Privacy Policy
- EFFECTIVE DATE: April 15, 2026 (v1.1 — Cloud Amendment)
- DATA CONTROLLER: Zion Enterprises Ltda.
- WEBSITE: www.enterpriseszion.com
- PRIVACY CONTACT: privacy@enterpriseszion.com
- LEGAL CONTACT: legal@enterpriseszion.com
Zion Enterprises Ltda. (“we,” “us,” or “our”) is committed to protecting your privacy and the privacy of children. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our applications. This policy complies with COPPA, GDPR, CCPA/CPRA, LGPD, and other applicable data protection laws. By using any of our applications, you consent to the practices described herein.
1. DATA CONTROLLER
The data controller (controlador) responsible for your personal data is Zion Enterprises Ltda., a sociedade limitada registered in the Comarca de Curitiba, State of Paraná, Brazil, reachable at www.enterpriseszion.com.
The designated Data Protection Officer (Encarregado de Dados under LGPD Art. 41) can be contacted at privacy@enterpriseszion.com for all privacy inquiries, data subject access requests (DSAR), LGPD requests, GDPR requests, and COPPA parental requests.
2. INFORMATION WE COLLECT
We collect information that you provide directly to us during account registration and use of the Application, as well as limited data collected automatically.
3. INFORMATION WE DO NOT COLLECT
We do NOT collect: (a) biometric data; (b) precise GPS or geolocation data; (c) contacts or address book data; (d) photos, camera, or gallery data; (e) browsing history; (f) cross-app tracking data; (g) advertising identifiers; (h) financial or payment card data (all payments processed by app stores); (i) health or medical data.
We do NOT collect any data from, about, or on behalf of infants or children who may be in proximity to the device during use of the Baby Frequencies feature.
The Application does not contain third-party advertising SDKs, behavioral tracking pixels, or social media tracking scripts.
4. CHILDREN'S PRIVACY — COPPA COMPLIANCE
Zion Enterprises Ltda. is fully committed to compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6506, the FTC COPPA Rule (16 C.F.R. Part 312), the EU General Data Protection Regulation (GDPR) Article 8 (child consent), the UK Age Appropriate Design Code, Brazil's LGPD, and all equivalent international child privacy regulations.
THE APPLICATION IS NOT DIRECTED AT CHILDREN UNDER 13. We do not knowingly collect, solicit, maintain, use, or disclose personal information from children under 13 years of age.
BABY FREQUENCIES FEATURE — ZERO CHILD DATA COLLECTION: The Baby Frequencies feature is operated exclusively by adult parents and guardians on their own adult accounts. This feature: (a) collects ZERO data from infants or children; (b) uses ZERO persistent identifiers linked to infants or children; (c) does NOT permit infants or children to interact with, operate, or input data into the Application; (d) does NOT display targeted advertising to children; (e) does NOT use child-directed behavioral tracking of any kind; (f) stores playback history only under the adult user's account and profile.
The Baby Frequencies feature is functionally equivalent to a parent playing a radio in a nursery — the infant is a passive bystander, not a user. No data flows to or from the infant.
PARENTAL RIGHTS UNDER COPPA: Parents and guardians have the right to: (a) review any personal information collected from their child (if inadvertently collected); (b) request deletion of their child's personal information; (c) refuse further collection of their child's information; (d) revoke consent at any time. To exercise these rights, contact privacy@enterpriseszion.com with the subject line "COPPA Parental Request."
If we discover or are notified that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will: (a) immediately cease using that information; (b) permanently delete all such information from our active databases within 48 hours; (c) confirm deletion to the notifying parent or guardian.
We do not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.
5. HOW WE USE YOUR INFORMATION
We use the personal information we collect for the following purposes:
(a) To provide, maintain, and improve the Application and its features.
(b) To create and manage your user account and authenticate your identity.
(c) To communicate with you regarding your account, service updates, security alerts, and support.
(d) To analyze aggregated, anonymized usage patterns to improve the Application.
(e) To detect, prevent, and address technical issues, security threats, fraud, and abuse.
(f) To comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of Zion Enterprises Ltda. and users.
We do NOT use your personal information for: automated decision-making or profiling that produces legal effects; sale to third parties; targeted advertising; cross-app behavioral tracking.
6. LEGAL BASIS FOR PROCESSING (GDPR / UK GDPR)
If you are in the EEA, United Kingdom, or a jurisdiction requiring a legal basis for data processing, we rely on the following legal bases:
Contractual Necessity: Processing required to provide the Application's services under our agreement with you.
Legitimate Interests: Processing for service improvement, security, and fraud prevention, where not overridden by your fundamental rights.
Consent: Where you have given explicit consent (e.g., marketing). Withdraw consent at any time by contacting privacy@enterpriseszion.com.
Legal Obligation: Processing necessary to comply with legal requirements applicable to Zion Enterprises Ltda.
7. DATA SHARING AND DISCLOSURE
Zion Enterprises Ltda. DOES NOT SELL, RENT, TRADE, OR SHARE YOUR PERSONAL INFORMATION WITH THIRD PARTIES FOR THEIR MARKETING OR ADVERTISING PURPOSES. We have never sold personal information and will never sell personal information.
We may share your information only in these limited circumstances:
Sub-processors (Operadores under LGPD Art. 39): Limited set of technical service providers who process data strictly on our written instructions. Each sub-processor is bound by a written data processing agreement imposing confidentiality, security, and audit obligations substantially equivalent to those in this Policy. The current list of sub-processors is disclosed in Section 7.1 below.
Legal Requirements: When required by law, subpoena, court order, or regulation, or to protect rights, safety, or property.
Business Transfers: In connection with a merger, acquisition, or asset sale, subject to the same privacy protections. You will be notified of any such transfer.
COPPA Note: We do not share any information collected from or about children with any third party, except as required by law enforcement or to protect child safety.
7.1 SUB-PROCESSORS (LGPD Art. 9, I and IV; GDPR Art. 28)
The following sub-processors currently process personal data on behalf of Zion Enterprises Ltda. This list constitutes the disclosure required by LGPD Article 9, inciso I (specific purpose of processing) and inciso IV (shared use of data).
We will provide advance notice (not less than thirty days, unless operational urgency requires otherwise) before adding or replacing any sub-processor that processes personal data of identifiable natural persons. Users may, at any time, withdraw consent to international data transfers by requesting account deletion (see Section 19).
8. DATA RETENTION
Specific retention periods, as required by LGPD Art. 9, II (form and duration of processing):
Account Data (identity, contact, location): Retained for the active life of your account. Upon deletion request, the account is immediately deactivated and marked for purge. Permanent, irreversible deletion from the active database occurs within 30 days of the deletion request; automated backup copies are purged within 90 days.
Session and Refresh Tokens: Refresh tokens expire automatically 30 days after issuance and are deleted on logout, password change, or token rotation. Expired tokens are purged daily.
Password Reset Tokens: Single-use tokens with a hard 30-minute expiry, automatically invalidated upon use or account password change.
Audit Log: Security-relevant events (login attempts, password changes, profile updates, account deletion, token refresh) are retained for 90 days in a dedicated audit table, then automatically purged. Audit entries contain the event type, user ID, truncated IP address, user-agent string, and an event timestamp. Audit data is NOT used for behavioral profiling or analytics.
Anonymized, aggregated analytics data (which cannot identify you) may be retained indefinitely for service improvement.
If we discover we hold data from a child under 13, that data is deleted within 48 hours of discovery, independent of the above periods.
9. DATA SECURITY
We implement technical and organizational measures (medidas técnicas e administrativas de segurança, LGPD Art. 46) reasonably designed to protect personal data against unauthorized access, accidental or unlawful destruction, loss, alteration, or disclosure.
Encryption in Transit: All communications between the Application and our servers use TLS 1.3 (minimum TLS 1.2). HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age. No personal data is transmitted over unencrypted channels.
Encryption at Rest: Sensitive identifiers (email address, telephone number) are encrypted at rest in the production database using AES-256-GCM with authenticated encryption. Database-level encryption is additionally provided by the cloud sub-processor (Section 7.1).
Password Hashing: Passwords are hashed on the server using the bcrypt algorithm at work factor 12. Plaintext passwords are never persisted, logged, or transmitted to sub-processors. Password changes trigger automatic revocation of all existing sessions.
Authentication Tokens: Access tokens are RS256-signed JSON Web Tokens with a 15-minute lifetime. Refresh tokens are bcrypt-hashed at rest, rotated on every use, and revocable server-side. Every successful login revokes prior sessions for the same account on the same tenant (single-device sign-in).
Rate Limiting: Authentication endpoints (login, registration, password reset, account deletion) are rate-limited to mitigate credential-stuffing and enumeration attacks.
Access Controls: Production infrastructure access is restricted to a minimum set of authorized personnel, protected by multi-factor authentication (TOTP) and logged for audit review.
Sub-processor Security Posture: Our primary hosting sub-processor operates under SOC 2 Type II controls and runs on underlying infrastructure certified under ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS, and HIPAA.
Transparency Note: We are not a zero-knowledge provider. Personal data you submit is processed server-side for authentication, account recovery, and service delivery. We do, however, minimize identifiable data collection, encrypt identifiers at rest, and restrict access strictly to what is operationally necessary (LGPD Art. 6, III — "necessity").
No system is impervious to all threats. In the event of an incident affecting your personal data, we will comply with the breach notification obligations described in Section 17.
10. YOUR RIGHTS
Depending on your jurisdiction, you have the following rights:
Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
Right to Restriction: Request restriction of processing in certain circumstances.
Right to Data Portability: Receive your data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any right, contact privacy@enterpriseszion.com. We respond within 30 days (or as required by your applicable law). Identity verification may be required.
11. CALIFORNIA PRIVACY RIGHTS (CCPA / CPRA)
California residents have additional rights under the CCPA and CPRA:
Right to Know: Request categories and specific pieces of personal information collected in the past 12 months.
Right to Delete: Request deletion of personal information.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: Zion Enterprises Ltda. does not sell or share personal information. No opt-out is necessary, but you may submit a request for confirmation.
Right to Limit Use of Sensitive Personal Information: We use sensitive personal information only for purposes permitted under the CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights.
To submit a verifiable consumer request, email legal@enterpriseszion.com with the subject line "CCPA/CPRA Request."
Authorized agents may submit requests on your behalf with signed written authorization.
12. BRAZILIAN DATA PROTECTION (LGPD)
Zion Enterprises Ltda. is headquartered in Brazil and is fully subject to the Lei Geral de Proteção de Dados (LGPD — Lei nº 13.709/2018). As a Brazilian data controller (controlador), we comply with all LGPD requirements, including:
(a) Legal Basis (Art. 7): We process personal data based on: consent (Art. 7, I); contractual necessity (Art. 7, V); legitimate interest (Art. 7, IX); and legal obligation (Art. 7, II).
(b) Your LGPD Rights (Art. 18): You have the right to: confirmation of processing; access to your data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; information about public and private entities with which your data has been shared; information about the possibility of denying consent and the consequences thereof; revocation of consent at any time.
(c) Children's Data (Art. 14): Processing of children's and adolescents' personal data shall be carried out in their best interest, with specific and prominent consent given by at least one parent or legal guardian. We do not knowingly process children's data.
(d) Data Protection Officer (Art. 41): Our Encarregado de Dados can be reached at privacy@enterpriseszion.com.
(e) Regulatory Authority: The ANPD (Autoridade Nacional de Proteção de Dados) is the competent authority for LGPD enforcement. You may lodge complaints with the ANPD at www.gov.br/anpd.
13. INTERNATIONAL DATA TRANSFERS
Your personal data is stored and processed in the United States of America by our hosting sub-processor (Section 7.1), regardless of your country of residence. This constitutes an international data transfer for the purposes of LGPD Chapter V, GDPR Chapter V, and equivalent frameworks.
Legal Basis for Transfer under LGPD (Lei nº 13.709/2018, Art. 33): Zion Enterprises Ltda. relies on (a) Art. 33, V — specific and highlighted consent of the data subject, given prior to registration through acceptance of this Privacy Policy, and (b) Art. 33, II — necessity for the performance of the contract between the data subject and Zion Enterprises Ltda. (account-based delivery of the Application). To date, the ANPD (Autoridade Nacional de Proteção de Dados) has not issued an adequacy decision in respect of the United States; we monitor this position and will update our safeguards accordingly.
Legal Basis for Transfer under GDPR / UK GDPR: For data subjects in the EEA or United Kingdom, transfers to the United States are carried out under (a) the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914, incorporated into our agreements with U.S.-based sub-processors, and (b) supplementary technical and organizational measures (encryption at rest and in transit, key management, access controls) where the Schrems II analysis so requires.
Data Subject Rights During Transfer: Your LGPD, GDPR, CCPA, and other statutory rights travel with your data. You may exercise all rights described in Section 10 regardless of where the data is physically stored.
Withdrawal of Consent: You may withdraw consent to international data transfers at any time by deleting your account (Section 19). Upon deletion, your personal data is purged in accordance with the retention schedule in Section 8.
By creating an account and using the Application, you acknowledge that your personal data will be transferred to, stored in, and processed in the jurisdictions listed in Section 7.1, and you grant the specific and highlighted consent required by LGPD Art. 33, V for such transfers.
14. COOKIES AND TRACKING TECHNOLOGIES
The Application uses only essential local storage to maintain your session, preferences, and authentication state.
We do NOT use: advertising cookies; cross-application tracking; behavioral tracking pixels; social media tracking scripts; third-party advertising SDKs; fingerprinting technologies.
You may clear local storage through your device settings, which may require re-authentication.
15. THIRD-PARTY ANALYTICS
We may use privacy-respecting analytics services to collect anonymized, aggregated usage data (app opens, screen views, crash reports).
Analytics data cannot be used to personally identify you. We do not share personally identifiable information with analytics providers. We do not use analytics tools that collect data from children.
16. DO NOT TRACK SIGNALS
The Application honors Do Not Track (DNT) browser signals where applicable. We do not engage in cross-site tracking or behavioral advertising.
17. DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Zion Enterprises Ltda. will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33); (b) notify affected users without undue delay; (c) document the nature of the breach, categories of data affected, approximate number of users affected, and remedial measures taken.
If a breach involves any data inadvertently collected from a child under 13, we will notify the child's parent or guardian directly in addition to the above measures.
18. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will: (a) update the "Effective Date" at the top of this Policy; (b) notify you through the Application or by email prior to changes taking effect; (c) where required by law, obtain your renewed consent.
Your continued use after the effective date of any revised Policy constitutes acceptance.
19. ACCOUNT DELETION
You have the right to permanently and irreversibly delete your account and all associated personal data at any time.
To delete your account, visit: https://admin.enterpriseszion.com/account/delete
The web deletion flow is reachable even if you have already uninstalled the Application. Enter your email, confirm with a 6-digit PIN we send to that address, and every account registered with that email is permanently deleted across every Zion Enterprises app.
Upon deletion: (a) your account is immediately deactivated and all sessions terminated; (b) all personally identifiable data is permanently purged from active databases within 72 hours; (c) all user-created presets, favorites, journal entries, playback history, and settings are permanently deleted; (d) anonymized aggregate analytics (non-identifiable) may be retained; (e) backup purges complete within 90 days.
You will receive email confirmation when deletion is complete. If not received within 7 business days, contact support@enterpriseszion.com.
20. CORPORATE STRUCTURE
Zion Enterprises Ltda. is a sociedade limitada (LTDA) duly organized under Brazilian law, registered in the Comarca de Curitiba, State of Paraná. In accordance with Article 1.052 of the Brazilian Civil Code, the liability of quotaholders is limited to the value of their quotas.
The privacy and data protection obligations described in this Policy are obligations of Zion Enterprises Ltda. as a legal entity (pessoa jurídica). No individual quotaholder, administrator, officer, or employee of Zion Enterprises Ltda. bears personal liability for data protection obligations beyond what is strictly required by the LGPD, GDPR, or other applicable data protection law.
21. CONTACT US
For privacy inquiries, data subject requests, COPPA parental requests, or any questions about this Policy:
Zion Enterprises Ltda.
Privacy Officer: privacy@enterpriseszion.com
Legal: legal@enterpriseszion.com
Support: support@enterpriseszion.com
Website: www.enterpriseszion.com
Account Deletion: https://admin.enterpriseszion.com/account/delete
For COPPA-related parental requests, please use the subject line "COPPA Parental Request" when contacting privacy@enterpriseszion.com.