TL;DR
- How to maintain GDPR compliance with Zoho
- Do I need a cookie banner with Zoho?
- What Zoho’s Privacy Policy/GDPR page says
- About Zoho
Zoho provides a suite of business tools and can be GDPR-compliant if the right steps are followed.
How to maintain GDPR compliance with Zoho
Because Zoho offers a wide range of services (CRM, mail, analytics, HR, etc.), it’s vital to understand which products you use and what data is being sent to Zoho’s servers.
If you’re only using Zoho for email or basic collaboration, Zoho mainly processes business communication data and user information. If you use its marketing, analytics, or tracking features, much more user data may be involved.
Follow these steps to help ensure GDPR compliance when using Zoho:
Request user consent (if applicable)
If you use Zoho applications (such as Zoho Analytics, Marketing Automation, or SalesIQ) that set cookies or collect visitor data, you must obtain user consent—usually via a cookie opt-in banner.
A free CMP tool like Termly or Cookiebot can be used for this.
Provide option to opt out
Users should have the ability to opt out of data collection or tracking. This is commonly managed through your CMP tool or built-in privacy settings within the Zoho product you use.
Add Zoho to your list of data processors
Under GDPR, it’s mandatory to list Zoho as a data sub-processor in your privacy policy. This is relevant no matter which Zoho products you use.
Here’s an example of what to include in your privacy policy:
Monitor data security
GDPR Article 33 requires notifying users about personal data breaches. Monitor your Zoho services for breach notifications—even if rare, it is required by law.
Additionally, make sure to use strong passwords and enable Multi-Factor Authentication (MFA) for your Zoho admin accounts to minimize security risks.
Do I need a cookie banner with Zoho?
Yes—if you are using Zoho products that set cookies or track visitor behavior (like Zoho Analytics, SalesIQ, etc.), you must display a cookie consent banner.
What Zoho’s Privacy Policy/GDPR page says
- Source: https://www.zoho.com/privacy.html*
Source: https://www.zoho.com/gdpr.html
The Zoho Privacy Policy explains how Zoho collects, processes, and protects user data in line with GDPR and other privacy frameworks.
Policy Scope:
Zoho's policy applies to all Zoho services, users, customers, and website visitors. It covers situations where Zoho acts as both a controller (for its own users’ information) and a processor (for customer data managed through Zoho products).
Data Collection:
Zoho collects information such as contact details, usage statistics, device and IP information, transaction data, and (if enabled) data from website visitors using Zoho tools like SalesIQ, PageSense, or Analytics.
Use of Information:
Collected data is used to operate, improve, and personalize Zoho’s services. It also supports processing transactions, customer support, marketing, and service notifications. Zoho states explicitly that it does not sell personal information.
Data Sharing:
Zoho shares data only as needed:
- With trusted third-party service providers under strict terms
- Internally within the Zoho Corporation
- In connection with legal requirements, mergers, or business transfers No data is sold to advertisers or third parties for profit.
EU, UK, and Swiss Residents:
Zoho details the rights of data subjects in these regions, including access, correction, deletion, and restriction of processing. Zoho’s DPA and standard contractual clauses help facilitate international transfers in line with GDPR.
International Data Transfers:
Zoho ensures adequate protections for data transfers outside the EEA, including Standard Contractual Clauses (SCCs), and it regularly audits for compliance.
Data Subject Rights:
Individuals have the right to:
- Access their personal data
- Request corrections or deletion
- Object to or restrict processing
- Receive data in a portable format
Zoho outlines the procedure for exercising these rights and maintains compliance with regional laws.
Data Security and Retention:
Zoho uses technical and organizational measures to safeguard personal data and retains it only for as long as necessary for business or legal requirements.
Dispute Resolution and Updates:
The privacy policy has mechanisms for addressing privacy concerns, including contacting Zoho’s Data Protection Officer (DPO), and states that users will be informed about material policy updates.
Contact Information:
Zoho publishes contact information for privacy matters and has a dedicated DPO for EU data subjects.
Points to Highlight:
- Strong privacy stance: Zoho does not monetize user data.
- Comprehensive coverage: Policy applies to all Zoho products and scenarios.
- International compliance: Adopts GDPR rules and supports SCCs.
- User empowerment: Easy mechanisms to exercise data rights.
- Clear security practices: Commitment to data privacy and breach notification.
About Zoho
Zoho is a global technology company offering a comprehensive suite of cloud-based business software. Established in 1996, Zoho’s mission is to enable organizations of all sizes to run their business operations securely, efficiently, and affordably.
Key Features:
- CRM (Customer Relationship Management): Zoho CRM streamlines sales, marketing, and customer support for businesses of any size.
- Productivity Suite: Includes email, calendars, document editing, chat, and project management tools.
- Finance & Accounting: Zoho Books, Invoice, Expense, and more help automate financial operations.
- Marketing & Analytics: Products like Zoho Campaigns and Analytics provide advanced customer insights, marketing automation, and analytics.
- Human Resources: Zoho People and Recruit simplify employee and recruitment management.
- Support & Helpdesk: Zoho Desk offers a comprehensive platform for customer service and support center management.
- Developer Platform: Tools and APIs for building custom applications and integrations.
Zoho is renowned for its commitment to privacy, reliable performance, and continuous innovation, serving millions of users worldwide across multiple sectors.