Zettlab Memo Privacy Policy
Version date: June 3, 2026
This Policy applies to users outside Chinese Mainland who use the Zettlab Memo App, Zettlab Memo / Zettlab Memo Pro devices, Web/Electron clients, cloud services, IoT services, remote access, Skill/template marketplace, AI features and connectors. If a feature has not been released, the related clauses apply when the feature becomes available.
This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use Zettlab Memo. This Privacy Policy also describes yourlegal rights on data protectionand privacy. This Policy is a supplementary document to the Zettlab Memo User Service Agreement (Non-ChineseMainland Version). The terms used in this Policy shall have the same meanings as those defined in the Service Agreement.
We fully understand that personal information is of utmost importance to you, and we are committed to strictly complying with laws and regulations while adhering to privacy protection principles. By reading this policy, you can gain a detailed understanding of how we collect and process personal information, so that you can better understand our services and make informed choices accordingly.
If you have any questions, comments or suggestions regarding this Policy or how to exercise or safeguard your data rights or privacy protection rights, please contact us via the following contacts.
Data controller / service provider: ZETTLAB TECHNOLOGY LIMITED (76758839)
Address: Room 701, Unit 108, 7/F, Block B, New Mandarin Plaza, 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong
Contact: support@zettlab.com
Summary
1. Zettlab Memo is a combined local device (including your Network Attached Storage device (“NAS”)), app/web/desktop and cloud service. NAS files are generally stored on your local device, but data may be transmitted outward from your local device when you enable cloud AI models, remote access, sharing, diagnostics, log upload, Skill publishing/review or third-party connectors.
2. We do not sell your personal information for money. We may disclose or make available information to service providers and partners necessary for account, device binding, remote access, AI models, object storage, logs, security, customer support and app distribution.
3. Bluetooth provisioning may require Bluetooth and, on some Android versions, location permission. We do not use that permission to actively locate you.
4. Wi-Fi passwords are used for provisioning and are normally processed only on the App and device. If future diagnostic or backup features require uploading them, we will provide separate notice and obtain required authorization.
5. AI output may be inaccurate or incomplete. Do not send identity documents, payment card data, passwords, health information, precise location, unreleased business secrets, third-party private information or data you have no right to process to third-party AI models.
6. Account deletion, device unbinding or authorization revocation does not automatically delete local files, thumbnails, indexes, logs, AI chats or settings stored on your NAS device.
1. Information We Collect
We may process the following categories of information depending on the features you use:
1. Account information: email, verification code, user ID, nickname, login state, access token, refresh token, login method, login device and account status.
2. Region and entitlement information: account region, service region, free credits, usage records, risk status and account state.
3. Third-party login information: Google ID token, third-party account ID, email, avatar or nickname if you enable third-party sign-in.
4. Device information: device SN, device name, binding relationship, role, LAN IP, peerId, cloud host/port, gatewayId, appToken, relaySecret, access token, connection status, connection time, IP and port.
5. Bluetooth and network provisioning information: Bluetooth device ID, device name, RSSI, nearby Wi-Fi SSID and the Wi-Fi password you enter.
6. Device control and automation information: commands, sync tasks, scheduled tasks, shared users, custom directories, device settings, Agent configuration, tool-call results and execution status.
7. Files and media: images, videos, audio, documents, code, file name, path, size, type, thumbnails, tags, favorites, rating, recycle-bin records, search records, EXIF/capture time and derived metadata.
8. AI information: prompts, context, chat history, AI output, images, file attachments, model choice, model parameters, Agent configuration, Memory/Skill configuration, tool-call results, request metadata and credit usage.
9. Skill/template marketplace information: packages, author ID, version, cover, description, upload status, review status, download/install records and automated review results.
10. Device diagnostics: model, device SN, IP/MAC, CPU, memory, disk model/serial number/temperature/SMART status, firmware version, update status, network status, service state, error logs and crash information.
11. Usage, analytics and stability data: event names, feature/page, region, device type, connection mode, latency, error codes, status codes, attachment type/size, file category/size and pseudonymous user/device IDs.
12. Customer support and after-sales information: contact details, issue description, screenshots, logs, device information, repair records, shipping/on-site service information and communication records.
If you configure or agree to invoke third-party services (including third-party models, Skills, plugins, APIs, programs, software, etc.), such third-party services and the data processing rules will be governed by the privacy policy between you and the provider of such third-party service. We solely act as a service invoker, providing technical support for the interaction between you and the third-party service. If you have any questions regarding the third-party service provider's data processing practices, you may review the relevant third-party service provider's privacy policy or contact the third party directly.
2. How We Use Information
We use information to:
1. create accounts, authenticate users, maintain sessions and protect accounts;
2. bind, identify and manage devices;
3. provision devices, connect to LAN/P2P/cloud relay and enable remote access;
4. provide file management, preview, search, upload, download and media processing;
5. provide AI responses, model selection, continuous chats, tool calls and credit management;
6. publish, review, distribute and install Skills/templates;
7. provide OTA, device diagnostics, security updates and customer support;
8. detect abuse, fraud, attacks, unauthorized access and service instability;
9. analyze performance, reliability and user flows with minimized or pseudonymized fields;
10. comply with applicable laws, enforce agreements and protect rights.
3. Legal Bases
Where applicable law requires a legal basis, we process personal information based on:
1. performance of a contract, including account, device, AI, remote access and file services;
2. your consent, including optional permissions, marketing, certain cookies, third-party connectors and some AI or cross-border features;
3. legitimate interests, including security, fraud prevention, service improvement, diagnostics and abuse prevention, balanced against your rights;
4. compliance with legal obligations, including tax, consumer protection, security incident handling, regulatory requests and dispute resolution;
5. protection of vital interests or public interest where applicable and legally permitted.
You may withdraw consent where processing is based on consent. Withdrawal does not affect processing already conducted before withdrawal.
4. Device Permissions
|
Platform |
Permission |
Purpose |
Trigger |
Impact if disabled |
|
Android |
Camera |
QR scanning, taking photos, avatar and image attachments |
Requested when used |
QR scan/photo unavailable |
|
Android |
Bluetooth / Nearby devices |
Discover and provision Zettlab devices |
Requested during onboarding |
Bluetooth provisioning unavailable |
|
Android |
Fine location |
Required by some Android versions for Bluetooth scanning |
Requested with Bluetooth scan |
Bluetooth scan may fail; we do not actively locate you |
|
Android |
Local network / cleartext LAN traffic |
Communicate with NAS over LAN HTTP/WS |
Used during device connection |
LAN direct connection unavailable |
|
Android |
Photos/media or system picker |
Select images/videos/avatar/attachments |
Requested or picker-triggered when used |
Media selection unavailable |
|
Android |
Document picker/file access |
Select files for NAS upload or AI |
Triggered when used |
File selection unavailable |
|
Android |
Notifications |
Device status, task completion, alerts |
Requested when enabled |
Notifications unavailable |
|
iOS |
Camera |
QR scanning, taking photos, avatar and image attachments |
Requested when used |
QR scan/photo unavailable |
|
iOS |
Bluetooth |
Discover and provision Zettlab devices |
Requested during onboarding |
Bluetooth provisioning unavailable |
|
iOS |
Location When In Use |
Bluetooth scanning compatibility or system requirement |
Requested when needed |
Bluetooth scan may be affected; we do not actively locate you |
|
iOS |
Photos / Photo Library |
Select images/videos/avatar/attachments |
Requested or picker-triggered when used |
Media selection unavailable |
|
iOS |
Local Network / LAN access |
Communicate with NAS over LAN |
Used during device connection |
LAN direct connection unavailable |
|
iOS |
Document picker |
Select files for NAS upload or AI |
Triggered when used |
File selection unavailable |
|
Web/Electron |
Cookies/local storage |
Session, region, preferences and device connection |
Used when using services |
Login/preferences may not persist |
|
Electron |
Shenzhen Peergine Technologies Co.,Ltd. P2P native module |
Desktop P2P and remote access |
Enabled during remote access |
P2P may be unavailable |
For links to the privacy policies of third-party AI model providers and information on their latest updates, please visit the Third-Party AI Models page.
5. Cookies and Similar Technologies
We may use cookies, local storage, IndexedDB, pixels and similar technologies in embedded pages, help pages, Web services and Electron clients to maintain sessions, remember preferences, measure performance and troubleshoot issues. You can manage cookies and storage through browser or system settings. Some features may not work properly if disabled.
6. AI Models and Third-Party Processing
6.1 We may provide local models, cloud models and user-provided API keys. Actual models, providers, regions and retention/training settings depend on product configuration and provider policies. Different model providers may apply different rules regarding data retention, logging, training, abuse monitoring, and security review; however, models that have not been enabled will not process your data.
|
Model/service |
Scenario |
Data processed |
Destination |
Notes |
|
Local model / local Agent |
Local chat, file Q&A, device assistance |
prompts, output, attachments, file snippets, tool results |
primarily your device |
data may leave device if you enable remote access, sharing, logs or third-party tools |
|
DeepSeek/Qwen/Volcengine |
Cloud AI, default model or review |
prompts, output, attachments, context, model parameters, metadata |
provider region |
policy depends on provider and product configuration |
|
Zhipu BigModel / GLM |
Mainland-compatible cloud AI or review |
prompts, output, attachments, context, metadata |
provider region |
used where enabled |
|
OpenAI API / Anthropic / Google AI |
Optional overseas models or user API keys |
prompts, output, attachments, context, metadata |
outside your country/region |
subject to provider terms and settings |
|
User custom model |
User configured endpoint |
data sent by user |
user selected provider |
user is responsible for provider choice and legality |
6.2 Sensitive Personal Information and Separate Consent
Passwords, precise location data, identity documents, bank card details, health information, financial information, photos, videos, audio recordings, file contents, chat contents, home network information, undisclosed trade secrets, other individuals’ private information, and personal information of children under the age of 16, especially a Minor, that you upload or input may constitute sensitive personal information. We will process such information only to the extent necessary to provide the specific features you have selected and, where required, obtain your separate consent through pop-up notices, checkbox confirmations, secondary confirmations, or other appropriate means. If you refuse to provide such information, your use of other unrelated features will not be affected; however, you may be unable to use the corresponding functions.
7. Information Sharing, Third-Party Processors and Service Providers
We do not sell or trade your personal information. We may share, disclose or make available information to the following categories of recipients (specific third-party services shall be subject to the services actually deployed and integrated in the latest versionof Zettlab Memo) as necessary:
|
Category |
Provider/service |
Purpose |
Information |
|
Account/IAM |
Zettlab IAM, Logto, Frank IAM or equivalent identity service |
account, login, tokens, social sign-in |
email, verification code, token, user ID, third-party account ID |
|
Third-party sign-in |
Google Sign-In if enabled |
Google sign-in and account linking |
Google id_token, email, third-party ID, avatar/nickname |
|
Cloud infrastructure |
US/Hong Kong or other cloud hosting, database, CDN, logs, security |
APIs, account, device, relay, OTA, security |
account, device, connection, logs, metadata |
|
Object storage |
GCS, Alibaba Cloud OSS or equivalent storage |
Skill packages, avatars, media, logs or user uploads |
files, media, packages, metadata, upload records |
|
P2P traversal |
Shenzhen Peergine Technologies Co.,Ltd. P2P traversal/connectivity technology provider |
P2P, remote access, connection keepalive |
No personal information or device data is collected or processed by the provider. |
|
AI models |
DeepSeek, Qwen, Zhipu, Volcengine, OpenAI, Anthropic, Google AI or custom provider |
AI replies, file Q&A, review |
prompts, output, attachments, context, metadata |
|
Connectors |
Feishu, Slack, GitHub, Notion, Gmail, MCP services if enabled |
integrations, messaging and automation |
authorization token, account ID, messages, files, tool results |
|
Analytics/logging |
Zettlab analytics/logging, ClickHouse or equivalent |
performance, errors, funnel analysis |
events, latency, error codes, pseudonymous IDs |
|
Support/after-sales |
support, repair and logistics providers |
support, repair, complaint handling |
contact details, issue, screenshots, logs, repair/shipping data |
We may also disclose information if required by law, regulators, courts or to protect users, Zettlab, third parties, security and rights. If there is a merger, acquisition, reorganization, asset transfer or insolvency, information may be transferred subject to appropriate notice and protections.
We may provide necessary information to third parties when you actively invoke third-party models, third-party connectors, sharing, collaboration, device sharing, payment or after-sales services; where it is necessary to provide such information to third parties in order to fulfill the functionality you request; or in other circumstances permitted by applicable laws and regulations. We have also provided a detailed description of third-party information collection and sharing involved in the course of providing the services in the Zettlab Memo Personal Information Collection List (Non-Chinese Mainland Version). Please read it carefully before deciding to provide the relevant authorizations or selections as required.
7A. Third-Party Connectors and Custom Connections
When you actively authorize a third-party connector or create a custom API/MCP connection, we may process connector-related information including provider name/ID, third-party account ID, account alias, external account ID, authorized scopes, connection status, OAuth state/code during authorization, OAuth access tokens, refresh tokens or equivalent authorization credentials, user-entered API keys, bearer tokens, authentication headers, OAuth client secrets or token JSON, mTLS certificates and private keys, endpoint URLs, bridge configuration, tool definitions, Agent/workspace/team/conversation context, tool invocation status and security/audit metadata.
We use this information to establish and maintain the connector, refresh authorization, authenticate connector requests, invoke tools at your request or according to an Agent/Skill configuration you enable, apply permission controls, troubleshoot errors, maintain security audit records, and revoke or delete connections. Connector credentials are not intended to be shown back to you after saving except as connection status, configured/expiry indicators or other non-secret metadata.
Connector credential storage and runtime tokens: third-party connector authorization credentials are stored by Zettlab cloud services for the account connection. The mobile App does not persist third-party connector OAuth access tokens or refresh tokens. During a local device/Agent session, Zettlab cloud may issue a short-lived connector_runtime token; the App and local-server use it temporarily in process memory, and it is not written to App SecureStore/MMKV or local-server database/files. The token is cleared or becomes unusable after expiry, disconnect, revocation, deletion, or cache clearing. File contents, messages, and other data that have already been transmitted to third-party service providers via connectors are not covered by the deletion scope of this service. To request by a third party, please follow that service provider’s data deletion procedures.
Connector sharing and protection: when you invoke a connector, necessary requests, tool inputs, files, messages, tool results and metadata may be sent to the selected provider or to a custom endpoint configured by you. Where we engage service providers or partners to process connector-related personal data for us, we require contractual commitments to provide the same or equal protection required by this Policy and applicable law. Independent third-party providers or custom endpoints selected by you may process data under their own terms and privacy policies.
When you authorize connectors or configure custom API/MCP connections, you should confirm that you have lawful rights to connect to, access, and process the relevant third-party accounts, endpoints, files, messages, and data, and ensure that your use complies with the third party’s terms of service, API rules, rate limits, and privacy requirements.You understand that, in order to maintain connections and complete the actions you request or enable through Agents/Skills, Zettlab may retain and use necessary connector credentials, including OAuth tokens or API credentials, and may send necessary requests, tool inputs, messages, files, tool results, and metadata to the third-party service providers or custom endpoints you have selected. You may revoke or delete connectors within the scope of product support; data already processed by third parties is handled in accordance with that third party’s terms and privacy policy.
8. Analytics and Logs
We may collect product usage, performance and error events such as sign-in status, device discovery, binding result, connection mode, message latency, time to first token, attachment type/size, file category/size, error code and API latency. We do not intentionally record email plaintext, chat content, file content, search keywords, Wi-Fi passwords or full tokens in analytics events. When troubleshooting requires logs, we use user-submitted logs, minimization and redaction where feasible.
9. Storage, Retention and International Transfers
Non-Chinese Mainland cloud services are primarily hosted in the United States, but information may be accessed, processed or stored in your country/region, the United States, Hong Kong, AI provider regions or other service-provider locations.
For users in the EEA or UK, cross-border transfers may rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms where applicable. Transfer impact assessments and supplementary technical measures may also be implemented where required.
Where applicable, we use reasonable safeguards for international transfers, such as contractual commitments, technical security measures, access controls and provider due diligence. You acknowledge that countries may have different data protection laws from your location.
Typical retention criteria:
|
Data category |
Retention |
|
account and login data |
during account life; limited records retained as needed for law, security and disputes |
|
device binding and remote access data |
during binding; deleted or anonymized after unbinding/revocation where feasible |
|
AI chats and credit records |
as needed for history, continuity and credit management; deleted/anonymized after deletion or account closure subject to exceptions |
|
NAS local files, thumbnails, indexes and logs |
controlled by you on the device; not automatically deleted by account closure |
|
support and repair records |
as needed for support, warranty, disputes and legal obligations |
|
security logs and risk records |
as needed for security audit, abuse prevention and compliance |
|
analytics data |
minimized, pseudonymized or anonymized where feasible |
10. Your Rights
Depending on your location, you may have rights to access, correct, delete, copy, port, restrict processing, object to processing, withdraw consent, opt out of certain disclosures, lodge a complaint with a supervisory authority, or request information about automated decision-making.
You may exercise rights by using in-product tools or contacting support@zettlab.com. We may verify your identity before responding. We will respond within the timeframe required by applicable law.
We may decline or limit a request where permitted by law, including when the request is unrelated to you, excessive, technically disproportionate, conflicts with legal obligations, affects others' rights, or is needed for security, fraud prevention or disputes.
11. California and Other US State Privacy Notice
If applicable state privacy laws apply to you:
1. Categories of personal information we collect are described in Sections 1 and 4.
2. Purposes are described in Section 2.
3. Categories of recipients are described in Section 7.
4. We do not sell personal information for money.
5. We do not knowingly sell or share personal information of children under 16.
6. We do not use sensitive personal information for purposes that would require a “limit use” right beyond providing and securing the service, unless separately disclosed.
7. If future advertising or cross-context behavioral advertising is introduced, we will provide required opt-out controls, including “Do Not Sell or Share” where applicable.
8. We will not discriminate against you for exercising privacy rights.
12. Minors
The Service is directed solely at adult users. Our Services are not directed towards, and we do not knowingly collect or process any information of any person under the age of 18.
If you are under the age of 18, especially if youare a Minor, you must obtain consent from your parent or legal guardian before using the Services. “Minor” means a user who is under 16 or the applicable age of digital consent in the user's jurisdiction.
If you believe a child provided personal information without appropriate consent, contact support@zettlab.com. If we identify that an account is actually used by a Minor under the age of 16 without appropriate consent from their guardian, we reserve the right to suspend or terminate such account and delete the relevant personal information.
13. Automated Decisions
We do not use AI output to make decisions that produce legal or similarly significant effects about you without human involvement. If we introduce such processing, we will provide required notices and rights.
14. Security
We use access controls, encryption in transit, permission separation, token protection, key management, log redaction, audit, least privilege and security updates to protect information. However, no internet, LAN, P2P, physical device environment, third-party model or user-installed Skill/MCP service is perfectly secure. Please protect your account, device, Wi-Fi, access tokens, API keys and sharing permissions.
15. Policy Updates
We may update this Policy due to legal, business, technical, model-provider, cloud-vendor, SDK or regional service changes. Material changes will be notified through App, website, pop-up, in-product notice, email or other reasonable means. Where consent or separate consent is required by applicable laws and regulations, we will obtain your consent through pop-up notices, checkbox confirmations, secondary confirmations, or other appropriate means. We will not process the relevant personal information before obtaining the necessary authorization. If you do not agree to the relevant updates, you may be unable to continue using the corresponding features. By continuing to access and use Zettlab Memoafter receiving and checking such notices on policy updates or confirmations, such updates and authorization confirmation will take effect and be binding accordingly.
16. Contact Us
If you have any questions regarding this Policy, personal information protection, complaints or reports, the exercise of your rights, or our handling results, please contact us via email at support@zettlab.com. We will respond within 15 working days. If the matter is complex and requires an extension, we will inform you of the reasons accordingly.




