ZRY Privacy Policy
Last updated November 21, 2025
We take a privacy-by-design approach to watermarking and provenance tooling. This policy describes what we collect, how we use it, and the controls available to you. The dashboard provides automated GDPR tools for data access, portability, and erasure; enterprise administrators can extend these workflows through our API.
Who We Are
ZRY provides watermarking, provenance, and verification services for digital media. We operate this application as the data controller for customers who sign up directly with us.
Personal Data We Process
- Account details: email address, Firebase user identifier, tenant metadata and company name (optional).
- Billing information: Stripe customer identifiers, subscription status, and invoicing events.
- Service usage: API key metadata, webhook endpoints, audit logs (timestamp, action, IP, user agent), processing jobs and usage aggregates.
- Uploaded content: files and manifests stored in Google Cloud Storage for watermarking and verification workflows.
How We Use Your Data
- Deliver core watermarking, signing, and verification functionality.
- Provide customer support, security monitoring, and fraud prevention.
- Generate aggregated, pseudonymised metrics for capacity planning.
- Comply with legal obligations, including audit logging and incident response.
Lawful Bases
- Contract: enabling authenticated access to the watermarking platform and fulfilment of paid subscriptions.
- Legitimate interests: maintaining platform security, preventing abuse, and improving reliability.
- Consent: optional marketing communications, research programmes, and anonymised AI evaluation.
Retention
Tenant configuration and audit records are retained for the lifetime of the account. Usage analytics and Redis-derived metrics are stored for 90 days. Uploaded assets follow customer-managed lifecycle policies; deletion requests remove them immediately.
Data Subject Rights
- Access & Portability: download a structured ZIP archive via the dashboard (“Settings → Data Subject Controls”) or the /api/v1/privacy/dsr/export endpoint.
- Rectification: update account metadata from the dashboard or contact support for complex changes.
- Erasure: submit a self-service deletion from the dashboard. Requests enter a minimum 7-day grace period (configurable by contract) before we permanently remove Firestore documents, Redis caches, stored assets, and the Firebase account. Contact the privacy team during the grace period to halt processing.
- Restriction & Objection: pause data processing by emailing the privacy team; your tenant will be marked as restricted within 24 hours.
- Consent withdrawal: toggle optional consents at any time under “Privacy & Consent”.
Sub-processors
- Google Cloud Platform (hosting, storage, Firebase Auth).
- Upstash (managed Redis for rate limiting).
- Stripe (payments and billing).
- Sentry (error monitoring).
Contact & DPO
Questions or requests can be sent to privacy@watermarking.app. Our Data Protection Officer can be reached at privacy@watermarking.app.
If you believe we have not addressed your concern, you may lodge a complaint with your local supervisory authority. We will cooperate with regulators and data subjects to resolve any outstanding issues promptly.
Change Log
- November 2025: Added automated GDPR API endpoints, consent registry, and Article 30 processing records.
- September 2025: Clarified sub-processor list and retention periods.