Privacy Policy

1. Introduction

Zyvora is developed and operated by ShadowPing LLC ("ShadowPing", "we", "us", or "our"). This Privacy Policy describes how we collect, use, store, and protect information when you use the Zyvora platform (the "Platform").

This Policy covers two categories of people: (1) Subscribers — businesses and their staff who use Zyvora to run their operations, and (2) End Customers — the clients of those businesses whose data is entered into the Platform by Subscribers.

2. Information We Collect

Subscriber Account Data: When you register, we collect your business name, contact information, billing details, and account credentials. This is used to create and maintain your account.

Business Operational Data: Data you enter to operate your business — including staff profiles, service catalogs, schedules, appointment records, point-of-sale transactions, inventory records, payroll data, and business settings. You own this data.

End Customer Data: Information about your clients that you enter into the Platform — including names, contact details, appointment history, payment records, loyalty points, consent records, and (if clinical features are enabled) health-related information. You are the data controller for your customers' data; ShadowPing acts as a data processor on your behalf.

Visual & Biometric-Adjacent Data: If you use Zyvora's nail identification or before/after photo features, the Platform collects and stores photographs of customers' nails, skin, or other physical characteristics. These images may be associated with a customer's identity in the Platform. You are responsible for obtaining appropriate consent from your customers before collecting such imagery.

Audio & Video Surveillance Data: If you connect a camera or security system integration (such as Solink, Verkada, Eagle Eye, or Spot AI), audio and video recordings of your business premises — including recordings of end customers who visit your salon — may be captured and processed through that integration. ShadowPing does not directly store camera footage; it is processed and stored by the third-party camera provider under their own terms. You are responsible for complying with all applicable recording consent laws and posting required notices in your premises.

Communications Data: SMS, RCS, email, and voice communications sent through the Platform (via Twilio and Azure Communication Services). Message content, delivery status, and timestamps are stored for inbox management and compliance.

Payment Data: Payment transactions processed through integrated payment processors (Square, Stripe, etc.). Raw card numbers are never stored by ShadowPing — only tokenized references provided by the payment processor.

Usage & Analytics Data: Log data, feature usage patterns, error reports, and performance metrics. This data is used to improve the Platform and is not shared with third parties for advertising.

Device & Hardware Data: IP addresses, browser/app type, device identifiers, and session data collected when you access the Platform. If you use integrated hardware (iPads, card readers, barcode scanners, receipt printers), device identifiers and hardware interaction data may be collected.

Clinical Data (if applicable): If you use Zyvora's clinical features (SOAP notes, HIPAA-flagged forms), protected health information (PHI) is stored with enhanced security controls and strict access logging. A Business Associate Agreement (BAA) is required for clinical feature use.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Zyvora Platform and its features
• Process and manage your subscription, billing, and payments
• Send transactional communications (invoices, account alerts, payment failure notices)
• Enable the AI-powered features of the Platform (scheduling, smart assistant, risk scoring, coaching notes)
• Provide customer support and respond to your inquiries
• Monitor Platform security, detect fraud, and ensure integrity of the system
• Comply with legal obligations

We do not use your data or your customers' data for advertising, third-party marketing, or any purpose unrelated to providing the Platform.

4. Data Sharing & Third Parties

We do not sell your data. We share data only as necessary to operate the Platform:

• Payment Processors: Square, Stripe, PayPal, Global Payments, TSYS, Chase — to process customer transactions. Your processor credentials are stored in Azure Key Vault, never in the database.
• Payment Hardware SDKs: Stripe Terminal and Square Terminal SDKs are used for in-person card-present payments. These SDKs process card data directly on the hardware device and transmit it to the respective payment processor.
• Communication Providers: Twilio (SMS, MMS, RCS, voice) and Azure Communication Services (email) — to deliver messages sent through the Platform.
• AI Providers: Requests to AI services (including Anthropic Claude, Google Gemini, Groq, and OpenAI, routed through ShadowPing's AI proxy layer) are limited to what is needed to generate the requested output. For clinical and HIPAA-scoped features specifically, ShadowPing uses Azure OpenAI Service — a separate Microsoft-hosted service governed by a Business Associate Agreement (BAA) with Microsoft — rather than OpenAI's consumer API. Data sent to AI providers is not stored by those providers for model training under our enterprise agreements.
• Cloud Infrastructure: Microsoft Azure — the Platform is hosted on Azure (Azure SQL, Azure Functions, Azure Blob Storage, Azure Key Vault, SignalR). Data is stored in secure, access-controlled Azure environments.
• Image Delivery: Imgix is used to serve customer photos (including before/after images and profile photos). Images stored in Azure Blob Storage are delivered through Imgix's CDN for optimized display.
• Push Notifications: Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM) are used to deliver push notifications to mobile devices. Device tokens and notification content are transmitted to these providers for delivery.
• Camera & Security Integrations: If you enable a camera or security system integration (Solink, Verkada, Eagle Eye, Spot AI), customer names, staff names, transaction metadata, timestamps, event data, and audio captured where camera hardware supports it from the Platform may be transmitted to the camera provider to enable event linking and AI-powered video review features. These providers process and store video and audio recordings under their own privacy policies. API credentials for camera integrations are stored in Azure Key Vault and are permanently deleted when you disconnect the integration or terminate your account.
• Hardware SDKs: Star Micronics (receipt printer SDK) and Zebra (barcode scanner SDK) are used for hardware integrations. Print jobs may contain customer and transaction data; barcode scan data (including gift card numbers and customer barcodes) is processed locally by these SDKs.
• Financial Integrations: Plaid may be used to link bank accounts for reconciliation purposes. QuickBooks, Xero, and similar accounting integrations receive financial transaction data per your configuration.
• Payroll Integrations: If you connect a payroll integration (such as Gusto, ADP, or Paychex), staff personal information including names, hours, compensation, and tax data is transmitted to the payroll provider to process payroll on your behalf.
• Reputation & Marketing Integrations: If you connect reputation management tools (such as Birdeye or Podium) or marketing platforms (such as Google, Meta, Mailchimp, or TikTok Business), customer data relevant to those integrations (such as contact details and review requests) is shared with the respective provider per your configuration.
• Procurement Integrations: If you connect procurement or supplier integrations (such as SalonInteractive or Shopify), inventory and order data is shared with those providers per your configuration.
• Legal Requirements: We may disclose data if required by law, court order, or to protect the rights, property, or safety of ShadowPing, our users, or others.

5. Data Storage & Security

All Platform data is stored on Microsoft Azure infrastructure with enterprise-grade security controls. We implement the following security measures:

• Multi-tenant row-level security on all database tables — your data is isolated from other tenants
• Azure Key Vault for all sensitive credentials (payment processor keys, API tokens, OAuth tokens)
• AES-256 encryption for data at rest and TLS 1.2+ for data in transit
• Immutable, append-only audit log for all data access and modifications
• Role-based access control with 250+ granular permissions
• SAS token access with 15-minute expiry for file/media access
• Automated security monitoring, anomaly detection, and rate limiting

No raw payment card data is ever stored on our servers. Processor credentials are stored exclusively in Azure Key Vault.

6. End Customer Data & Your Responsibilities

As a Subscriber, you are the data controller for the personal information of your clients stored in the Platform. ShadowPing processes this data as a data processor on your behalf, only to provide the Platform services.

You are responsible for:

• Obtaining any legally required consents from your customers before collecting their data, including consent for photographs, biometric-adjacent imagery, and any data collected through connected integrations
• Informing your customers if your business premises are subject to audio or video recording through any connected camera integration, and posting any legally required recording notices
• Responding to your customers' data subject rights requests (access, correction, deletion)
• Complying with applicable data protection laws in your jurisdiction, including GDPR, CCPA, and any other applicable regulations

Zyvora provides tools to support GDPR compliance, including customer data export, right-to-erasure workflows with audit trails, and per-salon consent tracking with legal text versioning.

7. GDPR & International Data Transfers

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you may have specific rights regarding your personal data. These may include the right to access, rectify, erase, restrict processing of, or port your data, and the right to object to certain processing.

Data transfers outside the EEA are conducted under appropriate safeguards, including Standard Contractual Clauses where applicable. Please contact us at privacy@zyvora.app if you have questions about international data transfers.

8. CCPA (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of your personal information.

ShadowPing does not sell personal information. To exercise your CCPA rights, contact us at privacy@zyvora.app.

9. Data Retention

We retain Subscriber Data for as long as your subscription is active. After cancellation, data is accessible in read-only mode for 90 days, then archived to cold storage. Archived data is retained for a minimum of 7 years for legal and compliance purposes unless you request earlier deletion.

End customer data is retained per the configurable retention policies within the Platform (default 7-year retention for customer documents). Clinical data is subject to healthcare record retention requirements in your jurisdiction.

Camera integration metadata — including VideoBookmark records, event metadata, and expiring access URLs associated with camera integrations such as Solink — is retained while the integration is active and for 90 days after disconnection or account cancellation, after which it is permanently deleted. Actual video footage is not stored by ShadowPing; it remains with the third-party camera provider under their own retention policies. Camera integration credentials stored in Azure Key Vault are destroyed upon disconnection of the integration or termination of your account.

Audit log data is retained for 12 months in active storage and archived to long-term storage thereafter.

10. Cookies & Tracking

The Zyvora web application uses session cookies and local storage for authentication and application state. We do not use third-party advertising cookies or tracking pixels.

The Zyvora marketing website (zyvora.app) may use analytics tools to understand visitor behavior. No personally identifiable information is collected through these analytics.

11. Children's Privacy

The Platform is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If a Subscriber collects information about minors (e.g., for youth services), the Subscriber is responsible for obtaining appropriate parental consent.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or within the Platform. The "Effective Date" at the top of this page reflects when the current version was published.

13. Contact Us

For privacy-related questions, data subject requests, or to request a Business Associate Agreement (BAA) for clinical feature use, please contact us:

ShadowPing LLC (Ohio, USA) — privacy@zyvora.app | support@zyvora.app