Privacy Notice
Effective: April 29, 2026. Last updated: April 29, 2026. Policy version: 2026-04-29.v3. Private by default.
Who controls this service
Nova Nuggets L.L.C, established in 2025 and headquartered in Dubai, UAE, operates ZAKI. Our production operations are hosted on European infrastructure with GDPR-aligned controls.
Data categories
We process the following categories of data:
- Account data: email, profile, auth and session metadata.
- User content: prompts, responses, memories, and references.
- Operational data: diagnostics, abuse-prevention signals, and service logs.
- Billing metadata for entitlement and reconciliation.
Processing chain and purpose
Service chain: ZAKI to TYP to third-party inference processors. We process data to provide account access, deliver features, secure the service, prevent abuse, and improve quality and cultural relevance.
Our mission and data use
We believe AI should be personal, and personal means private by default. We use necessary interaction data to improve ZAKI so the Arab world has its own voice in the AI era, while keeping user controls and privacy safeguards central.
Legal bases and GDPR rights
Where GDPR applies, legal bases may include contract performance, legitimate interests, legal obligations, and consent where required. You may request access, correction, deletion, restriction, portability, and objection rights as applicable law allows.
International transfers
Data may be processed outside your home jurisdiction through infrastructure or subprocessors. Where required, we apply transfer safeguards under applicable law.
Subprocessors
We use the following third-party processors to deliver the service. Material changes to this list are reflected in this Policy and emailed to active accounts at least 14 days before they take effect.
- Stripe, Inc. (US): payment processing for billing tiers. Shared: email, billing details, transaction metadata. Stripe stores card data; ZAKI never sees card numbers.
- Cloudflare, Inc. (US): DDoS protection, CDN, edge routing. Shared: request IPs, headers, request paths. No conversation contents.
- Anthropic, PBC (US): model inference for the Claude family when selected. Shared: conversation contents at the time of inference.
- OpenAI, OpenAI LLC (US): model inference when selected or used as a fallback. Shared: conversation contents at the time of inference.
- Together AI, Inc. (US): primary model inference (Kimi K2.5 and related open-source families). Shared: conversation contents at the time of inference.
Cookies and similar technologies
We use a small number of strictly necessary cookies to keep you signed in and to operate the service. Analytics cookies, where used, are off by default and only set after explicit consent in the cookie banner. You can change your choice at any time by clearing the chatzaki-cookie-consent cookie in your browser.
Retention and deletion
We retain data only as needed for service operation, security, anti-abuse, and legal obligations. You can request export, correction, or deletion. Account deletion starts deletion workflows subject to lawful retention requirements.
Security
Controls include encryption in transit, controlled access, monitoring, and role-based internal access controls. No internet service can guarantee absolute security.