Privacy Policy

Effective Date: August 31, 2025

Entity: Zapro AI Pvt. Ltd. (“Zapro AI,” “we,” “our,” or “us”)

Zapro AI is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our websites (zapro.ai, gozapro.com, thevendor.ai), applications, APIs, and related services (collectively, the “Services”).

If you have signed a Master Services Agreement (MSA) or Enterprise SLA with Zapro AI, that agreement will govern in case of conflict with this Privacy Policy.


1. Information We Collect

We collect the following categories of information:

  • Account Information: Name, email, phone, job title, billing and payment details.
  • Customer Data: Vendor data, procurement records, contracts, or other business information you upload or generate in the Services.
  • Usage Data: Log files, IP addresses, browser/device details, product usage metrics, cookies, and telemetry.
  • Support & Communications: Information you provide in emails, chats, or calls with our support team.
  • Cookies & Tracking: We use cookies, pixels, and analytics tools to understand usage and improve services. See our Cookie Policy for details.

2. How We Use Your Information

We use information to:

  1. Provide, operate, and secure the Services.
  2. Deliver AI-based features and Outputs (with safeguards).
  3. Communicate with you about your account, updates, and support.
  4. Send marketing emails and newsletters only with your prior consent; you may unsubscribe at any time via the link in our emails.
  5. Improve performance, reliability, and user experience.
  6. Detect fraud, abuse, or security risks.
  7. Comply with applicable laws and legal processes.

We do not sell or rent personal information.


Where applicable, our processing is based on:

  • Contractual necessity – providing Services you requested.
  • Legitimate interests – improving security, preventing fraud.
  • Consent – for marketing emails, optional cookies, and certain AI processing.
  • Legal obligations – tax, compliance, government requests.

4. How We Share Information

We may share information with:

  • Subprocessors: Cloud hosting, analytics, communications, and AI infrastructure providers (listed here).
  • Resellers/Partners: If you purchased through an authorized reseller, limited information is shared to support billing and provisioning.
  • Legal Authorities: When required by law, valid court order, or mutual legal assistance treaty.
  • Corporate Transactions: If Zapro AI undergoes a merger, acquisition, or reorganization.

We never sell Customer Data to third parties.


5. Data Retention

  • Customer Data is deleted from active systems within 30 days of account termination.
  • Backups are purged within 60 days.
  • Logs may be retained longer for security, audit, or compliance reasons.
  • Customers may request deletion of their data at any time by contacting infosec@zapro.ai.

6. Security

  • Zapro AI maintains ISO 27001:2022 certified ISMS and SOC 2 Type II audited controls.
  • Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • We apply least-privilege access controls, monitoring, vulnerability management, and incident response procedures.

⚠️ Important: The Services are not designed to process highly sensitive regulated data such as health information (PHI under HIPAA), payment card data (PCI DSS), or children’s data unless explicitly covered by a signed agreement.


7. International Data Transfers

  • Data may be processed in India, the US, or other jurisdictions where we or our subprocessors operate.
  • For EU/UK transfers, we rely on Standard Contractual Clauses (SCCs) and UK IDTA.
  • For India, we comply with the Digital Personal Data Protection Act (DPDP), 2023.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • GDPR/UK GDPR: Access, rectify, erase, restrict, object, portability.
  • CCPA/CPRA: Know, access, delete, opt-out of “sale/share” of data (not applicable; Zapro AI does not sell personal data).
  • DPDP (India): Access, correction, erasure, consent withdrawal, grievance redressal.

You may exercise rights by contacting us at privacy@zapro.ai. We may need to verify your identity before fulfilling requests.


9. Children’s Privacy

The Services are not directed to children under 16 (or minimum age in your country). We do not knowingly collect children’s data. If we learn we have, we will delete it promptly.


10. AI-Specific Disclosures

  • Inputs & Outputs: You control your prompts and Customer Data. Outputs are generated based on your inputs and are your responsibility to validate.
  • Model Training: We do not use Customer Data to train generalized AI models unless you provide explicit written opt-in consent.
  • Responsible Use: Outputs should not be used as the sole basis for medical, legal, financial, or safety-critical decisions.

11. Subprocessors and Third Parties

We maintain an updated subprocessor list here. We will notify customers before adding new subprocessors.


12. Cookies & Tracking

We use:

  • Strictly Necessary Cookies: Required for basic functionality.
  • Analytics Cookies: To understand usage and improve services.
  • Functional Cookies: To remember preferences.
  • Advertising/Retargeting Cookies: Only if you consent.

You can manage cookies via your browser settings or our cookie banner. See our Cookie Policy.


13. Changes to this Privacy Policy

We may update this Privacy Policy periodically. Updates will be posted on our website with a revised “Effective Date.” Where required by law, we will provide advance notice and obtain consent.


14. Contact Us

For questions or privacy requests:

📧 privacy@zapro.ai
📧 legal@zapro.ai
📍 Zapro AI Pvt. Ltd., WeWork Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India

If you are in the EU/UK, you may also contact our appointed EU/UK Representative at:
📧 eu-privacy@zapro.ai

If you are in India, you may contact our appointed Grievance Officer at:
📧 privacy@zapro.ai

If you are not satisfied, you may escalate complaints to your local Data Protection Authority (EU/UK) or to the Data Protection Board of India (DPB).


Terms of Service

Last Updated: August 31, 2025

These Terms of Service (“Terms”) govern access to and use of the Services (defined below) provided by Zapro AI Pvt. Ltd., a company incorporated in India (“Zapro AI”, “we”, “us”, or “our”). By creating an account, clicking “I agree,” or using the Services, you agree to these Terms. 

If you use the Services on behalf of an organization, you represent that you have authority to bind that organization to these Terms; “Customer,” “you,” or “your” will refer to that organization.

These Terms form a binding contract. If you do not agree, do not use the Services.


1) Definitions

  • “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • “Services” means our websites and SaaS products, including zapro.ai, gozapro.com, thevendor.ai, related mobile/desktop apps, APIs, documentation, support portals, and any features or modules made available by Zapro AI.
  • “Customer Data” means data, content, files, records, and other information submitted to or processed by the Services by or on behalf of Customer (including by its users).
  • “Outputs” means machine-generated text, summaries, insights, or other results produced by AI or non-AI features of the Services based on Customer prompts or inputs.
  • “Order” means any online sign-up, order form, SOW, or MSA referencing these Terms.
  • “Users” means individuals Customer authorizes to use the Services.

2) Changes to the Terms

We may update these Terms from time to time. If we make material changes, we will update the “Last Updated” date and, where appropriate, notify the account owner by email or in-product notice. Your continued use after changes become effective constitutes acceptance of the updated Terms. The current version controls.


3) Eligibility & Account Registration

3.1 Business Use. The Services are intended for business use, not consumer use.

3.2 Age. You must be the age of majority in your jurisdiction and authorized by your organization.

3.3 Account Security. You are responsible for maintaining the confidentiality of account credentials and for all activity under your accounts. Enable multi-factor authentication where available. Notify us promptly of any unauthorized access or security incident involving your accounts.

3.4 Accuracy. You will keep registration and billing information complete and accurate.

3.5 No Bots. Automated account registration (e.g., bots) is prohibited.


4) Orders; Free Trials; Beta Features

4.1 Orders. Access to paid Services is obtained via an Order specifying plan, term, quantities, and fees.

4.2 Free Trials / Free Plans. We may offer free plans or trials. Trials may be limited in duration or functionality. At the end of a trial, continued use requires payment. We do not sell Customer Data.

4.3 Beta/Pre-Release. We may offer alpha, beta, labs, or pre-release features (“Beta”). Beta is provided AS IS, may be changed or discontinued at any time, and is excluded from SLAs, warranties, and indemnities. Do not rely on Beta for production or high-risk use.


5) Fees, Billing & Taxes

5.1 Fees. Fees are specified in the applicable Order and are payable in advance unless stated otherwise. All fees are non-cancellable and, except as expressly set out in these Terms or an Order, non-refundable.

5.2 Billing. We may charge your payment method on file or invoice you. Invoices are due Net 15 (or as stated in your Order). Late amounts may accrue interest at 1.5% per month (or the maximum allowed by law), plus reasonable collection costs.

5.3 Changes. Upgrades are effective immediately and billed pro-rata for the remainder of the current term; downgrades take effect at the next renewal. We may change pricing for renewals; if so, we’ll give at least 30 days’ notice.

5.4 Taxes. Fees are exclusive of taxes. You are responsible for all sales, use, VAT/GST, withholding, and similar taxes, excluding taxes on our net income. Where required, we will collect and remit taxes and will identify those taxes on your invoice.


6) Term; Renewal; Cancellation & Suspension

6.1 Term & Renewal. Subscriptions run for the term stated in the Order and renew automatically for successive terms of equal length unless either party gives non-renewal notice at least 30 days before the end of the then-current term.

6.2 Customer Cancellation. You may cancel using the in-app cancellation mechanism or by following our published instructions. Upon cancellation or non-renewal, access ends at the close of the paid term.

6.3 Suspension. We may suspend access immediately if: (a) you fail to pay fees when due; (b) we detect security risks, suspected fraud, or violations of these Terms or law; or (c) your use materially degrades the Services for others. We will notify the account owner where practicable.

6.4 Termination for Cause. Either party may terminate on written notice if the other party materially breaches these Terms and fails to cure within 30 days (10 days for non-payment).

6.5 Effect of Termination. Upon termination or expiration: (a) your right to use the Services ceases; (b) you will pay all amounts due; and (c) Section 5.1 applies (no refunds except as expressly stated).

6.6 Data Return & Deletion. After termination or cancellation, you may export Customer Data via available self-service tools until access ends. Following termination, your Customer Data becomes inaccessible. We delete Customer Data from active systems within 30 days and from backups within 60 days. Residual copies in logs or archives may persist for a limited period consistent with our backup cycles and security policies.


7) Customer Data; Privacy; Data Processing

7.1 Ownership. Customer retains all right, title, and interest in and to Customer Data.

7.2 License to Provide Services. You grant us and our Affiliates a non-exclusive, worldwide, royalty-free license to host, copy, process, transmit, display, and otherwise use Customer Data as necessary to provide and support the Services, prevent or address service or technical issues, and as otherwise permitted by these Terms.

7.3 Privacy & DPA. Our processing of personal data is described in our Privacy Policy. Where required by applicable data protection laws (e.g., GDPR/UK GDPR/CCPA/CPRA), our Data Processing Addendum (DPA) applies and is incorporated by reference, including applicable Standard Contractual Clauses (SCCs) or other transfer mechanisms for international data transfers.

7.4 Subprocessors. We use trusted third-party subprocessors (e.g., cloud hosting, AI model providers) to support the Services. We maintain a current list of subprocessors, which may be updated from time to time; we may provide it if deemed necessary.

7.5 Security. We maintain administrative, physical, and technical safeguards designed to protect Customer Data commensurate with risk, including encryption in transit, logical access controls, and vulnerability management. We follow industry-standard practices and maintain business continuity and disaster recovery measures.

7.6 Data Incidents. If we become aware of a confirmed unauthorized access to, or disclosure of, personal data in our possession (“Security Incident”), we will notify the account owner without undue delay (and in any event within timeframes required by law) and provide information reasonably available to help you meet your obligations.

7.7 Government & Law Enforcement Requests. We disclose Customer Data only in accordance with applicable law and our policies. As an Indian company with infrastructure in India and the US, we respond to valid legal processes issued by competent authorities. Unless legally prohibited, we will notify you of requests that implicate your Customer Data.


8) AI-Specific Terms (Inputs, Outputs, and Responsible Use)

8.1 Inputs & Outputs. You control your prompts/inputs and Customer Data. Subject to these Terms, you may use Outputs for your business. You are responsible for evaluating the accuracy, legality, and appropriateness of Outputs for your use case and for implementing appropriate human review.

8.2 No Prohibited Data. Do not input data that you are not authorized to process, or data subject to heightened regulation (e.g., biometric identifiers, payment card PANs, PHI under HIPAA, children’s data) unless expressly permitted in an Order or DPA.

8.3 Model Training. We do not use Customer Data to train foundation models or to improve the generalized capabilities of third-party models unless you provide express, written opt-in consent. We may use de-identified, aggregated telemetry for service analytics, abuse detection, and reliability improvements.

8.4 High-Risk Use. The Services (including AI features) are not designed for life-critical or high-risk environments (e.g., medical diagnosis, autonomous vehicles, nuclear facilities). You must implement safeguards appropriate to your risk tolerance and regulatory obligations.

8.5 Third-Party AI & Terms. Some features may invoke third-party AI services as subprocessors. Your use of those features is subject to these Terms and any pass-through terms we identify in the documentation or DPA.


9) Acceptable Use

You will not, and will not permit others to:
a) use the Services in violation of law or for fraudulent, harmful, defamatory, infringing, or privacy-invasive activities;
b) upload malware or attempt to gain unauthorized access to the Services;
c) bypass or breach security, rate limits, or access controls;
d) interfere with or degrade the Service or another customer’s use;
e) use the Services to survey individuals without lawful basis and notice;
f) send spam or unlawful communications;
g) process special categories of personal data without a lawful basis and our prior written consent;
h) reverse engineer, decompile, or attempt to derive source code (except to the extent permitted by law);
i) benchmark, publish, or disclose Service performance tests without our written consent;
j) resell or sublicense the Services except as expressly authorized;
k) misrepresent your identity or impersonate others.


10) APIs & Developer Terms

10.1 API License. Subject to these Terms, we grant a limited, revocable, non-exclusive, non-transferable license to use our APIs to build integrations with the Services.

10.2 Fair Use & Rate Limits. We may set or modify rate limits and quotas. Excessive or abusive use may result in throttling or suspension.

10.3 Monitoring / Surveillance. APIs may not be used to build tools that monitor users’ behavior beyond legitimate business purposes (e.g., reasonable time tracking) or in ways that violate privacy or employment laws.

10.4 Third-Party Integrations. We are not responsible for third-party services or integrations you enable. Your use of third-party services is governed by their terms and privacy policies.


11) Intellectual Property; Feedback; DMCA

11.1 Our IP. We and our licensors own all right, title, and interest in the Services, including software, UI/UX, designs, know-how, and trademarks. No rights are granted except as expressly stated.

11.2 Customer Marks. With your consent (email is sufficient), we may use your name and logo to identify you as a customer (e.g., on our website). You may revoke consent at any time by notifying us.

11.3 Feedback. You grant us a perpetual, irrevocable, royalty-free license to use and incorporate suggestions or feedback without restriction or obligation.

11.4 Copyright Complaints. If you believe content on the Services infringes your copyright, please send a notice to copyright@zapro.ai with: (a) your contact details; (b) identification of the work claimed to be infringed; (c) the allegedly infringing material and its location; (d) a statement of good-faith belief; (e) a statement under penalty of perjury regarding accuracy and authority; and (f) your physical or electronic signature. We will respond consistent with applicable law (including the DMCA for U.S. content).


12) Confidentiality

12.1 Confidential Information. Each party may receive non-public information from the other that is marked or reasonably understood to be confidential (“Confidential Information”). Customer Data is your Confidential Information; the Services and pricing are our Confidential Information.

12.2 Protection. The receiving party will protect the disclosing party’s confidential information using at least the same care it uses to protect its own (and no less than reasonable care) and will use it only to fulfill these Terms.

12.3 Exclusions. Confidential Information does not include information that is or becomes public through no fault of the receiving party, is independently developed, or is rightfully received from a third party without confidentiality obligations.

12.4 Compelled Disclosure. The receiving party may disclose confidential information to the extent required by law, provided it gives prompt notice (where lawful) to allow the disclosing party to seek protective measures.


13) Warranties & Disclaimers

13.1 Mutual Authority. Each party represents that it has the right and authority to enter into these Terms.

13.2 Compliance. You represent that you will use the Services in compliance with applicable laws (including anti-spam, privacy/data protection, export control, and anti-corruption laws).

13.3 AS IS. Except as expressly provided, the Services, Beta features, and Outputs are provided “AS IS” and “AS AVAILABLE”, without warranties of any kind, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not warrant that the Services or Outputs will be error-free, uninterrupted, accurate, or meet your requirements.


14) Indemnification

14.1 By Zapro AI (IP Infringement). We will defend and indemnify you against third-party claims alleging that the Services (as provided by us) infringe a patent, copyright, or trademark, or misappropriate a trade secret, and will pay damages and reasonable attorneys’ fees finally awarded by a court or agreed in settlement. 

If the Services become (or in our opinion are likely to become) subject to a claim, we may: (a) replace or modify the Services; (b) procure rights for continued use; or (c) terminate the affected Services and refund prepaid fees for the remaining term. We have no obligation for claims arising from: (i) your or a third party’s materials, data, or combination of the Services with non-Zapro products; (ii) modifications not made by us; (iii) use not in accordance with documentation; or (iv) Beta features.

14.2 By Customer. You will defend and indemnify us against third-party claims arising from: (a) Customer Data or your use of the Services in violation of law or these Terms; or (b) any content or instructions you provide.

14.3 Procedure. The indemnified party must: (a) promptly notify the indemnifying party; (b) allow control of the defense and settlement; and (c) provide reasonable cooperation. The indemnifying party will not settle a claim imposing obligations other than payment without the other party’s consent (not unreasonably withheld).


15) Limitation of Liability

15.1 Exclusion. To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, goodwill, or data, even if advised of the possibility of such damages.

15.2 Cap. Except for your payment obligations and each party’s indemnification obligations under Section 14, each party’s total aggregate liability for all claims arising out of or related to the Services or these Terms shall not exceed the amounts actually paid by you to us for the Services during the twelve (12) months immediately preceding the event giving rise to the claim.

15.3 Basis of the Bargain. The limitations in this Section are fundamental elements of the basis of the bargain between the parties.


16) Compliance; Export; Anti-Corruption; Sanctions

16.1 Export Controls. You will comply with all applicable export, re-export, and sanctions laws and regulations, including those of India, the United States, the United Kingdom, and the EU. 

You represent you are not located in or ordinarily resident of, and will not permit Users to access the Services from, any jurisdiction embargoed by these regimes, or on any restricted party list.

16.2 Anti-Corruption. You will comply with anti-bribery and anti-corruption laws (including the U.S. FCPA and UK Bribery Act). You will not offer, pay, request, or accept bribes or improper advantages in connection with the Services.


17) Service Levels, Support & Maintenance

17.1 Service Levels. Unless otherwise set out in a mutually signed SLA or MSA, no specific uptime or response metrics apply and the Services are provided on an AS AVAILABLE basis.

17.2 Support. Standard support is provided via our help centre and email: support@zapro.ai. Enhanced support may be purchased via Order.

17.3 Planned Maintenance. We may perform maintenance from time to time. Where practicable, we will schedule maintenance outside major business hours and provide notice for disruptive changes.


18) Professional Services & Deliverables (If Any)

Any professional services (e.g., configuration, onboarding, consulting) are provided pursuant to an Order or SOW. 

Unless expressly assigned, we retain ownership of pre-existing materials and generic know-how; we grant you a non-exclusive license to use deliverables internally with the Services.


19) Publicity

With your consent, we may identify you as a customer (name and logo) on our website and in marketing materials. 

You may revoke consent at any time by notifying support@zapro.ai; we will make commercially reasonable efforts to remove references going forward.


20) Government Use

If you are a government entity, you agree that the Services are “commercial computer software” and “commercial computer software documentation” and will be used solely in accordance with these Terms.


21) Force Majeure

Neither party is liable for delays or failures due to events beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riots, labor disputes, government actions, internet or utility failures (excluding payment obligations). 

The affected party will notify the other and resume performance as soon as practicable.


22) Assignment; Subcontracting

You may not assign these Terms without our prior written consent, except to an Affiliate or in connection with a merger, sale, or reorganization involving substantially all your assets or equity, provided the assignee is not our direct competitor and assumes all obligations. 

We may assign or subcontract in our discretion; we remain responsible for subcontractors’ performance.


23) Notices

Notices to Zapro AI must be sent to legal@zapro.ai and to our registered address:
Zapro AI Pvt. Ltd., Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India.

We may provide notices to you via email to the address on your account, in-product messages, or posting on our website.


24) Governing Law; Dispute Resolution; Arbitration

24.1 Governing Law & Venue. These Terms are governed by the laws of India, without regard to conflicts of law rules.

Subject to Section 24.2, courts located in Bengaluru, Karnataka, India have exclusive jurisdiction.

24.2 Arbitration. Any dispute arising out of or relating to these Terms will be finally resolved by arbitration under the Arbitration and Conciliation Act, 1996. The seat and venue of arbitration shall be Bengaluru, India; the proceedings shall be conducted in English by a sole arbitrator appointed jointly (or by the courts if the parties cannot agree). 

Nothing prevents either party from seeking interim or injunctive relief from a court of competent jurisdiction.

24.3 No Class Actions. To the extent permitted by law, disputes must be brought on an individual basis, not as a plaintiff or class member in any class or representative action.


25) Order of Precedence; Entire Agreement; Waiver; Severability

25.1 Precedence. If there is a conflict between these Terms and an Order, SOW, DPA, or MSA signed by both parties, the signed document controls for the conflicting subject matter (in this order: MSA → DPA → SLA/SOW/Order → these Terms → online policies).

25.2 Entire Agreement. These Terms (including documents incorporated by reference) constitute the entire agreement and supersede prior or contemporaneous understandings relating to the subject matter.

25.3 No Waiver. A party’s failure to enforce a provision is not a waiver of its right to do so later.

25.4 Severability. If any provision is unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remainder will remain in effect.

25.5 Independent Contractors. The parties are independent contractors; these Terms do not create a partnership, franchise, joint venture, or employment relationship.

25.6 Third-Party Beneficiaries. There are no third-party beneficiaries to these Terms.


26) Contact

Questions about these Terms?
Email: support@zapro.ai | Legal: legal@zapro.ai

Acceptable Use Policy (AUP)

Effective Date: August 31, 2025

Entity: Zapro AI Pvt. Ltd.


1. Purpose

This Acceptable Use Policy (“AUP”) sets the rules governing use of Zapro AI’s Services. It protects Zapro AI, its customers, and end-users by ensuring Services are used legally, responsibly, and ethically.

All customers, users, vendors, partners, contractors, and affiliates accessing Zapro AI Services must comply with this AUP.


2. Scope

This AUP applies to:

  • All Zapro AI Services (applications, APIs, mobile apps, websites: zapro.ai, gozapro.com, thevendor.ai)
  • Hosted infrastructure, storage, AI services, and integrations
  • Any Customer Data uploaded, processed, or transmitted via Zapro AI

3. Prohibited Activities

a) Illegal or Harmful Use

Users may not use the Services to:

  • Violate applicable laws or regulations, including GDPR, DPDP (India), CCPA/CPRA, HIPAA, PCI DSS, OFAC sanctions, and export control laws.
  • Upload or distribute material that is defamatory, obscene, discriminatory, harassing, violent, or promotes hate.
  • Engage in fraud, money laundering, human trafficking, terrorism, or organized crime.

b) Security Violations

Users may not:

  • Introduce malware, ransomware, trojans, or other malicious code.
  • Attempt unauthorized access (hacking, brute force, credential stuffing).
  • Conduct port scanning, vulnerability testing, or penetration testing without written authorization.
  • Interfere with or disrupt Services (e.g., DoS/DDoS, flooding, API abuse).
  • Circumvent authentication, encryption, or other security controls.

c) Data Misuse

Users may not:

  • Access, modify, or delete data belonging to another customer or user without consent.
  • Upload or process sensitive categories of data without a signed agreement:
    • PHI (Protected Health Information under HIPAA)
    • PCI DSS payment card data
    • Children’s data (COPPA)
    • Government-classified or export-controlled data
  • Use Customer Data for unlawful surveillance, discrimination, or profiling.

d) Spam & Abusive Messaging

Users may not:

  • Send unsolicited bulk emails, SMS, or chat messages.
  • Operate pyramid schemes, scams, or deceptive marketing campaigns.
  • Engage in phishing or impersonation.

e) AI & Content Misuse

Users may not:

  • Use Zapro AI outputs to create misleading, harmful, violent, or discriminatory content.
  • Use AI-generated outputs as the sole basis for critical decisions (medical, legal, financial, safety-related).
  • Attempt to extract, reverse-engineer, or train models using Zapro AI’s proprietary systems.
  • Submit prompts intended to generate unlawful or harmful content.

f) Intellectual Property Violations

Users may not:

  • Infringe copyrights, patents, trademarks, or trade secrets.
  • Upload or distribute pirated software, music, videos, or media.
  • Misuse Zapro AI’s brand, trademarks, or logos without authorization.

4. System & Network Integrity

To protect the platform, users must not:

  • Overload the Services (excessive API calls, abusive workloads).
  • Interfere with normal operations of servers, networks, or storage.
  • Use automated tools (bots, crawlers, scrapers) without authorization.
  • Attempt to reverse-engineer, decompile, or bypass platform security.

5. Fair Usage & Resource Limits

  • Zapro AI enforces rate limits, quotas, and usage thresholds to ensure system stability.
  • Excessive or abnormal usage patterns (e.g., sustained overuse beyond plan limits) may result in throttling, suspension, or additional fees.
  • Customers are responsible for monitoring their users’ activities.

6. Customer Responsibilities

Customers must:

  • Ensure all users comply with this AUP.
  • Keep account credentials secure and use MFA.
  • Configure user roles and access rights responsibly.
  • Comply with all industry regulations applicable to their sector (e.g., healthcare, finance, construction).
  • Notify Zapro AI immediately if they suspect account compromise or security issues.

7. Enforcement & Consequences

Zapro AI may take the following actions for AUP violations:

  1. Warning – Informal or formal notice to correct behavior.
  2. Suspension – Temporary restriction of access to Services.
  3. Termination – Permanent closure of account and deletion of data.
  4. Legal Action – Reporting violations to regulators or law enforcement.

8. Appeals Process

Customers may appeal suspensions or terminations by contacting security@zapro.ai within 10 business days. Appeals will be reviewed by Zapro AI’s Compliance team.


9. Changes to this AUP

Zapro AI may update this AUP to reflect changes in law, technology, or company practices. Updates will be posted at zapro.ai/aup, and continued use of the Services constitutes acceptance.


📧 Contact: security@zapro.ai
📍 Zapro AI Pvt. Ltd., Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India

Security Policy

Effective Date: August 31, 2025

Entity: Zapro AI Pvt. Ltd.

This Security Policy defines Zapro AI’s commitment to protecting the confidentiality, integrity, and availability of Customer Data and company assets.


1. Purpose & Scope
Applies to all employees, contractors, affiliates, and subprocessors who have access to Zapro AI systems and Services.


2. Security Objectives
– Protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.
– Maintain resilience and availability of systems.
– Detect and respond effectively to threats and vulnerabilities.
– Align with SOC 2 Type II and ISO 27001:2022.


3. Governance & Responsibility
– Chief Security Officer (or Compliance Lead): Oversees security program.
– Security Team: Implements and monitors security controls.
– Employees/Contractors: Must comply with this policy and complete annual security training.


4. Data Protection & Encryption
– TLS 1.2+ for all external/internal communications.
– AES-256 encryption at rest for databases, storage, backups.
– Keys rotated and stored securely with KMS.
– Customer Data logically separated in multi-tenant environments.


5. Access Control & Identity Management
– Least Privilege: Access granted only as needed.
– MFA required for all accounts.
– RBAC enforced across infrastructure.
– Access reviewed quarterly; revoked upon termination.


6. Network & Infrastructure Security
– Hosting: Azure & AWS with native security services.
– DDoS Protection: Azure DDoS, AWS WAF, CloudFront.
– Firewalls & NAT at perimeter and VPC levels.
– Monitoring: Logs via EFK, metrics via Prometheus, APM via New Relic.
– Load Balancing with Azure/AWS.
– VPN required for internal access.


7. Application Security
– Secure Development Lifecycle (SDLC).
– GitHub with branch protections, code reviews, vulnerability scanning.
– Regular patching of Ruby, JS/TS, React, and libraries.
– Annual penetration tests.
– Vulnerability management with SLA-based patching.


8. Monitoring, Logging & Incident Response
– Monitoring via Prometheus, New Relic, EFK.
– Automated alerts for anomalies and unauthorized access.
– Incident Response plan with defined roles and communication.
– Customer notification within legal timelines.


9. Business Continuity & Disaster Recovery (BC/DR)
– Encrypted daily backups across availability zones.
– DR procedures tested annually.
– Redundant infrastructure with regional failover.


10. Employee Security Practices
– Background checks for sensitive access roles.
– Mandatory onboarding and annual training.
– Device security with encryption, EDR, and patching.
– Privileged access logged, reviewed, and revoked on exit.


11. Vendor & Subprocessor Security
– Subprocessors vetted for SOC 2/ISO/GDPR compliance.
– Bound by Data Processing Agreements (DPA).
– List published at zapro.ai/subprocessors.


12. Compliance Alignment
– SOC 2 Type II audit.
– ISO 27001:2022 certification.
– Aligned with GDPR, CCPA, DPDP.


13. Policy Review & Updates
Reviewed annually and updated for evolving threats, regulations, or certifications.

Contact: security@zapro.ai | compliance@zapro.ai
Zapro AI Pvt. Ltd., Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India

GDPR Compliance Policy

Effective Date: 31 August, 2025

Entity: Zapro AI Pvt. Ltd.


1. Purpose & Scope

This GDPR Compliance Policy describes how Zapro AI ensures that personal data of individuals located in the European Union (EU) and United Kingdom (UK) is collected, processed, stored, and protected in accordance with the General Data Protection Regulation (EU 2016/679) and the UK GDPR.

This policy applies to all Zapro AI employees, contractors, subprocessors, and affiliates involved in processing personal data.


2. Roles under GDPR

  • Customer (You): Data Controller – determines the purposes and means of processing.
  • Zapro AI: Data Processor – processes personal data on behalf of the Controller.
  • Subprocessors: Third-party providers engaged by Zapro AI to deliver Services.

For certain internal activities (e.g., marketing, recruitment), Zapro AI may act as a Data Controller.


Zapro AI only processes personal data where a lawful basis applies:

  • Contractual necessity – to deliver Services.
  • Consent – for marketing communications and optional cookies.
  • Legitimate interests – product improvements, security monitoring.
  • Legal obligations – compliance with tax, law enforcement, and regulatory requirements.

4. Data Subject Rights

Under GDPR/UK GDPR, individuals have the following rights:

  1. Right of Access – obtain a copy of personal data.
  2. Right to Rectification – correct inaccurate data.
  3. Right to Erasure (“Right to be Forgotten”) – request deletion.
  4. Right to Restrict Processing – limit processing under certain conditions.
  5. Right to Data Portability – receive data in a machine-readable format.
  6. Right to Object – object to processing based on legitimate interests or marketing.
  7. Rights related to Automated Decision-Making – request human review of decisions made solely by algorithms.

Requests can be made by emailing privacy@zapro.ai. We will respond within 30 days in accordance with GDPR timelines.


5. Data Transfers Outside the EU/UK

  • Zapro AI hosts data in India and the US (Microsoft Azure and AWS).
  • For international transfers, we rely on:
    • Standard Contractual Clauses (SCCs) approved by the European Commission.
    • UK International Data Transfer Agreement (IDTA) for UK transfers.
  • Zapro AI ensures equivalent protection standards for all data transferred outside the EU/UK.

6. Subprocessors

  • Zapro AI uses vetted subprocessors for infrastructure, analytics, AI processing, and collaboration tools.
  • A full list is published at zapro.ai/subprocessors.
  • Customers are notified in advance of material changes.

7. Security of Processing

Zapro AI implements technical and organizational measures (TOMs) aligned with SOC 2 and ISO 27001:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access Control: MFA, RBAC, least privilege.
  • Monitoring: Prometheus, EFK Stack, New Relic.
  • Resilience: Backups, DR testing, high availability infra.
  • Incident Response: Documented IR plan with customer notification obligations.

8. Data Retention

  • Customer Data is deleted from active systems within 30 days of account termination.
  • Backups are purged within 60 days.
  • Logs may be retained longer for security, audit, or compliance reasons.
  • Customers may request deletion of their data at any time by contacting infosec@zapro.ai.

9. Data Protection Officer (DPO) / EU-UK Representative

  • Zapro AI has appointed a Data Protection Lead reachable at: privacy@zapro.ai.
  • For EU/UK customers, Zapro AI maintains a representative for GDPR inquiries at: eu-privacy@zapro.ai.

10. Breach Notification

  • In the event of a personal data breach, Zapro AI will notify affected customers without undue delay and, where required, report to relevant supervisory authorities within 72 hours of becoming aware.

11. Training & Awareness

  • All employees undergo annual GDPR and data protection training.
  • Data handling practices are reinforced through policies, awareness campaigns, and periodic audits.

12. Accountability & Review

  • Zapro AI maintains documentation of all processing activities (Records of Processing Activities – ROPA).
  • This GDPR Policy is reviewed annually or when regulations/operations change.

📧 Contact: privacy@zapro.ai
📍 Zapro AI Pvt. Ltd., Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India

Responsible Disclosure Policy

Effective Date: August 31, 2025

Entity: Zapro AI Pvt. Ltd.


1. Purpose
Zapro AI is committed to maintaining the highest security standards. We welcome input from the security community and our customers to help us identify and address vulnerabilities before they can be exploited.

This Responsible Disclosure Policy establishes a framework for reporting vulnerabilities safely, and outlines Zapro AI’s commitments to researchers who report in good faith.


2. Scope
This policy applies to:
– Zapro AI’s production Services:
 – zapro.ai, gozapro.com, thevendor.ai
 – Web applications, APIs, and cloud-hosted infrastructure
 – Mobile apps and integrations operated by Zapro AI
– Supporting infrastructure (Azure, AWS) as configured by Zapro AI
– Corporate applications that may impact security of customer data (e.g., Freshdesk, HubSpot)

Out of Scope:
– Denial-of-service (DoS/DDoS) and brute force attacks
– Social engineering against Zapro AI staff or contractors
– Physical security attacks against Zapro AI offices, employees, or facilities
– Issues affecting only outdated browsers, plugins, or unsupported platforms
– Vulnerabilities in third-party services not directly managed by Zapro AI


3. Reporting a Vulnerability
Researchers should report vulnerabilities responsibly by emailing security@zapro.ai.

Reports must include:
– Detailed description of the issue
– Steps to reproduce
– Proof-of-concept or screenshots/logs where possible
– Potential impact (confidentiality, integrity, or availability risk)

We encourage use of encrypted submissions. Our PGP key is available at zapro.ai/security-pgp.


4. Zapro AI’s Commitments
When a vulnerability is reported under this policy:
1. Acknowledgement – We will acknowledge receipt within 72 hours.
2. Assessment – We will investigate promptly and determine severity based on CVSS or equivalent.
3. Remediation – Critical/high issues will be prioritized for immediate remediation; medium/low will be remediated according to SLAs.
4. Transparency – We will update the researcher on progress and provide final remediation confirmation.
5. Safe Harbor – If you act in good faith, follow this policy, and avoid causing harm, Zapro AI will not pursue legal action.
6. Disclosure Timeline – We aim to remediate critical issues within 30 days; researchers must not disclose publicly until Zapro AI confirms remediation.


5. Researcher Guidelines
To ensure safety and legality, researchers must:
– Avoid exploiting beyond proof-of-concept.
– Avoid accessing, altering, or deleting Customer Data.
– Avoid actions that degrade performance (e.g., DoS tests, fuzzing at scale).
– Avoid privacy violations (e.g., attempting to access accounts of others).
– Provide reasonable time for Zapro AI to remediate before public disclosure.


6. Vulnerability Severity Handling
Zapro AI uses industry-standard severity classification (CVSS v3.1):
– Critical: Must be remediated immediately.
– High: Remediated within 30 days.
– Medium: Remediated within 60 days.
– Low: Addressed in next scheduled release.


7. Recognition & Rewards
– Researchers may be listed in our Security Hall of Fame (with consent).
– While Zapro AI does not currently operate a paid bug bounty program, we may launch one in the future.


8. Continuous Improvement
Every reported vulnerability is logged, reviewed, and fed into our security program to strengthen controls and prevent recurrence.
Contact: security@zapro.ai
Zapro AI Pvt. Ltd., Prestige Atlanta, Koramangala, Bengaluru, Karnataka, India