This Privacy Policy (“Policy”) describes how Greenbax, Inc. d/b/a ZipHQ (“Zip”, “we,” “us” or
“our”) collects, uses, and discloses personal data, and the choices you have related to this.
Zip provides a pioneering platform that offers one place for employees to initiate a purchase or
vendor request. This Privacy Policy does not apply to information that we process on behalf of
our enterprise customers while providing the Zip platform to them. Our use of such information
is governed by our Master Subscription Agreement (“MSA”) with those enterprise customers,
including any data imported into the Solution by a customer. If you have concerns regarding
personal information that we process on behalf of an enterprise customer, for example if you
are an employee of such an enterprise customer, please direct your concerns to that enterprise
Our websites, products, and services are primarily designed for enterprise organizations and
their representatives. We do not offer products or services for use by individuals for their
personal, family, or household purposes. Accordingly, we treat all personal information we
collect as pertaining to individuals in their capacities as enterprise organization representatives
and not their individual capacities.
Zip may provide additional or supplemental privacy policies for specific products or services
that we offer at the time we collect personal information or as otherwise notified to you.
Please review this Policy carefully to understand our practices regarding your personal data. If
you do not agree with the practices described in this Policy, please do not access or use our
Websites or Solution (defined below).
Privacy Policy Applicability
This Policy is applicable to data collected through, and any other websites managed
by Zip (collectively, the “Websites”), through our software products (the “Solution”) and
through any other interactions you might have with us, such as through email newsletters,
online and in person events, and other interactive features and communications.
This Policy does not apply to any third party websites, applications or businesses to which we
link or who may link to us. You should review the privacy policies of those third parties to
understand how they may collect and use your personal data.
How We Collect
We may collect your personal data when you:
Visit our Websites, through automated cookies
Use our Websites or Solution
Interact with us by communicating through the Solution, Websites, by email, by social
media, or by telephone
Participate in our online communities, blogs or other forums
Register for or attend an online or in person event sponsored by us
What We Collect
The types of information we collect from you may differ depending on how you interact with
Contact data - such as your first and last name, email address, billing and mailing
addresses, professional title and company name, and phone number.
Demographic Information - such as your city, state, country of residence, and postal
Profile data - such as the username and password that you may set to establish an
online account with us and any other information that you add to your account profile.
Communications data - that we exchange with you, including when you contact us with
questions or feedback, through the Solution, social media, or otherwise. When you
contact us, we may also keep a record of your communication to better support you in
the future.
Transactional data - such as information relating to or needed to complete your orders
on or through the Solution, including order numbers and transaction history.
Marketing data - such as your preferences for receiving our marketing communications
and details about your engagement with them.
User-generated content - such as comments, questions, messages, works of authorship,
and other content or information that you generate, transmit or otherwise make
available on the Solution, as well as associated metadata. Metadata includes
information on how, when, where, and by whom a piece of content was collected and
how that content has been formatted or edited.
Financial information - such as your financial account numbers or payment card
Payment information needed to complete transactions, including payment card
information or bank account number.
Other data not specifically listed here, which we will use as described in this Privacy
Policy or as otherwise disclosed at the time of collection.
Third-party sources. We may combine personal information we receive from you with personal
information we obtain from other sources, such as:
Public and private sources - such as government agencies, public records, social media
platforms, and other publicly or privately available sources.
Data providers - such as information services and data licensors.
Our affiliate partners - such as our affiliate network provider and publishers, influencers,
and promoters who participate in our paid affiliate programs.
Marketing partners - such as joint marketing partners and event co-sponsors.
Automatic data collection. We, our service providers, and our business partners may
automatically log information about you, your computer or mobile device, and your interaction
over time with the Solution, our communications, and other online services, such as:
Device data - such as your computer’s or mobile device’s operating system type and
version, manufacturer and model, browser type, screen resolution, RAM and disk size,
CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including
identifiers used for advertising purposes), language settings, mobile device carrier,
radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such
as city, state or geographic area.
Online activity data - such as pages or screens you viewed, how long you spent on a
page or screen, the website you visited before browsing to the Solution, navigation
paths between pages or screens, information about your activity on a page or screen,
access times and duration of access, and whether you have opened our marketing
emails or clicked links within them.
Cookies and similar technologies. Like many online services, we may use the following
Cookies, which are text files that websites store on a visitor’s device to uniquely identify
the visitor’s browser or to store information or settings in the browser for the purpose
of helping you navigate between pages efficiently, remembering your preferences,
enabling functionality, helping us understand user activity and patterns, and facilitating
analytics and online advertising.
Local storage technologies, like HTML5 and Flash, that provide cookie equivalent
functionality but can store larger amounts of data, including on your device outside of
your browser in connection with specific applications.
Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate
that a webpage or email address was accessed or opened, or that certain content was
viewed or clicked.
Data about others. Users of the Solution may have the opportunity to refer other contacts to us
and share their contact information with us. Please do not refer someone to us or share their
contact information with us unless you have their permission to do so.
How we use your personal data depends on how you interact with us. The specific purposes for
which we use the data we collect about you are listed below. In some jurisdictions, including
those subject to the EU General Data Protection Regulation (“GDPR”) or UK General Data
Protection Regulation (“UK GDPR”), we may only process your personal data when we have a
legal basis to do so. Our legal basis for processing your personal data is listed with each purpose
for processing below.
To provide and support the Solution and Websites. We use your personal data to
provide and support the Solution and Websites. As part of doing so, we may send you
service announcements, technical notices, security alerts, billing and support-related
messages related to your account or transactions with us, through the Solution or by
email. You may not opt out of these messages, as they are considered part of the
Legal Basis for Processing: We may have a contractual obligation to you, or to your
company, to provide you with access to and support for the Solution, which requires the
processing of your personal contact data. Otherwise, we have a legitimate interest in
providing you access to and support for our Websites.
To provide an individualized experience on the Solution and Websites. We use the
information we collect to personalize content and experiences on our Solution and
Websites, to better understand your interests and make personalized recommendations
based on your interests, and tailor your experience with us to your preferences.
Legal Basis for Processing: We have a legitimate interest in processing your personal
data to improve your experience with us.
To understand and manage our relationship with you. We use your personal data to
understand your use of the Solution and Websites so that we can monitor the health of
our relationship with you, and for our enterprise users, identify usage trends and
suggest new services or features based on your company’s usage of the Solution. We
also report this data back to our enterprise customers, so that you can maximize your
company’s use of our Solution.
Legal Basis for Processing: We have a legitimate interest in making sure that you are
getting the full value out of your use of the Solution and Websites, identifying product
champions, and making suggestions to optimize your usage or subscriptions.
To communicate with you. We will send you emails or otherwise communicate with you
in response to your questions, feedback or comments. For example, we will respond to
comments on applicable community boards, and answer questions sent to us through
the Websites. We may also contact you with personalized messages via email,
telephone, or on social media if we identify that because of your experience or
background that our Solution might be of particular interest to you. You can also opt
into receiving emails about new product features and services. You can always opt out
of these communications by following the opt out instructions in the message or by
contacting us through the contact information listed below.
Legal Basis for Processing: We have a legitimate interest in corresponding with you
when you have contacted us, or when we have identified you may have a particular
interest in the Solution (when not prohibited by law). Otherwise, when processing your
personal data for marketing communications, we rely on your consent.
To create anonymous data for use in product development. We may remove personal
identifiers from data containing personal information so that it cannot be traced back to
an individual, and aggregate it by combining it with the data from multiple sources
and/or individuals. We may use this data to understand feature adoption and feature
gaps, make product depreciation decisions, and make product development decisions.
When using collected data for product development, we will always remove all personal
data and Customer Data.
Legal Basis for Processing: We have a legitimate interest in creating anonymized data so
that we can use that data to improve the Solution.
For security, compliance, fraud prevention and safety. We may use your personal data
as we believe appropriate to investigate or prevent violation of the law, our MSA, to
secure the Solution, to protect our, your or others’ rights, privacy, safety or property;
and to protect, investigate and deter against fraudulent, harmful, unauthorized,
unethical or illegal activity. We may also use the information we collect about your
device to detect users violating our MSA and prevent further violations.
Legal Basis for Processing: We have a legitimate interest in protecting ourselves and our
users against unauthorized use of our Solution and Websites to ensure the security of
the data processed within them. We are also obligated to process certain personal data
to monitor compliance with our MSA and performance of other agreements we may
have with you.
For compliance with law or to investigate legal claims. We may use your personal data
to comply with applicable laws, lawful requests and legal process, such as to respond to
subpoenas or requests from government authorities. We may also use your personal
data where permitted by law in connection with any legal investigation and to prosecute
or defend legal claims.
Legal Basis for Processing: In certain rare circumstances, we may rely on compliance
with a legal obligation or protection of vital interests in the event of a legal investigation
or request from a law enforcement or governmental entity. As a global company, there
are a wide variety of laws that might compel processing of your data under this legal
basis, but they may include the following types of laws: civil and commercial laws,
criminal laws, consumer laws, and corporate and taxation laws.
With your consent. In some cases we may ask for your consent to collect, use or share
your personal data in ways we have not described here. When we do that, we will
always record your consent and you may change your mind and opt out by contacting us
via the methods listed in the Contact Us section.
Anonymization is a data processing technique that modifies personal information so that it
cannot be associated with a specific individual. Except for this section, none of the other
provisions of this Privacy Policy apply to anonymized, aggregated (i.e., information about our
customers that we combine so that it no longer identifies or references an individual customer)
or de-identified data. We may use this anonymized, aggregated, or de-identified data and share
it with third parties for our lawful business purposes, including to analyze and improve the
Solution and promote our business.
Except for as mentioned below, we do not share your personal data with any other companies.
We will not sell or rent your personal data as part of a customer list or similar transaction.
We may share your personal data as follows:
With Affiliates. We may share your personal data with our subsidiaries, joint ventures,
or other companies under common control, in which case we will require those entities
to honor this Privacy Policy. As a global company, we have employees employed by
subsidiary companies across the world. We may share any of the data listed above with
any of these affiliated companies.
With Business Partners. We may share your personal data with our business partners
with whom we develop product integrations for our users, or partners who help us host
our events. For our event partners, we will only share your contact data, and only if you
have consented to it at the time of registration. If you would like to withdraw your
consent you can contact us as provided in the Contact Us section.
With Third Party Agents and Service Providers. We have third party agents and service
providers that perform functions on our behalf, such as hosting, billing, push
notifications, storage, bandwidth, content management tools, analytics, customer
service, fraud protection, etc. These entities may have access to your personal data to
the extent needed to perform their services. All such third parties are contractually
obligated to maintain the confidentiality and security of your personal data, and are
restricted from using your personal data other than to provide their services.
By Linking to Third Party Sites. Our Websites may link to other websites or services
operated by third parties, whose privacy practices may differ from ours and are
governed by their own privacy policies, not this Policy. We do not control or endorse
any of these third party websites or services, and we encourage you to carefully review
the privacy policy of any website you visit.
With Law Enforcement, Government Entities, and Other Companies and
Organizations. In rare circumstances, we may share your personal data with law
enforcement or governmental entities for compliance with the law or to investigate
legal claims. In the event of confirmed fraudulent activity, we may also exchange
information with other companies and organizations for fraud protection.
Through Business Transfers. We may sell, transfer or otherwise share some or all of our
business or assets, including your personal data, in connection with a business deal (or
potential business deal) such as a merger, consolidation, acquisition, reorganization,
sale of assets or in the event of bankruptcy.
Other users and the public. Your profile and other user-generated content (except for
messages) may be visible to other users of the Solution and the public. For example,
other users of the Solution or the public may have access to your information if you
choose to make your profile or other personal information available to them through
the Solution, such as when you provide comments, reviews, survey responses, or share
other content. This information can be seen, collected, and used by others, including
being cached, copied, screen captured, or stored elsewhere by others (e.g., search
engines), and we are not responsible for any such use of information.
The Solution may be used to process personal data on behalf of you, our customer. We may not
have any direct relationship with the individuals to whom the data belongs. Individuals who
would like to access, correct or delete personal data processed by us on behalf of our
customers should direct their questions to our customers, who are the data controllers. We use
and disclose this personal data as permitted by our customer agreements and as required by
We will retain your personal data as needed to fulfill the purposes for which it was collected.
We may retain your information as needed to provide you services, comply with our business
requirements and legal obligations, resolve disputes and enforce our rights and agreements.
Following termination or deactivation of your account, we will delete your Customer Data, but
may retain your contact information, user profile, and other personal data in our records. When
the purpose for which your personal data was collected no longer exists and there is not a
business or legal reason to retain your personal data, Zip will securely delete or anonymize your
data. To request deletion of your personal data before the expiry of our retention period,
please see the Contact Us section.
We take security very seriously. We take appropriate measures, including organizational,
technical, and physical precautions to help protect against unauthorized access to, alteration of,
or destruction of your personal data.
While we follow industry standards and best practices to protect your data, no transmission of
data over the Internet or any public network can be guaranteed to be 100% secure.
The Solution and Websites are not directed to anyone under the age of 16. A parent or
guardian who becomes aware that his or her child under the age of 16 has provided us with
personal data may Contact Us and we will delete the child’s data.
We respect your control over your personal data and, upon request, we will confirm whether
we hold or are processing data that we have collected from you. You also have the right to
amend or update inaccurate or incomplete personal data, request deletion of your personal
data, or request that we no longer use it. Under certain circumstances we will not be able to
fulfill your request, such as if it interferes with our regulatory obligations, affects legal matters,
we cannot verify your identity, or fulfillment involves disproportionate cost or effort, but in any
event we will respond to your request within a reasonable timeframe and provide you an
You can always contact us as provided in the Contact Us section to exercise these rights. You
may also be able to take action yourself through the methods listed below.
View, correct and delete your account information. If you use the Solution or have an
account through our Websites, you can view, update and delete certain information
directly through your account.
Opt out of communications. You can opt out of receiving future marketing
communications from us by clicking the unsubscribe link within a marketing email, by
responding to our emails with the subject line “Opt Out,” or by updating your profile
settings. Please note that you generally can’t opt out of service related communications.
Deactivate your account. If you would like to stop using our Solution, you or your
administrator may be able to deactivate your account. Please be aware that depending
on how you use our Solution and Websites, this may not delete all of your information.
You also have the following choices with respect to your personal information.
Cookies. Most browsers let you remove or reject cookies. To do this, follow the
instructions in your browser settings. Many browsers accept cookies by default until you
change your settings. Please note that if you set your browser to disable cookies, the
Service may not work properly. For more information about cookies, including how to
see what cookies have been set on your browser and how to manage and delete them,
Advertising choices. You may be able to limit use of your information for interest-based
advertising by:
o Browser settings. Blocking third-party cookies in your browser settings.
o Privacy browsers/plug-ins. By using privacy browsers or ad-blocking browser
plug-ins that let you block tracking technologies.
o Platform settings. Google and Facebook offer opt-out features that let you opt-
out of use of your information for interest-based advertising:
§ Google:
§ Facebook:
o Ad industry tools. Opting out of interest-based ads from companies participating
in the following industry opt-out programs:
§ Network Advertising Initiative:
§ Digital Advertising Alliance:
§ AppChoices mobile app, available at, which will allow you to
opt-out of interest-based ads in mobile apps served by participating
members of the Digital Advertising Alliance.
o Mobile settings. Using your mobile device settings to limit use of the advertising
ID associated with your mobile device for interest-based advertising purposes.
You will need to apply these opt-out settings on each device from which you wish to opt-out.
Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the
online services that you visit. We currently do not respond to “Do Not Track” or similar signals.
To find out more about “Do Not Track,” please visit
Declining to provide information. We need to collect personal information to provide certain
services. If you do not provide the information we identify as required or mandatory, we may
not be able to provide those services.
We are a global company headquartered in the United States, with entities, operations and
service providers situated around the world. Your personal data may be transferred outside of
your local jurisdiction, to countries without an adequacy decision by the European Commission.
We have put appropriate safeguards in place to ensure that your personal data receives an
adequate level of security regardless of the country in which it is processed. This includes
entering into agreements with written assurances from our services providers, including, as
required, standard contractual clauses for the transfer of personal data as approved by the
European Commission and the British Information Commissioner’s Office. Depending on the
particular circumstances of the transfer, we may use the GDPR Standard Contractual Clauses
Controller – Controller, Controller – Processor, or Processor – Processor, and/or the UK
Standard Contractual Clauses Controller – Controller or Controller to Processor. Our standard
contractual clauses can be provided upon request.
If you are located in the European Economic Area, Switzerland, or United Kingdom, you have
additional data privacy rights that include the right to:
Access, correct update or request deletion of your personal information
Object to the processing of your personal information, ask us to restrict processing of
your personal information, or request portability of your personal information
Opt out of marketing communications we send you at any time
Withdraw your consent for processing, if we are processing your personal data based on
consent. Note that withdrawing consent does not affect the lawfulness of processing
based on consent before its withdrawal; and
Make a complaint to a data protection authority about or collection and use of your
personal data.
To exercise these rights, please contact us as provided in the Contact Us section below.
This Policy contains a list of the categories of personal data we collect and have collected for
the past twelve months.
If you are a California resident, you may have additional rights under the California Consumer
Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) that include the right to:
Request access, correction and deletion of your personal information;
Opt out of the sale of your personal information; and
Not be discriminated against for exercising one of your CCPA/CPRA privacy rights.
Please note that we do not sell the personal data that we collect.
To exercise your rights, please contact us as provided in the Contact Us section. You will not be
discriminated against for exercising your privacy rights under the CCPA and CPRA. In order to
protect your personal data from unauthorized access or deletion, we may require you to
provide additional information for verification. If we can’t verify your identity, we will not
provide or delete your data.
We reserve the right to modify this Privacy Policy at any time. If we make material changes to
this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it
on the Websites. If required by law we will also provide notification of changes in another way
that we believe is reasonably likely to reach you, such as via email or another manner through
the Solution or Websites. Any modifications to this Privacy Policy will be effective upon our
posting the modified version (or as otherwise indicated at the time of posting). In all cases, your
use of the Solution or Websites after the effective date of any modified Privacy Policy indicates
your acceptance of the modified Privacy Policy.
If you have any questions about this Policy, or to exercise any of your data privacy rights, please
email us at [email protected]. You can also contact us at our mailing address below:
33 New Montgomery St
Suite 1420
San Francisco, CA 94105
Attn: Legal
Last updated: August 2, 2022