Privacy

How we handle your data

Lawful basis under PDPL

We process personal data under UAE Federal Decree-Law 45 of 2021 (PDPL) using the following lawful bases: performance of the contract you sign to use the platform, our legitimate interest in providing the service, and your explicit consent for any marketing communications.

Data residency

During the launch period (months 1-3 of public availability), personal data is stored on Supabase EU-central-1 with an adequacy argument under PDPL Article 22(1)(a). We will migrate to UAE-resident infrastructure at G42 Khazna (Abu Dhabi) by month 3 with at least 30 days' written notice. The public legal corpus contains no personal data and is hosted on AWS me-south-1 (Bahrain).

Your rights

  • Access. Export all your data in machine-readable form within 30 days.
  • Rectification. Correct any inaccurate data.
  • Deletion. Delete your account and all personal data within 30 days. Audit logs and provenance records may be retained for the period required by law, pseudonymised.
  • Portability. Export in JSON and your generated documents in PDF/DOCX.
  • Restriction or objection. Pause processing or object to processing based on legitimate interest.

To exercise any of these rights, email privacy@zanii.agency from the email associated with your account. We respond within 30 days.

Retention

We retain generated documents and the provenance log for 7 years, aligning with the UAE statute of limitations on commercial claims. AI Counsel conversation history defaults to 1 year and is user-controllable. Telemetry without personal data is kept for 2 years.

Cross-border transfers

Limited transfers occur to: Anthropic (United States) for AI generation; AWS Bahrain for the public corpus; Stripe for payments. Each transfer is subject to Standard Contractual Clauses or equivalent safeguards. No personal data is transferred to vendors located outside jurisdictions with adequate protection.

Data Protection Officer

Our DPO is our founder-advocate (dual-hatted during launch). For DPO matters specifically, email dpo@zanii.agency.

Breach notification

In the event of a personal data breach likely to result in risk to your rights, we will notify the UAE Data Office and affected individuals within 72 hours of discovery, in line with PDPL Article 9.