Privacy Policy
Last updated: April 2026
1. Introduction
Zenith SAS, trading as ToneFlag, is a company registered in France with its registered office at 21 rue des Geais, Moulins, France. We provide a B2B SaaS platform that monitors internal emails for compliance with the Worker Protection Act 2023.
We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this Privacy Policy, please contact us at contact@automatik-by-zenith.com.
2. Data Controller and Processor
When ToneFlag processes data on behalf of an employer using our platform, the employer acts as the data controller and ToneFlag acts as the data processor. A Data Processing Agreement (DPA) is available upon request and forms part of our standard subscription terms.
For personal data collected through this website (e.g. contact form submissions), Zenith SAS is the data controller.
3. What Data We Collect
3.1 Product Data
When an employer deploys ToneFlag, we may process the following categories of data:
- Email metadata — sender, recipient, timestamp, subject line
- Email content — the body text of internal emails
- Organisational structure — department, team, and reporting-line data
- Usage logs — platform access times, feature usage, and administrative actions
ToneFlag only processes internal emails. External emails sent to or received from parties outside the organisation are excluded from analysis.
3.2 Website Data
When you visit our website, we may collect:
- Contact form submissions — name, email address, company, and message content
- Analytics data — pages visited, time on site, referral source
- Technical data — IP address, browser type, device type, operating system
4. Legal Basis for Processing
4.1 Product Data
Processing of product data is carried out under the following legal bases:
- Legitimate interest — Article 6(1)(f) UK GDPR. The employer has a legitimate interest in maintaining a safe and respectful workplace.
- Legal obligation — Article 6(1)(c) UK GDPR. Employers have a legal obligation under the Worker Protection Act 2023 to take reasonable steps to prevent harassment.
Where special category data may be processed, this is done under Article 9(2)(g) — processing necessary for reasons of substantial public interest.
4.2 Website Data
- Consent — Article 6(1)(a) for analytics cookies and marketing communications
- Legitimate interest — Article 6(1)(f) for website security and improvement
- Contract — Article 6(1)(b) for responding to enquiries and providing requested information
5. How We Use Your Data
5.1 Product Data
- AI-powered analysis of email tone and content for compliance risks
- Generating alerts when potential issues are detected
- Producing compliance reports for authorised personnel
- Trend analysis to identify patterns across teams or departments
We do not use customer data to train our AI models. All analysis is performed using pre-trained models, and customer data is never used to improve or fine-tune our algorithms.
5.2 Website Data
- Responding to your enquiries and requests
- Improving our website and user experience
- Sending marketing communications where you have opted in
6. Data Sharing
We do not sell your personal data to third parties. We may share data with the following categories of recipients:
- Cloud infrastructure providers — AWS (eu-west-2, London region) for hosting and data storage
- AI providers — for natural language processing capabilities
- Professional advisers — legal, audit, and insurance advisers as necessary
- Law enforcement — where required by law or in response to a valid legal request
A full list of sub-processors is available on request at contact@automatik-by-zenith.com.
7. Data Retention
7.1 Product Data
- Email content — retained for 12 months by default (configurable by the employer)
- Email metadata — retained for the subscription duration plus 90 days
- Compliance reports — retained for the duration of the subscription
- Post-termination — all customer data is deleted within 30 days of subscription termination
7.2 Website Data
- Contact form data — retained for 24 months
- Analytics data — retained for 26 months
8. International Data Transfers
We primarily store and process data within the UK and EEA. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including:
- International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
- Transfer risk assessments to evaluate the level of data protection in the recipient country
9. Your Rights
Under the UK GDPR, you have the following rights:
- Right of access — to request a copy of your personal data
- Right to rectification — to request correction of inaccurate data
- Right to erasure — to request deletion of your data
- Right to restriction — to request limited processing of your data
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on legitimate interest
- Rights related to automated decision-making — to request human review of automated decisions that significantly affect you
If you are an employee whose data is processed through ToneFlag, please contact your employer in the first instance, as they are the data controller. Your employer will liaise with us to fulfil your request.
10. Security
We implement robust technical and organisational measures to protect your data, including:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Role-based access control (RBAC)
- Comprehensive audit logging
- ISO 27001 and SOC 2 Type II certification
- Regular penetration testing
- Employee security awareness training
11. Cookies
Our website uses the following types of cookies:
- Strictly necessary cookies — required for the website to function correctly
- Functional cookies — used to remember your preferences
- Analytics cookies — used to understand how visitors interact with our website (requires your consent)
We do not use advertising or tracking cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify our clients directly and, where required, seek additional consent.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: contact@automatik-by-zenith.com
- Post: Zenith SAS, 21 rue des Geais, Moulins, France
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF