Privacy Policy

2.1 Applicable Laws

• Nigeria (NDPA/NDPR): rights to confirmation, access, correction, erasure, consent withdrawal, objection, restriction, portability and protection from solely automated decisions. Cross-border transfers require adequacy decisions or alternative safeguards.
• UK GDPR: access, rectification, erasure, restriction, portability, objection. One-month response period. International transfer safeguards required.
• EU GDPR: as UK GDPR, plus mandatory DPIAs for high-risk processing.
• CCPA/CPRA: rights to know, delete, correct, opt out of sale or sharing, limit sensitive data use.
• PIPEDA: meaningful consent, purpose limitation, access on request.

Where multiple laws apply, Zana complies with the most protective. Zana maintains a Record of Processing Activities per GDPR Article 30 and the NDPA, available to supervisory authorities on request.

2.2 Lawful Bases

Primary bases: contract performance (providing the Services); legitimate interests (improving the platform, enabling job search and professional outreach, preventing fraud); consent (special category data, marketing, email account access, non-essential cookies); legal obligations (tax, anti-fraud, regulatory compliance).

3.1 Identity and Contact Information

• Name, email address, phone number, postal address, nationality, countries of interest.
• Purpose: account creation, verification, communications, service customisation.
• Lawful basis: contract performance, legitimate interest, legal obligation.

3.2 CV and Professional Profile Data

• CVs and résumés (Users may store multiple versions), portfolio links, LinkedIn profile data, professional biography and related professional documents.
• AI-generated insights: assessments of CV quality, identified areas for improvement, and recommendations.
• Purpose: document management, AI-powered analysis and optimisation, and generating tailored application materials.
• Lawful basis: contract performance, legitimate interests.

3.3 Application, Outreach and Campaign Data

• Cover letters, pitch materials, application documents, outreach messages and other professional communications generated through or uploaded to the platform.
• User preferences: job and outreach targeting criteria, salary expectations, industry preferences, company preferences, location preferences and visa requirements.
• History: records of applications submitted, outreach campaigns sent, and associated statuses and outcomes.
• Correspondence with employers, recruiters, investors, professors and other professional contacts.
• This may include diversity, equity and inclusion ("DEI") information or other sensitive data voluntarily provided.
• Purpose: matching Users with opportunities, generating tailored materials, submitting applications and outreach, tracking outcomes, and improving our services.
• Lawful basis: contract performance, legitimate interests, consent (for DEI or special category data).

3.4 AI Coaching and Conversational Data

• All conversational data from our AI coaching features, including questions, responses, career guidance sessions, interview preparation and professional advice exchanges.
• Purpose: providing personalised guidance, maintaining conversation context, and improving AI quality.
• Lawful basis: contract performance, legitimate interests.
• Note: coaching conversations may contain sensitive personal disclosures. Such data is processed solely for service delivery and AI improvement. It is never shared with employers, used for advertising, or analysed for purposes unrelated to providing the coaching service.

3.5 Email Account Data

• Where the User connects an email account (e.g. Gmail) via OAuth, Zana accesses: (a) the ability to send outreach emails on the User's behalf; and (b) where the User enables our email monitoring feature, the ability to detect application-related incoming messages (such as interview invitations, rejections and offers).
• Zana does not access, read, store or process personal emails beyond what is strictly necessary for sending approved outreach and detecting application-related responses. Zana does not access drafts, contacts, or email content unrelated to job applications or outreach.
• For application outcome detection, we store only the extracted status information (e.g. "Interview scheduled with [Employer] on [Date]"), not full email content.
• Lawful basis: explicit consent (OAuth authorisation plus in-app confirmation). Revocable at any time via Settings or via the email provider's account permissions.
• OAuth access tokens are deleted immediately upon disconnection.

3.6 Prospect Data

• Professional identity: name, job title, employer, seniority level, professional biography.
• Public professional activity: published content, social media posts, press mentions, professional contributions and similar publicly available information.
• Contact information: business email addresses, professional social media profile URLs, professional website URLs. Obtained from third-party data providers and publicly available sources.
• Organisational context: publicly available information about the Prospect's employer relevant to the outreach purpose.
• AI-generated insights: relevance assessments and suggested talking points based on publicly available data.
• Purpose: identifying relevant contacts, researching them, generating personalised outreach and enabling delivery.
• Lawful basis: legitimate interests (see Section 5.3).

3.7 Employer and Job Listing Data

• Company names, job titles, descriptions, salary ranges, locations, benefits, application URLs, and visa sponsorship information.
• Sources: public job boards, employer career pages, government databases and licensed third-party aggregation services.
• Purpose: presenting job opportunities, providing visa sponsorship information, powering recommendations, and enabling application submission.
• Lawful basis: legitimate interests.

3.8 Usage and Device Data

• IP address, browser type, device identifiers, operating system, timestamps, usage logs, feature usage patterns.
• Purpose: service operation, security, analytics, fraud prevention, product improvement.
• Lawful basis: legitimate interest, legal obligation.

3.9 Aggregated Analytics Data

• Zana generates anonymised, aggregated performance insights by analysing patterns across its user base. No individual User's data is disclosed to other Users.
• Purpose: providing Users with contextual career insights.
• Lawful basis: legitimate interests. Users may opt out of inclusion by contacting us.

3.10 Other Data Categories

• Location: country or city from IP address or direct input. For regional recommendations, visa-relevant filtering and jurisdictional compliance.
• Payment: processed by Paystack, Stripe and PayPal. Zana never stores full card numbers or security codes.
• Cookies: see Section 8.
• Support communications: emails, in-app messages, support tickets.
• Children: our Services are not directed at children under 16 (or under 13 where COPPA applies). We promptly delete children's data if discovered.

4.1 Job Search and Recommendations

• Aggregation and matching: we aggregate job listings from multiple sources and use AI to recommend opportunities based on your profile and preferences.
• Visa information: we provide visa sponsorship data by cross-referencing listings with publicly available government and employer records.
• Personalisation: our AI improves recommendations over time based on your activity and feedback. You can reset preferences at any time.

4.2 CV Management and Optimisation

• Storage: we store multiple CV versions and maintain version history.
• AI analysis: our AI evaluates your CV to provide quality assessments, identify areas for improvement and suggest enhancements.
• Version selection: for automated applications and outreach, our AI selects the most appropriate CV version for each opportunity.

4.3 Application Material Generation

• Tailored documents: our AI generates application materials (CVs, cover letters, supporting notes) tailored to specific opportunities.
• Storage: generated materials are stored and downloadable, linked to the corresponding opportunity.

4.4 Automated Application Submission

• How it works: where enabled, Zana identifies matching opportunities and submits applications on your behalf, using appropriate AI-generated materials. Submission records are maintained for transparency.
• Destinations: applications are submitted to third-party job boards, employer systems and recruitment platforms. Those parties' own privacy policies govern subsequent handling of your data.
• Controls: you configure the parameters for automated submission (including volume limits, targeting criteria and exclusions) and can pause or override the feature at any time.

4.5 AI Coaching

• Guidance: personalised career advice, interview preparation, salary guidance and professional analysis.
• Proactive insights: Zana may proactively provide relevant alerts and suggestions based on your profile and activity.
• Isolation: coaching data is not shared with employers, recruiters or other external parties.

4.6 Application Tracking and Reporting

• Tracking: we track the status of applications across their lifecycle. Where email monitoring is enabled, status updates are detected automatically.
• Analytics: we provide performance metrics including response rates and outcome summaries.
• Reports: periodic AI-generated reports analyse your activity and provide contextual insights. These may include anonymised benchmarks; no individual User data is disclosed.

4.7 Email Monitoring (Application Outcomes)

• Purpose: where enabled, monitors the connected email account to detect application-related messages and update the application tracker.
• Scope: application-related emails only. Personal, social and commercial emails are not accessed or stored.
• Stored data: extracted status information only, not full email content.
• Consent: explicit consent required (OAuth plus in-app). Revocable at any time. Tokens deleted on disconnection.

4.8 Professional Outreach

• Discovery and research: AI identifies and researches relevant professional contacts based on your criteria, using publicly available information.
• Content generation: AI generates personalised outreach content for each contact.
• Delivery: outreach is sent from your connected email account.
• Tracking: we track delivery and engagement status. You can disable engagement tracking in Settings.
• Follow-up: Zana notifies you when recipients engage, so you can decide whether and how to follow up.

4.9 Platform Operations

• Analytics and improvement: usage analysis, testing and algorithm improvement.
• Payments: subscription processing via Paystack, Stripe and PayPal.
• Security: abuse monitoring, rate limiting, platform protection.
• Legal compliance: applicable laws, regulations and legal processes.

4.10 Communications

• Transactional: account updates, status notifications, security alerts. Cannot be opted out.
• Marketing: explicit opt-in only. Withdrawable at any time.

5.1 AI-Powered Processing

Zana uses artificial intelligence to power key features of the Services. The following table summarises our AI processing activities, the categories of data involved and the individuals affected:

5.2 Automated Decision-Making and Profiling

User Profiling

Zana generates automated recommendations (job suggestions, CV assessments, application insights) based on analysis of your professional data. These are recommendations only; you retain full control over all actions. Where Zana submits applications automatically, it operates within parameters you have set and the feature is pausable at any time. You have the right to request human review of any automated decision.

Prospect Profiling

Zana assesses the relevance of Prospects to a User's outreach criteria using automated analysis of publicly available professional data. This does not produce legal effects on Prospects or similarly significantly affect them, as the outcome is a professional communication. Safeguards include human review of outreach content before delivery, User override capability, Prospect inquiry rights, and the absence of solely automated binding decisions about Prospects.

5.3 Legitimate Interest Assessment for Prospect Data

• Purpose: legitimate interest in professional outreach (recruitment, business development, investment, academic collaboration).
• Necessity: essential to the outreach Services.
• Balancing: only publicly available professional data is processed. Outreach is professional in nature and does not cause material detriment.
• Safeguards: limited retention, accessible opt-out, frequency limits, contractual prohibition on misuse by Users.

The full Legitimate Interest Assessment is available from the Data Protection Officer on request.

5.4 Transparency for Prospects (GDPR Article 14)

• At first contact: outreach communications include a link to this Privacy Policy and identify Zana's involvement.
• Uncontacted Prospects: where providing individual notice would involve disproportionate effort (Article 14(5)(b)), we rely on the public availability of this Policy, short retention periods and an accessible inquiry mechanism as safeguards.
• We maintain records of Prospect categories, data sources and volumes for accountability.

5.5 Public Data Collection

Zana collects publicly available professional information from the internet, including professional networks, academic databases, company websites and public filings. We:

• collect only professional data that individuals have voluntarily made public;
• respect robots.txt directives where technically feasible;
• supplement with data from licensed third-party providers who warrant lawful collection;
• apply rate limiting and access controls to minimise impact on source websites; and
• honour Prospect rights requests (including objection and erasure) promptly.

5.6 AI Service Providers

Zana transmits data to third-party AI model providers for content generation and analysis. These providers process data under contractual terms that prohibit them from using Zana's data for model training and that require deletion after processing. A list of current AI sub-processors is available on request.

AI-generated content may contain errors. Users are solely responsible for reviewing all content before use or distribution.

9.1 Service Providers

9.2 Application and Outreach Recipients

• Job boards, employer systems and recruitment platforms (for application submissions).
• Employers, recruiters, investors, professors and other outreach recipients.
• These recipients are independent controllers; their own privacy policies apply.

9.3 Other Disclosures

• Professional advisors (legal, audit, consultancy).
• Regulators and law enforcement (where required by law).
• Corporate transactions (mergers, acquisitions, asset sales), subject to confidentiality.

We maintain a list of current sub-processors at tryzana.com/sub-processors. We provide at least 30 days' notice before adding or replacing sub-processors. Users may object to changes as specified in our Data Processing Agreement.

11.1 User Data

• Active accounts: retained for the duration of the account.
• Closed accounts: profile, documents, history and correspondence retained for 24 months, then securely deleted or anonymised.
• Transaction records: retained per applicable financial regulations (typically 6 to 7 years).
• Email tokens: deleted immediately upon disconnection.
• Coaching data: account duration plus 12 months, then deleted.

11.2 Prospect Data

• Active campaigns: campaign duration plus 90 days.
• Unengaged prospects: deleted or anonymised within 90 days of campaign conclusion.
• Engaged prospects: 12 months after last interaction, then deleted.
• Opted-out prospects: minimum identifying data (email and name) retained on a suppression list to prevent future contact (lawful basis: legitimate interest and anti-spam obligations). All other data deleted within 30 days.

11.3 Employer and Job Listing Data

• Active listings: listing duration plus 90 days.
• Expired listings: anonymised or deleted within 6 months.
• Visa records: retained for up to 12 months, refreshed periodically.

11.4 Anonymised Data

Aggregated, anonymised data may be retained indefinitely for analytics and research. Anonymised per EDPB guidance; it cannot be re-identified through reasonably available means.

13.1 CCPA/CPRA (California Residents)

• Rights to know, delete, correct, opt out of sale or sharing, limit sensitive data use, and non-discrimination.

Zana does not "sell" personal information under the CCPA. Certain sharing with analytics or advertising partners may constitute "sharing" under the CPRA. California residents may opt out via our website or by contacting us.

13.2 Exercising Your Rights

Contact privacy@tryzana.com or the Data Protection Officer (Section 20). We verify identity and respond within 30 days. Complaints may be lodged with the Nigeria Data Protection Commission, UK ICO, EU supervisory authorities, the California Attorney General, or the Canadian Privacy Commissioner.

CASL (Canada)

CASL requires express consent before sending commercial electronic messages. Zana screens recipient jurisdictions and applies CASL-compliant rules. For business email addresses that have been conspicuously published without a no-solicitation statement, Zana permits outreach under the Section 10(9)(b) exemption where the message is relevant to the recipient's professional role. Users are responsible for ensuring valid consent or an applicable exemption.

PECR (United Kingdom)

PECR requires consent for unsolicited direct marketing to individual subscribers. Outreach to corporate email addresses is permitted under the Regulation 22(3) corporate subscriber exemption. Outreach to sole traders, partnerships or personal addresses may require consent, and Zana provides jurisdiction-aware compliance checks. Users bear primary PECR responsibility; Zana may restrict sends where regulatory risk is identified.