Last updated: April 2026
1. Introduction
ZS Digital Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered in Malta. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the OneHazel platform (the "Platform") and our associated websites and services.
We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data We Collect
We collect the following categories of personal data:
- Account Information — your name, email address, company name, and other details you provide when creating an account.
- Usage Data — information about how you use the Platform, including feature usage, workflow executions, and interaction patterns.
- Technical Data — IP address, browser type and version, device information, operating system, and referral URLs.
- Payment Data — payment transactions are processed by Stripe. We do not store your credit card numbers or full payment details on our servers.
3. How We Use Your Data
We use your personal data for the following purposes:
- To provide the Platform — creating and managing your account, processing workflows, and delivering the core service functionality.
- To improve our service — analysing usage patterns to enhance performance, fix issues, and develop new features.
- To communicate with you — sending service-related notifications, responding to support requests, and (with your consent) marketing communications.
- To comply with legal obligations — meeting regulatory, tax, and legal reporting requirements.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract Performance — processing necessary to fulfil our contractual obligations to you when you use the Platform.
- Legitimate Interests — processing necessary for our legitimate business interests, such as improving the Platform, ensuring security, and preventing fraud, provided these do not override your fundamental rights.
- Consent — where you have given explicit consent, such as for receiving marketing communications. You may withdraw consent at any time.
- Legal Obligation — processing necessary to comply with applicable laws and regulations.
5. Data Storage & Security
Your data is stored in the European Union, using infrastructure provided by Supabase and AWS (EU regions). We implement robust security measures to protect your data, including:
- Encryption at rest — AES-256-GCM encryption for all stored data.
- Encryption in transit — TLS encryption for all data transmitted between your device and our servers.
- Tenant isolation — enterprise customers benefit from strict logical data isolation to prevent cross-tenant access.
6. Data Sharing
We do not sell your personal data. We only share your data with trusted third parties where necessary to operate the Platform:
- Infrastructure providers — Supabase and AWS, for hosting and database services.
- Payment processor — Stripe, for processing subscription payments securely.
- Analytics — only aggregated, anonymised data is used for analytics purposes. No personally identifiable information is shared with analytics providers.
All third-party processors we work with are GDPR-compliant and bound by data processing agreements.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access — request a copy of the personal data we hold about you.
- Right to Rectification — request correction of inaccurate or incomplete data.
- Right to Erasure — request deletion of your personal data ("right to be forgotten").
- Right to Data Portability — receive your data in a structured, commonly used, machine-readable format.
- Right to Restriction — request that we limit the processing of your data in certain circumstances.
- Right to Object — object to processing based on legitimate interests or for direct marketing purposes.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
8. Cookies
We use essential cookies by default to ensure the Platform functions correctly (e.g., session management, authentication). Analytics cookies are only used with your explicit consent. You can manage your cookie preferences through your browser settings at any time.
9. Data Retention
We retain your data in accordance with the following schedule:
- Account data — retained while your account is active, plus 30 days after account closure.
- Usage logs — retained for 90 days.
- Payment records — retained as required by applicable tax and legal obligations.
10. Children
The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes via email or through an in-app notice. We encourage you to review this page periodically.
12. Contact
If you have any questions about this Privacy Policy or how we handle your personal data, please contact our Data Protection Officer:
Email: [email protected]
Company: ZS Digital Ltd, Malta