/01Introduction
This Privacy Policy explains how Blackmass Enterprises Ltd (UK Company Registration No. 16124799), trading as ZIMX® Finance ("we", "us", "our"), collects, uses, and protects information when you use ZiRA — Zimbabwe Intelligent Resource Assistant — at askzira.ai ("the Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
/02Data Controller
The data controller for the purposes of applicable data protection law is Blackmass Enterprises Ltd, registered in England and Wales (Company No. 16124799). If you have any questions about this policy or how we handle your data, you can contact us at privacy@askzira.ai or at our registered business address.
/03Information We Collect
When you use ZiRA, we may collect the following categories of information: conversation data (the messages you send to ZiRA and the responses generated); voice data (if you use voice input, the audio you record, which is processed to transcribe your speech; if you use voice output, the text of a response is processed to synthesise speech); technical data including your IP address, browser type, device information, and access times; session identifiers used to maintain conversation continuity; usage data such as which modes you use, message frequency, and session duration; and if you join our waitlist or contact us, your email address. We do not require you to create an account or provide personal information to use ZiRA's chat functionality.
/04How We Use Your Information
We use the information we collect to provide and operate the ZiRA service; to maintain conversation continuity within a session; to monitor and enforce rate limits and usage policies; to detect and prevent abuse, spam, and harmful content; to monitor service costs and performance; to communicate with waitlist subscribers about service updates; and to comply with legal obligations. We process your data on the following legal bases under UK GDPR: legitimate interests (to operate, secure, and improve the Service), consent (for waitlist communications), and legal obligation (where required by law).
/05Third-Party Processors
ZiRA relies on the following third-party service providers to operate. Each processes data on our behalf under its data-processing terms. We are putting Data Processing Agreements in place with these providers and, for transfers outside the UK/EEA, rely on appropriate safeguards such as the UK IDTA or EU Standard Contractual Clauses with the UK Addendum, or a provider's Data Privacy Framework certification. A full, current list of our sub-processors — including the data they handle, their location, and the transfer safeguard relied on — is maintained at
askzira.ai/subprocessors, which we update when a provider is added or removed.
5.1 Anthropic PBC (AI Chat — Primary)
When you send a message to ZiRA, your message and the recent conversation context are transmitted to Anthropic's API servers in the United States to generate a response. Anthropic is our primary model provider. We minimise the data sent by trimming conversation history and not transmitting unnecessary personal information, and we access Anthropic through its commercial API, under which submissions are not used to train its models. We recommend reviewing Anthropic's privacy policy at anthropic.com.
5.2 OpenAI, L.L.C. (AI Chat Failover & Search)
OpenAI is used in two ways. First, as a failover provider: if Anthropic is unavailable, your message and recent conversation context may instead be sent to OpenAI's API (in the United States) to generate a response. Second, when you use knowledge-base search, your search query is sent to OpenAI to compute a numerical embedding used to find relevant content. OpenAI processes this data under its API data-processing terms, under which API submissions are not used to train its models. See openai.com for details.
5.3 Google LLC (Voice — Speech & Synthesis)
ZiRA's voice features rely on Google Cloud. If you use voice input, the audio you record is sent to Google Cloud Speech-to-Text (in the United States) to transcribe it into text. If you use voice output, the text of a response is sent to Google Cloud Text-to-Speech to synthesise spoken audio. These transfers only happen when you actively use the voice features. Google processes this data as a processor under the Google Cloud Data Processing Addendum. See cloud.google.com for details.
5.4 Supabase, Inc (Database & Storage)
Conversation records, session data, knowledge base content, and usage analytics are stored in a PostgreSQL database hosted by Supabase, Inc. Supabase acts as a data processor on our behalf. Supabase makes available a Data Processing Addendum incorporating the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) and the UK Addendum, which we rely on for this processing. Data is hosted on Amazon Web Services infrastructure. All data is encrypted at rest using AES-256 encryption with per-project keys protected by FIPS 140-2 compliant hardware security modules, and encrypted in transit using TLS 1.2 with modern ciphersuites. Supabase's sub-processors are listed in their DPA and include AWS, Google LLC, Fly.io, and Cloudflare, among others.
5.5 Vercel, Inc (Hosting & Analytics)
askzira.ai is hosted on Vercel's platform in the United States. Vercel may process technical data such as IP addresses, request headers, and performance metrics in connection with serving the application. Vercel Analytics and Speed Insights are used for performance monitoring.
5.6 Brevo (Email Communications)
If you join our waitlist or use our contact form, your email address (and any message you send) is processed by Brevo (formerly Sendinblue), an EU-based provider, to manage the waitlist and to send or receive related communications. You can unsubscribe from marketing communications at any time.
/06Data Storage and Security
We use technical and organisational controls to protect service data. Chat sessions use secure HTTP-only cookies. Server-side systems store conversation records to support continuity, abuse prevention, and service analytics. Database access is restricted using row-level security policies and service-role authentication, ensuring that public API keys cannot access stored data. All data at rest is encrypted using industry-standard AES-256 algorithms, and all data in transit is protected by TLS 1.2 encryption. Supabase maintains daily encrypted backups of all project data.
/07Data Retention
We keep personal data only as long as we need it, and an automated nightly job enforces the following retention periods: conversation records are deleted 90 days after the last message in that conversation; the session cookie uses a 30-day sliding window, and expired session records are deleted automatically; per-session usage counters are kept for 90 days; security and abuse-prevention logs are kept for up to 180 days; and waitlist or contact email addresses are retained (by Brevo) until you unsubscribe or ask us to delete them. Shared answer links you create are retained until you request their deletion. You can ask us to delete your data sooner at any time — see Section 10.
/08International Data Transfers
Several of our service providers, including Anthropic, OpenAI, Google, and Vercel, are based in the United States, and Supabase stores data in the EU (Ireland). Personal data is transferred from the UK to the US in connection with the operation of the Service. We rely on, and where not already in place are putting in place, appropriate safeguards for these transfers, including: the UK Extension to the EU-US Data Privacy Framework (the UK Secretary of State designated the US as an adequate jurisdiction for the purposes of the UK GDPR on 21 September 2023); Standard Contractual Clauses approved by the European Commission (Decision 2021/914), as supplemented by the UK Approved Addendum issued by the ICO under S119A(1) of the Data Protection Act 2018; and Supabase's published Transfer Impact Assessment in relation to its processing activities, which concluded that the risk of access to personal data by US authorities is low given the nature of the data processed. As of the date of Supabase's most recent Transfer Impact Assessment (March 2025), Supabase has not received any US government requests for customer data under FISA 702 or Executive Order 12333.
/09Data Sharing
We do not sell your personal data to third parties. We may share data with the following categories of recipients: our third-party processors as described in Section 5, solely for the purposes of operating the Service; and law enforcement or regulatory authorities where required by law. All third-party service providers are required to process data in accordance with applicable data protection laws and under appropriate contractual safeguards.
/10Your Rights
Under UK GDPR, you have the following rights regarding your personal data: the right of access (to request a copy of the personal data we hold about you); the right to rectification (to request correction of inaccurate data); the right to erasure (to request deletion of your data, also known as the "right to be forgotten"); the right to restrict processing; the right to data portability; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time where processing is based on consent. To exercise any of these rights, please contact us at privacy@askzira.ai or using the details in Section 2. We will respond to your request within one month. Because ZiRA has no user accounts and your data is linked to an anonymous session identifier (the "zira_session" cookie) rather than your name, please contact us from the same browser you used with ZiRA, or include your session reference, so that we can locate and act on the records that relate to you.
/11Cookies and Analytics
askzira.ai uses essential cookies for chat session continuity and rate-limiting enforcement. These are HTTP-only secure cookies and cannot be accessed by client-side scripts. We also use Vercel Analytics and Vercel Speed Insights to measure site performance and usage trends. These tools collect anonymised performance metrics and do not track individual users across sites. Some pages display interactive maps, which load map tiles from a third-party provider (CARTO, using OpenStreetMap data); your IP address is shared with that provider in order to deliver the tiles. We do not run third-party advertising trackers or sell data to advertisers.
/12Children's Privacy
ZiRA is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
/13Sensitive Information
We strongly advise you not to share sensitive personal information in your conversations with ZiRA, including but not limited to: financial account numbers, passwords or security credentials, national insurance or social security numbers, medical or health information, or any other information you would not want to be processed by a third-party AI provider. ZiRA's content filtering systems are designed to detect and handle crisis-related messages with appropriate care, but the Service is not a substitute for professional support.
/14AI-Specific Disclosures
ZiRA is an AI assistant powered by large language models. AI responses may be inaccurate, incomplete, or outdated and should not be relied upon as financial, legal, medical, or professional advice. To generate responses, your messages are processed by Anthropic's API (and, if Anthropic is unavailable, by OpenAI's API); voice features additionally send your audio to Google Cloud Speech-to-Text and send response text to Google Cloud Text-to-Speech. We access these providers through their commercial or developer APIs, under which your submissions are not used to train their models, although a provider may retain data briefly for abuse monitoring as described in its own terms. We do not use your conversation data to train or fine-tune AI models ourselves.
/15Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
/16Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
/17Contact
For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact Blackmass Enterprises Ltd, registered in England and Wales (Company No. 16124799), at privacy@askzira.ai.