zanzai

Privacy Policy

Last updated: 11 May 2026

1. Introduction

Zanzai ("we", "us", "our") takes your privacy seriously. This policy explains what data we collect when you use the Zanzai platform, how we use it, who we share it with, and the rights you have over your information.

Where local privacy laws apply to you — for example, POPIA in South Africa, PIPEDA and Quebec's Law 25 in Canada, the GDPR in the European Union and United Kingdom, or the CCPA/CPRA in California — this policy is intended to comply with them and to give you the rights those laws grant. Section 7 lists rights that vary by jurisdiction.

2. Information We Collect

Business Owners

When you sign up, we collect your email address, name, and password (stored securely hashed using bcrypt). If you sign in with Google, we receive your name, email, and profile picture from Google. When you onboard your business, we collect business name, address (including geolocation from Google Places), phone number, WhatsApp number, public email, booking link, services and pricing, staff details, operating hours, bio, and photos and logos you upload.

Payment Information

When you subscribe to a paid plan, payment is processed by Stripe. We do not see or store your full card details — only a Stripe customer reference, the last four digits, the card brand, billing email, and your subscription status. Stripe's own privacy policy governs the payment data they hold on your behalf.

Chat Customers

When you use the chat feature on a business listing, your messages are stored. If you want the business to follow up — for example to confirm a booking or send a quote — the AI assistant will present a short form for you to fill in with your name and a phone number or email. Only the details you type into that form are shared with the business as a lead. The AI never reads contact details out of your chat messages and never passes anyone else's contact details on your behalf.

If you tick the optional "OK to send me occasional offers" box on the form, the business may also contact you with marketing messages. This is separate from the booking reply: the booking reply is transactional and is sent without that tick; only marketing reuse requires it. You can withdraw marketing consent at any time by replying to the business or by emailing us (see "Contact & Complaints").

Audit record. Every lead-capture form submission is recorded in a lead_form_requests row with the form's reason, your IP address, your browser's user-agent string, the timestamp, and whether you ticked the marketing box. This row is our canonical consent audit record under POPIA section 11/69 and Quebec Law 25 — it is what we point to if a regulator asks "when and how did this person consent to being contacted?".

Automatically Collected

We collect browser session identifiers, referring page URLs, IP addresses, and user-agent strings. IP addresses are used for rate limiting, abuse prevention, and bot detection. We may also log basic request metadata for security monitoring.

3. How We Use Your Information

  • Display your business listing to potential customers
  • Power the AI chat assistant with your business information
  • Generate AI-assisted content suggestions for sellers (for example, suggested service descriptions or bio drafts) — sellers always review and approve these suggestions before they are published
  • Capture leads (customer name, phone, email) — only when you submit the inline lead-capture form on a chat, never by parsing the contents of chat messages
  • Send transactional emails (account verification, password resets, login alerts, billing receipts)
  • Process subscription payments and enforce plan limits
  • Detect and prevent abuse, fraud, spam, and bot traffic
  • Monitor usage for billing and plan enforcement
  • Improve the platform and fix issues

4. Third-Party Service Providers

We use trusted third-party service providers ("sub-processors") to operate the platform. Some are named because you have an independent relationship and rights with them; others are described by category so we can change providers as the platform evolves without re-issuing this policy.

Named providers

  • Stripe — subscription billing and payment processing. We do not see or store your full card details; only a Stripe customer reference, the last four digits, the card brand, billing email, and your subscription status. Stripe's own privacy policy governs the payment data they hold on your behalf.
  • Google — OAuth sign-in (if you choose to sign in with Google), the Places API for address autocomplete and geolocation, and Maps for embedded location maps on listings. Google processes this data under its own privacy policy.

Categorical providers

All categorical providers are based in the United States or the European Union and process data under appropriate contractual safeguards:

  • An AI provider that generates chat responses and AI-assisted content suggestions from messages and seller inputs.
  • A cloud hosting and serverless compute provider that runs the application.
  • A managed Postgres database provider that stores application data.
  • A cloud object-storage provider that holds the photos and logos you upload.
  • A transactional email delivery service that sends account, security, and billing emails.
  • An in-memory cache provider used for rate limiting and abuse prevention.

We will email registered users at least 30 days before adding or replacing a sub-processor that materially changes how your data is handled. You can request the current named list at any time by emailing hello@zanzai.app with the subject line "Privacy Request".

5. Cross-Border Data Transfers

Our application and the sub-processors listed above operate on cloud infrastructure based in the United States and the European Union. By using the Service from outside those regions, you consent to your data being transferred to and processed in those jurisdictions. We rely on contractual safeguards with each sub-processor to maintain a level of protection consistent with applicable law.

6. Data Retention

We retain your account, business, conversation, customer, services, staff, and uploaded file data for as long as your account is active. Chat conversations are retained for lead management and conversation history.

When you delete your account, this data is permanently deleted immediately — there is no recovery period and no post-deletion export window. If you want a copy of your data, request it via hello@zanzai.app (subject line: "Privacy Request") before you delete your account; we respond within 30 days.

Some records held by our sub-processors may be retained under their own retention policies for legal or audit reasons — for example, Stripe retains payment metadata in line with their financial-records obligations. You can contact those providers directly to exercise rights over the data they hold.

7. Your Rights

Depending on where you live, different privacy laws give you different rights. The rights below apply to anyone who uses the Service; jurisdiction-specific rights follow.

Common rights (all users)

  • Access — request a copy of the personal information we hold about you
  • Correction — request correction of inaccurate information
  • Deletion — request deletion of your personal information
  • Objection — object to particular uses of your information
  • Withdraw consent — where we rely on your consent, you can withdraw it at any time

If you are in South Africa (POPIA)

You can lodge a complaint with the Information Regulator of South Africa.

If you are in Canada (PIPEDA)

You can lodge a complaint with the Office of the Privacy Commissioner of Canada. If you live in Quebec, you also have rights under Law 25, including data portability (a structured, commonly used copy of your data) and the right to be informed about decisions made about you by automated processing. We currently handle portability requests manually — email us and we will provide your data in CSV form.

If you are in the European Union or United Kingdom (GDPR)

You also have the right to data portability, the right to restrict processing, and the right to lodge a complaint with your national data protection authority.

If you are in California (CCPA / CPRA)

You have the right to know what we collect, to delete it, and to opt out of the sale or sharing of your personal information. We do not sell or share personal information with third parties for advertising purposes. We will not discriminate against you for exercising these rights.

To exercise any of these rights, email us at hello@zanzai.app with the subject line "Privacy Request". We respond within 30 days.

8. Security & Breach Notification

We protect your data with encryption in transit (HTTPS/TLS), hashed passwords (bcrypt), authentication on all sensitive endpoints, cross-tenant data isolation, and rate limiting on public APIs. No method of transmission over the internet is 100% secure, but we take reasonable measures to protect your information.

If a security incident creates a real risk of significant harm to you, we will notify affected users and the relevant regulator(s) without undue delay, in accordance with applicable law.

9. Cookies, Storage, and Analytics

Authentication cookies. Better Auth, our authentication provider, sets two cookies (better-auth.session_token and better-auth.session_data) to keep you signed in. They expire after 30 days, are cleared when you sign out, and are essential to the Service — you cannot opt out while logged in.

Chat session storage. On public listing pages we use browser session storage to maintain a chat session for unauthenticated visitors. It clears when you close the tab.

Analytics (Mixpanel). We use Mixpanel to understand how the platform is used so we can improve it. Mixpanel records product events such as listing views (listing.viewed), chat starts (chat.started), and action clicks like calls or booking-link taps (listing.action). For signed-in sellers these events are linked to your user ID; for anonymous visitors they are linked to an anonymous session identifier stored in your browser's local storage. We do not sell your data, run advertising trackers, or build profiles for advertising purposes. If you are signed in and want your Mixpanel profile deleted, email hello@zanzai.app with the subject line "Privacy Request".

10. Children

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will give registered users at least 30 days' notice via email before the changes take effect. Continued use of the Service after that notice period constitutes acceptance.

12. Contact & Complaints

For privacy-related questions or to exercise your data rights, contact our Privacy & Information Officer at hello@zanzai.app with the subject line "Privacy Request". We respond within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the data protection authority in your jurisdiction:

  • South Africa — Information Regulator of South Africa: inforegulator.org.za, POPIAComplaints@inforegulator.org.za, +27 10 023 5200
  • Canada — Office of the Privacy Commissioner of Canada: priv.gc.ca
  • Quebec — Commission d'accès à l'information du Québec: cai.gouv.qc.ca
  • Other jurisdictions — contact your national or state data protection authority.
2026 Zanzai. All rights reserved.