Privacy Policy

01 Introduction

This Privacy Policy ("Policy") describes how Esprito Tech QFZ LLC ("Esprito Tech QFZ LLC," "Zeono," "Company," "we," "us," or "our"), a company incorporated under the laws of the State of Qatar and registered in the Ras Bufontas Free Zone, collects, uses, stores, shares, and protects information obtained from and about users ("User," "you," or "your") of the Zeono platform, including the website at zeono.app, mobile applications, APIs, and all related services (collectively, the "Platform" or "Services").

We are committed to protecting your privacy and handling your data with transparency. By accessing or using the Platform, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree with this Policy, please do not use the Services.

02 Data Controller

The data controller responsible for the processing of your personal data is:

Esprito Tech QFZ LLC
Registered Address: Office 62, Ras Bufontas Admin Building, Building 43, Street 517, Zone 49, Ras Bufontas Free Zone, Doha, Qatar
Email: support@esprito.app

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), or another jurisdiction that requires the appointment of a data protection representative, our representative can be contacted at: support@esprito.app.

03 Scope of This Policy

This Policy applies to all personal data processed in connection with your use of the Platform, regardless of how you access it (web browser, mobile application, or API). This Policy does not apply to the practices of third parties that we do not own or control, including but not limited to Brokerage Providers, market data providers, and AI service providers. We encourage you to review the privacy policies of any third-party services you interact with through the Platform.

04 Information We Collect

4.1 Information You Provide Directly

Account Registration Data: Name, email address, phone number (if provided), username, and password when you create an account
Profile Information: Investment experience level, trading preferences, language preferences, and other optional profile details
Trading Commands and Communications: The text commands, queries, and instructions you submit to the AI Agent through the Platform's natural language interface
Brokerage Account Connection Data: When you connect a Brokerage Account, we receive an API access token and limited account information. We do not receive or store your Brokerage Account login credentials (username/password)
Payment Information: If you subscribe to a paid tier, we collect information necessary to process your payment. We do not directly store full payment card numbers; payment processing is handled by PCI-DSS compliant third-party payment processors
Support Communications: Information you provide when contacting our support team, including your messages and email address
Feedback and Survey Data: Any feedback, suggestions, survey responses, or other voluntary information you provide to us

4.2 Information Collected Automatically

Device and Browser Information: Device type, operating system, browser type and version, screen resolution, device identifiers, and language settings
Usage Data: Pages visited, features used, commands entered (in anonymized/aggregated form), frequency and duration of use, click patterns, and navigation paths
Log Data: IP address, access timestamps, referring URLs, error logs, and server response codes
Location Data: Approximate geographic location derived from your IP address (country/region level only; we do not collect precise GPS location)
Performance Data: Platform load times, latency metrics, error rates, and other technical performance indicators

4.3 Information from Connected Brokerage Accounts

When you connect a Brokerage Account, the Platform may access the following information via authorized API, depending on the permissions you grant:

Portfolio Holdings: Securities held, quantities, cost basis, and current market values
Account Balances: Cash balances, buying power, margin balances (if applicable)
Order History: Past and pending orders, including order type, status, fill prices, and timestamps
Account Type: Individual, joint, IRA, margin, or other account types

4.4 Information from Third Parties

Market Data Providers: Price feeds, trading volume data, financial statements, analyst estimates, and news (generally non-personal data)
AI Service Providers: Responses generated by third-party AI models in connection with processing your commands
Analytics Providers: Aggregated usage and performance data from third-party analytics services

05 How We Use Your Information

We process your information for the following purposes:

Service Delivery: To provide, operate, and maintain the Platform; interpret your trading commands via the AI Agent; prepare and submit Orders to your Brokerage Provider; deliver notifications and alerts; display portfolio analytics; and provide customer support
AI and NLP Processing: To process your text commands through our AI models to interpret your trading intentions and generate appropriate responses, analysis, and actions
Analytics and Improvement: To analyze usage patterns, optimize Platform performance, improve the accuracy of our AI models and financial analytics, develop new features, and conduct research
Security and Fraud Prevention: To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity; monitor for potential market manipulation or insider trading; and enforce our Terms of Use
Communications: To send service-related communications, including order confirmations, alert notifications, system updates, security notices, and (with your consent where required) promotional communications
Legal Compliance: To comply with applicable laws, regulations, and governmental requests, including securities regulations, AML requirements, and tax reporting obligations
Payment Processing: To process subscription payments and manage your billing account
Personalization: To personalize your experience based on your trading history, preferences, and portfolio context

06 Legal Basis for Processing (GDPR)

If you are located in the EEA, the UK, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following legal bases:

Contract Performance (Article 6(1)(b) GDPR): Processing is necessary for the performance of our contract with you, including providing the Services, processing your commands, and managing your account
Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for our legitimate interests, including improving and securing the Platform, conducting analytics, preventing fraud, and marketing our Services
Consent (Article 6(1)(a) GDPR): Where we rely on your consent for specific processing activities (e.g., optional marketing communications, non-essential cookies), you may withdraw your consent at any time
Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary to comply with a legal obligation to which we are subject, including securities regulatory requirements, AML obligations, and tax reporting

07 Information Sharing and Disclosure

We may share your information with the following categories of recipients:

Brokerage Providers: When you connect a Brokerage Account and submit Orders, your order details are transmitted to your Brokerage Provider via authorized API. Your Brokerage Provider receives the information necessary to execute your Orders
AI Service Providers: Your trading commands and related contextual data are transmitted to third-party AI providers (e.g., OpenAI) for natural language processing. We strive to minimize the personal data included in AI processing requests
Payment Processors: If you subscribe to a paid tier, your payment information is shared with our third-party payment processors, who process payments in accordance with PCI-DSS standards
Analytics and Infrastructure Providers: We use third-party services for hosting, analytics, monitoring, and infrastructure. These providers process data on our behalf under contractual data processing agreements
Legal and Regulatory Authorities: We may disclose your information to law enforcement, securities regulators (including the SEC, FINRA, and equivalent foreign regulators), courts, or other governmental authorities when required by law
Business Transfers: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring or successor entity, subject to applicable privacy laws
With Your Consent: We may share your information with third parties when you have given your explicit consent to do so

We do not sell your personal data to third parties for their own marketing purposes.

08 Third-Party Services and Integrations

Brokerage Providers

When you connect your Brokerage Account, the Platform accesses account data and submits Orders through the Brokerage Provider's API. Data shared with your Brokerage Provider is governed by its own privacy policy and regulatory obligations. US Brokerage Providers are subject to SEC Regulation S-P, which governs the protection of customer information.

AI Service Providers (OpenAI / Others)

Your text commands are processed by AI models hosted by third-party providers. We send the minimum data necessary for command interpretation and do not include personally identifiable information such as your name, email, or brokerage credentials in AI processing requests. We have data processing agreements with our AI providers.

Market Data Providers

Market Data displayed on the Platform is sourced from third-party providers and Exchanges. These providers may have their own terms regarding the use of their data.

09 Financial Data and Regulatory Considerations

9.1 Securities Account Information

Information accessed from your connected Brokerage Account (portfolio holdings, balances, order history) is treated as sensitive financial data. We implement enhanced security measures for this data, including encryption, access controls, and audit logging.

9.2 Regulatory Inquiries

As a platform that facilitates interaction with securities markets, we may be required to provide information to securities regulators (including the SEC, FINRA, or equivalent foreign regulators) in connection with regulatory examinations, investigations, or enforcement proceedings. We will comply with lawful regulatory requests and may be prohibited from notifying you of such requests in certain circumstances.

9.3 Tax Reporting

Zeono does not issue tax documents (such as Forms 1099). Tax reporting for your Securities transactions is the responsibility of your Brokerage Provider. However, we may retain transaction-related data that could be relevant to your tax obligations.

10 AI Processing and Data Use

10.1 How AI Processes Your Data

When you submit a text command to the Platform, the AI Agent processes your input to understand your intent and generate the appropriate response or action. This processing involves transmitting your command text (and potentially recent conversational context and relevant portfolio data) to AI model providers for inference. We do not include your name, email, brokerage credentials, or other directly identifying information in AI processing requests.

10.2 AI Training and Improvement

We may use anonymized and aggregated data derived from User commands to improve the Platform's AI models and command interpretation accuracy. We do not use your personal data or identifiable trading commands to train third-party AI models without your explicit consent.

10.3 Automated Decision-Making

The Platform uses automated processing to interpret your commands, generate market analysis, and prepare Orders. However, Order submission to your Brokerage Provider requires your explicit confirmation. You have the right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significant effects on you, except where authorized by law or based on your explicit consent.

11 Cookies and Tracking Technologies

11.1 Types of Technologies Used

Strictly Necessary Cookies: Essential for the Platform to function properly, including session management, security tokens, and authentication. These cannot be disabled
Functional Cookies: Used to remember your preferences, language settings, and interface customizations
Analytics Cookies: Used to collect information about how you interact with the Platform, which helps us improve the user experience
Performance Cookies: Used to monitor Platform performance and error tracking

11.2 Cookie Management

When required by applicable law (e.g., in the EEA/UK), we will obtain your consent before placing non-essential cookies. You can manage your cookie preferences through the cookie consent banner on the Platform or through your browser settings. Disabling certain cookies may limit the functionality of the Platform.

11.3 Do Not Track

The Platform does not currently respond to "Do Not Track" (DNT) signals transmitted by web browsers. However, you can manage tracking through the cookie and privacy controls described above.

12 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

Data Type	Retention Period
Account Data	Duration of active use + 5 years (or as required by law)
Trading Commands & AI Interaction Logs	12 months, then anonymized or deleted
Order and Transaction Data	7 years (securities record-keeping requirements)
Brokerage Account Connection Data	While connected; promptly revoked and deleted upon disconnection
Support Communications	3 years from date of resolution
Analytics and Usage Data (identifiable)	24 months; anonymized/aggregated data retained indefinitely
Payment Data	As required by applicable tax and accounting regulations

13 Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/SSL) and at rest
Access controls and authentication mechanisms for internal systems
Secure handling of Brokerage Account API tokens with encryption and scoped permissions
Regular security assessments, penetration testing, and vulnerability scanning
Incident response procedures and breach notification protocols
Employee training on data protection and security best practices
Monitoring and logging of access to sensitive financial data

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. You are responsible for maintaining the security of your account credentials and connected Brokerage Account.

14 International Data Transfers

Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction. When we transfer personal data internationally, we implement appropriate safeguards, which may include:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data processing agreements with adequate data protection obligations
Transfer to countries with an adequate level of data protection as determined by the European Commission or other relevant authority
Other appropriate safeguards as permitted by applicable law

By using the Platform, you consent to the transfer of your information to jurisdictions outside your country of residence, subject to the safeguards described above.

15 Your Rights

Depending on your location and applicable data protection laws (including the GDPR, UK GDPR, CCPA/CPRA, and other applicable legislation), you may have the following rights:

Right of Access Request a copy of the personal data we hold about you and information about how we process it

Right to Rectification Request the correction of inaccurate or incomplete personal data

Right to Erasure Request the deletion of your personal data, subject to certain legal exceptions

Right to Restriction Request that we restrict the processing of your personal data in certain circumstances

Right to Data Portability Receive your personal data in a structured, machine-readable format and transmit it to another controller

Right to Object Object to the processing of your personal data based on our legitimate interests or for direct marketing

Right to Withdraw Consent Where processing is based on your consent, withdraw it at any time without affecting prior processing

California Rights (CCPA/CPRA) California residents may know, delete, and opt-out. We do not sell personal information

To exercise any of these rights, please contact us using the information provided in Section 18. We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection laws.

16 Children's Privacy

The Platform is not intended for, and we do not knowingly collect personal data from, individuals under the age of eighteen (18) or the age of legal majority in their jurisdiction, whichever is higher. If we become aware that we have collected personal data from a minor without appropriate parental or guardian consent, we will take reasonable steps to delete such data. If you believe that we may have collected data from a minor, please contact us immediately.

17 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Policy on the Platform with a revised "Last Updated" date and, where required by law, by providing additional notice (e.g., in-app notification or email). Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.