Privacy Policy
Last updated: September 8, 2025
1. Introduction
Zest Desk ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service that enhances the BigCommerce ordering experience for customer service teams.
2. Information We Collect
Personal Information
We may collect personal information that you provide directly to us, including:
- Name and contact information (email address, phone number)
- Account credentials
- Company information
- Payment information (processed securely through third-party payment processors)
Usage Information
We automatically collect certain information about your use of our Service, including:
- Log data (IP address, browser type, access times)
- Device information
- Usage patterns and preferences
- Performance data
BigCommerce Integration Data
When you connect your BigCommerce store to our Service, we may access and process:
- Product information
- Customer data (as authorized by you)
- Order information
- Store configuration data necessary for our Service to function
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Process transactions and manage your account
- Communicate with you about your account and our Service
- Provide customer support
- Analyze usage patterns to improve our Service
- Comply with legal obligations
- Protect against fraud and abuse
4. Information Sharing and Disclosure
We do not sell, trade, or otherwise transfer your personal information to third parties except as described in this policy:
- Service Providers: We may share information with trusted third-party service providers who assist us in operating our Service
- BigCommerce: We integrate with BigCommerce APIs and may share data as necessary for the Service to function
- Legal Requirements: We may disclose information if required by law or to protect our rights
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet or electronic storage is 100% secure.
6. Data Retention
We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Our specific retention periods vary by data type and jurisdiction:
General Data Retention
- Account Information: Retained for the duration of your account plus 7 years after closure for business records
- Transaction Data: Retained for 7 years from the date of transaction for tax and accounting purposes
- Usage Logs: Retained for 2 years for security and service improvement purposes
- Support Communications: Retained for 3 years from last contact
United States Data Retention
For customers in the United States, we comply with federal and state data retention requirements:
- Business records are retained for 7 years as required by IRS regulations
- Employee data (if applicable) is retained per federal employment law requirements
- We follow industry-standard practices for data deletion and anonymization
California Data Retention (CCPA/CPRA)
For California residents, in addition to the rights listed below, we:
- Retain personal information only as long as reasonably necessary for the purposes disclosed
- Delete personal information upon verified request unless an exception applies
- Maintain records of deletion requests and actions taken for at least 24 months
- Provide specific retention period information upon request
European Union Data Retention (GDPR)
For EU residents, we comply with GDPR data minimization and retention principles:
- Personal data is retained only for as long as necessary for the specific purposes for which it was collected
- We conduct regular reviews of stored data to ensure compliance with retention limits
- Data is automatically deleted or anonymized when retention periods expire
- When the legal basis for processing expires, data is deleted unless another lawful basis exists
7. Your Rights
Depending on your location, you may have certain rights regarding your personal information. We are committed to honoring these rights in accordance with applicable laws.
General Rights (All Users)
- Access: Request access to your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Data Portability: Request a copy of your data in a structured, machine-readable format
California Residents (CCPA/CPRA Rights)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (with certain exceptions)
- Right to Opt-Out: Opt out of the sale or sharing of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit the use and disclosure of sensitive personal information
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
To exercise these rights, contact us at info@zestdesk.com with "California Privacy Request" in the subject line.
European Union Residents (GDPR Rights)
If you are located in the European Union, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Obtain confirmation of whether we process your personal data and access to such data
- Right of Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure (Right to be Forgotten): Request deletion of your personal data under certain circumstances
- Right to Restrict Processing: Request restriction of processing under certain circumstances
- Right to Data Portability: Receive your personal data in a structured, commonly used format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise these rights, contact us at info@zestdesk.com with "GDPR Request" in the subject line. We will respond within 30 days as required by GDPR.
Verification Process
To protect your privacy, we may need to verify your identity before processing certain requests. This may include:
- Confirming the email address associated with your account
- Providing additional identification information
- Answering security questions related to your account
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience with our Service. You can control cookie preferences through your browser settings, though this may affect the functionality of our Service.
9. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies.
10. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers:
For EU Residents (GDPR Compliance)
- We only transfer personal data to countries with an adequacy decision from the European Commission
- Where no adequacy decision exists, we use Standard Contractual Clauses (SCCs) approved by the European Commission
- We conduct Transfer Impact Assessments where required
- Additional safeguards may include encryption, pseudonymization, and access controls
For US and Other International Transfers
- We use industry-standard security measures for all data transfers
- Contractual protections are in place with all data processors and service providers
- Regular audits ensure compliance with our data protection standards
12. Legal Basis for Processing (EU Users)
For users in the European Union, we process personal data only when we have a legal basis to do so:
- Contract Performance: Processing necessary to provide our Service under our Terms of Service
- Legitimate Interests: Processing for our legitimate business interests (e.g., fraud prevention, service improvement)
- Consent: Processing based on your explicit consent (which you may withdraw at any time)
- Legal Obligation: Processing required to comply with legal requirements
- Vital Interests: Processing necessary to protect vital interests of individuals
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page and updating the "Last updated" date
- Sending email notification to your registered email address for significant changes
- Providing prominent notice on our website for material changes affecting your rights
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Data Protection Officer and Contact Information
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us:
- Email: info@zestdesk.com
- Subject Line for Privacy Requests:
  - "GDPR Request" for EU residents
  - "California Privacy Request" for CA residents
  - "Privacy Request" for all other inquiries
Response Time: We will respond to your privacy requests within 30 days (or as required by applicable law).