Zettlab Memo IoT Device Privacy Notice
Version date: May 15, 2026
This Notice supplements the Zettlab Memo Privacy Policy (Non-Chinese Mainland Version) and applies to Zettlab Memo / Zettlab Memo Pro devices, NAS local services, Bluetooth provisioning, LAN access, P2P, remote access, cloud relay, MQTT/WebSocket, device diagnostics, logs, OTA, Agent/Skill and device AI features. The terms (including abbreviations) used in this Notice shall have the same meanings as those defined in the Zettlab Memo User Service Agreement (Non-Chinese Mainland Version).
Key Points
1. NAS files are generally stored on your local device. When enabling remote access, cloud-based AI services, sharing features, log uploads, Skill publishing/review, object storage, or third-party connectors, relevant data or information may be transmitted from your local device for external processing, storage, or use.
2. Remote access, P2P, cloud relay and third-party automation increase device exposure. Protect your account, access tokens, shared users, router, firewall and LAN environment carefully.
3. Account deletion, device unbinding or authorization revocation does not automatically delete local files, thumbnails, indexes, logs, Wi-Fi configuration, API keys, AI chats and cache. Before transfer, repair, return or disposal, back up and erase local data.
4. If you store or send photos, videos, files, chats, work materials or customer data involving family members, guests, colleagues, customers or other people, make sure you have lawful authority.
1. Device Binding and Authorization
When you bind a device, we process device SN, user ID, binding relationship, device name, role, connection address, access token, gatewayId and necessary keys to verify access rights, establish cloud-device relationships, provide remote access, OTA and status sync.
Devices may support owners, shared users, family members or collaborators. The administrator should confirm who has access and what permissions they have. Shared users may access device files, thumbnails, indexes, AI chats, system status, Agent configuration, automation tasks or other local resources depending on product permissions.
You may unbind a device or revoke authorization to stop cloud-based device control and remote access. Revocation may also remove owner, shared-user and third-party control relationships and delete or anonymize cloud device business data. This action may be irreversible.
2. Bluetooth Provisioning and Wi-Fi Information
During first setup or network reconfiguration, the App may scan nearby Bluetooth devices and send the selected Wi-Fi SSID and password to the device. The Wi-Fi password is used for network provisioning and not for other purposes.
The Wi-Fi password is normally stored only in the App and device. If future support diagnostics, cloud backup or other features require uploading it, we will provide separate notice and obtain required authorization.
Please make sure you are authorized to configure the relevant Wi-Fi network. Public, enterprise or shared networks may be subject to additional rules.
3. LAN, P2P, Cloud Relay and MQTT/WebSocket
To enable LAN connection, P2P and remote access, the system may use LAN IP, device SN, peerId, cloud host/port, gatewayId, relay token, P2P node ID, connection time, IP, port and connection status. Where Shenzhen Peergine Technologies Co.,Ltd. is used for P2P traversal, it provides network connectivity only and does not collect or process personal information or device data. If a cloud relay path is used, necessary network connection information may be processed by Zettlab or the configured relay service as described in the applicable notice.
Cloud services may send commands, OTA notices, status subscriptions and events through WebSocket, MQTT or equivalent channels. Such messages may include device SN, status, error code, task ID, connection status, update status and necessary control parameters.
Remote access increases exposure. Use strong credentials, keep firmware updated, review shared users, avoid leaking tokens/API keys and maintain router, firewall and LAN security.
4. Device Control and Automation
When you control a device through App, Web, Electron, AI assistant, connectors or other authorized entry points, the device may process commands, sync tasks, scheduled tasks, device names, custom directories, sharing settings, Agent configuration, tool calls, execution results and failure reasons. These are used to execute commands, sync files, automate tasks and collaborate.
If more complex automation, MCP, open APIs, smart speakers or third-party control are supported, review triggers, permission scope, accessible data and executable actions before enabling them.
5. NAS Files, Local Indexes and Media Metadata
Your file content is generally stored on the NAS device. To provide browsing, search, preview, thumbnails and AI processing, the device may generate file indexes, thumbnails, tags, favorites, rating, recycle-bin records, search records, media metadata, EXIF/capture time, media duration and transcoding/compression results.
When you send files/images/content to AI, upload to cloud, publish Skills/templates, share with others, enable remote access, use connectors or submit logs, related content may be transmitted from your local device for external processing, storage, or use.
Connector runtime tokens on local devices: when a connector is used through a local device or Agent runtime, the local-server may receive a short-lived connector_runtime token from Zettlab cloud. This token is held in process memory only to broker connector calls, is not saved to the device database or files, and cloud connector bearer tokens are not injected into Agent child-process environment. Local connector audit records, where enabled, are limited to metadata such as Agent, provider, connection, tool name, status, error code and time; we do not intentionally store connector secrets, tokens, full requests or full responses in those audit records.
6. Hardware, Sensors and Media Capabilities
The device may process CPU, memory, network, storage, power, temperature, SMART, fan, ports, service processes, uptime, disk model/serial number and system version for status display, troubleshooting, performance, security and support.
If a model or future feature supports cameras, microphones, voice, video calls, image recognition or live preview, we will explain the purpose in that feature and process data under system permissions or product authorization. We do not actively read your camera, photos or microphone content unless you trigger related features.
7. Diagnostics, Logs and Analytics
The device may collect device SN, IP/MAC, CPU, memory, disk model/serial/temperature/SMART, network state, service state, error logs, power/running state, request latency, error codes, connection mode and crash information for status display, troubleshooting, security, performance and support.
The product may provide “upload logs”, “request logs”, “developer diagnostics” or similar features. Logs you submit may include device information, error stacks, request paths, connection state, partial configuration or debugging fields. We use redaction where feasible and avoid intentionally collecting Wi-Fi passwords, full tokens, API keys, chat content, file content and file names, but screenshots or user-submitted logs may contain sensitive data. Please review before submitting.
Analytics events generally record event names, latency, error codes, attachment type/size, file category/size, connection mode and pseudonymous user/device IDs, not chat content, file content, search keywords or Wi-Fi passwords.
8. OTA and Security Updates
For firmware updates, version checks, security fixes and maintenance, the device may request OTA services and report device model, version, device SN, update status, error code and network state.
You may manage some update settings where supported. If not updating would create significant risks to device security, data security, personal safety or property safety, we may perform necessary mandatory security updates.
9. Device AI and Skill/MCP Risks
Zettlab Memo / Zettlab Memo Pro may, based on your choices and authorizations, provide local or cloud AI for natural language interaction, file Q&A, image understanding, automation assistance, device status analysis, Skill execution or third-party MCP calls. These features may process prompts, file contents, images, chat history, tool results, model choices, Agent configuration and authorization tokens based on your choices and authorizations.
Before installing third-party Skills, connecting MCP services, configuring third-party API keys or enabling local tools, verify that the source is trustworthy and permissions are reasonable. Third-party Skills/MCP services may read files, access networks, run commands or call external services, and their behavior may be outside Zettlab's direct control.
10. Multiple Users and Third-Party Information
Device administrators should grant only necessary permissions to shared users, family members, guests, repair personnel or collaborators. Before storing or sending other people's photos, videos, files, chats, work materials, customer data or other personal information to NAS or AI, make sure you have lawful authority and provide any required notices.
11. Third-Party Control and Automation
If smart speakers, home automation platforms, Feishu, Slack, GitHub, Notion, Gmail, MCP, open APIs or other automation services can control the device, such control and data sharing will be based on your authorization and subject to third-party terms and privacy policies. After authorization is revoked, the third party may no longer control the device, but data already processed by that party is governed by its policies.
12. Transfer, Repair, Return and Disposal
Before transferring, repairing, returning, disposing of or lending a device, back up and delete local files, account bindings, Wi-Fi configuration, access tokens, API keys, thumbnails, indexes, logs, cache, AI chats, Agent configuration and connector authorizations. Restore factory settings or format storage media where necessary. Account deletion, device unbinding or authorization revocation does not necessarily erase local data.
13. Special Notice Regarding Sensitive Information
We do not proactively request, nor do we encourage you to provide, sensitive information to integrated third-party service providers, including but not limited to identification documents, bank card information, passwords, health information, precise location data, undisclosed trade secrets, other individuals’ private information, personal information of Minors aged under 16, or any information that you are not authorized to process. If such content is highly sensitive to you, please do not enter or upload it. Where processing is truly necessary, we will process such information only to the extent necessary to provide the relevant functions and, where required by applicable laws and regulations, obtain your separate consent.
14. Contact
If you have questions about IoT device data processing, contact support@zettlab.com.