Privacy Policy
Last updated: 11 August 2025
1. Introduction
Zana Intelligence Limited (also trading as Zana Intelligence Limited) provides an AI‑powered platform that helps users prepare, tailor and sometimes submit job applications. This Privacy Policy explains how we collect, use, disclose and safeguard your personal information.
Zana Intelligence Limited is currently incorporated in Nigeria and intends to incorporate in other countries in the future. For now this Policy is governed by Nigerian law, including the Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA), and is also designed to comply with the UK/EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other applicable privacy laws. If we incorporate or become regulated in another jurisdiction, we will update this Policy and notify you accordingly.
This Policy applies to personal data collected from individuals located in Nigeria, the United States, the United Kingdom, Canada and other countries. Zana Intelligence Limited acts as the “data controller” (or “business” under the CCPA) when determining how and why your personal data is processed and as a “data processor” when acting on behalf of employers and job boards.
2. Scope, Governance and Legal Basis
This Policy covers all personal information Zana Intelligence Limited collects via our website, mobile applications, platform and associated services (collectively, the Services). It applies to applicants, visitors, business contacts and any person who interacts with us. By using our Services you consent to the practices described in this Policy.
Zana Intelligence Limited is subject to Nigerian law, and our data processing is governed by the NDPR/NDPA. However, we also comply with other jurisdictions when applicable:
UK/EU GDPR (incorporating the UK’s version following Brexit): provides rights such as access, rectification, erasure, restriction, portability and objection; controllers must respond to requests within one month (edpb.europa.eu) and implement appropriate safeguards for international transfers (dentons.com).
California CCPA/CPRA: California residents have rights to know what personal information is collected and how it is used, to request deletion, to opt out of sale or sharing of personal data and to be free from discrimination when exercising their rights (oag.ca.gov). The CPRA expands rights to correct inaccurate data and to limit use of sensitive information (oag.ca.gov).
Nigeria NDPR/NDPA: Similar to GDPR, the NDPA grants rights to confirmation of processing, access, correction, erasure, withdrawal of consent, objection, restriction, portability and not to be subject to automated decision‑making (securiti.ai). Cross‑border transfers require an “adequacy decision” by the Nigerian authority or fulfilment of specific conditions (such as the data subject’s consent, contract necessity or vital interests) (dentons.com).
Where more than one law applies, we will comply with the most protective requirement for you.
3. Information We Collect
We collect the categories of personal data listed below. Some of this information is provided directly by you, while some is collected automatically or from third parties.
Identity & Contact Information: Name, email address, phone number, postal address, nationality, countries of interest for work. Purpose/legal basis: To create and manage your account; communicate about your applications; customise the Services; legal basis: contract performance, legitimate interest (communication), legal obligation (e.g., know‑your‑customer or tax laws).
Application & Professional Data: Curriculum vitae (CV), résumé, portfolio links, cover letters, job preferences, salary expectations, application history, interview notes and correspondence with employers and recruiters. This may include diversity, equity and inclusion (DEI) information or other sensitive personal data you voluntarily provide. Purpose/legal basis: To match you with job opportunities, tailor your CV/cover letters using AI, submit applications, manage correspondence and store records. Legal basis: contract performance (to provide the Services), legitimate interests (to improve our matching algorithms), consent (where you provide DEI or other special category data).
Usage & Device Data: Internet Protocol (IP) address, browser type, device identifiers, operating system, date/time stamps and usage logs. Purpose/legal basis: To operate and secure our Services, conduct analytics, prevent fraud and detect bugs. Legal basis: legitimate interest (service security and improvement), legal obligation (e.g., to prevent fraud).
Location Data: Your country or city derived from your IP address or provided by you directly. Purpose/legal basis: To suggest jobs in your preferred region and comply with jurisdiction‑specific obligations. Legal basis: contract performance, consent (where required), legitimate interest.
Payment Information: When you purchase premium features, your payment information (payment card type, partial card digits, billing address) is collected by our payment processors—Paystack, Stripe and PayPal. Zana Intelligence Limited does not store full payment card numbers or security codes. Purpose/legal basis: To process payments, validate transactions and comply with anti‑fraud obligations. Legal basis: contract performance, legal obligation (financial regulations), legitimate interest (fraud prevention).
Cookies & Tracking Data: Cookies, pixels and similar technologies that collect information about your device and browsing activities, including analytics and marketing cookies. Under GDPR and e‑Privacy rules, non‑essential cookies require prior consent and must be easy to decline (gdpr.eu). Purpose/legal basis: To provide essential site functions, remember preferences, analyse traffic, deliver marketing and measure campaign effectiveness. Legal basis: legitimate interest (necessary cookies), consent (analytics/marketing cookies).
Correspondence & Support Data: Communications with us (emails, chat conversations, support requests). Purpose/legal basis: To respond to inquiries, provide customer support and improve services. Legal basis: contract performance, legitimate interest.
Children’s Data: Our Services are not intended for children under the age of 16. We do not intentionally collect or process personal data about children and do not request age data. If we learn that a child under 16 has provided us with personal data, we will promptly delete such information. Parents or guardians who believe their child has provided us with information should contact us at the email below.
4. How We Use Your Information and Our Lawful Bases
Zana Intelligence Limited processes your personal data only when there is a valid lawful basis. We may rely on more than one lawful basis depending on the purpose.
Account creation and service delivery: We use your identity, contact and application data to create your account, match you with job opportunities, tailor your CV and cover letters using AI and automatically submit applications on your behalf. The lawful basis is performance of a contract (providing the Services you request).
AI‑powered résumé and cover‑letter tailoring: We may send your information to AI model providers to generate enhanced application materials. The lawful basis is performance of a contract and legitimate interests (enhancing user experience). We obtain explicit consent for processing sensitive DEI data.
Application submission and employer communications: We automatically submit job applications and send correspondence on your behalf. The lawful basis is performance of a contract and legitimate interests (efficient matching). You remain responsible for verifying the accuracy of the information you provide, and we do not guarantee job placement.
Payment processing: If you purchase premium Services, we share your payment details with Paystack, Stripe or PayPal. The lawful basis is contract performance and legal obligations (e.g., tax and anti‑fraud laws).
Analytics and improvements: We analyse usage patterns, monitor performance and perform troubleshooting to improve our Services. The lawful basis is legitimate interests.
Marketing communications: We use your contact information to send newsletters and marketing messages. We offer two options:
Version A – Explicit opt‑in (GDPR‑compliant): We will only send marketing communications when you actively consent (e.g., by checking a box).
Version B – Implied consent with unsubscribe: If local law permits, we may send marketing emails based on our legitimate interest in promoting similar services. You may opt out at any time by clicking “unsubscribe” in the email or contacting us.
Legal compliance and fraud prevention: We process data to comply with legal obligations, enforce our Terms of Use, protect our rights and prevent fraud or misuse. The lawful basis is legal obligations and legitimate interests.
Transfers to third parties and cross‑border processing: We may transfer your personal data to third‑party service providers (see Section 8) and across borders. We rely on Standard Contractual Clauses approved by the European Commission and other safeguards (commission.europa.eu), or we will obtain your consent or rely on other exceptions allowed under the NDPR/NDPA (dentons.com).
5. AI Processing and Automated Decision‑Making
Zana Intelligence Limited leverages artificial intelligence to tailor CVs and cover letters and to suggest and automatically submit job applications. While AI can improve efficiency, it may produce errors. You are responsible for ensuring that the information you provide is accurate. Zana Intelligence Limited cannot guarantee the outcome of job applications, and we will not be liable for any errors or omissions generated by the AI.
We do not make legally binding decisions solely by automated means that produce legal or similarly significant effects without human involvement; however, our services may result in automated matching or ranking. You have the right to request human review of automated decisions under applicable law.
6. Special Category Data and Sensitive Information
We recognise that some information you provide, such as DEI data (race, ethnicity, gender identity, disability status) or sensitive details contained in your CV or cover letters, may be considered special category data under the GDPR and other laws. We process such data only with your explicit consent, obtained via a clear affirmative action (for example, by voluntarily providing DEI information or selecting a checkbox), for the specific purposes for which it was provided (e.g., to promote diversity in recruitment or to comply with equal opportunity reporting obligations), with enhanced security measures (encryption, restricted access) and adherence to data minimisation and purpose limitation requirements. You may withdraw your consent to the processing of special category data at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.
7. Payment Information
If you choose to purchase premium features or services, we collect your name, billing address and payment details (e.g., card type, masked card number and expiration date). Payments are processed by third‑party payment processors Paystack, Stripe and PayPal, which operate under their own privacy policies. Zana Intelligence Limited does not store full payment card numbers or security codes. We require these processors to use industry‑standard security and comply with data protection laws. We may store transaction records and partial payment information as required by financial regulations and for fraud detection.
8. Cookies and Tracking Technologies
We use cookies, pixels and similar technologies to provide and improve our Services. A cookie is a small text file stored on your device when you visit our website; it may be first‑party (set by Zana Intelligence Limited) or third‑party (set by service providers) and may be a session cookie that expires when you close your browser or a persistent cookie that remains until its expiration date. Cookies can be categorised as necessary (essential for the website to function), preferences (remembering choices), statistics/analytics (measuring performance) and marketing (targeting advertising).
Under GDPR/e‑Privacy rules, we must obtain your consent before using non‑essential cookies, provide clear information about each cookie’s purpose and duration, keep proof of consent, allow you to refuse without detriment and make withdrawing consent as easy as giving it. We may use tools such as Google Analytics, Metamap or similar analytics services to collect aggregated statistics about visitors, and we may use marketing pixels (e.g., from social media platforms) to measure the effectiveness of our campaigns. You can manage your cookie preferences through our cookie banner or by adjusting your browser settings. If you opt out of marketing cookies, you may still see advertising, but it will not be tailored to your interests.
9. Sharing Your Information
We share personal data only with third parties necessary to fulfil the purposes described above and in accordance with this Policy.
AI model providers: We send portions of your CV, cover letters and job preferences to AI providers to generate tailored documents. These providers process data on our behalf and must adhere to their own privacy and security commitments.
Job boards, recruitment agencies and employers: We share your application materials and relevant contact information with third‑party job boards, recruiters and potential employers when automatically submitting applications or when you ask us to do so.
Analytics and marketing partners: We share aggregated or pseudonymised data with analytics services (e.g., Metamap, Google Analytics) and marketing partners to evaluate performance and improve services.
Cloud and hosting providers: Our Services are hosted on cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). These providers operate globally through “regions,” each consisting of multiple independent data centres designed to provide resilience, reduce latency and comply with data residency regulations (portworx.com, learn.microsoft.com, bgiri-gcloud.medium.com).
Payment processors: Paystack, Stripe and PayPal process payment transactions and handle your payment data.
Service providers and professional advisors: We may share data with consultants, auditors, legal advisers and other vendors who support our operations.
Regulators and law enforcement: We may disclose information if required by law or to protect our rights, users, partners or the public (e.g., in response to subpoenas, court orders or regulatory audits).
We require our service providers to process personal data only in accordance with our instructions and to protect it in a manner consistent with this Policy. Where third parties act as independent controllers (for example, employers or job boards), their own privacy policies apply.
10. International Transfers and Data Storage
Your personal data may be processed and stored in countries other than where you reside, including Nigeria, the United States, the United Kingdom, Canada and the European Economic Area (EEA). For example, our cloud providers host data in multiple regions worldwide, such as AWS regions or Azure geographies, which are geographically isolated and consist of multiple data centres. Each region is independent and connected by low‑latency networks to ensure resilience and compliance. Google Cloud regions consist of three or more zones, each physically separated for disaster recovery and data residency purposes.
Whenever we transfer personal data out of Nigeria or the EEA, we ensure that it is protected by one of the following mechanisms:
Adequacy decisions: transfers to countries recognised by Nigerian or EU authorities as providing an adequate level of protection.
Standard Contractual Clauses (SCCs): pre‑approved contractual terms adopted by the European Commission and recognised in the NDPR/NDPA that provide safeguards for personal data transferred internationally (commission.europa.eu). We incorporate the SCCs into our agreements with service providers and partners.
Explicit consent: where required, we obtain your explicit consent to transfer your data to recipients in countries without adequacy decisions (dentons.com).
Other permitted exceptions: such as transfers necessary for the performance of a contract, for important reasons of public interest, to establish or defend legal claims or to protect the vital interests of individuals (dentons.com).
We also employ encryption, secure transmission protocols and strict access controls to protect your data during transit and storage.
11. Data Retention and Deletion
We keep your personal data only as long as necessary for the purposes described in this Policy, unless we are required to retain it for a longer period by law or to resolve disputes.
Active account: While your account remains active, we keep your personal data to provide the Services.
Account closure: Upon account closure, we retain your CV, cover letters, application data and related correspondence for 24 months, after which we securely delete or anonymise the data unless retention is required by law, regulatory reasons or to resolve legal claims. This period allows users to return to the platform without losing their historical application information.
Legal and regulatory requirements: We may retain certain records (including transaction details) for longer if needed to comply with tax, audit or legal obligations.
Anonymised data: We may retain aggregated and anonymised data indefinitely for analytical and research purposes. When deletion is required, we take reasonable steps to ensure that personal data is irretrievably erased from our active systems and backups, or is anonymised so that it can no longer be associated with an individual.
12. Security Measures
We take security seriously and implement technical and organisational measures to protect your personal data: Encryption (TLS in transit and where supported at rest), access controls (need‑to‑know access, multi‑factor authentication, role‑based access controls, logging), monitoring and testing (vulnerability monitoring, security assessments and penetration tests), and policies/training (data protection, confidentiality and incident response).
While we endeavour to protect personal data, no method of transmission or storage is completely secure. Accordingly, we cannot guarantee absolute security, and you use our Services at your own risk.
13. Your Rights and Choices
You have rights regarding your personal data under the NDPA/NDPR, GDPR, CCPA and other applicable laws. We respect these rights and provide mechanisms to exercise them. Depending on your location, these rights may include: the right to be informed; the right of access and confirmation; the right to rectification; the right to erasure (“right to be forgotten”); the right to withdraw consent; the right to object and restrict processing; the right to data portability; the right not to be subject to automated decisions; the right to opt out of sale/sharing (CCPA); and the right to non‑discrimination (CCPA).
Exercising Your Rights: To exercise your rights, please contact us by email at privacy@tryzana.com or write to the Data Protection Officer at our registered address (see Section 16). We may need to verify your identity before processing your request, and we may ask for additional information to ensure we respond to the correct individual. We will respond within 30 days of receiving your request (or within the time allowed under applicable law). If we need more time, we will inform you of the reason and the extension period. You may also lodge a complaint with the relevant data protection authority (e.g., Nigeria Data Protection Commission, UK Information Commissioner’s Office, EU supervisory authority or your local regulator). We encourage you to contact us first so we can address your concerns.
14. Data Breach and Incident Response
Zana Intelligence Limited has procedures to detect, report and investigate personal data breaches. In the event of a breach that poses a risk to your rights and freedoms, we will notify the appropriate regulators and affected individuals without undue delay, and in any event within the timeframes required by the NDPR/NDPA, GDPR, CCPA and other applicable laws. Notifications will describe the nature of the breach, likely consequences and measures taken or proposed to mitigate the effects.
15. Email Marketing & Communications Options
We provide two alternatives for marketing communications depending on the jurisdiction and implementation:
Version A – Explicit Opt‑In: We will only send marketing emails or text messages when you actively opt in (e.g., by ticking a box during registration). This model complies with GDPR’s requirement for prior consent and ensures that no marketing messages are sent without your permission. You can withdraw consent at any time by using the unsubscribe link or contacting us.
Version B – Implied Consent with Unsubscribe: In jurisdictions where implied consent is permitted, we may send marketing communications about Zana Intelligence Limited and similar products/services based on our legitimate interest. We will provide a clear opt‑out mechanism in every message. If you do not wish to receive such communications, please use the unsubscribe link or email us. We will honour your request promptly.
Regardless of the version, transactional emails (e.g., account updates, service announcements, legal notices) are not marketing communications and you may not opt out of them if you use our Services.
16. Contact Information
If you have questions about this Privacy Policy or wish to exercise your rights, please contact:
Data Protection Officer (DPO) — Zana Intelligence Limited / Zana Intelligence Limited
86-90 Paul Street, London, EC2A 4NE, United Kingdom
Email: dataprotection@tryzana.com
We encourage you to contact us first with any concerns so we can address them directly.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements or industry best practices. If we make material changes, we will provide notice (for example, by email or through our website) and indicate the effective date at the top of the Policy. Continued use of the Services after the updated Policy becomes effective means that you accept the changes. When Zana Intelligence Limited incorporates or registers in a new jurisdiction, we will update the governing law and relevant sections accordingly.
18. Indemnity and Limitation of Liability
By using our Services you agree that Zana Intelligence Limited is not responsible for losses or damages arising from your reliance on the Services or the content generated by our AI. We do not guarantee that using our platform will result in a job offer or any particular outcome.
To the maximum extent permitted by law, Zana Intelligence Limited will not be liable for indirect, incidental, special or consequential damages or lost profits, even if we have been advised of the possibility of such damages. Our total liability arising out of or relating to this Policy or the Services will not exceed the amount you paid to use our Services in the preceding twelve months, unless otherwise required by law.
19. Governing Law and Dispute Resolution
This Privacy Policy and any dispute arising under it are governed by the laws of Nigeria. Unless prohibited by applicable law, any dispute shall be resolved through good‑faith negotiations; if unresolved, it shall be submitted to confidential arbitration in Lagos, Nigeria, subject to the rules of the Nigerian arbitration body, without prejudice to your right to lodge complaints with a supervisory authority.
When Zana Intelligence Limited becomes incorporated in another jurisdiction, we may designate that jurisdiction’s laws and courts for governing disputes, and we will update this section accordingly.
This policy was last updated on 11 August 2025. It may be translated into other languages for convenience; the English version shall prevail in case of conflict.