GDPR Compliance
How ZARZOOM processes personal data under the UK and EU General Data Protection Regulation.
Last updated: 10 June 2026
1. Data Controller
ZARZOOM Ltd, a company registered in the United Kingdom, is the data controller for personal data processed through the zarzoom.com website and the ZARZOOM platform. For all data protection matters you can contact us at privacy@zarzoom.com.
2. Scope of This Statement
This statement explains how we process personal data under the UK GDPR and the EU GDPR. It supplements our Privacy Policy and Cookie Policy; where this statement is more specific, it takes precedence for data protection matters.
3. Lawful Bases for Processing
We process personal data on the following lawful bases: performance of a contract (providing the ZARZOOM service you signed up for, including account management and billing); legitimate interests (securing the platform, preventing abuse, and improving the service); consent (marketing communications and optional features that use your likeness or voice, such as presenter avatars and voice cloning — consent is recorded and can be withdrawn at any time); and legal obligation (tax, accounting, and regulatory record-keeping).
4. Categories of Personal Data
Depending on how you use ZARZOOM, we process: account data (name, email address, hashed credentials); billing data (subscription and payment records — card details are handled by Stripe and never stored on our systems); content and workspace data (posts, articles, images, brand profiles, and — where you choose to use these features — photographs and voice recordings you upload as presenter avatar or voice-clone reference material); technical and usage data (IP address, browser type, device information, log and analytics data); and support communications (tickets, messages, and related correspondence).
5. Sub-processors
We use a limited set of service providers to operate ZARZOOM, each bound by data processing agreements: Supabase (database and authentication hosting), Vercel (website hosting and content delivery), Cloudflare R2 (file storage), Stripe (payment processing), OpenRouter (AI text generation, operated with Zero Data Retention so prompts and outputs are not stored by the provider), Upload-Post (publishing to connected social platforms), fal.ai (AI image and video generation), Inworld and ElevenLabs (AI voice synthesis), and Groq (AI inference). We review sub-processors for GDPR compliance before engaging them.
6. Your Rights
You have the right to access your personal data; to have inaccurate data rectified; to erasure ('right to be forgotten'); to restrict processing; to data portability; to object to processing based on legitimate interests; and to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To exercise any of these rights, contact privacy@zarzoom.com. We respond to requests within one month as required by law.
7. Data Retention
We retain personal data only for as long as necessary: account and workspace data is kept while your account is active and deleted or anonymised after account closure, subject to statutory retention requirements; billing records are kept for the period required by tax law; compliance moderation audit records are retained for 90 days; and content retention follows the limits described in our Privacy Policy. You may request deletion of your data at any time.
8. International Transfers
Some of our sub-processors process data outside the United Kingdom and the European Economic Area, including in the United States. Where this happens, we rely on appropriate safeguards: UK adequacy regulations, the EU-US and UK-US data bridge frameworks where applicable, and standard contractual clauses (including the UK International Data Transfer Addendum).
9. Security Measures
We apply appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, row-level security on our databases, audit logging, and regular security reviews. No system is completely secure, and we maintain incident response procedures including breach notification to the relevant supervisory authority within 72 hours where required.
10. Automated Processing and AI Features
ZARZOOM uses AI systems to generate and validate content on your behalf, including automated suitability checks on uploaded avatar photographs. These automated checks assist our processes but do not produce legal effects concerning you; significant decisions (such as account suspension) always involve human review. AI-generated content is created under your direction and, on plans that include review steps, remains under your control before publication.
11. Changes to This Statement
We may update this statement as our processing activities or legal obligations change. Material changes will be notified via email or through the platform, and the 'Last updated' date above will always reflect the current version.
12. Contact and Complaints
Questions, requests, and complaints about data protection can be sent to privacy@zarzoom.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, if you are in the EU/EEA, with your local supervisory authority.