ZETA USA INC. Data Privacy Policy

IMPORTANT NOTICE: This Policy applies to all individuals whose personal data is processed by ZETA USA Inc. globally, including customers, users, employees, contractors, and business partners. Where applicable, this Policy satisfies the notice requirements of the GDPR (EU), the Austrian Data Protection Act (DSG), the Delaware Personal Data Privacy Act (DPDPA), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data privacy laws. This declaration applies both to data processing within ZETA USA Inc. and its group affiliates, and to the use of our website in the U.S.

This Data Privacy Policy (“Policy”) governs the collection, use, storage, transfer, and disposal of personal data by ZETA USA Inc. (“ZETA USA,” “we,” “us,” or “our”), a corporation organized under the laws of the State of Delaware, with principal operations in Pennsylvania, USA. This Policy applies to information collected through the ZETA USA website and through related communications such as inquiries, event registrations, and requests for technical resources, as well as to data processing within ZETA USA and its group affiliates.

1.1 Who This Policy Covers
This Policy applies to customers, end users, and website visitors located anywhere in the world; interested parties, business partners, and suppliers; newsletter recipients and white paper downloaders; employees, contractors, and job applicants in the U.S. and internationally; and any individual whose personal data we receive from ZETA GmbH, or group affiliates.

1.2 Legal Framework
Due to our corporate structure — a Delaware incorporation with Pennsylvania operations, ZETA GmbH, and a global customer base — this Policy is designed to comply simultaneously with multiple legal frameworks. The EU General Data Protection Regulation (GDPR) applies to all EU/EEA residents’ data, including data transferred from ZETA GmbH. The Austrian Data Protection Act (DSG) applies to processing activities connected to ZETA GmbH’s operations. The California Consumer Privacy Act and its amendment, the CPRA (together, the CCPA), provide the baseline standard for U.S. consumer rights. The privacy laws of Colorado, Connecticut, Virginia, Texas, New Jersey, Maryland, Minnesota, and more than a dozen additional U.S. states apply to residents of those states who are our customers. The FTC Act Section 5 on unfair and deceptive practices applies to all our U.S. commercial activity. The EU-U.S. Data Privacy Framework governs cross-border transfers from the EU/EEA to the U.S. The NLRA imposes employment-related data and protected activity obligations applicable to all U.S. employees.

The following terms have the meanings set out below throughout this Policy.

2.1. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, location data, device identifiers, and any data that can be linked to an individual. Throughout this Policy, “personal data” and “personal information” are used interchangeably; “personal data” is used primarily in EU/EEA and GDPR contexts, and “personal information” is used primarily in U.S. state law contexts, consistent with the terminology of the applicable legal framework.
2.2. “Sensitive Personal Data” means a subset of personal data requiring heightened protection, including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sexual orientation, precise geolocation data, Social Security Numbers, and children’s data.
2.3. “Processing” means any operation performed on personal data, including collection, recording, storage, use, disclosure, transfer, deletion, or destruction.
2.4. “Controller” means the entity that determines the purposes and means of processing personal data. ZETA USA acts as controller for customer and website data.
2.5. “Processor” means an entity that processes data on behalf of a controller. ZETA USA may act as processor for EU/EEA data received from ZETA GmbH.
2.6. “Data Subject” or “Consumer” means the individual whose personal data is being processed. The term “Consumer” is used in U.S. state law contexts.
2.7. “Sale of Personal Data” means, under U.S. state laws, sharing personal data for monetary or other valuable consideration, including for targeted advertising purposes.
2.8. “Consent” means, under GDPR, a freely given, specific, informed, and unambiguous indication of the data subject’s agreement. Under U.S. law, consent is generally an opt-out model except for sensitive data, where opt-in applies.
2.9. “Joint Controllers” means two or more entities that jointly determine the purposes and means of processing personal data, such as ZETA website and certain social media platforms under GDPR Article 26.

3.1 Data Collected by Category of Data Subject
The personal data we process depends on your relationship with us. For interested parties and prospects, we process the entity name, the name of the contact person, and their professional contact and address data. For customers, we process the company name, title and names of contact persons, professional address and contact details, bank details (last four digits only, with full card data processed exclusively by PCI-compliant vendors), and contract data. For suppliers and business partners, we process the same categories as for customers; in addition, we process image data for publication in print media and on our website on the basis of consent. For newsletter recipients, we process the e-mail address and name. For white paper downloaders, we process the first and last name, e-mail address, company name, and optionally the telephone number.

For website visitors, we collect the data technically necessary to display our website and ensure its stability and security. This includes the IP address, the date and time of the request and the time zone difference to Coordinated Universal Time, the content of the request and the HTTP status code, the website from which the request originates, and the browser type, operating system, language, and browser version. This data is not merged with other personal data sources. For job applicants, we collect CV and resume data, name, contact details, professional history, and qualifications, as described further in Section 12. Employee and contractor data is governed by a separate HR privacy notice where applicable.

3.2 Additional Categories Collected Automatically
In addition to the above, we may collect identifiers such as names, email addresses, phone numbers, IP addresses, device IDs, and account numbers; commercial information including purchase history, products or services considered, and transaction records; internet and network activity data such as clickstream data, pages visited, time on site, and interactions with cookies and tracking technologies; geolocation data in the form of general location derived from an IP address, with precise geolocation collected only with explicit consent; communications including customer service inquiries, feedback, and survey responses; and inferences drawn from the above categories to understand preferences and improve our services.

3.3 How We Collect Data
We collect personal data directly from you when you register an account, complete a form, make a purchase, sign up for our newsletter, download a white paper, contact us by e-mail, telephone, contact form, or social media, or submit a job application. We also collect data automatically through your use of our website and services via server log files, cookies, and analytics tools described in Section 11. In some cases, we receive data that is not provided directly by the data subject, for example when management bodies provide us with the names and contact details of their employees as part of projects or business relationships. We also receive personal data from ZETA GmbH pursuant to a Data Processing Agreement, and from third-party online application platforms in the context of recruitment.

3.4 Data Minimization
We collect only the personal data that is necessary for the specific, identified purposes described in this Policy. We do not collect personal data speculatively or beyond what is proportionate to those purposes, consistent with the principle of data minimization under GDPR Article 5(1)(c) and applicable U.S. state law.

3.5 Anonymized, Aggregated, and De-identified Data

Where we anonymize, aggregate, or de-identify personal data such that it can no longer reasonably be used to identify an individual, the resulting data is not personal data and is not subject to this Policy or to individual rights requests. We use such data for purposes including website analytics, product and service improvement, internal research, and business reporting. We implement and maintain technical and organizational safeguards designed to prevent re-identification of anonymized or de-identified data, and we do not attempt to re-identify such data. Where we share anonymized, aggregated, or de-identified data with third parties, we require by contract that those recipients likewise refrain from attempting to re-identify the data and maintain appropriate safeguards. For the avoidance of doubt, pseudonymized data — that is, data from which identifying information has been replaced with a pseudonym but which could be re-linked to an individual using additional information we hold — remains personal data and is subject to this Policy.

4.1 GDPR Legal Bases for EU/EEA Users
For individuals in the EU/EEA, we process personal data only when we have a valid legal basis under GDPR Article 6. The legal bases applicable to each category of processing activity are identified in the paragraphs that follow and in Section 4.2 of this Policy.

We rely on consent under Article 6(1)(a) where we process your e-mail address for advertising or newsletter purposes, where we set non-essential cookies or conduct consent-based analytics, where we publish image data, and where we transfer data to third countries in circumstances requiring explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

We rely on contract performance under Article 6(1)(b) when processing is necessary to deliver a purchased service or product, for contract initiation and fulfilment, and for providing white paper access in exchange for contact data.

We rely on legal obligation under Article 6(1)(c) when processing is required to comply with tax and regulatory obligations, statutory retention and documentation requirements including those under the Austrian Federal Fiscal Code (BAO), the Austrian Commercial Code (UGB), the Trade, Commerce and Industry Regulation Act (GewO), the General Civil Code (ABGB), the Value Added Tax Act (UStG), the Whistleblower Protection Act (HSchG), the Network and Information System Security Act (NISG), the Austrian Data Protection Act (DSG), and the GDPR itself, as well as for the operation of our whistleblower reporting channel.

We rely on legitimate interests under Article 6(1)(f) for fraud prevention, network and website security, server log analysis, technical cookie operation, use of the Amazon CloudFront CDN, processing contact enquiry data, retaining rejected job applicant records for a limited period, operating the LinkedIn Insight Tag for B2B analytics, and maintaining our social media presence.

For sensitive personal data under GDPR Article 9, we rely on explicit consent or another applicable Article 9 exception.

4.2 Purposes of Processing
We process personal data to provide, operate, and improve our products and services; to process transactions and fulfil orders and contracts; for customer support and communications by e-mail, telephone, contact form, and social media; to send newsletters and personalized marketing communications on a consent basis; for white paper distribution and associated marketing; for fraud prevention, security, and abuse detection; to meet our legal compliance and regulatory obligations; for analytics and website improvement; for recruitment and HR administration; for intragroup business operations with ZETA GmbH; and for whistleblower and compliance reporting.

4.3 U.S. Notice
For U.S. consumers, the following constitutes our notice at collection as required by the CCPA/CPRA and applicable state privacy laws. We collect the categories of personal information described in Section 3, including: identifiers such as name, email address, phone number, IP address, and device ID; commercial information including purchase history and transaction records; internet and network activity data such as pages visited and clickstream data; geolocation data (general location derived from IP address; precise geolocation only with explicit opt-in consent); communications data such as customer service inquiries and survey responses; and inferences drawn from the foregoing to understand preferences and improve our services. The purposes for which we collect each category of personal information are described in Section 4.2. We do not sell personal information for monetary consideration. Where we share personal information for cross-context behavioral advertising or targeted advertising, you have the right to opt out as described in Section 7. Where collected, sensitive personal information is used only for the purposes permitted by applicable law or with your explicit opt-in consent. Retention periods for each category of personal information are described in Section 8.

5.1 Categories of Recipients
We share personal data only with the categories of recipients described below, and only to the extent necessary for the stated purpose.

We share data with ZETA GmbH pursuant to a Data Processing Agreement and applicable transfer mechanisms as described in Section 6. Various companies within the group provide IT services and collaborate on joint projects, making intragroup transfers necessary.

We work with service providers and data processors who process data on our behalf, including vendors handling contract fulfilment, payment processing, account management, newsletter distribution, IT services, and analytics. All processors are bound by data processing agreements that impose binding security and confidentiality obligations.

In connection with recruitment, we use third-party online application platforms that forward applicant data to us. Both the platform operator and we act as independent controllers under GDPR for this data. We refer you to the privacy policy of the relevant platform operator for further information.

Where we operate social media pages, joint controller arrangements exist with those platform providers as further described in Section 13. We may disclose personal data to legal and regulatory authorities when required by law, court order, or regulatory demand. In connection with a merger, acquisition, or asset sale, personal data may be transferred subject to data protection obligations being carried over to the new entity. Any other sharing beyond the above will only occur with your explicit consent.

5.2 No Sale of Personal Data
We do not sell your personal data for monetary consideration. We do not share personal information with third parties for cross-context behavioral advertising or targeted advertising purposes.

6.1 Transfers from the EU/EEA to the United States
As a U.S. company with an Austrian parent, personal data originating in the EU/EEA is transferred to and processed in the United States. All such transfers are conducted only using lawful mechanisms under GDPR Chapter V.

For transfers of personal data from the European Economic Area (“EEA”) to the United States, we rely primarily on the European Commission’s Standard Contractual Clauses (“SCCs”), as incorporated into our agreements with affiliates, service providers, and vendors, as appropriate.
To the extent applicable, we may also rely on the EU-U.S. Data Privacy Framework (“DPF”) where a recipient has certified to the DPF and such certification remains valid, in accordance with Article 45 of the GDPR.
In limited circumstances where neither SCCs nor another valid transfer mechanism is available, we may rely on a derogation under Article 49 GDPR, such as explicit consent, only where permitted by applicable law and generally on a non-routine basis.
We are also evaluating the use of Binding Corporate Rules (BCRs) for intragroup transfers as the business scales.

We conduct Transfer Impact Assessments (TIAs) where required to verify that transferred data will receive adequate protection in the destination country.

Where third-party service providers such as Google, Microsoft, and HubSpot transfer data to the U.S. or other third countries, these are disclosed individually in Section 14. Google, YouTube, and other certified providers rely on the EU-U.S. DPF adequacy decision under GDPR Article 45.

6.2 Third-Country Transfer Risks
Where personal data is processed by recipients in countries outside the EEA that do not benefit from an adequacy decision and have not self-certified under the DPF, certain risks cannot be fully excluded: data may be passed to further third parties beyond the original purpose; your rights may be difficult to enforce against the service provider; and technical and organizational measures may not fully meet GDPR standards. Where we rely on consent for such transfers under Article 6(1)(a), this is stated in the relevant section. You may withdraw your consent at any time.

6.3 Intragroup Data Processing Agreement
A formal Data Processing Agreement governs all personal data flows between ZETA USA and ZETA GmbH. This agreement defines the respective controller and processor responsibilities of each entity, the categories of data transferred, the purposes for which data is processed, the security measures in place, and the procedures for handling individual rights requests.

Depending on your location, you may have the following rights regarding your personal data. We honor all applicable rights regardless of jurisdiction. If you believe we have violated applicable data protection law in the processing of your data and thereby violated your rights, we ask you to contact us first so that we can clarify any questions.

You have the right to know and access the personal data we hold about you and to obtain information about how it is processed, under GDPR Article 15, the CCPA, the DPDPA, and most U.S. state laws.

You have the right to correct or rectify inaccurate or incomplete personal data we hold about you, under GDPR Article 16, the CCPA, the DPDPA, and most U.S. state laws.

You have the right to request deletion or erasure of your personal data, subject to legal exceptions such as statutory retention obligations or legal hold requirements, under GDPR Article 17, the CCPA, the DPDPA, and most U.S. state laws.

You have the right to data portability, meaning you may receive your personal data in a structured, commonly used, machine-readable format, under GDPR Article 20, the CCPA, the DPDPA, and most U.S. state laws.

U.S. consumers have the right to opt out of the sale of their personal data and its use for targeted advertising. Please see Appendix A for state-specific details, including the “Do Not Sell or Share My Personal Information” link available on our website footer.

You have the right to restrict the processing of your personal data in certain circumstances under GDPR Article 18, for example while the accuracy of data is contested or while an objection is being assessed.

You have the right to object to processing based on our legitimate interests or to processing for direct marketing purposes under GDPR Article 21. Where you object to direct marketing, we will cease that processing immediately.

Where we rely on consent as the legal basis for processing, you have the right to withdraw that consent at any time under GDPR Article 7. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

You have the right not to be discriminated against for exercising your privacy rights, in particular under the CCPA, the DPDPA, and most U.S. state laws.

You have the right to appeal our decision on a rights request or to lodge a complaint with a supervisory authority as described in Section 18.

7.1 How to Exercise Your Rights
Please send your enquiries and concerns by e-mail to datenschutz@zeta.com or by post to ZETA USA Inc., 2200 Renaissance Boulevard, Suite 170, King of Prussia, PA 19406, USA. We will verify your identity before processing your request using a reasonably reliable method, which may include matching information you provide against information we maintain about you. Authorized agents may submit requests on your behalf provided the agent presents written authorization signed by you or a valid power of attorney. We reserve the right to require you to directly verify your own identity and confirm that you have authorized the agent to act on your behalf, consistent with CCPA/CPRA and applicable state law requirements.

We will respond within the applicable statutory period: for GDPR requests, within 30 days extendable by a further two months in complex cases with prior notice; for CCPA requests, within 45 days extendable by an additional 45 days with notice; and for DPDPA and most other U.S. state law requests, within 45 days extendable by an additional 45 days with notice, subject to any shorter or different timeframe mandated by the applicable state law.

7.2 U.S. State Law Appeal Process
If we deny your privacy rights request in whole or in part, you have the right to appeal our decision depending on your state of residence. To submit an appeal, please contact privacy@[ZETA].com within 30 days of receiving our response and describe the basis for your appeal. We will review and respond to your appeal within the timeframe required by applicable law. Where permitted, we may extend the response period as reasonably necessary and will notify you if an extension applies. If we deny your appeal, you may have the right to contact the attorney general or other regulatory authority in your state of residence.

We retain personal data only for as long as is necessary to fulfil the purposes described in this Policy, or as required or permitted by applicable law. Our retention decisions take into account the nature and sensitivity of the data, the purpose for which it was collected, our legal and regulatory obligations, contractual requirements, and whether the data may be needed to defend or pursue legal claims.

After termination of a contractual relationship or after the end of contractually agreed periods, personal data will be deleted or anonymized as soon as there are no statutory retention obligations to the contrary. If consent to the processing of personal data is withdrawn, the data will be deleted or anonymized unless there is another legal basis for continued processing. It is possible that personal data must be retained for legal reasons despite the revocation of consent or expiry of a contractual period and will only be deleted at a later date after the expiry of the respective statutory period.

Customer account and transaction data is retained for the duration of the business relationship plus seven years, consistent with Austrian Federal Fiscal Code (BAO) and Austrian Commercial Code (UGB) requirements and equivalent U.S. tax record-keeping obligations. Contract data is retained for the duration of the contract plus the applicable statutory limitation period. Marketing and newsletter data is retained until you opt out or withdraw consent, after which it is deleted within 30 days, provided no other business relationship or retention obligation applies. White paper download data follows the same principle as newsletter data. Website server logs and analytics data are retained on a rolling 13-month basis. For automatically collected personal information described in Section 3.2, the following retention periods apply: identifiers collected automatically (such as IP addresses and device IDs) are retained as part of server logs on a rolling 13-month basis; commercial information is retained for the duration of the business relationship plus seven years consistent with tax and record-keeping obligations; and inferences drawn from personal information are retained until no longer necessary for the purpose for which they were created.

Rejected job applicant data is deleted seven months after the rejection notice is sent, consistent with Austrian anti-discrimination law practice. Where U.S. law requires a longer period, up to 12 months, the longer period is applied. Where you have given consent for your application to be retained for future consideration, your documents will be stored for up to one year from the date of consent and deleted if no suitable position arises. Employee records are retained for the duration of employment plus the period required by applicable employment law in each relevant jurisdiction. Security and fraud prevention logs are retained for 12 to 24 months. Whistleblower reports are retained for the duration of any related investigation plus the applicable statutory period, with strict access controls in place.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, consistent with GDPR Article 32 and the FTC’s reasonable security standard. Our security program includes, without limitation: encryption of personal data in transit and at rest using current industry-standard protocols and algorithms; access controls and role-based permissions applying the principle of least privilege; multi-factor authentication for systems containing personal data; regular security risk assessments and penetration testing; employee privacy and security training; Data Processing Agreements with all third-party processors containing binding security obligations; and incident response and data breach notification procedures. The specific technical and organizational security measures we apply are documented in our internal Information Security Policy, which is reviewed and updated on a regular basis to reflect evolving best practices and applicable regulatory guidance.

No security system is impenetrable. In the event of a personal data breach affecting your data, we will notify you and applicable regulatory authorities as required by law, as described in Section 10.

In the event of a personal data breach, we will fulfil our notification obligations as follows.

Under GDPR Articles 33 and 34 and the Austrian DSG, we will notify the Austrian Data Protection Authority (DSB) as our lead supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, we will also notify the affected data subjects without undue delay.

For U.S.-based individuals, we will notify affected individuals and applicable state attorneys general or regulatory agencies within the timeframe required by each state’s breach notification law. In Delaware, notification is required within 60 days. In California, notification must be made expeditiously and in some circumstances within 30 days. Most U.S. states require notification within 30 to 60 days of discovery.

Internally, any potential breach will trigger immediate escalation to the Privacy Lead, the Data Protection Officer, the Legal team, and the Executive team upon discovery.

11.1 Informational Use of the Website
When you visit our website for information purposes only, we collect only the personal data that your browser transmits to our server in the form of server log files. This data is technically necessary for us to display our website to you and to ensure its stability and security. The data collected includes the IP address, the date and time of the request and the time zone difference to Coordinated Universal Time, the content of the request and the HTTP status code, the website from which the request originates, and the browser type, operating system, language, and browser version. This data is not merged with other personal data sources. We reserve the right to review this data retrospectively if we become aware of specific indications of unlawful use and, in the event of a cyber-attack, to pass the data to law enforcement authorities. The data is not otherwise passed to third parties.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security and stability)

11.2 Cookies
Cookies are small text files that are assigned to the browser you are using and stored on your device. They enable us or third-party providers to collect certain information about your visit. Cookies cannot execute programs or transfer viruses to your computer. The information contained in cookies is used, for example, to determine whether you are logged in, to recall data you have entered, or to recognize you as a returning user.

We distinguish between technical cookies, which are used exclusively to ensure the operation of our website, and which require no consent, and cookies requiring consent, which are set by us or third-party providers for the purposes of statistical analysis, tracking, or advertising and marketing. Strictly necessary cookies are essential for the website to function and operate on the basis of our legitimate interest under Article 6(1)(f) GDPR. Functional and preference cookies, which remember your settings, analytics and performance cookies, which help us understand how users interact with our website, and marketing or advertising cookies used for targeted advertising, all require your consent under Article 6(1)(a) GDPR. For U.S. visitors, our cookie preference center is designed to provide clear and symmetrical choices regarding cookie preferences, including opt-in and opt-out mechanisms where required by applicable law, and to avoid the use of interfaces or design elements that subvert or impair user autonomy, decision-making, or choice (“dark patterns”), consistent with guidance issued by the California Privacy Protection Agency and applicable U.S. state privacy laws, including the Colorado Privacy Act and the Connecticut Data Privacy Act.

Opt-Out Preference Signals. We recognize and honor opt-out preference signals transmitted through browser- or device-based technologies, including the Global Privacy Control (“GPC”), in accordance with applicable privacy laws. Where your browser or device is configured to transmit a GPC or similar opt-out preference signal, we will treat that signal as a valid request to opt out of the sale or sharing of personal information and/or the use of personal information for targeted advertising, as applicable, for the specific browser, device, or user associated with the signal. You are not required to submit a separate opt-out request through our website in addition to enabling a compatible signal. To learn more about GPC or to activate a compatible signal, visit https://globalprivacycontrol.org. Please note that our response to opt-out preference signals may vary depending on your state of residence and the legal requirements applicable to that jurisdiction.

EU/EEA visitors are presented with a cookie consent banner upon their first visit, consistent with GDPR and ePrivacy Directive requirements. U.S. visitors may opt out of non-essential cookies and tracking through our cookie preference center. Where required by applicable law, including the California Consumer Privacy Act / California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Delaware Personal Data Privacy Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the New Hampshire Privacy Act, and the New Jersey Data Protection Act, we recognize and process Global Privacy Control (“GPC”) signals and other legally recognized universal opt-out mechanisms as requests to opt out of the sale or sharing of personal information and/or the use of personal information for targeted advertising, as applicable under state law.
To the extent we engage in the sale, sharing, or use of personal information for targeted advertising through cookies or similar tracking technologies, you may also exercise your opt-out rights by using the “Do Not Sell or Share My Personal Information” link available in the footer of our website or through our cookie preference center, where available.

To manage your cookie preferences, visit the cookie banner. Note: certain session recording and analytics tools integrated on our website, including Microsoft Clarity, collect user interaction data through cookies and scripts. These tools are configured to exclude sensitive form fields. Consent to their use is requested through our cookie banner. If you have concerns about the use of such tools in connection with your session data, please contact us at datenschutz@zeta.com.
For information on how to manage or disable cookies in your browser, please refer to the following resources (provided for convenience only; we do not actively monitor these third-party links):

Google Chrome: https://support.google.com/chrome/answer/95647

Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Internet Explorer: http://windows.microsoft.com/en-GB/windows-vista/Block-or-allow-cookies

Safari (desktop): https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

Safari (iOS): https://support.apple.com/en-us/HT201265

Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

Adobe Flash: https://www.macromedia.com/support/documentation/en/flashplayer/help09.html

For general information about managing cookies, visit http://www.aboutcookies.org or http://www.networkadvertising.org/choices. You may also learn more about internet advertising practices and related consumer resources at https://youradchoices.com/control and https://thenai.org/about-online-advertising/faq.

Do Not Track. Some browsers may be configured to send “Do Not Track” signals to websites you visit. We will respond to “Do Not Track” and similar signals in a manner consistent with applicable law. For more information about “Do Not Track,” please visit http://www.allaboutdnt.com.

11.3 Data Transfer to Third Countries via Cookies
It cannot be ruled out that personal data may be transferred to third countries outside the EEA when you visit our website and interact with external services. Where this is the case, we identify the specific service and the applicable legal basis in Section 14. By giving your consent via the cookie consent banner, you consent to any associated data transfers to the extent that consent is the applicable basis. You may withdraw this consent at any time through the cookie preference center.

11.4 Newsletter Registration
You can subscribe to our newsletter by providing your e-mail address and name. You can unsubscribe at any time by using the unsubscribe link found in each newsletter or by sending an e-mail to marketing@zeta.com After unsubscribing, we will no longer use your data to send newsletters. If we have no other business relationship with you and are not subject to any statutory retention obligations, your data will be deleted following unsubscription.

For newsletter distribution and analysis, we use HubSpot Inc., whose European headquarters is in Dublin, Ireland, and whose global headquarters is in Massachusetts, USA. HubSpot enables us to analyze recipients’ reading behavior, including whether and which links are clicked, in order to better tailor future content. This evaluation is carried out exclusively for internal analysis purposes. HubSpot relies on the EU-U.S. Data Privacy Framework for transfers of EU/EEA data to the United States. Legal basis: Art. 6(1)(a) GDPR (consent)

11.5 White Paper Downloads
You can download a selection of white papers free of charge by providing your first and last name, e-mail address, company name, and optionally your telephone number. When you download a white paper, a contract is concluded between you and us: we provide high-quality specialist content and in return you provide your contact data for the purpose of receiving newsletters and advertising communications. You have the right to unsubscribe from our newsletter at any time. If we have no other business relationship with you and no statutory retention obligations apply, your data will be deleted after you unsubscribe. Legal basis: Art. 6(1)(b) GDPR (contract initiation and fulfilment)

11.6 Tracking Pixels
In addition to cookies, we use tracking pixels — small, transparent image files or code snippets embedded in web pages or emails — to collect information about how you interact with our website and communications. Pixels may be used to measure website traffic, track conversions, analyze user behavior, and enable targeted advertising on third-party platforms. Unlike cookies, pixels do not store information on your device; instead, they transmit data to the server of the pixel operator at the time of the interaction. The specific pixels we use, including the Meta Pixel, Google Ads Conversion Tracking, and the LinkedIn Insight Tag, are described individually in Section 14. Where a pixel transfers personal data to a third country outside the EEA, the applicable transfer mechanism is identified in the relevant Section 14 entry.

11.7 Interest-Based Advertising
Some of the advertising networks we use for interest-based advertising may be members of the Digital Advertising Alliance (“DAA”) or the Network Advertising Initiative (“NAI”). You may learn more about interest-based advertising and opt out of receiving personalized advertising from participating third-party companies by visiting the following resources:

Digital Advertising Alliance: https://optout.aboutads.info

Network Advertising Initiative: https://optout.networkadvertising.org

YourAdChoices: https://youradchoices.com/control

Please note that if you opt out of interest-based advertising, you may still receive online advertising from us; however, such advertising will not be tailored to your interests based on online behavioral information. To successfully opt out using these tools, you must have cookies enabled in your web browser. Your opt-out applies only to the specific browser you use, on the specific device you are using at the time. If you delete your browser’s saved cookies after opting out, you will need to opt out again.

12.1 Recruitment Processing
If you send us your application documents, we will process the personal data contained therein for the purpose of personnel selection and recruitment. This includes your CV or resume, names, contact details, professional history, and qualifications.
Legal basis: Art. 6(1)(b) GDPR (contract initiation and fulfilment)

12.2 Rejection and Deletion
In the event of rejection, we will delete your application documents seven months after sending the rejection notice to you, consistent with Austrian anti-discrimination law practice. Where applicable U.S. law requires a longer retention period of up to 12 months, the longer period will apply.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in defending against potential anti-discrimination claims)

12.3 Retention for Future Consideration
If we wish to retain your application for the purpose of contacting you at a later date should a suitable position arise, we will approach you with a separate request for your consent. If you give us this consent, we will store your application documents. If no suitable position arises within one year of receiving your consent, we will delete all your application documents.
Legal basis: Art. 6(1)(a) GDPR (consent)

12.4 Applicant Portal
All applications for ZETA USA Inc. and our group affiliates are processed via our applicant portal. For further information, please refer to the privacy policy available at https://zeta.onlyfy.jobs/policy

12.5 Third-Party Application Platforms
We use various online application platforms to recruit employees. Applicants decide which data they provide when using such a platform. Personal data entered and documents uploaded are forwarded to us by the platform operator. Both the application platform and we process this data as controllers within the meaning of the GDPR. Please note the privacy policies of the respective platform operators.
Legal basis: Art. 6(1)(b) GDPR (contract initiation and fulfilment)

We operate social media pages on X (Twitter), Instagram, TikTok, LinkedIn, Xing, Vimeo, Facebook, and YouTube. When you visit our social media presence or our YouTube and Vimeo channels, personal data including your IP address is processed by the respective platform provider and cookies are used for data collection. Please refer to the privacy policy of each service for information on exactly what data is transmitted and for details of your rights and available settings.

Your use of these services and their functions is at your own risk. This applies in particular to interactive functions such as sharing, commenting, and rating. The providers of these social media services have provided us with corresponding agreements — in most cases agreements on joint responsibility for data processing under GDPR Article 26. The use of social media platforms is based on our legitimate business interests. If you have data subject rights requests relating to jointly processed data, you may contact us as well as the relevant platform provider.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

U.S. Note: Our use of social media platforms is also subject to FTC endorsement and disclosure guidelines. Where we publish sponsored content or endorsements, these will be clearly and conspicuously disclosed in accordance with FTC requirements.

We use the following third-party services on our website and in our operations. Each may process personal data as described below. Where data is transferred to the United States or another third country, the applicable legal basis and transfer mechanism is noted. In all cases where consent is the legal basis, you may withdraw consent at any time through our cookie preference center.

14.1 Google Services
We use services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google has self-certified under the EU-U.S. Data Privacy Framework; accordingly, transfers to Google entities in the United States are governed by the DPF adequacy decision under GDPR Article 45. For further information, see policies.google.com/privacy.

Google Analytics
Where you have explicitly consented through our cookie banner, or have not disabled third-party advertising cookies (depending on your location), we use Google Analytics on our website to analyze how it is used and to better understand how visitors find and use our Services. This website uses the IP anonymization function, meaning that Google Analytics has been extended by the code gat._anonymizeIp() to ensure anonymized collection of IP addresses. As a result, your IP address is truncated by Google within member states of the European Union or in other signatory states to the EEA Agreement before any processing takes place. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. The data collected includes data related to your device and browser, your IP address, and on-site activities to measure and report statistics about user interactions. The information stored is reduced to a random identifier. Google uses the information collected to analyze your use of the website, to compile reports on website activity, and to provide other services relating to website use. Your IP address as transmitted from your browser to Google Analytics is not merged with other Google data without your consent. Google may also show advertisements for us across the internet and uses cookies and other similar technologies to serve ads based on your past visits to our website. Any data collected is used in accordance with this Policy and Google’s Privacy Policy. You can learn more about Google’s restrictions on data use by visiting policies.google.com/privacy, and more about Google’s advertising services by visiting Google’s Technologies page. To opt out of Google’s use of cookies or device identifiers for advertising purposes, please visit Google’s Ads Settings at adssettings.google.com. You may also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout.
Legal basis: Art. 6(1)(a) GDPR (consent)

Google Ads Conversion Tracking
Our website uses Google Ads Conversion Tracking. If you arrive at our website via a Google advertisement, Google Ads places a cookie on your device. These cookies lose their validity after 30 days and are not used for personal identification. The information collected via the conversion cookie enables us to see the total number of users who clicked on our advertisement and were redirected to our website, without being able to identify individual users personally. You may opt out of conversion tracking by adjusting your browser settings to block cookies from googleadservices.com.
Legal basis: Art. 6(1)(a) GDPR (consent)

Google AdSense
Our website uses Google AdSense for displaying advertisements automatically selected by Google based on our website content and visitor interests. Google AdSense collects data through cookies, web beacons, and usage data including information about pages visited, advertisements clicked, IP address, browser type, and language settings. This information is used to measure advertising effectiveness and may be combined with other data Google holds about you. Legal basis: Art. 6(1)(a) GDPR (consent)

Google Tag Manager
We use Google Tag Manager to integrate and manage website tags such as tracking codes and conversion pixels. The Google Tag Manager collects the IP address but does not store it and has no access to the data itself. It acts solely as an interface between our website and the associated analytics and advertising software.
Legal basis: Art. 6(1)(a) GDPR (consent)

Google Fonts
We use Google Fonts on our website to ensure that fonts and icons are displayed in a uniform and appealing manner. Your browser loads the required fonts from Google Fonts servers, which means that Google becomes aware that our website was accessed via your IP address. For further information, please visit the Google Fonts privacy page.
Legal basis: Art. 6(1)(a) GDPR (consent)

Google Maps
We use the Google Maps service on this website to display interactive maps. When the map loads, Google receives information that you have accessed the relevant page of our website, together with the technical log data described in Section 11.1. If you are logged in to a Google account, your data will be associated with that account. You can prevent this by logging out of Google before activating the map.
Legal basis: Art. 6(1)(a) GDPR (consent)

Google Photos
For a user-friendly experience, we use the cloud-based storage service Google Photos to host images displayed on our website. When you access these images, your browser establishes a connection to Google’s servers and your IP address is transmitted.
Legal basis: Art. 6(1)(a) GDPR (consent)

YouTube
We operate a YouTube channel and have integrated YouTube videos on our website. YouTube is operated by YouTube LLC, 901 Cherry Avenue, San Bruno, California 94066, USA, a subsidiary of Google Ireland Limited. We use YouTube in extended data protection mode, which means that YouTube does not store cookies on your device when you visit our website. A connection to YouTube’s servers is only established when you choose to play an embedded video. Once playback begins, YouTube uses cookies and other tracking technologies for data collection and statistical analysis and may use your data for advertising and market research purposes. These tracking technologies enable us to understand and improve our marketing efforts and track the performance of video content. YouTube may also collect information relating to your visit to our website, including the referring IP address, device, and pages you accessed. If you are logged into a YouTube account, your activity will be associated with that account. By viewing any video embedded on our website, you consent to the disclosure of information to YouTube through its tracking technologies. YouTube LLC has self-certified under the EU-U.S. Data Privacy Framework; data transfers to the United States are therefore permitted under GDPR Article 45. For further information, see https://policies.google.com/privacy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.2 Microsoft Services
We use services provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For further information, see privacy.microsoft.com.

Microsoft Advertising (formerly Bing Ads)
Microsoft Advertising enables us to place targeted advertisements in the Bing search results and on other Microsoft properties. When Microsoft Advertising is active, data such as IP addresses, browser information, search queries, device types, and click behavior may be collected to measure the effectiveness of advertising campaigns and to serve personalized advertisements. Microsoft does not share directly identifiable information such as usernames or addresses with us.
Legal basis: Art. 6(1)(a) GDPR (consent)

Microsoft Clarity
We use the Microsoft Clarity analysis tool to understand user behavior on our website and to improve the user experience. Microsoft Clarity uses cookies and other tracking technologies to collect information such as user interactions, mouse movements, scrolling activity, and keystrokes. This data is anonymized and aggregated to help us improve the performance and effectiveness of our website.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.3 Amazon CloudFront CDN
We use Amazon CloudFront, a content delivery network operated by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, to deliver website content quickly and securely. The CDN service processes the IP address of the website visitor. The IP address is automatically deleted from CloudFront logs after processing. For further information, see aws.amazon.com/privacy.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website performance and security)

14.4 HubSpot
Our website uses the services of HubSpot Inc., whose European headquarters is at 1 Sir John Rogerson’s Quay, Dublin 2, Ireland, for the analysis, optimization, and automation of marketing and sales processes. HubSpot enables us to analyze website visitors and deliver targeted marketing measures. Data such as IP address, visitor behavior, and submitted form data may be recorded and stored. HubSpot relies on the EU-U.S. Data Privacy Framework for transfers of EU/EEA data to the United States. For further information, see hubspot.com/data-privacy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.5 Hotjar
We use Hotjar, provided by Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville, St Julian’s, STJ 3141, Malta, to analyze user behavior and improve usability. Hotjar collects data including mouse clicks, mouse movements, and scrolling behavior. IP addresses are processed in anonymized form. Hotjar also records screen size, device type, browser information, and country of origin. This information is not used to identify individual users and is not merged with other personal data. For further information, see hotjar.com/legal/privacy-policy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.6 Leadfeeder / Dealfront
We use the analytics tool Leadfeeder provided by Dealfront Group GmbH, Durlacher Allee 73, 76131 Karlsruhe, Germany, to manage existing B2B customer contacts and to generate new ones. Dealfront accesses analyses from Google Analytics by matching anonymized IP addresses of website visitors with publicly available company information. Because Google Analytics anonymizes IP addresses by default, no direct personal reference is established through this process, though one may arise when reviewing company-level information. For further information, see dealfront.com/privacy-policy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.7 LinkedIn Insight Tag
Our website uses the LinkedIn Insight Tag, a tracking pixel provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The Insight Tag is a JavaScript code snippet embedded on our website that functions as a tracking pixel, enabling collection of data about visits to our website, including URL, referral URL, IP address, device and browser characteristics, timestamps, and page views, and enabling us to track page view and conversion data – including post-click and view-through conversions – for our LinkedIn advertising campaigns. This data is encrypted, anonymized within seven days, and deleted within 90 days. LinkedIn does not share personal data with us; we receive only aggregated reports on website audiences and advertising performance. However, LinkedIn may use the collected information to serve you advertisements on LinkedIn and other platforms. LinkedIn members can control the use of their information for advertising purposes through their LinkedIn account settings. Where the Insight Tag transfers personal data to the United States, such transfers are governed by Standard Contractual Clauses or, where applicable, LinkedIn’s self-certification under the EU-U.S. Data Privacy Framework. For further information, see linkedin.com/legal/privacy-policy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.8 Matomo
We have integrated the web analytics service Matomo, provided by InnoCraft Limited, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand, on our own server for statistical analysis of user behavior and for optimization and marketing purposes. By hosting Matomo on our own server, we ensure that no data is passed to third parties. We operate Matomo with settings that ensure no cookies are set. The data processed includes browser type, browser version, operating system, country of origin, date and time of the server request, number of visits, time spent on the website, and external links clicked. The IP address is anonymized before it is saved. Pseudonymized user profiles may be created and evaluated but are not used to personally identify visitors and are not merged with other personal data. For further information, see matomo.org/privacy-policy.
Legal basis: Art. 6(1)(a) GDPR (consent)

14.9 Meta Pixel
Our website uses the Meta Pixel provided by Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland. The Meta Pixel enables us to determine website visitors as a target group for the display of advertisements on Meta platforms, including Facebook and Instagram, and to customize and display advertisements only to Facebook users who have shown an interest in our website or services or who have specific characteristics – such as certain demographics or interests in certain topics or products determined by websites visited – that we submit to Meta. The use of Meta Pixel helps ensure that our advertisements are in line with the potential interests of users and do not have a nuisance effect. The Meta Pixel also allows us to track the effectiveness of Facebook advertisements for statistical and market research purposes by seeing whether users have been redirected to our services after clicking on a Facebook advertisement. The pixel records user actions in cookies, which enables Meta to match your user data such as IP address and user ID with data in your Meta account. The data collected through the pixel is anonymous from our perspective and cannot be viewed by us; it can only be used in the context of advertisement targeting and conversion measurement. However, the information collected via the Meta Pixel, on our website as well as on other websites on which Meta Pixel is installed, is also stored and processed by Meta. Meta may link this information to your Facebook account and may also use it for its own promotional purposes in accordance with Meta’s Data Usage Policy. To understand more about Facebook advertising, please visit https://www.facebook.com/about/ads. You may deactivate the Meta Pixel via the Cookie Settings on Facebook, located at https://www.facebook.com/settings/?tab=ads#. If you do not wish the pixel to link your actions to your Meta account, you may also log out of Meta before taking any action on our website. For further information, see facebook.com/policy.php.
Legal basis: Art. 6(1)(a) GDPR (consent)

15.1 Reporting Channel
We have established a whistleblower online portal on our website to enable individuals to contact us and report compliance and legal violations without fear of reprisals. Further information is available at https://app.loupe.link/whistleblowing/45c1aae5-c5ac-4259-b46a-6af673ad74f2
EU/Austrian legal basis: Art. 6(1)(c) GDPR (legal obligation under the EU Whistleblower Directive and the Austrian Whistleblower Protection Act (HSchG))

residents consistent with GDPR Article 8. We do not knowingly collect personal data from children without verifiable parental consent. If you believe that we have inadvertently collected personal data from a child, please contact us immediately at datenschutz@zeta.com and we will promptly delete such data.

Where our services may be accessed by minors, we maintain heightened protections consistent with the Children’s Online Privacy Protection Act (COPPA) as amended by the FTC in January 2025, GDPR Article 8, and applicable U.S. state laws including the enhanced protections for children’s data under the Delaware Personal Data Privacy Act.

We do not use automated decision-making processes, including profiling or AI-based systems, to make decisions that produce legal effects or similarly significant effects on individuals.

While we may use artificial intelligence (AI) technologies internally to support and improve our business operations and services, such technologies are not used to make decisions about individuals or to conduct profiling within the meaning of Article 22 GDPR or applicable U.S. state privacy laws.

Accordingly, individuals are not subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. If this practice changes in the future, we will provide appropriate notice and, where required by applicable law, obtain the necessary consent.

EU/EEA Users
You have the right to lodge a complaint with your local data protection supervisory authority if you believe that we have processed your personal data in violation of applicable law. Our lead supervisory authority under GDPR, due to our parent’s establishment in Austria, is the Austrian Data Protection Authority (Datenschutzbehörde, DSB), reachable at Barichgasse 40-42, 1030 Vienna, Austria; by telephone at +43 1 52 152-0; by e-mail at dsb@dsb.gv.at; and at dsb.gv.at. You may also contact the supervisory authority in your EU/EEA country of residence or work.

U.S. Users
You may contact your state attorney general’s office regarding violations of applicable state privacy law. Certain states provide a private right of action for specific violations, for example California residents may bring a private claim under the CCPA in connection with certain data breaches. If we deny or do not fully respond to a privacy rights request, you have the right to appeal our decision by contacting datenschutz@zeta.com within 30 days of receiving our response.

For general privacy inquiries and data subject rights requests, please contact us at datenschutz@zeta.com.

We reserve the right to make changes to this Policy from time to time to reflect changes in our practices, applicable law, or business operations. All changes will be published on this page with a revised effective date. For material changes, we will additionally notify account holders by e-mail and display a notice on our website or application. For EU/EEA users, where changes affect consent-based processing, we will seek fresh consent before the change takes effect.

A.1 California Residents (CCPA / CPRA)
In addition to the rights described in Section 7, California residents have the following specific rights. You have the right to know the specific pieces of personal information we have collected about you. You have the right to correct inaccurate personal information we maintain about you. You have the right to limit our use and disclosure of sensitive personal information to purposes necessary for providing our services. You have the right to opt out of the sale or sharing of your personal information, including for targeted advertising purposes, by using the “Do Not Sell or Share My Personal Information” link available in the footer of our website. We do not discriminate against California residents who exercise any of these rights.

California Shine the Light. Under California Civil Code Section 1798.83, California residents who provide personal information in obtaining products or services for personal, family, or household use may be entitled to request and obtain from us once a calendar year information about the information we shared, if any, with other businesses for direct marketing uses. Please be aware that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing, if any, will be included in our response. As part of the California Online Privacy Protection Act, all users of our Services may make any changes to their information at any time by contacting us at datenschutz@zeta.com.

A.2 Delaware Residents (DPDPA)
Delaware residents have all the rights described in Section 7. The Delaware Personal Data Privacy Act (DPDPA), effective January 1, 2025, applies to the extent that we conduct business in Delaware or produce products or services targeted to Delaware residents and meet the applicable statutory volume or revenue thresholds, as described in Section 1.2. Where the DPDPA applies, it includes enhanced protections for children’s data and broader definitions of sensitive personal data. If we deny your rights request in whole or in part, you may appeal our decision by contacting datenschutz@zeta.com within 30 days of receiving our response, and we will respond to the appeal within 60 days.

A.3 Other State Residents
Residents of Colorado, Connecticut, Virginia, Texas, New Jersey, Maryland, Minnesota, New Hampshire, Montana, Nebraska, Oregon, Tennessee, Iowa, Utah, Indiana, Kentucky, Rhode Island, and other states with applicable comprehensive privacy laws have the rights described in Section 7 to the extent required by their state’s law. Where a state law provides rights or protections beyond those described in Section 7, we will honor those additional rights. To exercise any of these rights, please contact us at datenschutz@zeta.com.

This Appendix constitutes the formal information notice required by GDPR Articles 13 and 14 for EU/EEA data subjects. Thank you for visiting our website. The protection of your data is a top priority for us.

The purposes and legal bases for processing your personal data are set out in full in Section 4 of this Policy. Where we process data on the basis of our legitimate interests, those interests are fraud prevention, network and website security, website analytics, intragroup business operations, and maintaining our social media presence. The categories of recipients to whom your data may be disclosed are described in Sections 5 and 14. International transfers of your data and the safeguards applicable to those transfers are described in Section 6; our primary transfer mechanism is Standard Contractual Clauses (SCCs) in the form approved by the EU Commission, supplemented where applicable by the EU-U.S. Data Privacy Framework to the extent ZETA USA has completed or completes DPF self-certification.

Retention periods applicable to your personal data are set out in Section 8. Your rights as a data subject — including the rights of access, rectification, erasure, portability, restriction, and objection — are described in Section 7. You have the right to withdraw consent at any time by contacting datenschutz@zeta.com; withdrawal does not affect the lawfulness of prior processing. You have the right to lodge a complaint with the Austrian Data Protection Authority (DSB) at dsb@dsb.gv.at or dsb.gv.at, or with the supervisory authority in your country of residence or work.

Whether providing your personal data is a statutory or contractual requirement, or a condition necessary for entering into a contract, is disclosed at the point of collection for each processing activity. Where automated decision-making takes place, this is described in Section 17. Where we process personal data that was not collected directly from you, for example where management bodies have provided us with contact details of their employees as part of a business relationship, the relevant information is set out in Section 3.3.