Zettlab Memo Privacy Policy

Version date: June 3, 2026

This Policy applies to users outside Chinese Mainland who use the Zettlab Memo App, Zettlab Memo / Zettlab Memo Pro devices, Web/Electron clients, cloud services, IoT services, remote access, Skill/template marketplace, AI features and connectors. If a feature has not been released, the related clauses apply when the feature becomes available.

This Privacy Policy explains how we collect, use, disclose, and process your personal data when you use Zettlab Memo. This Privacy Policy also describes your legal rights on data protection and privacy. This Policy is a supplementary document to the Zettlab Memo User Service Agreement (Non-Chinese Mainland Version). The terms used in this Policy shall have the same meanings as those defined in the Service Agreement.

We fully understand that personal information is of utmost importance to you, and we are committed to strictly complying with laws and regulations while adhering to privacy protection principles. By reading this policy, you can gain a detailed understanding of how we collect and process personal information, so that you can better understand our services and make informed choices accordingly.

If you have any questions, comments or suggestions regarding this Policy or how to exercise or safeguard your data rights or privacy protection rights, please contact us via the following contacts.

Data controller / service provider: ZETTLAB TECHNOLOGY LIMITED (76758839)
Address: Room 701, Unit 108, 7/F, Block B, New Mandarin Plaza, 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong
Contact: support@zettlab.com

Summary

1. Zettlab Memo is a combined local device (including your Network Attached Storage device (“NAS”)), app/web/desktop and cloud service. NAS files are generally stored on your local device, but data may be transmitted outward from your local device when you enable cloud AI models, remote access, sharing, diagnostics, log upload, Skill publishing/review or third-party connectors.

2. We do not sell your personal information for money. We may disclose or make available information to service providers and partners necessary for account, device binding, remote access, AI models, object storage, logs, security, customer support and app distribution.

3. Bluetooth provisioning may require Bluetooth and, on some Android versions, location permission. We do not use that permission to actively locate you.

4. Wi-Fi passwords are used for provisioning and are normally processed only on the App and device. If future diagnostic or backup features require uploading them, we will provide separate notice and obtain required authorization.

5. AI output may be inaccurate or incomplete. Do not send identity documents, payment card data, passwords, health information, precise location, unreleased business secrets, third-party private information or data you have no right to process to third-party AI models.

6. Account deletion, device unbinding or authorization revocation does not automatically delete local files, thumbnails, indexes, logs, AI chats or settings stored on your NAS device.

1. Information We Collect

We may process the following categories of information depending on the features you use:

1. Account information: email, verification code, user ID, nickname, login state, access token, refresh token, login method, login device and account status.

2. Region and entitlement information: account region, service region, free credits, usage records, risk status and account state.

3. Third-party login information: Google ID token, third-party account ID, email, avatar or nickname if you enable third-party sign-in.

4. Device information: device SN, device name, binding relationship, role, LAN IP, peerId, cloud host/port, gatewayId, appToken, relaySecret, access token, connection status, connection time, IP and port.

5. Bluetooth and network provisioning information: Bluetooth device ID, device name, RSSI, nearby Wi-Fi SSID and the Wi-Fi password you enter.

6. Device control and automation information: commands, sync tasks, scheduled tasks, shared users, custom directories, device settings, Agent configuration, tool-call results and execution status.

7. Files and media: images, videos, audio, documents, code, file name, path, size, type, thumbnails, tags, favorites, rating, recycle-bin records, search records, EXIF/capture time and derived metadata.

8. AI information: prompts, context, chat history, AI output, images, file attachments, model choice, model parameters, Agent configuration, Memory/Skill configuration, tool-call results, request metadata and credit usage.

9. Skill/template marketplace information: packages, author ID, version, cover, description, upload status, review status, download/install records and automated review results.

10. Device diagnostics: model, device SN, IP/MAC, CPU, memory, disk model/serial number/temperature/SMART status, firmware version, update status, network status, service state, error logs and crash information.

11. Usage, analytics and stability data: event names, feature/page, region, device type, connection mode, latency, error codes, status codes, attachment type/size, file category/size and pseudonymous user/device IDs.

12. Customer support and after-sales information: contact details, issue description, screenshots, logs, device information, repair records, shipping/on-site service information and communication records.

If you configure or agree to invoke third-party services (including third-party models, Skills, plugins, APIs, programs, software, etc.), such third-party services and the data processing rules will be governed by the privacy policy between you and the provider of such third-party service. We solely act as a service invoker, providing technical support for the interaction between you and the third-party service. If you have any questions regarding the third-party service provider's data processing practices, you may review the relevant third-party service provider's privacy policy or contact the third party directly.

2. How We Use Information

We use information to:

1. create accounts, authenticate users, maintain sessions and protect accounts;

2. bind, identify and manage devices;

3. provision devices, connect to LAN/P2P/cloud relay and enable remote access;

4. provide file management, preview, search, upload, download and media processing;

5. provide AI responses, model selection, continuous chats, tool calls and credit management;

6. publish, review, distribute and install Skills/templates;

7. provide OTA, device diagnostics, security updates and customer support;

8. detect abuse, fraud, attacks, unauthorized access and service instability;

9. analyze performance, reliability and user flows with minimized or pseudonymized fields;

10. comply with applicable laws, enforce agreements and protect rights.

3. Legal Bases

Where applicable law requires a legal basis, we process personal information based on:

1. performance of a contract, including account, device, AI, remote access and file services;

2. your consent, including optional permissions, marketing, certain cookies, third-party connectors and some AI or cross-border features;

3. legitimate interests, including security, fraud prevention, service improvement, diagnostics and abuse prevention, balanced against your rights;

4. compliance with legal obligations, including tax, consumer protection, security incident handling, regulatory requests and dispute resolution;

5. protection of vital interests or public interest where applicable and legally permitted.

You may withdraw consent where processing is based on consent. Withdrawal does not affect processing already conducted before withdrawal.

4. Device Permissions

| Platform | Permission | Purpose | Trigger | Impact if disabled |
|---|---|---|---|---|
| Android | Camera | QR scanning, taking photos, avatar and image attachments | Requested when used | QR scan/photo unavailable |
| Android | Bluetooth / Nearby devices | Discover and provision Zettlab devices | Requested during onboarding | Bluetooth provisioning unavailable |
| Android | Fine location | Required by some Android versions for Bluetooth scanning | Requested with Bluetooth scan | Bluetooth scan may fail; we do not actively locate you |
| Android | Local network / cleartext LAN traffic | Communicate with NAS over LAN HTTP/WS | Used during device connection | LAN direct connection unavailable |
| Android | Photos/media or system picker | Select images/videos/avatar/attachments | Requested or picker-triggered when used | Media selection unavailable |
| Android | Document picker/file access | Select files for NAS upload or AI | Triggered when used | File selection unavailable |
| Android | Notifications | Device status, task completion, alerts | Requested when enabled | Notifications unavailable |
| iOS | Camera | QR scanning, taking photos, avatar and image attachments | Requested when used | QR scan/photo unavailable |
| iOS | Bluetooth | Discover and provision Zettlab devices | Requested during onboarding | Bluetooth provisioning unavailable |
| iOS | Location When In Use | Bluetooth scanning compatibility or system requirement | Requested when needed | Bluetooth scan may be affected; we do not actively locate you |
| iOS | Photos / Photo Library | Select images/videos/avatar/attachments | Requested or picker-triggered when used | Media selection unavailable |
| iOS | Local Network / LAN access | Communicate with NAS over LAN | Used during device connection | LAN direct connection unavailable |
| iOS | Document picker | Select files for NAS upload or AI | Triggered when used | File selection unavailable |
| Web/Electron | Cookies/local storage | Session, region, preferences and device connection | Used when using services | Login/preferences may not persist |
| Electron | Shenzhen Peergine Technologies Co.,Ltd. P2P native module | Desktop P2P and remote access | Enabled during remote access | P2P may be unavailable |

For links to the privacy policies of third-party AI model providers and information on their latest updates, please visit the Third-Party AI Models page.

5. Cookies and Similar Technologies

We may use cookies, local storage, IndexedDB, pixels and similar technologies in embedded pages, help pages, Web services and Electron clients to maintain sessions, remember preferences, measure performance and troubleshoot issues. You can manage cookies and storage through browser or system settings. Some features may not work properly if disabled.

6. AI Models and Third-Party Processing

6.1 We may provide local models, cloud models and user-provided API keys. Actual models, providers, regions and retention/training settings depend on product configuration and provider policies. Different model providers may apply different rules regarding data retention, logging, training, abuse monitoring, and security review; however, models that have not been enabled will not process your data.

| Model/service | Scenario | Data processed | Destination | Notes |
|---|---|---|---|---|
| Local model / local Agent | Local chat, file Q&A, device assistance | prompts, output, attachments, file snippets, tool results | primarily your device | data may leave device if you enable remote access, sharing, logs or third-party tools |
| DeepSeek/Qwen/Volcengine | Cloud AI, default model or review | prompts, output, attachments, context, model parameters, metadata | provider region | policy depends on provider and product configuration |
| Zhipu BigModel / GLM | Mainland-compatible cloud AI or review | prompts, output, attachments, context, metadata | provider region | used where enabled |
| OpenAI API / Anthropic / Google AI | Optional overseas models or user API keys | prompts, output, attachments, context, metadata | outside your country/region | subject to provider terms and settings |
| User custom model | User configured endpoint | data sent by user | user selected provider | user is responsible for provider choice and legality |

6.2 Sensitive Personal Information and Separate Consent

Passwords, precise location data, identity documents, bank card details, health information, financial information, photos, videos, audio recordings, file contents, chat contents, home network information, undisclosed trade secrets, other individuals’ private information, and personal information of children under the age of 16, especially a Minor, that you upload or input may constitute sensitive personal information. We will process such information only to the extent necessary to provide the specific features you have selected and, where required, obtain your separate consent through pop-up notices, checkbox confirmations, secondary confirmations, or other appropriate means. If you refuse to provide such information, your use of other unrelated features will not be affected; however, you may be unable to use the corresponding functions. 

7. Information Sharing, Third-Party Processors and Service Providers

We do not sell or trade your personal information. We may share, disclose or make available information to the following categories of recipients (specific third-party services shall be subject to the services actually deployed and integrated in the latest version of Zettlab Memo) as necessary:

| Category | Provider/service | Purpose | Information |
|---|---|---|---|
| Account/IAM | Zettlab IAM, Logto, Frank IAM or equivalent identity service | account, login, tokens, social sign-in | email, verification code, token, user ID, third-party account ID |
| Third-party sign-in | Google Sign-In if enabled | Google sign-in and account linking | Google id_token, email, third-party ID, avatar/nickname |
| Cloud infrastructure | US/Hong Kong or other cloud hosting, database, CDN, logs, security | APIs, account, device, relay, OTA, security | account, device, connection, logs, metadata |
| Object storage | GCS, Alibaba Cloud OSS or equivalent storage | Skill packages, avatars, media, logs or user uploads | files, media, packages, metadata, upload records |
| P2P traversal | Shenzhen Peergine Technologies Co.,Ltd. P2P traversal/connectivity technology provider | P2P, remote access, connection keepalive | No personal information or device data is collected or processed by the provider. |
| AI models | DeepSeek, Qwen, Zhipu, Volcengine, OpenAI, Anthropic, Google AI or custom provider | AI replies, file Q&A, review | prompts, output, attachments, context, metadata |
| Connectors | Feishu, Slack, GitHub, Notion, Gmail, MCP services if enabled | integrations, messaging and automation | authorization token, account ID, messages, files, tool results |
| Analytics/logging | Zettlab analytics/logging, ClickHouse or equivalent | performance, errors, funnel analysis | events, latency, error codes, pseudonymous IDs |
| Support/after-sales | support, repair and logistics providers | support, repair, complaint handling | contact details, issue, screenshots, logs, repair/shipping data |

We may also disclose information if required by law, regulators, courts or to protect users, Zettlab, third parties, security and rights. If there is a merger, acquisition, reorganization, asset transfer or insolvency, information may be transferred subject to appropriate notice and protections.

We may provide necessary information to third parties when you actively invoke third-party models, third-party connectors, sharing, collaboration, device sharing, payment or after-sales services; where it is necessary to provide such information to third parties in order to fulfill the functionality you request; or in other circumstances permitted by applicable laws and regulations. We have also provided a detailed description of third-party information collection and sharing involved in the course of providing the services in the Zettlab Memo Personal Information Collection List (Non-Chinese Mainland Version). Please read it carefully before deciding to provide the relevant authorizations or selections as required.

7A. Third-Party Connectors and Custom Connections

When you actively authorize a third-party connector or create a custom API/MCP connection, we may process connector-related information including provider name/ID, third-party account ID, account alias, external account ID, authorized scopes, connection status, OAuth state/code during authorization, OAuth access tokens, refresh tokens or equivalent authorization credentials, user-entered API keys, bearer tokens, authentication headers, OAuth client secrets or token JSON, mTLS certificates and private keys, endpoint URLs, bridge configuration, tool definitions, Agent/workspace/team/conversation context, tool invocation status and security/audit metadata.

We use this information to establish and maintain the connector, refresh authorization, authenticate connector requests, invoke tools at your request or according to an Agent/Skill configuration you enable, apply permission controls, troubleshoot errors, maintain security audit records, and revoke or delete connections. Connector credentials are not intended to be shown back to you after saving except as connection status, configured/expiry indicators or other non-secret metadata.

Connector credential storage and runtime tokens: third-party connector authorization credentials are stored by Zettlab cloud services for the account connection. The mobile App does not persist third-party connector OAuth access tokens or refresh tokens. During a local device/Agent session, Zettlab cloud may issue a short-lived connector_runtime token; the App and local-server use it temporarily in process memory, and it is not written to App SecureStore/MMKV or local-server database/files. The token is cleared or becomes unusable after expiry, disconnect, revocation, deletion, or cache clearing. File contents, messages, and other data that have already been transmitted to third-party service providers via connectors are not covered by the deletion scope of this service. To request deletion by a third party, please follow that service provider’s data deletion procedures.

Connector sharing and protection: when you invoke a connector, necessary requests, tool inputs, files, messages, tool results and metadata may be sent to the selected provider or to a custom endpoint configured by you. Where we engage service providers or partners to process connector-related personal data for us, we require contractual commitments to provide the same or equal protection required by this Policy and applicable law. Independent third-party providers or custom endpoints selected by you may process data under their own terms and privacy policies.

When you authorize connectors or configure custom API/MCP connections, you should confirm that you have lawful rights to connect to, access, and process the relevant third-party accounts, endpoints, files, messages, and data, and ensure that your use complies with the third party’s terms of service, API rules, rate limits, and privacy requirements. You understand that, in order to maintain connections and complete the actions you request or enable through Agents/Skills, Zettlab may retain and use necessary connector credentials, including OAuth tokens or API credentials, and may send necessary requests, tool inputs, messages, files, tool results, and metadata to the third-party service providers or custom endpoints you have selected. You may revoke or delete connectors within the scope of product support; data already processed by third parties is handled in accordance with that third party’s terms and privacy policy.

8. Analytics and Logs

We may collect product usage, performance and error events such as sign-in status, device discovery, binding result, connection mode, message latency, time to first token, attachment type/size, file category/size, error code and API latency. We do not intentionally record email plaintext, chat content, file content, search keywords, Wi-Fi passwords or full tokens in analytics events. When troubleshooting requires logs, we use user-submitted logs, minimization and redaction where feasible.

9. Storage, Retention and International Transfers

Non-Chinese Mainland cloud services are primarily hosted in the United States, but information may be accessed, processed or stored in your country/region, the United States, Hong Kong, AI provider regions or other service-provider locations. 

For users in the EEA or UK, cross-border transfers may rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms where applicable. Transfer impact assessments and supplementary technical measures may also be implemented where required.

Where applicable, we use reasonable safeguards for international transfers, such as contractual commitments, technical security measures, access controls and provider due diligence. You acknowledge that countries may have different data protection laws from your location. 

Typical retention criteria: 

| Data category | Retention |
|---|---|
| account and login data | during account life; limited records retained as needed for law, security and disputes |
| device binding and remote access data | during binding; deleted or anonymized after unbinding/revocation where feasible |
| AI chats and credit records | as needed for history, continuity and credit management; deleted/anonymized after deletion or account closure subject to exceptions |
| NAS local files, thumbnails, indexes and logs | controlled by you on the device; not automatically deleted by account closure |
| support and repair records | as needed for support, warranty, disputes and legal obligations |
| security logs and risk records | as needed for security audit, abuse prevention and compliance |
| analytics data | minimized, pseudonymized or anonymized where feasible |

10. Your Rights

Depending on your location, you may have rights to access, correct, delete, copy, port, restrict processing, object to processing, withdraw consent, opt out of certain disclosures, lodge a complaint with a supervisory authority, or request information about automated decision-making. 

You may exercise rights by using in-product tools or contacting support@zettlab.com. We may verify your identity before responding. We will respond within the timeframe required by applicable law.

We may decline or limit a request where permitted by law, including when the request is unrelated to you, excessive, technically disproportionate, conflicts with legal obligations, affects others' rights, or is needed for security, fraud prevention or disputes.

11. California and Other US State Privacy Notice

If applicable state privacy laws apply to you:

1. Categories of personal information we collect are described in Sections 1 and 4.

2. Purposes are described in Section 2.

3. Categories of recipients are described in Section 7.

4. We do not sell personal information for money.

5. We do not knowingly sell or share personal information of children under 16.

6. We do not use sensitive personal information for purposes that would require a “limit use” right beyond providing and securing the service, unless separately disclosed.

7. If future advertising or cross-context behavioral advertising is introduced, we will provide required opt-out controls, including “Do Not Sell or Share” where applicable.

8. We will not discriminate against you for exercising privacy rights.

12. Minors

The Service is directed solely at adult users. Our Services are not directed towards, and we do not knowingly collect or process any information of any person under the age of 18.

If you are under the age of 18, especially if you are a Minor, you must obtain consent from your parent or legal guardian before using the Services. “Minor” means a user who is under 16 or the applicable age of digital consent in the user's jurisdiction.

If you believe a child provided personal information without appropriate consent, contact support@zettlab.com. If we identify that an account is actually used by a Minor under the age of 16 without appropriate consent from their guardian, we reserve the right to suspend or terminate such account and delete the relevant personal information.

13. Automated Decisions

We do not use AI output to make decisions that produce legal or similarly significant effects about you without human involvement. If we introduce such processing, we will provide required notices and rights.

14. Security

We use access controls, encryption in transit, permission separation, token protection, key management, log redaction, audit, least privilege and security updates to protect information. However, no internet, LAN, P2P, physical device environment, third-party model or user-installed Skill/MCP service is perfectly secure. Please protect your account, device, Wi-Fi, access tokens, API keys and sharing permissions.

15. Policy Updates

We may update this Policy due to legal, business, technical, model-provider, cloud-vendor, SDK or regional service changes. Material changes will be notified through App, website, pop-up, in-product notice, email or other reasonable means. Where consent or separate consent is required by applicable laws and regulations, we will obtain your consent through pop-up notices, checkbox confirmations, secondary confirmations, or other appropriate means. We will not process the relevant personal information before obtaining the necessary authorization. If you do not agree to the relevant updates, you may be unable to continue using the corresponding features. By continuing to access and use Zettlab Memo after receiving and checking such notices on policy updates or confirmations, such updates and authorization confirmation will take effect and be binding accordingly.

16. Contact Us

If you have any questions regarding this Policy, personal information protection, complaints or reports, the exercise of your rights, or our handling results, please contact us via email at support@zettlab.com. We will respond within 15 working days. If the matter is complex and requires an extension, we will inform you of the reasons accordingly.