Privacy Policy

The Short Version

1. What We Collect

Account information

• Name, email address, and password when you sign up
• Business name, phone number, and location entered during setup
• Billing information processed by Stripe (we never see or store your full card number)

Business data you enter

• Customer records — names, addresses, phone numbers, service history
• Route stops, job notes, and scheduled appointments
• Door knock logs including GPS coordinates and outcomes
• Invoices and payment records
• Before and after photos captured at job completion
• Canvassing session data and territory maps

Usage data

• Pages visited within the app and actions taken
• Device type, browser, and IP address
• Error logs and performance data to keep the platform running smoothly

2. How We Use Your Data

• To operate and improve the ZyloBase platform
• To send automated SMS and email messages to your customers on your behalf
• To process payments and manage your subscription
• To send you product updates, billing notices, and support communications
• To detect and prevent fraud or unauthorized access
• To comply with legal obligations

We do not use your data to train AI models. We do not use your customer data for any purpose other than operating the platform for your organization.

3. SMS and Email Communications

ZyloBase sends transactional SMS messages to your customers on your behalf — including appointment confirmations, "tech on the way" notifications, job completion alerts, invoice delivery, payment receipts, Google Review requests, and follow-up service reminders.

• Each organization gets a dedicated phone number for SMS — your customers always see the same number.
• Message frequency varies based on the services your business is providing — typically 1–6 messages per service event (appointment, completion, invoice, follow-up).
• Message and data rates may apply. Standard carrier charges apply to all SMS sent or received.
• Customers can reply STOP at any time to opt out of all future messages from that business. Reply HELP for assistance.
• Opt-out requests are recorded and honored automatically across all message types.
• You (the operating business) are responsible for obtaining and documenting end-user consent before any number is messaged through ZyloBase. Consent is collected by your business directly from your customer at the point of sale, service signup, or inbound contact — never transferred from another sender or list.

Mobile information non-sharing. No mobile information collected through ZyloBase will be shared with third parties or affiliates for marketing or promotional purposes. The categories of personal information listed in this Privacy Policy excluded from sharing are: text messaging originator opt-in data and consent. This information will not be shared with any third parties.

4. Who We Share Data With

We work with a small number of trusted service providers to operate ZyloBase:

Each provider is bound by data processing agreements. None of them may use your data for their own purposes.

We do not share your data with advertisers, data brokers, or any third party not listed above. We will never sell your data.

4a. BookSync™ (QuickBooks Online integration)

BookSync™ is an optional integration that syncs invoices, payments, and customer records from your ZyloBase account into your QuickBooks Online company. It only operates when you explicitly connect QuickBooks Online from Settings → Integrations.

What we send to QuickBooks Online when you use BookSync™:

• Customer name, email, phone, and billing address — created or matched as a Customer record in your QBO company
• Invoice details — line items, total, due date, your invoice number
• Payment records — amount and the linked Invoice when you mark an invoice paid in ZyloBase

What we receive from QuickBooks Online:

• Your QBO Company name and Company ID (realmId), to identify which company is connected
• Confirmation that an Invoice / Payment / Customer was successfully created or updated
• OAuth access tokens and refresh tokens needed to authorize future syncs

How tokens are stored: Access and refresh tokens are encrypted at rest in our database using PostgreSQL pgcrypto symmetric encryption (AES). The encryption key is held only as a server-side environment variable. Plaintext tokens never persist in database logs or replication.

How to disconnect: You can disconnect BookSync™ at any time from Settings → Integrations → Disconnect. We revoke the OAuth tokens with Intuit and delete them from our database. Records already synced into your QuickBooks Online company stay in QuickBooks Online — they belong to you.

What we do NOT do: We do not read or store your QuickBooks Online accounting data (your chart of accounts, journal entries, bank balances, payroll, etc.) beyond what is needed to verify that an invoice or customer push succeeded. ZyloBase is not a substitute for QuickBooks Online and does not display or analyze your QBO accounting data inside our app.

BookSync™ is built and maintained by ZyloBase. It is not produced by, endorsed by, or affiliated with Intuit beyond Intuit's standard developer-program approval. Intuit, QuickBooks, and QuickBooks Online are trademarks of Intuit Inc.

4b. Google Calendar integration

The Google Calendar integration is an optional sync that publishes your scheduled jobs to a dedicated ZyloBase calendar inside your Google account, so techs can see their day on the calendar they already use. It only operates when you explicitly connect a Google account from Settings → Integrations.

Scope requested: https://www.googleapis.com/auth/calendar. We request this single restricted scope and no others. We do not request access to Gmail, Drive, Contacts, or any other Google service.

What we send to Google Calendar when you use the integration:

• Event title (job service type and customer first name)
• Event start and end time (your scheduled job time and duration)
• Event location (the customer's service address)
• An idempotency tag (extended_properties.private.zylobase_job_id) so updates and deletes target the right event

What we receive from Google:

• The connecting account's email address and the chosen Calendar ID, to identify which calendar is connected
• OAuth access tokens and refresh tokens needed to authorize future syncs
• Confirmation that an event was successfully created, updated, or deleted

How tokens are stored: Access and refresh tokens are encrypted at rest in our database using PostgreSQL pgcrypto symmetric encryption (AES). The encryption key is held only as a server-side environment variable. Plaintext tokens never persist in database logs or replication.

How to disconnect: You can disconnect Google Calendar at any time from Settings → Integrations → Disconnect. We revoke the OAuth tokens with Google and delete them from our database. You can also revoke ZyloBase's access at any time from your Google Account permissions page (myaccount.google.com/permissions) — the next sync attempt will fail gracefully and the integration will mark itself disconnected.

What we do NOT do: We do not read your existing calendar events, do not analyze your calendar contents, do not share Google data with third parties, do not use Google data for advertising, and do not allow human access to Google data except as explicitly required to provide and improve the integration's user-facing features. ZyloBase's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

The Google Calendar integration is built and maintained by ZyloBase. It is not produced by, endorsed by, or affiliated with Google beyond Google's standard developer-program approval. Google and Google Calendar are trademarks of Google LLC.

5. Data Retention

• Your data is retained as long as your account is active
• Upon cancellation, data is retained for 30 days to allow export, then permanently deleted
• Door knock GPS logs are retained for 12 months, then anonymized
• Billing records are retained for 7 years as required by law

6. Your Rights

You have the right to:

• Access all data we hold about you and your organization
• Export your data at any time from the Reports section of the app
• Correct inaccurate information in your account
• Delete your account and all associated data
• Opt out of non-essential communications from us

To exercise any of these rights, email jeremy@zylobase.com. We'll respond within 5 business days.

7. Security

We take security seriously.

• All data is encrypted in transit (TLS) and at rest (AES-256)
• Row-level security ensures no organization can access another's data
• Passwords are hashed and never stored in plain text
• API keys are scoped and can be rotated at any time from your settings
• Access to production systems is restricted to authorized personnel only

If you discover a security vulnerability, please email jeremy@zylobase.com immediately. We take all reports seriously and will respond within 24 hours.

8. Cookies

ZyloBase uses minimal cookies — only what's necessary to keep you logged in and remember your preferences. We do not use advertising cookies or third-party tracking pixels.

9. Children's Privacy

ZyloBase is a business software platform. We do not knowingly collect information from anyone under 18. If you believe a minor has created an account, contact us and we will delete it immediately.

10. Changes to This Policy

We'll notify you by email at least 14 days before making material changes to this Privacy Policy. The most current version is always available at zylobase.com/privacy.

11. Contact

ZyloBase LLC
Alpharetta, Georgia, USA
jeremy@zylobase.com

We respond to privacy inquiries within 5 business days.