Rzzro Intelligence ("Rzzro," "we," "us," or "our") operates rzzro.com, a commodity intelligence platform serving procurement professionals, CPOs, CFOs, and supply chain executives. This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have — regardless of where you are located.
This Policy applies to all visitors, registered users, and subscribers of rzzro.com, its subdomains, and any related services (collectively, the "Platform"). By accessing or using the Platform, you acknowledge that you have read and understood this Policy.
01 — Data We Collect
1.1 Data you provide directly
- Account registration: name, work email address, company name, job title, country.
- Subscription and payment: billing name, billing address, payment method details — processed by Stripe; we do not store full card numbers.
- Communications: messages sent via email, contact forms, or support channels.
- Preferences: notification settings, alert thresholds, saved scenarios, and dashboard configurations.
1.2 Data collected automatically
- Usage data: pages visited, features used, search queries, report downloads, API calls made, timestamps.
- Device and technical data: browser type, operating system, screen resolution, referring URL. GoatCounter (our analytics tool) processes this data in anonymised, aggregate form — no IP addresses are stored, no cookies are placed, no persistent identifiers are used. See Section 8.
1.3 Data we do not collect
- Sensitive personal data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, sexual orientation) through normal use of the Platform.
- Personal data of children under 16. The Platform is not directed at minors.
02 — Legal Basis for Processing
- Contract performance (GDPR Art. 6(1)(b) / LFPDPPP Art. 10): processing necessary to provide the subscribed service — account creation, delivering reports, API access, billing.
- Legitimate interests (GDPR Art. 6(1)(f)): improving the Platform, preventing fraud, ensuring security, conducting anonymised analytics. We balance these against your rights and do not override them.
- Legal obligation (GDPR Art. 6(1)(c)): complying with applicable laws and responding to lawful requests from public authorities.
- Consent (GDPR Art. 6(1)(a)): for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
03 — How We Use Your Data
- Providing and operating the Platform: delivering reports, price data, tools, and API services.
- Processing payments and managing your subscription.
- Sending transactional communications: account confirmations, receipts, password resets, service alerts, and price notifications you have configured.
- Sending marketing communications about new features or products — only if you have opted in. You can unsubscribe at any time via the link in any email.
- Improving the Platform through aggregated, anonymised usage analytics.
- Detecting, investigating, and preventing fraud, abuse, and security incidents.
- Complying with legal obligations.
We do not sell your personal data. We do not use your data to create advertising profiles, sell access to it to advertisers, or share it with data brokers.
04 — Data Sharing and Disclosure
4.1 Service providers
We share personal data only with carefully selected processors under data processing agreements that require them to protect your data:
- Payment processing: Stripe, Inc. — processes payment card data under its own privacy policy and PCI DSS compliance. We never store full card numbers.
- Infrastructure: Cloud providers (e.g., Supabase, AWS, or equivalent) used to store account data and serve the Platform.
- Analytics: GoatCounter — receives anonymised, aggregated usage data. No personal data is shared with GoatCounter.
4.2 Legal disclosures
We may disclose personal data if required to do so by law or in response to valid legal requests by public authorities (e.g., a court order, law enforcement request, or regulatory investigation).
We will notify you of such requests where permitted and will oppose overly broad or inappropriate requests.
4.3 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will require the acquiring entity to honor this Privacy Policy or provide you with notice and an opportunity to opt out.
05 — Data Retention
- Account data: retained for the duration of your account plus 12 months after account deletion, or as required by applicable law.
- Usage data (anonymised): retained indefinitely in aggregate form.
- Payment data: processed and retained by Stripe under its own data retention policy. We retain only transaction references (date, amount, plan tier) for billing records.
- Communications: retained for the duration of the inquiry plus 24 months.
Upon account deletion, we delete or anonymise your personal data within 30 days, except where retention is required by law.
06 — Data Security
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: personal data is encrypted at rest using AES-256.
- Authentication: Supabase Auth handles user authentication with industry-standard password hashing (bcrypt) and optional multi-factor authentication.
- Access controls: database access is restricted to authenticated services only. No direct database access from the public internet.
- API security: API access requires valid authentication tokens. Rate limiting and usage monitoring are applied to all API endpoints.
07 — Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
| Right | Description |
| --- | --- |
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Restriction | Request restriction of processing in certain circumstances. |
| Portability | Receive your data in a structured, commonly used, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent. |
To exercise any of these rights: email jose.trejo@rzzro.com with subject "Data Rights Request." We will respond within 30 days (or the period required by applicable law).
CCPA-specific rights (California residents)
- Right to know: request disclosure of the categories and specific pieces of personal data we have collected about you.
- Right to delete: request deletion of personal data we have collected, subject to certain exceptions.
- Right to opt out of sale: we do not sell personal data. No opt-out is necessary.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.
LFPDPPP-specific (Mexico)
- ARCO rights: Access, Rectification, Cancellation, and Opposition — exercised by emailing jose.trejo@rzzro.com.
- Revocation of consent: you may revoke your consent to data processing at any time. Revocation may affect the Platform's ability to provide the subscribed service.
08 — Analytics (GoatCounter)
Rzzro uses GoatCounter for web analytics. GoatCounter is a privacy-first analytics platform that:
- Processes data in anonymised, aggregate form only.
- Does not store IP addresses.
- Does not place cookies.
- Does not use persistent identifiers.
- Does not track users across websites.
No personal data is sent to GoatCounter. The data collected includes page views, referrer patterns, browser type, and screen size — all anonymised and aggregated. You can learn more at goatcounter.com/privacy.
09 — International Data Transfers
Your personal data may be processed in any country where Rzzro or its service providers operate. We ensure appropriate safeguards are in place for international data transfers:
- EU/EEA to third countries: Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Mexico to third countries: Binding corporate rules or contractual clauses consistent with LFPDPPP requirements.
- UK to third countries: International Data Transfer Agreement (IDTA) or SCCs as recognized by the ICO.
Our primary infrastructure providers (Supabase, AWS, or equivalent) maintain data centers in multiple regions. Data is stored in the region closest to you where technically feasible.
10 — Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email to the address associated with your account (for registered users).
- A notice on the Platform (rzzro.com).
- Updating the "Effective Date" at the top of this Policy.
We encourage you to review this Policy periodically. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.
11 — Contact and Supervisory Authorities
For any questions, requests, or complaints regarding this Privacy Policy or our data practices, contact us at:
| Detail | Information |
| --- | --- |
| Email | jose.trejo@rzzro.com |
| Subject | "Data Rights Request" for rights exercises |
| Operator | Rzzro Intelligence — Hermosillo, Sonora, México |
| Response time | 30 days (or period required by applicable law) |
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
| Jurisdiction | Authority | Website |
| --- | --- | --- |
| Mexico | INAI | inai.org.mx |
| EU/EEA | Your national data protection authority | edpb.europa.eu |
| United Kingdom | ICO | ico.org.uk |
| California, USA | CPPA | cppa.ca.gov |
This Privacy Policy covers all data processing activities conducted by Rzzro Intelligence at rzzro.com. It does not apply to third-party websites linked from the Platform. Where there is any conflict between this Policy and applicable law, applicable law prevails.