Privacy Policy

Effective date: April 2026  ·  Last updated: April 2026

1. Who We Are

The Zensory (“we”, “us”, “our”) is the data controller responsible for your personal data processed through the Zensory platform (“Service”).

If you have any questions about this Privacy Policy or how we handle your data, please contact us at privacy@thezensory.com.

2. Data We Collect

We collect the following categories of personal data:

Account and identity data

When you sign in via Microsoft Azure Active Directory, we receive your name, email address, and a unique Microsoft account identifier. We do not receive your password.

Wellbeing and assessment data

Responses you provide to the Zensory questionnaires, including chronotype assessment (sleep and wake patterns, daily rhythm preferences), Z-SEM sensory profiling (visual, auditory, and kinaesthetic preferences), and everyday experience questionnaires. We also store your computed scores and personalised profile.

This data may constitute data concerning health or lifestyle within the meaning of UK GDPR. We process it on the basis of your explicit consent (given when you complete the assessments) and to perform the contract for wellbeing services between your Organisation and us.

Usage and activity data

Pages you visit, session duration, active time on the platform, and login timestamps. This data is used to calculate your activity statistics and to provide features such as your streak and usage summary on the dashboard.

Technical data

IP address (used temporarily for login rate-limiting and security), browser type, and device type. We do not build persistent profiles from technical data.

3. How We Use Your Data

| Purpose | Legal basis (UK GDPR) |
|---|---|
| Authenticating your identity and providing access to the Service | Performance of a contract (Art. 6(1)(b)) |
| Delivering personalised chronotype and sensory wellness assessments | Performance of a contract; Explicit consent (Art. 9(2)(a)) for health-related data |
| Displaying your activity statistics and engagement streak | Performance of a contract (Art. 6(1)(b)) |
| Sending you assessment result reports by email | Consent (Art. 6(1)(a)) |
| Security monitoring and rate-limiting to prevent abuse | Legitimate interests (Art. 6(1)(f)) — protecting our platform and users |
| Providing your Organisation's administrators with aggregated usage data | Legitimate interests (Art. 6(1)(f)) — contract with your Organisation |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |

4. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following third-party processors, each bound by data processing agreements and appropriate safeguards:

Microsoft Corporation (Azure Active Directory)

Provides identity and authentication services. When you sign in, Microsoft processes your account credentials and issues a secure token to our platform. Microsoft acts as an independent data controller for the authentication process. See Microsoft's Privacy Statement.

Twilio SendGrid (email delivery)

Used to deliver assessment result reports to your email address when you request them. SendGrid processes only your email address and the content of the report for this purpose.

Your Organisation

Your Organisation's administrators may access aggregated and individual usage data (activity statistics, assessment completion status) as part of the Organisation's subscription to the Service. Your Organisation is an independent data controller in relation to your employment data.

Infrastructure and hosting

The Service is hosted on servers located in the United Kingdom. We engage infrastructure providers who process data only on our documented instructions.

5. International Data Transfers

Microsoft and SendGrid operate globally. Where your data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses, and adequacy decisions where applicable.

6. Data Retention

We retain your personal data only for as long as necessary:

  • Account and assessment data — retained for the duration of your Organisation's active subscription and deleted within 90 days of subscription termination or your account closure, whichever is earlier.
  • Activity and usage data — retained for 12 months on a rolling basis, then anonymised or deleted.
  • Security logs (IP addresses) — retained for up to 30 days for fraud prevention and platform security purposes.
  • Backup copies — may be retained for up to an additional 30 days in encrypted backup storage, then permanently deleted.

You may request early deletion of your data at any time (see Section 8 below).

7. Cookies and Local Storage

The Zensory platform uses browser storage to deliver the Service. We do not use third-party advertising or tracking cookies.

  • localStorage — zensory_api_token: Stores your authentication token to keep you signed in between page loads. Cleared on sign-out.
  • localStorage — zensory-theme: Remembers your light/dark mode preference.
  • sessionStorage — session identifier: A temporary random ID used to group your activity within a single browser session. Cleared when you close your browser tab.
  • Cookie — zensory-theme: Used server-side during page rendering to apply your theme preference before the page loads, preventing a flash of the wrong theme.

These storage mechanisms are strictly necessary for the operation of the Service and do not require separate consent under UK PECR.

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@thezensory.com. We will respond within one calendar month.

  • Right of access — request a copy of the personal data we hold about you (a Subject Access Request).
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your data where we no longer have a lawful basis to retain it.
  • Right to restriction — ask us to pause processing of your data in certain circumstances.
  • Right to data portability — receive your assessment responses in a structured, machine-readable format (where processing is based on consent or contract and is automated).
  • Right to object — object to processing based on our legitimate interests.
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication via Microsoft Azure Active Directory with organisation-managed credentials
  • Cryptographically signed session tokens with short expiry periods (24 hours)
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Access controls restricting data access to authorised personnel only

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected individuals without undue delay, as required by UK GDPR.

10. Children's Privacy

The Service is intended for use by adults (18 years and over) in a professional workplace context. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the revised policy on this page with an updated “Last updated” date. Where changes are material, we will notify you via the platform or by email.

12. Complaints

If you are unhappy with how we handle your personal data, please contact us first at privacy@thezensory.com and we will do our best to resolve your concern.

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113