Rzzro Intelligence ("Rzzro," "we," "us," or "our") operates rzzro.com, a commodity intelligence platform serving procurement professionals, CPOs, CFOs, and supply chain executives. This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have — regardless of where you are located.
This Policy applies to all visitors, registered users, and subscribers of rzzro.com, its subdomains, and any related services (collectively, the "Platform"). By accessing or using the Platform, you acknowledge that you have read and understood this Policy.
01 — Data We Collect
1.1 Data you provide directly
- Account registration: name, work email address, company name, job title, country.
- Subscription and payment: billing name, billing address, payment method details — processed by Stripe; we do not store full card numbers.
- Communications: messages sent via email, contact forms, or support channels.
- Preferences: notification settings, alert thresholds, saved scenarios, and dashboard configurations.
1.2 Data collected automatically
- Usage data: pages visited, features used, search queries, report downloads, API calls made, timestamps.
- Device and technical data: browser type, operating system, screen resolution, referring URL. GoatCounter (our analytics tool) processes this data in anonymised, aggregate form — no IP addresses are stored, no cookies are placed, no persistent identifiers are used. See Section 8.
1.3 Data we do not collect
- Sensitive personal data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, sexual orientation) through normal use of the Platform.
- Personal data of children under 16. The Platform is not directed at minors.
02 — Legal Basis for Processing
- Contract performance (GDPR Art. 6(1)(b) / LFPDPPP Art. 10): processing necessary to provide the subscribed service — account creation, delivering reports, API access, billing.
- Legitimate interests (GDPR Art. 6(1)(f)): improving the Platform, preventing fraud, ensuring security, conducting anonymised analytics. We balance these against your rights and do not override them.
- Legal obligation (GDPR Art. 6(1)(c)): complying with applicable laws and responding to lawful requests from public authorities.
- Consent (GDPR Art. 6(1)(a)): for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
03 — How We Use Your Data
- Providing and operating the Platform: delivering reports, price data, tools, and API services.
- Processing payments and managing your subscription.
- Sending transactional communications: account confirmations, receipts, password resets, service alerts, and price notifications you have configured.
- Sending marketing communications about new features or products — only if you have opted in. You can unsubscribe at any time via the link in any email.
- Improving the Platform through aggregated, anonymised usage analytics.
- Detecting, investigating, and preventing fraud, abuse, and security incidents.
- Complying with legal obligations.
We do not sell your personal data to third parties. We do not use your account data to create advertising profiles or share it with data brokers. Advertising partners (Google AdSense) may use cookies to serve interest-based advertisements — see Section 10 for full disclosure and opt-out instructions.
04 — Data Sharing and Disclosure
4.1 Service providers
We share personal data only with carefully selected processors under data processing agreements that require them to protect your data:
- Payment processing: Stripe, Inc. — processes payment card data under its own privacy policy and PCI DSS compliance. We never store full card numbers.
- Infrastructure: Cloud providers (e.g., Supabase, AWS, or equivalent) used to store account data and serve the Platform.
- Analytics: GoatCounter — receives anonymised, aggregated usage data. No personal data is shared with GoatCounter.
4.2 Legal disclosures
We may disclose personal data if required to do so by law or in response to valid legal requests by public authorities (e.g., a court order, law enforcement request, or regulatory investigation).
We will notify you of such requests where permitted and will oppose overly broad or inappropriate requests.
4.3 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will require the acquiring entity to honor this Privacy Policy or provide you with notice and an opportunity to opt out.
05 — Data Retention
- Account data: retained for the duration of your account plus 12 months after account deletion, or as required by applicable law.
- Usage data (anonymised): retained indefinitely in aggregate form.
- Payment data: processed and retained by Stripe under its own data retention policy. We retain only transaction references (date, amount, plan tier) for billing records.
- Communications: retained for the duration of the inquiry plus 24 months.
Upon account deletion, we delete or anonymise your personal data within 30 days, except where retention is required by law.
06 — Data Security
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: personal data is encrypted at rest using AES-256.
- Authentication: Supabase Auth handles user authentication with industry-standard password hashing (bcrypt) and optional multi-factor authentication.
- Access controls: database access is restricted to authenticated services only. No direct database access from the public internet.
- API security: API access requires valid authentication tokens. Rate limiting and usage monitoring are applied to all API endpoints.
07 — Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
| Right | Description |
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Restriction | Request restriction of processing in certain circumstances. |
| Portability | Receive your data in a structured, commonly used, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent. |
To exercise any of these rights: email contact@rzzro.com with subject "Data Rights Request." We will respond within 30 days (or the period required by applicable law).
CCPA-specific rights (California residents)
- Right to know: request disclosure of the categories and specific pieces of personal data we have collected about you.
- Right to delete: request deletion of personal data we have collected, subject to certain exceptions.
- Right to opt out of sale: we do not sell personal data. No opt-out is necessary.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.
LFPDPPP-specific (Mexico)
- ARCO rights: Access, Rectification, Cancellation, and Opposition — exercised by emailing contact@rzzro.com.
- Revocation of consent: you may revoke your consent to data processing at any time. Revocation may affect the Platform's ability to provide the subscribed service.
08 — Analytics (GoatCounter)
Rzzro uses GoatCounter for web analytics. GoatCounter is a privacy-first analytics platform that:
- Processes data in anonymised, aggregate form only.
- Does not store IP addresses.
- Does not place cookies.
- Does not use persistent identifiers.
- Does not track users across websites.
No personal data is sent to GoatCounter. The data collected includes page views, referrer patterns, browser type, and screen size — all anonymised and aggregated. You can learn more at goatcounter.com/privacy.
09 — International Data Transfers
Your personal data may be processed in any country where Rzzro or its service providers operate. We ensure appropriate safeguards are in place for international data transfers:
- EU/EEA to third countries: Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Mexico to third countries: Binding corporate rules or contractual clauses consistent with LFPDPPP requirements.
- UK to third countries: International Data Transfer Agreement (IDTA) or SCCs as recognized by the ICO.
Our primary infrastructure providers (Supabase, AWS, or equivalent) maintain data centers in multiple regions. Data is stored in the region closest to you where technically feasible.
10 — Advertising and Cookies
Last updated: June 24, 2026. This section discloses how advertising partners, including Google, use cookies and similar technologies on rzzro.com.
10.1 What Are Cookies
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to site operators. Cookies may be “first-party” (set by rzzro.com) or “third-party” (set by a domain other than rzzro.com, such as Google).
10.2 Advertising Cookies (Google AdSense)
Rzzro uses Google AdSense to display advertisements. Google and its advertising partners use cookies and similar technologies (such as web beacons) to serve ads based on your prior visits to rzzro.com and other websites. This is known as interest-based advertising or personalized advertising.
Specifically, Google AdSense may:
- Place and read third-party cookies on your browser to collect information about your browsing activity across websites.
- Use web beacons (small invisible images) to collect information about ad impressions and interactions.
- Use advertising identifiers on mobile devices (IDFA on iOS, AAID on Android) for ad serving and measurement.
- Combine data from your visits to rzzro.com with data from other sites in Google’s advertising network to show you more relevant ads.
Data collected via advertising cookies may include: your device type, browser type, approximate location (derived from IP address), pages visited on rzzro.com, time of visit, interactions with advertisements, and referring URLs. This data is processed by Google under its own privacy policy, not Rzzro’s.
10.3 Why We Use Advertising Cookies
Advertising revenue supports Rzzro’s ability to provide free content, including commodity market news, public price data, and select intelligence tools. Advertising cookies help:
- Deliver ads that are more relevant to your interests (personalized advertising).
- Measure ad performance — how many users see or click on an ad.
- Prevent the same ad from being shown to you repeatedly (frequency capping).
- Detect and prevent click fraud and invalid traffic.
10.4 Your Choices — How to Control Advertising Cookies
You have control over advertising cookies. You can opt out of personalized advertising at any time through the following methods:
- Google Ad Settings: Visit adssettings.google.com to manage your Google ad preferences and opt out of personalized ads served by Google.
- Network Advertising Initiative (NAI): Visit optout.networkadvertising.org to opt out of interest-based advertising from NAI member companies.
- Digital Advertising Alliance (DAA): Visit optout.aboutads.info for the DAA consumer choice tool.
- Browser settings: Most browsers allow you to block or delete cookies through their settings. See your browser’s help section: Chrome, Firefox, Safari, Edge.
- Mobile device settings: iOS: Settings > Privacy → Tracking (Limit Ad Tracking). Android: Settings > Google > Ads → Opt out of Ads Personalization.
Important: Opting out of personalized advertising does not mean you will stop seeing ads. You will still see ads, but they will be less relevant to your interests. Opt-out preferences are stored in cookies — if you clear your browser cookies, you may need to opt out again.
10.5 Cookie Consent Banner
Rzzro displays a cookie consent banner on your first visit. This banner provides clear disclosure of cookie usage and allows you to manage your preferences. By clicking “Accept” or continuing to use the Platform after seeing the banner, you consent to the use of advertising cookies as described in this section. You may change your preferences at any time via the methods listed in Section 10.4.
10.6 Google’s Data Processing
Google acts as an independent data controller for the personal data it collects through AdSense cookies. Google’s use of advertising cookies is governed by the Google Advertising Privacy Policy. Google may share aggregated, non-personally identifiable data with publishers like Rzzro for reporting purposes (e.g., impression counts, click-through rates). Rzzro does not receive any personally identifiable information about individual ad viewers from Google.
10.7 Compliance with Google’s February 2025 Policy Update
This section complies with Google’s updated publisher policies effective February 2025, which require clear disclosure of:
- The collection, sharing, and use of data in connection with Google services.
- How modern privacy technologies (beyond traditional cookies) are used for ad serving across devices.
- The range of devices and platforms where advertisements may appear alongside Google services.
10.8 No Sale of Personal Data
Rzzro does not sell your personal data to Google, advertisers, or any other third party. The advertising cookies placed by Google are set and controlled by Google, not Rzzro. We share no account data, subscription data, or any personally identifiable information with Google for advertising purposes.
11 — Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email to the address associated with your account (for registered users).
- A notice on the Platform (rzzro.com).
- Updating the "Effective Date" at the top of this Policy.
We encourage you to review this Policy periodically. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.
12 — Contact and Supervisory Authorities
For any questions, requests, or complaints regarding this Privacy Policy or our data practices, contact us at:
| Detail | Information |
| Email | contact@rzzro.com |
| Subject | "Data Rights Request" for rights exercises |
| Operator | Rzzro Intelligence — Hermosillo, Sonora, México |
| Response time | 30 days (or period required by applicable law) |
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
| Jurisdiction | Authority | Website |
| Mexico | INAI | inai.org.mx |
| European EEA | Your national data protection authority | edpb.europa.eu |
| United Kingdom | ICO | ico.org.uk |
| California, USA | CPPA | cppa.ca.gov |
This Privacy Policy covers all data processing activities conducted by Rzzro Intelligence at rzzro.com. It does not apply to third-party websites linked from the Platform. Where there is any conflict between this Policy and applicable law, applicable law prevails.