Frequently Asked Questions on Privacy

  • Do you have a privacy policy?

  • What is your GDPR commitment?

    In order to understand our GDPR commitment, please refer to https://www.zoho.com/gdpr.html

  • What are your terms of service?

    Our terms of service can be accessed at https://www.zoho.com/terms.html

  • Do you have a dedicated person or team responsible for Privacy?

    Yes, we have dedicated privacy team who manage the privacy program at Zoho. We have also appointed a Data Protection Officer (DPO).

  • Where is my data stored?

    The Data Center where your data is stored is selected automatically based on the Country chosen by you while signing up for Zoho services. The information regarding which Data Center has been selected is displayed right below the Country picklist in the sign-up form. To know which Data Center is associated with a particular Country, click here. Alternatively, at any instant, you can know which Data Center your data resides in by looking at the URL on the browser when you are logged in to Zoho and are using our applications.

    1. If the URL is in the format of *.zoho.com (where * indicates the name of a Zoho Application such as crm, people, one), then your data is stored in the US(United States) DC.

    2. If the URL is in the format of *.zoho.eu, then your data is stored in the EU(European) DC.

    3. If the URL is in the format of *.zoho.in, then your data is stored in the IN(Indian) DC.

    4. If the URL is in the format of *.zoho.com.au, then your data is stored in the AU(Australian) DC.

  • How can I exercise my rights that the GDPR provides for?

    If you believe that Zoho owns, controls, or processes information pertaining to you, then send an email to privacy@zohocorp.com to exercise the rights that the GDPR grant.

    If you are from the European Economic Area and you believe that we store, use, or process your personal data on behalf of one of our customers, please contact the corresponding customer to access, rectify, erase, restrict, or object to the process, or to export your personal data as our customers will be the controllers. Controllers will usually be the administrator of the account. Any request for the data that is held by our customers will be forwarded to the respective customers. We will extend our support to our customer in responding to your request within a reasonable time frame.

  • Is your US data center GDPR compliant?

    Yes. Our GDPR compliance program covers both our EU and US data centres. However, when using the US data centre, there is the additional requirement of compliance with data transfer requirements for transfer from the EU to US, such as a Standard Contractual Clauses based agreement, which you can access from here. Zoho also has certified its compliance with the EU-U.S Privacy Shield Framework.

  • Who owns service data?

    As mentioned in part II of our Privacy Policy, you are the owner of the service data(which means that you are the Data Controller). We process your service data based on instructions provided through the User Interface or API of the applicable Zoho service(i.e, we are the Data Processor). The individuals whose data you may process in our applications are your Data Subjects. We provide you complete control of your service data by providing you the ability to (i) access your service data, (ii) share your service data through supported third-party integrations, and (iii) request export or deletion of your service data.

  • How secure is my data with Zoho?

    At Zoho, we take data security very seriously. That's why we have been audited for industry standards certifications such as ISO 27001, ISO 27017, ISO 27018 and compliance with the SOC 2 Type II. We have taken steps to implement appropriate administrative, technical & physical safeguards to prevent unauthorized access, use, modification, disclosure or destruction of the information you entrust to us. If you have any concerns regarding the security of your data, we encourage you to check our Security Whitepaper or write to us at security@zohocorp.com with any questions.

  • How do you ensure that the cross-border transfer is conducted according to applicable laws and regulations?

    The transfer (access) of data by and between our group entities is based on the intra-company agreement which is mutually signed by all our group entities. This agreement references the model contractual clauses approved by the European Commission. Zoho also has certified its compliance with the EU-U.S Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Please refer here for more details.

  • Do you comply with the EU-US privacy shield Framework and the Swiss-US Privacy Shield Framework?

    Yes. Zoho Corporation participates in and has certified its compliance with the EU-U.S Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Please refer here for more details.

  • Have you appointed a Data Protection Officer?

    Yes, we have appointed a Data Protection Officer (DPO) to oversee our management of your personal data in accordance with our Privacy Policy. If you have any questions or concerns about our privacy practices with respect to your personal data, you can reach out to our DPO, whose contact details are provided in our Privacy Policy under the 'Data Protection Officer' heading.

  • How do I delete or close my Zoho account, and delete the data associated with it?

    If you wish to close your Zoho account, kindly refer to this FAQ: "How do I close my Zoho account? "

    Once you close your Zoho account, the data associated with it will be deleted as per our retention policy mentioned in Part II of our Privacy Policy under the ' Retention of Information' heading.

  • How do I opt out of marketing emails from Zoho?

    You can opt out of receiving newsletters and other non-essential messages by using the Unsubscribe function included in all such messages.

    You can also send an email to privacy@zohocorp.com, and we will remove you from our mailing list.

    Certain legislations may require us to provide this option more explicitly for users of certain geographies. This has been fittingly incorporated into our sign up forms and likewise reflects in our related processes. However, please note that you will continue to receive notices and essential transactional emails . For example, updates regarding your Zoho account, subscription reminders, and other such important updates.

  • What kind of emails are sent by Zoho?

    Zoho, in our capacity of a Data Controller, send you emails providing you with information you've requested us for. We also send mails inviting you to our events, webinars and the like which we think may be of interest to you. This communication is based on the preference you've provided us with. Emails are also generated through your use of our application. These emails are generated by the actions done by you. For example, if you share a document through Zoho Docs or invite one of your data subjects to join your Zoho organisation by adding their email ID through the UI or via the API(through your use of our application), they receive an auto-generated email from the respective service notifying the recipient that you've shared a document with them or that you've invited them to join your Zoho organisation. This is done in our capacity of a Data Processor.

    In all cases, if you or your recipient thinks the email is inappropriate or that it has been received in error, you can report it to us at abuse@zoho.com and we will take the necessary action

  • What personal data do you, as a company, collect and process?

    Zoho, in its capacity as a data controller, collects information from you either directly or indirectly, which includes the data we collect from you during the sign up process, and the data generated automatically by the devices you use. A detailed explanation of the types of data we collect and the purpose for which it is collected is mentioned in Part 1 of our Privacy Policy.

  • How and whom do you notify in case of a data breach? What is your breach notification timeline?

    Breach notifications to our customers are performed in accordance with our internal Privacy Incident Response Policy. Zoho Group will notify the customers, without undue delay after becoming aware of the incident. For general incidents that affect all our customers, we will notify customers through our blogs, forums, and social media. With respect to incidents that relate to a specific customer or organization, we will notify the concerned customer or organization through their primary email address.

  • Does Zoho employees have access to my data?

    Access to your data is restricted to a small number of employees on a need-to-know basis in order to provide you technical support. This access is reviewed periodically.

  • If I sign up for Zoho services from zoho.eu, will my data be stored and processed only within the EU? Is there a scenario where my data will be transferred out of the EU?

    The data may be accessed by the employees of our Indian entity (Zoho Corporation Private Limited), in order to provide you technical support on the basis of the Model Contractual Clauses between Zoho Netherlands and Zoho India. We have a data processing agreement in place based on Standard Contractual Clauses that provides for access to the EU data center by the employees of Zoho India. However, there is no physical transfer of data out of the EU.

  • How can I get a copy of your data processing addendum(DPA)?

    If you are the organization administrator and would like to sign a DPA with us for your organization, we’ve made it available to be signed electronically in just a few easy steps.

    If you've signed up in www.zoho.com, click here to initiate the signing process. If you'd like to see a preview, click here.

    If you've signed up in www.zoho.eu, click here to initiate the signing process. If you'd like to see a preview, click here.

    Note: Make sure that you have logged into your Zoho account before initiating the signing process.

  • Who should I contact in case of questions regarding the DPA?

    If you have any questions regarding the DPA, please drop an email to legal@zohocorp.com

  • Does the GDPR require EU personal data to stay within the EU?

    No. GDPR does not mandate that the personal data reside within the EU. Instead, it facilitates international data transfers to countries outside of EU that have appropriate safeguards in place. Our Data Processing Addendum that references the EU Model Contractual Clauses will continue to legalize the data transfers to countries outside of the EU territory.

    Our GDPR compliance program covers both our EU and US data centers. We are also considering to expand those to our India and Australian data centers as well.

  • Do you share my data with your reselling partners? If so, how can I opt-out?

    We may share your personal data with our authorized reselling partners in your region, solely for the purpose of contacting you about products that you have downloaded or services that you have signed up for in the cases where we do not have expertise in assisting you in your regional language. However, we would notify you through email before we share your details with them. Our partners are carefully evaluated before we on-board them. We also execute written agreements with them which defines their responsibilities and ours.

    If you do not wish to work with our partners, you can drop us an email at privacy@zohocorp.com and we will do the needful.

  • Does Zoho use cookies? If so, can I disable them?

    Yes, we use cookies for multiple purposes. We've provided this information in detail in our Cookie policy.

    In Zoho's capacity of a Data Controller, we use cookies to maintain the security of our websites and products, remember your choices, analyse how our users interact with our websites and to improve our services. However, we do not use third-party cookies for the purpose of analytics and tracking user behaviour in our websites.

    In our capacity of a Data Processor, cookies are set by our applications for the purposes of maintaining the security of the applications, to manage some configurations, and to provide a smooth user experience.

    You can disable the cookies in your browser by following the steps provided by the respective internet browsers(more information in our Cookie policy). However, if you choose to disable it, some of the above features may not work as intended and could lead to increased issues with the usability of our website and applications.

  • How long is my data retained after deletion? When will my data be deleted?

    We hold the data in your account as long as you choose to use Zoho services. Once you terminate your Zoho account, your data will eventually get deleted from active database during the next clean-up that occurs once in six months. The data deleted from the active database will be deleted from backups after three months.

  • What is the policy for Inactive accounts?

    We reserve the right to terminate unpaid user accounts that are inactive for a continuous period of 120 days. In the event of such a termination, all data associated with such user account will be deleted. We will provide you prior notice of such a termination and option to back-up your data. Please refer to the section 'Inactive User Accounts Policy' in our Terms of Service.

  • Do you sell my data to advertisers?

    As mentioned in our Privacy Policy, Zoho will never sell your information to third parties for advertising, or make money by showing you other people's ads. This has been our approach for almost 20 years, and we remain committed to it. We don't make a single dollar from advertising revenue, even from the free editions of our services. This means we avoid the fundamental conflict of interest between gathering customer information and fuelling advertising revenue, and the unavoidable compromises in customer privacy that it brings. Check out our CEO's commitment on your Privacy.

  • How is my service data handled?

    We process your service data(all of the information that you store and process in and through Zoho's application softwares is collectively referred to as Service Data) based on the instructions provided through the various modules of Zoho services. For example, when you generate an invoice, information such as the name and address of your customer will be used to generate the invoice; when you use our campaign management service for email marketing, the email addresses of the people on your mailing list will be used for sending the emails. For more details on how your service data is handled, please refer to Part II of our Privacy Policy.

  • Are sub-contractors or vendors involved in the processing of my service data?

    Yes, sub-contractors and vendors are involved in the processing of service data. However, sub-contractors and vendors may vary based on the Zoho service you are using. Different Zoho services may use different sub-processors or vendors for various purposes. Involvement of a sub-contractor or vendor in the processing of your data depends on your usage of a particular feature within the applicable Zoho service. The current list of the sub-processors is available here. You can always verify this list to learn about the sub-processors used in each Zoho service.

  • Is there an option to export all my service data?

    The export option is provided within the user interface of each service. You can find information on how to export your data and the formats available for exporting your data through the user interface by referring to the help pages of the respective services.

  • Do you provide an option for deleting any or all of my service data?

    The option to delete the data is provided within the user interface of each Zoho service. While some data may be deleted immediately from the active database, some data might be moved to the recycle bin and will be deleted subsequently. However, the data will remain in the backups for 3 months in encrypted form.

  • Do any other entities in the Zoho group have access to or use our data?

    Yes, other entities in the Zoho Group may have access to your data for the purpose of providing you technical support and during disaster recovery operations. Please refer to ‘Who we share service data with’ in Part II – Information that Zoho processes on your behalf of our Privacy Policy.

  • Does Zoho disclose our data to law enforcement authorities?

    Yes, if required by law, your personal data and service data may be disclosed or preserved in order to comply with any applicable law, legal process, regulation or governmental request, including to meet national security requirements

  • Are you registered with any Data Protection Authority?

    We are registered with the Netherlands Data Protection Authority. Our registration numbers are m164347o and m1648926. You can check our registration at the public register maintained by the Authority for Personal Data records on its website www.autoriteitpersoonsgegevens.nl

For any other queries related to data privacy, please contact privacy@zohocorp.com