Privacy Policy for ZESTRA

1. Overview and Purpose

This Privacy Policy outlines the data handling practices for ZESTRA (Zenex Enhanced Solution for Tracking, Reporting, and Automation). ZESTRA is an internal mobile and web application developed, owned, and maintained exclusively by Zenex Technologies Limited ("Zenex", "We", "Us", "Our"). This policy aims to ensure transparency regarding how information is managed within this internal system, even though its scope is limited to authorized personnel.

The application is used strictly by authorized employees, agents, and representatives of Zenex for specific internal business functions, including but not limited to: recording and managing mobile phone sales, tracking stock allocations, calculating and managing commissions, and performing related operational tasks necessary for Zenex's business activities. Access to ZESTRA is a privilege granted under employment or contractual agreements.

It is critical to understand that ZESTRA does not collect, process, share, or transmit any personal or sensitive user data of its users to any third parties. The application is designed for, and strictly limited to, internal operational use. All individuals granted access to the ZESTRA platform have previously executed formal agreements concerning system usage, data confidentiality, and privacy obligations as an integral part of their employment or contractual engagement with Zenex Technologies Limited.

2. Information We Explicitly Do NOT Collect via ZESTRA

To maintain clarity and user confidence, ZESTRA is designed to minimize data interaction and does not collect any of the following types of personal or sensitive information from its users through the application interface:

• Personally Identifiable Information (PII): This includes, but is not limited to, personal names, personal email addresses, personal phone numbers, national ID numbers, residential addresses, or any other direct identifiers of the user being collected *through the app itself*. User identification for login is managed via pre-assigned credentials linked to offline employment records.
• Location Data: The application does not request, track, or store GPS coordinates (precise or coarse) or any form of background location information from the user's device.
• Device Native Data: Access to contacts, calendar events, call logs, SMS logs, photo galleries (except for specific, user-initiated actions like uploading a receipt as described under 'Permissions'), or other native device data is not sought or utilized.
• Extensive Device Information or Diagnostics: Beyond basic technical information essential for application functionality and troubleshooting (e.g., app version, OS type for compatibility, secure session tokens), ZESTRA does not collect extensive device identifiers (like IMEI, MAC address for user device identification), or detailed diagnostic data from the user's device. Note: IMEI numbers of *products* being sold are collected as operational data, not from the user's device itself.
• Financial Data: No personal financial data, credit card details, bank account numbers, or payment credentials of the users are collected or processed through ZESTRA.
• Biometric Data: The application does not collect, store, or process any biometric data such as fingerprints, facial recognition data, or voiceprints.
• Other Sensitive Personal Information: This includes data related to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, or data concerning a natural person's sex life or sexual orientation.

3. Internal User Identity and Access Management

Access to ZESTRA is strictly controlled and managed by Zenex administrators. Users do not self-register or create personal profiles within the application.

• Pre-registration and Authorization: All user accounts are pre-registered by Zenex administrators. Access is granted based on the individual's role and responsibilities within the company.
• Offline Identity Verification: The identity verification, including Know Your Customer (KYC) documents and other relevant employment or contractual paperwork, is collected, verified, and managed entirely offline during the employee onboarding process or contractual engagement with Zenex. This information resides within Zenex's secure Human Resources or contractor management systems, separate from ZESTRA's operational database.
• No In-App Profile Creation: ZESTRA users do not create personal profiles, submit personal details through forms, or voluntarily input personal data beyond what is strictly necessary for logging in (i.e., pre-assigned username and password/token). The application interface does not provide fields for users to enter or manage personal profile information.
• Role-Based Access: User access to ZESTRA functionalities and data is governed by role-based access controls (RBAC) determined by Zenex administrators, ensuring users only have access to information and tools necessary for their designated tasks.

4. Data Handling, Storage, and Security

ZESTRA is designed with data security and integrity as core principles. This section details how operational data is handled and secured, distinguishing it from the non-collection of personal user data.

Operational Data: ZESTRA processes operational data related to Zenex's business activities, such as sales transaction logs, product IMEI numbers (of items being sold or managed), stock levels, commission calculations, and agent performance metrics. This data is owned and controlled entirely by Zenex Technologies Limited and is crucial for business operations.

Data Storage:

• No Personal Data Storage on Mobile Devices: ZESTRA does not store any personal data on users' mobile devices, other than secure session tokens or temporary cached data essential for login persistence and system continuity during an active session. This temporary data is typically encrypted and cleared upon logout or session expiry.
• Centralized Secure Servers: All operational data processed by ZESTRA is transmitted and stored on Zenex-managed or contracted servers. These servers are hosted in secure, access-controlled data centers.

Security Measures: Zenex implements a range of security measures to protect the data within ZESTRA and its supporting infrastructure. These include, but are not limited to:

• Secure Communication: The platform operates exclusively over secure HTTPS connections, ensuring that data transmitted between the user's device and Zenex servers is encrypted in transit.
• Encryption at Rest: Sensitive operational data stored on servers is protected using industry-standard encryption mechanisms.
• Access Controls: Strict access controls, including multi-factor authentication (MFA) where appropriate for administrative access, and role-based access (RBAC) within the application, are enforced to limit data access to authorized personnel only.
• Internal IT Policies: Adherence to comprehensive internal IT security policies for data management, incident response, access logging, and regular security audits.
• Regular Security Assessments: Periodic vulnerability assessments and penetration testing may be conducted to identify and address potential security weaknesses.
• Data Backup and Recovery: Robust data backup and disaster recovery procedures are in place to ensure business continuity and data integrity.

Data Ownership and Control: All operational data recorded and managed within ZESTRA (e.g., sales logs, IMEI numbers of products, product records, commission data) is the exclusive property of Zenex Technologies Limited and is controlled entirely by Zenex.

No Sale of Data: Zenex Technologies does not, under any circumstances, expose or sell operational or any other data from ZESTRA to any third parties for monetary gain or other purposes outside of its legitimate business operations.

5. No Third-Party Data Sharing or Integrations

ZESTRA is a closed-loop system designed for internal Zenex operations. As such, it does not share data with or integrate with external third-party services in a way that would expose user or operational data.

• No Third-Party Analytics or Advertising: The application does not integrate with third-party analytics services (e.g., Google Analytics, Firebase Analytics for profiling user behavior), advertising networks, or social media platforms.
• No External Service Providers with Data Access: ZESTRA does not utilize external service providers that would require or gain access to the operational data or any (non-existent) personal user data within the system, except for core infrastructure providers (e.g., secure cloud hosting) who are bound by strict confidentiality and data protection agreements and do not have permission to access or use the content of the data.
• No Sale or Unauthorized Disclosure: No personal data (as none is collected via the app) and no sensitive operational data is sold, rented, leased, shared, or otherwise disclosed to any external entity, advertiser, business partner, or government body.
• Exception for Legal Obligations: The only exception to the no-sharing rule is if Zenex Technologies Limited is explicitly required to disclose specific information by applicable law, regulation, or a valid and binding legal process (e.g., a court order from a competent authority). Any such disclosure will be narrowly tailored to comply with the legal obligation and, where permissible, affected parties may be notified.

6. Cookies and Tracking Technologies

ZESTRA does not employ cookies, tracking pixels, web beacons, device fingerprinting, or any similar online tracking technologies typically used for monitoring user behavior across websites or for advertising purposes. As a closed-system, internal business application, user behavior is not monitored, profiled, or analyzed for marketing or non-operational purposes.

• Session Management: The application may use essential session tokens or similar mechanisms strictly for maintaining a logged-in state, ensuring system security, and enabling core application functionality during an active session. These are not used for tracking users outside the application or for behavioral analysis.
• Operational Logs: The system maintains standard operational logs for purposes such as troubleshooting technical issues, security incident investigation, ensuring system integrity, and internal audits. These logs capture system events, API calls, and errors, and may include user IDs associated with actions for accountability, but are not used for profiling individual user behavior patterns for other means. Access to these logs is restricted to authorized technical and administrative personnel.

7. Application Permissions

For ZESTRA to perform its designated operational functions, it may request certain permissions on the user's mobile device. These permissions are requested solely to enable specific application features and are not used for collecting or extracting personal user information beyond the stated purpose.

• Camera: This permission is used strictly and solely for scanning IMEI barcodes on mobile phone product boxes, QR codes related to stock items, or other operational codes necessary for inventory management, sales recording, or logistics. The camera is activated only upon user initiation of a scanning feature. No images or videos are stored beyond the immediate processing of the barcode/QR code unless explicitly related to an operational task like capturing proof of delivery.
• Storage (Optional): Access to device storage may be requested optionally. This is typically required if a user needs to temporarily save or upload transaction receipts, images for delivery verification, agent verification documents, or other operational attachments. The app will only access files selected by the user or save files to a designated application folder with user consent.
• Internet Access: This permission is fundamental for the application's operation. ZESTRA requires internet connectivity (Wi-Fi or mobile data) to communicate with the main Zenex servers for syncing operational data, authenticating users, and receiving updates. All such communication is secured via HTTPS.

Users can typically manage application permissions through their device's settings. However, denying essential permissions may limit or disable certain ZESTRA functionalities critical for performing assigned tasks.

8. User Rights, Access, and Responsibilities

Given that ZESTRA is an internal operational tool and explicitly does not collect personal data from users *via the application itself* for user profiling or external sharing, certain data subject rights typical for consumer-facing applications (like the right to data portability or erasure of app-collected personal profile data) are not directly applicable in the same context.

However, Zenex Technologies Limited acknowledges the rights of its employees and contracted agents regarding their personal data processed by Zenex as an employer or contracting entity. These rights are managed according to applicable labor laws and contractual agreements, typically through Human Resources or direct managerial channels.

• Access to ZESTRA Roles and Permissions: Users can direct inquiries regarding their specific access levels, roles, or permissions within the ZESTRA application to their designated system administrator or line manager within Zenex.
• Employment Data: For inquiries related to personal data collected during employment or contractual engagement (managed offline and separate from ZESTRA's primary function), individuals should contact the Zenex Human Resources department or their designated Zenex contact person. This includes requests for access to, or correction of, their employment records.
• Reporting Concerns: Any concerns about data handling within ZESTRA or potential misuse should be reported immediately to the Zenex system administrator or through established internal reporting channels.

User Responsibilities: Users of ZESTRA are responsible for:

• Maintaining the confidentiality of their login credentials (usernames, passwords, tokens).
• Using ZESTRA solely for authorized Zenex business purposes in accordance with company policies.
• Ensuring the accuracy of operational data they input into the system.
• Reporting any suspected security vulnerabilities or incidents to the appropriate Zenex personnel without delay.

9. Data Retention (Operational Data)

Operational data processed and stored by ZESTRA (such as sales records, stock information, commission data, and system logs) is retained by Zenex Technologies Limited in accordance with internal data retention policies and applicable legal, regulatory, and business requirements.

• Purpose-Bound Retention: Retention periods for different types of operational data are determined by their necessity for ongoing business operations, financial auditing, commission processing, dispute resolution, compliance with tax laws, and other legitimate business purposes.
• Varying Schedules: Specific retention schedules may vary depending on the nature of the data and any overriding legal or regulatory mandates.
• Secure Disposal: Once operational data is no longer required for the purposes for which it was collected and its retention period has expired, it will be securely disposed of or anonymized in a manner that prevents unauthorized access or use, following Zenex's data disposal procedures.
• System Logs: Technical and security logs are retained for a defined period necessary for system monitoring, security analysis, and troubleshooting, after which they are archived or securely deleted.

This section pertains to operational data within ZESTRA, not personal user data, as the latter is not collected by the application for its user base.

10. Changes to This Privacy Policy

Zenex Technologies Limited reserves the right to update or modify this Privacy Policy from time to time. This may be necessary to reflect changes in our internal systems (including ZESTRA itself), operational processes, evolving best practices, regulatory compliance requirements, or internal policy updates.

• Notification of Changes: Any material changes to this Privacy Policy will be communicated to all ZESTRA users through appropriate internal channels. This may include notifications via company email, posts on the Zenex internal intranet, direct messages within the ZESTRA application, or during team briefings.
• Review and Acceptance: We encourage users to periodically review this Privacy Policy, which will be accessible within the ZESTRA application or on the company intranet. The "Last Updated" date at the top of this policy will indicate when it was last revised.
• Continued Use: Continued use of the ZESTRA application after any such changes have been communicated and the updated policy has been made available will constitute acknowledgment and acceptance of the revised Privacy Policy.