Privacy Policy

Last updated: 28 April 2026

1. Introduction

Zanda (“we”, “us”, “our”) is a cloud-based human resource management platform operated from Lusaka, Zambia. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our website at zanda.app and our software-as-a-service platform (collectively, the “Service”).

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller and Processor Roles

Zanda acts in two capacities depending on the context. When an organisation (“Customer”) subscribes to the Service and uploads employee data, the Customer is the data controller and Zanda is the data processor acting on the Customer’s behalf. When we collect data directly from visitors to our website or from individuals who create accounts, Zanda is the data controller.

3. Information We Collect

3.1 Information You Provide

When you sign up, we collect your full name, email address, company name, country, and password. When Customers use the platform, they may input employee data including names, national identity numbers, tax identification numbers, bank account details, salary information, contact details, emergency contacts, employment history, leave records, attendance data, performance reviews, and documents such as CVs and contracts.

3.2 Information Collected Automatically

When you visit our website or use the Service, we automatically collect your IP address, browser type and version, operating system, device information, pages visited, time spent on pages, referring URLs, and general geolocation data derived from your IP address. We use Cloudflare for security and performance, which may process connection metadata.

3.3 Cookies and Similar Technologies

We use essential cookies to maintain your session and preferences. We do not use advertising or tracking cookies. For more detail, see our Cookie Policy.

4. How We Use Your Information

We use personal data to:

Provide, maintain, and improve the Service, including running payroll calculations, generating reports, and delivering AI-powered features.
Process account registration and authentication.
Communicate with you about your account, including service announcements, security alerts, and support responses.
Send transactional emails such as leave approval notifications, payroll confirmations, and password reset links.
Detect, prevent, and respond to fraud, abuse, and security incidents.
Comply with applicable laws and regulatory obligations, including statutory reporting in Zambia, Kenya, South Africa, and other supported jurisdictions.
Generate anonymised, aggregated analytics to improve the Service.

5. AI Features and Data Processing

Zanda includes AI-powered features such as an HR Copilot, CV parsing, candidate ranking, attrition risk scoring, and payroll error detection. These features process Customer data to generate insights and recommendations.

AI processing is performed using third-party AI models (currently Anthropic’s Claude). When AI features are used, relevant data is sent to the AI provider for processing. We ensure that AI providers do not retain your data for training purposes and that processing is subject to appropriate data processing agreements. AI features are optional and can be disabled by the Customer.

6. Legal Basis for Processing

We process personal data based on the following legal grounds: contractual necessity (to provide the Service you have subscribed to), legitimate interests (to improve and secure the Service, detect fraud, and communicate with you), legal obligations (to comply with applicable laws such as tax reporting requirements), and consent (where you have explicitly opted in, such as for marketing communications).

7. Data Sharing and Disclosure

We do not sell personal data. We may share data with service providers who help us operate the Service, including Vercel (hosting), Neon (database), Cloudflare (security and CDN), Resend (email delivery), Flutterwave (payment processing), and Anthropic (AI processing). All service providers are bound by data processing agreements. We may also disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Zanda, our Customers, or the public.

8. Data Storage and Security

Data is stored on servers located in secure cloud infrastructure. We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, complete tenant data isolation in our multi-tenant architecture, rate limiting and CAPTCHA protection on authentication endpoints, regular security reviews, and bcrypt password hashing.

While we take reasonable measures to protect your data, no system is completely secure. In the event of a data breach affecting personal data, we will notify affected Customers and relevant authorities as required by applicable law.

9. Data Retention

We retain personal data for as long as the Customer’s account is active or as needed to provide the Service. When a Customer cancels their subscription, we retain their data for 90 days to allow for reactivation, after which it is permanently deleted. We may retain certain data longer where required by law (for example, payroll records may need to be kept for the period specified by local tax authorities).

10. Your Rights

Depending on your jurisdiction, you may have the right to access the personal data we hold about you, request correction of inaccurate data, request deletion of your data (subject to legal retention requirements), object to or restrict certain processing, request data portability (receive your data in a structured, machine-readable format), and withdraw consent where processing is based on consent. If you are an employee whose data is managed by a Customer, please direct your requests to your employer in the first instance, as they are the data controller for your employment data.

11. International Data Transfers

As a cloud-based service, your data may be processed in countries other than the one in which it was collected. We ensure that any international data transfers are subject to appropriate safeguards, including data processing agreements with standard contractual clauses where applicable.

12. Children’s Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised “Last updated” date and, where appropriate, by sending an email notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Zanda
Lusaka, Zambia
Email: privacy@zanda.app