Privacy Policy

How we collect, use, share and protect your personal data.

KEY DETAILS — the only place these values appear. To update the company, country, product, contact or date, change them here and nowhere else in this document.

FieldValue
Company / Data ControllerZARSK Ltd (referred to in this document as "the Company", "we", "us" or "our")
Company registration[COMPANY NUMBER]
Registered address[REGISTERED ADDRESS]
Product / Service nameZARZOOM (the "Service")
Website[WEBSITE URL]
Governing lawEngland & Wales, United Kingdom
Privacy / data contact[PRIVACY EMAIL]
Data protection representative (if appointed)[EU/UK REPRESENTATIVE, IF ANY]
Last updated[DATE]

1. About this Policy

1.1 This Privacy Policy explains how we collect, use, share and protect personal data when you use the Service, visit our website, or otherwise interact with us. It applies alongside our Terms of Service and Cookie Policy.

1.2 We act in two different roles depending on the data:

  • As a controller — for personal data about you as our customer, your account, billing, support, and our website visitors. This Policy covers that role.
  • As a processor — for personal data you put into the Service, or that we handle on your behalf when generating and publishing Content and operating your Connected Accounts. For that role, you are the controller and our Data Processing Agreement governs how we handle it. Section 9 explains this split.

1.3 We comply with the UK GDPR and Data Protection Act 2018, the EU GDPR where it applies, and applicable US state privacy laws including the CCPA/CPRA, as relevant to where you are.

2. The personal data we collect

We collect the following categories of personal data:

(a) Account and identity data — name, email address, password (stored hashed), organisation name, and account settings.

(b) Billing and transaction data — billing name, billing address, country, currency, plan, subscription and payment history. Card details are handled by our payment processor; we do not store full card numbers.

(c) Workspace and content data — the brands, prompts, instructions, Content, schedules and configuration you create within Workspaces. This may contain personal data if you choose to include it.

(d) Connected Account data — the access tokens and identifiers needed to publish to your Connected Accounts, the platforms you connect, and post and performance data returned by those platforms (for example, post status, impressions and engagement metrics).

(e) Avatar and likeness data — where you use Avatar features, the face or image references you provide and the synthetic likenesses generated from them. Depending on how it is used, image data of an identifiable person may be sensitive. You are responsible for having the rights and consents to provide it (see your warranties in the Terms of Service), and we process it only to provide the feature to you.

(f) Support and communications data — the content of your messages to us, support tickets, and our responses, including any interactions with our AI customer-service agents.

(g) Technical and usage data — IP address, device and browser information, log data, pages and features used, and analytics about how the Service is used.

(h) Cookie and similar data — as described in the Cookie Policy.

We use personal data for the purposes below. Where the UK/EU GDPR applies, our legal basis is shown.

PurposeLegal basis
Creating and managing your account; providing the ServicePerformance of a contract with you
Generating, scheduling and publishing Content to your Connected Accounts on your instructionPerformance of a contract; and, for data of third parties, processing on your behalf (see DPA)
Billing, taking payment, preventing fraudPerformance of a contract; legal obligation; legitimate interests (fraud prevention)
Providing support and responding to youPerformance of a contract; legitimate interests
Securing, maintaining, monitoring and improving the ServiceLegitimate interests (running a safe, reliable Service)
Compliance and content moderation within our PlatformLegitimate interests; legal obligation
Sending service and transactional messagesPerformance of a contract; legitimate interests
Sending marketing (where permitted)Consent, or legitimate interests where allowed by law; you can opt out at any time
Complying with law and enforcing our termsLegal obligation; legitimate interests

3.2 Where we rely on legitimate interests, we have considered your rights and interests and you can ask us about that assessment. Where we rely on consent, you can withdraw it at any time without affecting prior processing.

3.3 We do not use your private Workspace Content or your customers' data to train our own or third parties' general-purpose AI models. AI providers process Content to deliver outputs to you, under the terms in section 7 and our DPA.

4. Avatar, face and voice data — extra care

4.1 Some features generate synthetic likenesses from a face or image reference, and synthetic voice. Where image or voice data relates to an identifiable individual and is used to uniquely identify them, it may be special category (biometric) data requiring additional protection and a specific legal basis.

4.2 We rely on you to ensure you have the necessary rights and explicit consents before providing any such reference, as required by the Terms of Service. We process this data only to provide the Avatar and voice features you request, retain it only as long as needed for that purpose, and apply appropriate safeguards. If you do not have the right to provide such data, you must not use these features.

5. Children

The Service is not intended for anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

6. Who we share personal data with

We share personal data with:

(a) Service providers / sub-processors who help us run the Service, under contracts that require them to protect it and use it only on our instructions. These currently include providers of:

  • hosting and database (e.g. Vercel; Supabase);
  • file and content storage (e.g. Cloudflare R2);
  • AI model routing and generation (e.g. OpenRouter; fal.ai);
  • text-to-speech (e.g. Inworld; ElevenLabs);
  • social publishing routing (our Publishing Partner, e.g. Upload-Post / Ayrshare);
  • payments (e.g. Stripe);
  • email delivery, analytics and support tooling.

A current list of sub-processors is available on request and is maintained for Business Customers under the DPA.

(b) Third-Party Platforms — when you publish, the relevant Content and associated data are sent to the Connected Accounts and platforms you have chosen. Those platforms are independent controllers of the data once it reaches them, under their own privacy policies.

(c) Professional advisers, authorities and acquirers — our advisers; authorities where required by law; and a buyer or successor in a merger, acquisition or reorganisation (with your data protected on equivalent terms).

We do not sell your personal data.

7. AI providers and how Content is processed

7.1 To generate Content, we send your prompts, instructions and related material to AI model providers via secure connections. They process it to return outputs to us, which we deliver to you. We use providers that contractually limit their use of this data to providing the service and (where applicable) do not use it to train their general models, and we configure their services to that effect where the option exists.

7.2 You should not include in prompts or Content any personal or confidential data you are not entitled to process, and you should avoid putting sensitive personal data into the Service unless you have a lawful basis and have configured the Service appropriately.

8. International transfers

8.1 Some providers are located outside the UK/EEA. Where we transfer personal data internationally, we use a lawful transfer mechanism, such as UK and EU adequacy decisions, the UK International Data Transfer Agreement / Addendum, or the EU Standard Contractual Clauses, together with appropriate safeguards. You can ask us for details of the safeguards used.

9. Controller vs processor — your data vs your customers' data

9.1 For data about you as our customer (account, billing, support, website usage), we are the controller and this Policy applies.

9.2 For data you put into the Service or that belongs to your audience and customers — including the personal data of people who follow or engage with your Connected Accounts, and any personal data within your Content — you are the controller and we act as your processor. You are responsible for having a lawful basis and for your own privacy notices to those individuals. Our Data Processing Agreement governs that processing, including our security and sub-processor commitments. If you are a Business Customer, the DPA forms part of your agreement with us.

10. How long we keep personal data

10.1 We keep personal data for as long as needed for the purposes above: for the life of your account and a reasonable period afterwards; longer where required for legal, tax, accounting, security or dispute-resolution reasons; and shorter where you ask us to delete it and we are able to. Specific retention periods (for example, compliance audit logs) are set by the relevant feature and law.

10.2 On account closure we delete or anonymise personal data after a reasonable period, except data we must retain.

11. How we protect personal data

We use appropriate technical and organisational measures, including encryption in transit, access controls, secret management for credentials and tokens, network controls, and monitoring. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents, and we will notify you and any regulator where the law requires.

12. Your rights

12.1 Subject to the law that applies to you, you have rights to:

  • access your personal data and get a copy;
  • rectify inaccurate or incomplete data;
  • erase data in certain circumstances;
  • restrict or object to certain processing, including objecting to direct marketing at any time;
  • data portability for certain data;
  • withdraw consent where we rely on it; and
  • not be subject to solely automated decisions with legal or similarly significant effects, except as the law allows.

12.2 If the CCPA/CPRA applies to you (California), you also have rights to know what personal information we collect and how we use and disclose it, to access and delete it, to correct it, to opt out of any "sale" or "sharing" (we do not sell personal data), and not to be discriminated against for exercising your rights.

12.3 To exercise any right, contact us using the privacy contact in the Key Details. We may need to verify your identity. We respond within the timeframes required by law.

12.4 Where we act as processor (section 9.2), requests from your audience or customers should usually be directed to you as controller; we will assist you as set out in the DPA.

13. Marketing

We only send marketing where the law allows, and you can opt out at any time using the unsubscribe link or by contacting us. Opting out of marketing does not stop essential service messages.

14. Complaints

If you have a concern, please contact us first using the Key Details. You also have the right to complain to a data protection authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your local supervisory authority.

15. Changes to this Policy

We may update this Policy. Where changes are material we will give reasonable notice. The "Last updated" date in the Key Details shows the current version.

16. Language

16.1 The authoritative version of this Policy is the English version. Translations are provided for convenience only.

16.2 In the event of any conflict, inconsistency, ambiguity, or question of interpretation between the English version and any translation, the English version prevails.


End of Privacy Policy.