Privacy Policy

1 Introduction

This Privacy Policy describes how Ventana LLC ("Ventana," "we," "us," or "our") collects, uses, stores, and protects personal information when you use the Ventana platform, visit our website at getventana.com, or otherwise interact with our services (collectively, the "Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2 Who We Are

Ventana is a white-label customer portal platform that provides businesses with a branded interface to their Zoho ecosystem — including Zoho CRM, Zoho Books, Zoho WorkDrive, Zoho Desk, Zoho Sign, and Zoho Analytics. The Service is delivered on a managed basis: Ventana builds, configures, and maintains each portal on behalf of its customers.

Ventana LLC is a limited liability company organized under the laws of the State of Utah, United States.

3 Data Controller vs. Data Processor

Understanding who is responsible for your data depends on how you interact with Ventana:

When Ventana is the Data Controller

We act as the data controller when we collect and process information directly from you — for example, when you visit our marketing website, submit a contact form, create an account to manage your portal, or communicate with us via email. In these cases, Ventana determines the purposes and means of processing your personal data.

When Ventana is the Data Processor

When a business ("Customer") uses Ventana to provide a portal to its own clients ("End Users"), the Customer is the data controller for the End User data that flows through the portal. Ventana acts as the data processor, handling that data solely on the Customer's behalf and according to their instructions. End User data originates from the Customer's Zoho ecosystem and is displayed, cached, or transmitted through the Ventana platform.

If you are an End User accessing a portal built by a Ventana Customer, that Customer's own privacy policy governs how your data is collected and used. Ventana processes your data only to provide the Service to that Customer.

4 Information We Collect

Account Information

When an account is created on the Ventana platform (either by a Customer or on behalf of an End User), we collect:

• First and last name
• Email address
• Phone number (optional)
• Organization and role assignment
• Authentication credentials (passwords are hashed; we never store plaintext passwords)

Marketing Site Inquiries

When you submit a contact form on our website, we collect:

• First and last name
• Email address
• Company name
• Estimated number of portal users
• A description of your needs

Zoho Ecosystem Data (Processed on Behalf of Customers)

When the Service connects to a Customer's Zoho account, data from Zoho CRM, Zoho Books, Zoho WorkDrive, Zoho Desk, Zoho Sign, and Zoho Analytics may be retrieved, displayed, or transmitted through the portal. This may include contact records, invoices, documents, support tickets, contract statuses, and analytics views. Ventana processes this data solely to provide the portal functionality and does not use it for any other purpose.

Authentication and Security Data

We collect and store data related to authentication and platform security, including:

• Multi-factor authentication (MFA) enrollment status
• Trusted device identifiers and tokens
• Session information
• Encrypted Zoho OAuth tokens (used to connect to the Customer's Zoho account on their behalf)

Automatically Collected Information

When you use the Service, our infrastructure providers (such as Supabase and Netlify) may automatically collect standard server log data, including IP addresses, browser type, and access timestamps. We do not currently use any third-party analytics or tracking tools on our marketing site or portal.

5 How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service
• To create and manage user accounts
• To authenticate users and enforce security measures (including MFA and session management)
• To connect to and retrieve data from Customers' Zoho ecosystems
• To respond to inquiries submitted through our contact form
• To send transactional communications (such as password resets, account confirmations, and upload notifications)
• To process billing and payments
• To comply with legal obligations
• To detect, prevent, and address technical issues or security threats

We do not use your personal data for targeted advertising. We do not sell your personal data.

6 Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases to process your personal data:

• Performance of a contract: Processing necessary to provide the Service you or your organization has subscribed to, including account creation, authentication, and portal functionality.
• Legitimate interests: Processing necessary for our legitimate business interests, such as maintaining platform security, preventing fraud, improving the Service, and responding to support inquiries — provided these interests are not overridden by your rights.
• Consent: Where you have provided explicit consent, such as when submitting a contact form. You may withdraw consent at any time by contacting us.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.

7 Information Sharing

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Service Providers

We use trusted third-party providers to operate the Service. These providers process data on our behalf and are contractually obligated to protect it:

• Supabase — database hosting, user authentication, and file storage
• Zoho — CRM, invoicing, document storage, support tickets, e-signatures, and analytics (accessed via API on behalf of Customers)
• Netlify — marketing site hosting and contact form submissions
• Namecheap — domain registration and DNS management

Ventana Customers (for End User Data)

If you are an End User, the data displayed in your portal originates from and is controlled by the Ventana Customer (the business that set up the portal for you). That Customer has access to your portal activity and account information as part of their use of the Service.

Legal Requirements

We may disclose personal information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of their personal information.

8 Cookies & Tracking Technologies

Ventana uses minimal cookies and browser storage, limited to what is necessary to operate the Service:

• Session cookies: Set by Supabase Auth to maintain your login session. These are essential for the platform to function and cannot be disabled.
• Trusted device tokens: Stored in your browser's local storage to remember devices you have verified through multi-factor authentication, reducing repeated MFA prompts.

We do not use any third-party analytics cookies, advertising pixels, social media trackers, or similar tracking technologies. If this changes in the future, we will update this Privacy Policy and, where required, obtain your consent before deploying such technologies.

9 Data Security

We take the security of your data seriously and implement industry-standard measures to protect it, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of sensitive credentials at rest (Zoho OAuth tokens are encrypted using AES-256-GCM)
• Hashed and salted password storage via Supabase Auth
• Multi-factor authentication (MFA) support for all portal users
• Role-based access controls within the platform
• Configurable session timeouts and password expiry policies

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

10 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.

• Active accounts: Account data is retained for the duration of the subscription.
• After termination: Following termination of a Customer's subscription, Ventana may retain data for up to thirty (30) days. During this period, Customers may request a data export. After this period, data may be permanently deleted.
• Contact form submissions: Inquiry data is retained for as long as needed to respond to and follow up on the inquiry, and then deleted.
• Zoho ecosystem data: Data retrieved from a Customer's Zoho account is cached temporarily to provide portal functionality and is not retained beyond what is necessary for Service operation. Ventana does not maintain a separate long-term copy of Customer Zoho data.

11 International Data Transfers

Ventana is based in the United States. If you are accessing the Service from outside the United States — including from the European Economic Area (EEA), the United Kingdom, or Switzerland — your personal data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you acknowledge this transfer. Where required by applicable law, we implement appropriate safeguards for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Reliance on service providers' compliance frameworks (e.g., Supabase's and Zoho's own data processing agreements and international transfer mechanisms)

If you have questions about the specific safeguards applied to your data, please contact us.

12 Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request that we correct inaccurate or incomplete personal data.
• Right to erasure: You may request that we delete your personal data, subject to certain legal exceptions.
• Right to restrict processing: You may request that we limit how we process your personal data in certain circumstances.
• Right to data portability: You may request that we provide your personal data in a structured, commonly used, machine-readable format.
• Right to object: You may object to our processing of your personal data where we rely on legitimate interests as the legal basis.
• Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at admin@getventana.com. We will respond to your request within thirty (30) days, or as required by applicable law.

Note for End Users: If you are an End User accessing a portal operated by a Ventana Customer, please direct data rights requests to that Customer first, as they are the data controller for your information. We will assist the Customer in fulfilling such requests as needed.

13 Your Rights Under the CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights regarding your personal information:

• Right to know: You may request that we disclose what categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request the deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt out of sale or sharing: Ventana does not sell or share your personal information as defined under the CCPA/CPRA. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a request, contact us at admin@getventana.com. We may need to verify your identity before fulfilling your request.

14 Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at admin@getventana.com.

15 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the "Effective Date" at the top of this page and, where appropriate, provide additional notice (such as via email or an in-platform notification).

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

16 Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us: