disclose data only to the extent necessary for a specific lawful purpose.
- Payment service providers, such as Stripe and related infrastructure, to the extent needed for payments, refunds, dispute handling, and fraud prevention.
- Partners to the extent necessary for operating return locations, customer support, unit identification, dispute investigation, or incidents related to the partner's operations.
- IT, cloud, hosting, analytics, communications, customer support, legal, accounting, audit, and security service providers.
- Law-enforcement authorities, supervisory authorities, dispute-resolution bodies, courts, or other competent institutions where required by law or necessary to defend rights.
08
International data transfers
Where service providers or their subcontractors operate outside the European Economic Area, data may be transferred only using a lawful transfer mechanism, such as an adequacy decision by the European Commission, standard contractual clauses, or another valid safeguard.
This section should be read together with Zerozon's actual supplier infrastructure and real data flows.
09
Retention periods
Account data is stored while the account is active and for a reasonable period after closure where needed for complaints, disputes, security, or legal compliance.
Payment, refund, chargeback, and accounting data is stored for as long as required by accounting, tax, financial, and limitation rules.
Technical security logs are stored for a shorter, proportionate period unless a specific incident requires longer retention.
Marketing consents are stored until they are withdrawn and for a reasonable period afterwards in order to evidence the consent or its withdrawal.
10
Your rights
You may request access to your data, rectification of inaccurate data, erasure, restriction of processing, objection where applicable, data portability, and withdrawal of consent at any time where processing is based on consent.
Where processing is based on legitimate interests, you may object, and Zerozon will assess whether its interests override your rights and freedoms.
Requests can be submitted to [email protected] or another official channel indicated on the platform. Zerozon may request reasonably necessary additional information to verify your identity.
11
Children's data
The platform is not intended for children who cannot independently enter into the relevant agreements or use payment instruments under applicable law.
If Zerozon learns that data has been collected improperly from a minor, it may take reasonable steps to remove the data or restrict its processing.
12
Security measures
Zerozon applies technical and organizational measures such as access management, logs, pseudonymization, TLS protection, restricted vendor access, backups, and incident-management procedures to the extent proportionate to the risks and nature of the service.
No system can guarantee absolute security, so users must also protect their login details and devices.
13
Complaints to a supervisory authority
If you believe your personal data is processed improperly, you have the right to lodge a complaint with the State Data Protection Inspectorate or another competent supervisory authority in the place where you live or work.
14
Changes to this policy
This privacy policy may be updated when the service model, suppliers, laws, or data flows change.
The latest version is published on the platform and, where necessary, material changes are communicated separately.