Last updated: February 2026
This Privacy Policy explains how Blackmass Enterprises Ltd (UK Company Registration No. 16124799), trading as ZIMX® Finance ("we", "us", "our"), collects, uses, and protects information when you use ZiRA — Zimbabwe Intelligent Resource Assistant — at ZiRa.chat ("the Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller for the purposes of applicable data protection law is Blackmass Enterprises Ltd, registered in England and Wales (Company No. 16124799). If you have any questions about this policy or how we handle your data, you can contact us at privacy@zira.chat or at our registered business address.
When you use ZiRA, we may collect the following categories of information: conversation data (the messages you send to ZiRA and the responses generated); technical data including your IP address, browser type, device information, and access times; session identifiers used to maintain conversation continuity; usage data such as which modes you use, message frequency, and session duration; and if you join our waitlist, your email address. We do not require you to create an account or provide personal information to use ZiRA's chat functionality.
We use the information we collect to provide and operate the ZiRA service; to maintain conversation continuity within a session; to monitor and enforce rate limits and usage policies; to detect and prevent abuse, spam, and harmful content; to monitor service costs and performance; to communicate with waitlist subscribers about service updates; and to comply with legal obligations. We process your data on the following legal bases under UK GDPR: legitimate interests (to operate, secure, and improve the Service), consent (for waitlist communications), and legal obligation (where required by law).
ZiRA relies on the following third-party service providers to operate. Each processes data on our behalf in accordance with applicable data protection laws and, where relevant, under Data Processing Agreements incorporating Standard Contractual Clauses or equivalent safeguards for international transfers.
When you send a message to ZiRA, your message is transmitted to Anthropic's API servers in the United States for AI processing. Anthropic processes this data in accordance with their privacy policy and usage terms. We minimise the data sent by trimming conversation history and not transmitting unnecessary personal information. We recommend reviewing Anthropic's privacy policy at anthropic.com for details on how they handle data.
Conversation records, session data, knowledge base content, and usage analytics are stored in a PostgreSQL database hosted by Supabase, Inc. Supabase acts as a data processor on our behalf under the terms of a Data Processing Addendum (DPA) incorporating the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) and the UK Approved Addendum. Data is hosted on Amazon Web Services infrastructure. All data is encrypted at rest using AES-256 encryption with per-project keys protected by FIPS 140-2 compliant hardware security modules, and encrypted in transit using TLS 1.2 with modern ciphersuites. Supabase's sub-processors are listed in their DPA and include AWS, Google LLC, Fly.io, and Cloudflare, among others.
ZiRa.chat is hosted on Vercel's platform in the United States. Vercel may process technical data such as IP addresses, request headers, and performance metrics in connection with serving the application. Vercel Analytics and Speed Insights are used for performance monitoring.
If you join our waitlist, your email address is processed by Brevo (formerly Sendinblue) for the purpose of sending service updates and communications. You can unsubscribe at any time.
We use technical and organisational controls to protect service data. Chat sessions use secure HTTP-only cookies. Server-side systems store conversation records to support continuity, abuse prevention, and service analytics. Database access is restricted using row-level security policies and service-role authentication, ensuring that public API keys cannot access stored data. All data at rest is encrypted using industry-standard AES-256 algorithms, and all data in transit is protected by TLS 1.2 encryption. Supabase maintains daily encrypted backups of all project data.
Conversation records and related usage data are retained for product quality, abuse prevention, and operational reporting. Session cookies use a 30-day expiry window. Shared answer links are retained indefinitely unless deletion is requested. We periodically review stored data and may implement automated retention limits. You can contact us at any time to request deletion of your data where applicable.
Our service providers, including Anthropic, Supabase, and Vercel, are based in the United States. Personal data is transferred from the UK to the US in connection with the operation of the Service. We ensure appropriate safeguards are in place for these transfers, including: the UK Extension to the EU-US Data Privacy Framework (the UK Secretary of State designated the US as an adequate jurisdiction for the purposes of the UK GDPR on 21 September 2023); Standard Contractual Clauses approved by the European Commission (Decision 2021/914), as supplemented by the UK Approved Addendum issued by the ICO under S119A(1) of the Data Protection Act 2018; and a Transfer Impact Assessment conducted in relation to Supabase's processing activities, which concluded that the risk of access to personal data by US authorities is low given the nature of the data processed. As of the date of Supabase's most recent Transfer Impact Assessment (March 2025), Supabase has not received any US government requests for customer data under FISA 702 or Executive Order 12333.
We do not sell your personal data to third parties. We may share data with the following categories of recipients: our third-party processors as described in Section 5, solely for the purposes of operating the Service; and law enforcement or regulatory authorities where required by law. All third-party service providers are required to process data in accordance with applicable data protection laws and under appropriate contractual safeguards.
Under UK GDPR, you have the following rights regarding your personal data: the right of access (to request a copy of the personal data we hold about you); the right to rectification (to request correction of inaccurate data); the right to erasure (to request deletion of your data, also known as the "right to be forgotten"); the right to restrict processing; the right to data portability; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time where processing is based on consent. To exercise any of these rights, please contact us at privacy@zira.chat or using the details in Section 2. We will respond to your request within one month.
ZiRa.chat uses essential cookies for chat session continuity and rate-limiting enforcement. These are HTTP-only secure cookies and cannot be accessed by client-side scripts. We also use Vercel Analytics and Vercel Speed Insights to measure site performance and usage trends. These tools collect anonymised performance metrics and do not track individual users across sites. We do not run third-party advertising trackers or sell data to advertisers.
ZiRA is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
We strongly advise you not to share sensitive personal information in your conversations with ZiRA, including but not limited to: financial account numbers, passwords or security credentials, national insurance or social security numbers, medical or health information, or any other information you would not want to be processed by a third-party AI provider. ZiRA's content filtering systems are designed to detect and handle crisis-related messages with appropriate care, but the Service is not a substitute for professional support.
ZiRA is an AI assistant powered by large language models. AI responses may be inaccurate, incomplete, or outdated and should not be relied upon as financial, legal, medical, or professional advice. Conversations are processed by Anthropic's API and may be subject to Anthropic's data handling practices, including potential use for safety research and model improvement as outlined in Anthropic's usage policy. We do not use your conversation data to train or fine-tune AI models ourselves.
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact Blackmass Enterprises Ltd, registered in England and Wales (Company No. 16124799), at privacy@zira.chat.