ZOVRAH CORPORATE PRIVACY POLICY

Last updated: 18 May 2026

PART A — CORPORATE PRIVACY POLICY

1. Who We Are and What This Covers

This Corporate Privacy Policy explains how ZOVRAH UK LTD ("Zovrah", "we", "our", or "us") — registered in England and Wales under company number 16660258, registered office 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, ICO registration reference ZC133750 — processes personal data in connection with the Zovrah Corporate platform (the "Corporate Platform").

It covers personal data relating to the Organisation's corporate administrators, applicants, billing contacts, and officers, and the operational, security, support, and AI Copilot data generated through the Corporate Platform. It does not govern the personal data of individual employees who use the consumer Zovrah application; that is governed by the consumer Privacy Policy and is a relationship directly between Zovrah and the individual. This Corporate Privacy Policy forms part of the Corporate Terms of Use. Part B sets out the data-processing terms that apply to the limited categories of personal data the Organisation supplies to us.

2. Roles of the Parties (Controllership)

This is the most important part of this document, and it is deliberately specific:

Zovrah is the controller of the personal data of corporate administrators, applicants, billing contacts, and any officers whose data appears in verification documents — processed so we can provide and secure the Corporate Platform and administer the relationship with the Organisation.

Zovrah is the sole controller of the personal data of individual employees that is held in the consumer Zovrah application (wellbeing, readiness, journal, mood, biometric, and similar data). The Organisation is not a controller of that data, does not receive it, and cannot exercise data-subject rights over it.

The Organisation only ever receives Aggregated Data — anonymised, de-identified statistics at cohort level that have passed a minimum-cohort threshold. Aggregated Data is not personal data of identifiable employees. Because the Organisation does not receive employees' personal data, Zovrah does not act as the Organisation's processor for the workforce analytics; Zovrah is the controller of the underlying data and supplies anonymous statistical information to the Organisation.

The only circumstance in which Zovrah acts as the Organisation's processor is for the limited personal data the Organisation itself supplies or inputs (for example, personal data contained within support tickets, dashboard configuration, or uploaded content). Part B governs that limited processing.

3. Personal Data We Process

About corporate administrators and applicants: identity and contact details (full name, email, phone, role or job title, and the applicant's relationship to the Organisation); account credentials (managed authentication identifiers, hashed passwords, and session and reset tokens — plaintext passwords are never stored); profile data (display name and first name, which is the only name exposed in any community-style feature); authentication and security metadata (sign-in timestamps, network address, and user agent); and communications (support tickets and messages, AI Copilot conversation transcripts, and any feedback posts, comments, or votes).

About the Organisation (mostly entity data, but may include personal data of officers): legal company name, registration number, country of registration, registered and trading addresses, organisation type, expected seats, email domains, and billing-contact email; verification documents uploaded for due diligence, which may contain personal data of directors or signatories; onboarding questionnaire responses; and uploaded branding assets.

Billing and payment data: customer and subscription identifiers, invoice metadata, plan, seat count, currency, tax status, and payment-method status. Cardholder data is collected and stored exclusively by our payments provider in its PCI-DSS Level 1 environment; Zovrah never receives or stores card numbers.

Operational and security data: audit-log entries (actor, action, target, network address, metadata, timestamp), security events (sign-in anomalies, password changes, lockouts), and application and server logs. AI Copilot data: prompts and responses, scoped to a user and, where applicable, an Organisation, retained for the Organisation's own continuity.

4. Purposes and Legal Bases

We create and operate corporate administrator accounts and provide the Corporate Platform on the basis of our contract with the Organisation, relying on legitimate interests for the processing of an administrator's own personal data necessary to deliver and secure that access. We verify the Organisation for anti-fraud, know-your-business, and regulatory-hygiene purposes on the basis of our legitimate interests and, where applicable, legal obligation. We produce Aggregated Data for the Organisation as part of providing the Service under our contract with the Organisation; the computation of Aggregated Data from the underlying employee data relies on our relationship with the individual employee as controller of that data (including explicit consent for special category data captured in the consumer application) and on our legitimate interests in producing only de-identified, aggregated outputs. We handle billing and invoicing to perform the contract and to meet legal obligations such as tax. We provide support, and we monitor security and maintain audit logs, on the basis of contract and our legitimate interests in protecting the Service and its users, and legal obligation where applicable. We operate the AI Copilot to provide the Service on the basis of contract and legitimate interests; the Copilot does not process special category data of identifiable employees. We use de-identified, aggregated data across our customer base to improve the Service on the basis of legitimate interests. We send relevant business communications to Organisation contacts on the basis of legitimate interests, with an opt-out, and consent where required by applicable electronic-marketing law.

Special category data is only processed within the consumer application, under the individual's explicit consent, and is never disclosed to the Organisation.

5. Aggregation, De-identification, and Minimum-Cohort Controls

The Corporate Platform is engineered to prevent the Organisation from seeing any individual employee's personal data. All aggregation is performed server-side; the dashboard never receives row-level employee data. Aggregated metrics are suppressed below a minimum-cohort threshold so that small teams cannot be re-identified. Member listings show only first names; surnames, emails, and contact details of employees are not exposed to the Organisation. Database-level access controls restrict each Organisation to its own data, and cross-organisation access is technically prevented. There is no functionality enabling an Organisation to export individual employee health records. Manager-role users may be restricted to departmental aggregates only.

6. Sources of Data

We obtain personal data directly from the administrator (through the application, onboarding, settings, support, and Copilot prompts); from the payments provider (billing events); from the authentication provider (authentication events); and from Zovrah systems (audit logs, security events, and derived metrics). Employees' personal wellbeing data is provided by the individual through the consumer application and is not sourced through the Corporate Platform.

7. Sub-processors

We engage a small set of sub-processors, each under a written data processing agreement and appropriate due diligence: a cloud database, authentication, storage, and serverless-function provider; a payments, subscription, and tax provider; a third-party AI gateway provider and the large language model providers it routes to for the Copilot; a transactional email provider; and hosting and content-delivery providers. We maintain a current sub-processor list, available on request, and may update it on notice as described in Part B.

8. International Transfers

Some sub-processors are located outside the UK, including in the United States. Where personal data is transferred outside the UK or EEA, we rely on UK adequacy regulations where they apply, and otherwise on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses (and the EU Standard Contractual Clauses for EEA data), together with supplementary measures including encryption in transit and at rest and access controls. The primary processing region is configured to align with that of the consumer platform, and transfers outside the UK or EEA are made only under the safeguards described above. You may request a copy of the relevant safeguards via info@zovrah.com.

9. Retention

The following retention periods apply: rejected corporate applications are retained for around 12 months; the Organisation's record and verification data is retained for the term of the contract plus approximately 7 years for tax and audit; corporate membership links are retained for the active term plus a short period and then anonymised; Aggregated Data snapshots are retained for the active term plus a period for trend continuity and then permanently de-identified; alerts and dashboard configuration are retained for the active term plus a short period; support tickets and messages are retained for around 24 months from last activity; Copilot conversations are retained for around 12 months or until user or administrator deletion; audit logs and security events are retained for a minimum period (extendable for active investigations); billing records are retained per the payments provider plus approximately 7 years for tax; and branding assets are retained until removed by the Organisation or until termination plus a short period. Employees' personal data in the consumer application is governed by the consumer Privacy Policy and deleted on user request through the consumer account-deletion flow.

10. Data Subject Rights

Individuals have the rights of access, rectification, erasure, restriction, portability, and objection, subject to applicable law. Administrators may exercise rights over their own corporate-account personal data by contacting info@zovrah.com or, where exposed in-product, via account settings. Employees exercise their rights in respect of their consumer-application personal data against Zovrah as controller, through the consumer application's account-support flow; the Organisation cannot exercise those rights on its employees' behalf because the Organisation is not the controller of that data. Erasure of an Organisation does not erase the personal data an employee holds in their own Zovrah account; only the link to the Organisation is removed. We respond within one calendar month, extendable by two further months for complex requests, with notice. Complaints may be made to the ICO (ico.org.uk) or another competent supervisory authority.

11. Security

We apply technical and organisational measures including encryption in transit and at rest; managed authentication with rate-limited resets and session tokens; role separation enforced at the database layer with server-side privilege controls (client-side role claims are never trusted); database-level access controls on every corporate table; audit logging of sensitive actions; least-privilege staff access; backups and point-in-time recovery; and a documented incident-response process. Cardholder data is handled entirely within the payments provider's PCI-DSS Level 1 environment. Copilot prompts are scoped to the Organisation's data with no cross-tenant leakage, and sensitive personal data of identifiable employees is not transmitted to the Copilot. These measures are summarised here and set out as technical and organisational measures in Annex II to Part B. No system is completely secure, and you acknowledge the inherent risks of digital services.

12. Cookies and Similar Technologies

The Corporate dashboard uses strictly necessary cookies and local storage for authentication and session continuity, and functional storage for interface preferences. It does not use third-party advertising cookies. A consent mechanism would be introduced only if non-essential analytics or marketing technologies were added; the current corporate configuration is essential-only.

13. Automated Decision-Making

Zovrah does not make automated decisions producing legal or similarly significant effects on individuals through the Corporate Platform. The Aggregated Data shown to the Organisation is cohort-level decision-support information, not information about identified individuals. The Corporate Terms of Use prohibit the Organisation from using Zovrah outputs as the sole basis for individual employment decisions.

14. Breach Notification

Where a personal data breach affects personal data we process for the Organisation under Part B, we will notify the Organisation without undue delay, with the information it reasonably needs to meet its own obligations. We will notify the ICO (or other competent supervisory authority) where the statutory threshold is met. Where a breach concerns employees' personal data in the consumer application, Zovrah notifies the affected individuals directly as controller.

15. Children

The Corporate Platform is not directed at children, and administrators must be at least 18. Consumer accounts are age-restricted to adults, and the Organisation must not deploy Zovrah to any workforce population that would involve data subjects below the applicable minimum age.

16. Changes and Contact


We may update this Corporate Privacy Policy. Material changes will be notified to administrators with reasonable notice, and the "Last updated" date will reflect the latest change. For privacy enquiries, data-subject requests, or security reports, contact ZOVRAH UK LTD, 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, info@zovrah.com (ICO registration ZC133750).

PART B — DATA PROCESSING TERMS

These Data Processing Terms form part of, and are incorporated into, the Corporate Privacy Policy and the Corporate Terms of Use. They apply only to personal data that Zovrah processes as processor on behalf of the Organisation — that is, the limited personal data the Organisation or its Authorised Users supply or input (for example, personal data within support tickets, dashboard configuration, branding, or Copilot prompts). They do not apply to: (a) personal data for which Zovrah is controller (corporate-account and verification data — Part A applies); or (b) employees' personal data in the consumer application, of which Zovrah is sole controller and the Organisation is not a controller.

B1. Roles and instructions. For the personal data within scope, the Organisation is controller and Zovrah is processor. Zovrah will process that personal data only on the Organisation's documented instructions (including those set out in the Corporate Terms of Use and this Part B), unless required by law, in which case Zovrah will inform the Organisation unless legally prohibited.

B2. Subject matter and details. The subject matter is the provision of the Corporate Platform; the duration is the term of the Corporate Terms of Use plus applicable retention; the nature and purpose is hosting, storing, displaying, and supporting the Organisation's submitted content; the personal data is that contained in Organisation-supplied content; and the data subjects are the Organisation's Authorised Users and any individuals referenced in content the Organisation submits. These details are elaborated in Annex I.

B3. Confidentiality. Zovrah ensures that personnel authorised to process the personal data are bound by appropriate confidentiality obligations.

B4. Security. Zovrah implements the technical and organisational measures described in Annex II, appropriate to the risk.

B5. Sub-processors. The Organisation gives general authorisation for Zovrah to engage the sub-processors described in Part A section 7. Zovrah will impose data-protection obligations on each sub-processor that are materially equivalent to these terms and remains liable for its sub-processors. Zovrah will give notice of intended additions or replacements and allow the Organisation a reasonable period to object on reasonable data-protection grounds; if an objection cannot be resolved, the Organisation may terminate the affected part of the Service.

B6. Assistance. Taking into account the nature of processing, Zovrah will assist the Organisation, by appropriate measures, in responding to data-subject rights requests relating to in-scope data, and in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation.

B7. Personal data breach. Zovrah will notify the Organisation without undue delay after becoming aware of a personal data breach affecting in-scope data, with sufficient information to enable the Organisation to meet its own obligations.

B8. Deletion or return. On the end of the provision of services, Zovrah will delete or return in-scope personal data at the Organisation's choice, save where storage is required by law, in line with the retention periods in Part A section 9.

B9. Audits and information. Zovrah will make available information reasonably necessary to demonstrate compliance with these terms and will allow for and contribute to audits, including inspections, conducted by the Organisation or its mandated auditor on reasonable notice, subject to confidentiality and reasonable security and frequency limits.

B10. International transfers. Any transfer of in-scope personal data outside the UK or EEA is made under the mechanisms described in Part A section 8 (UK IDTA, UK Addendum, or EU Standard Contractual Clauses, with supplementary measures).

B11. Precedence. In the event of conflict between these Data Processing Terms and the rest of the Corporate Privacy Policy or the Corporate Terms of Use, these Data Processing Terms prevail in respect of in-scope processing.

Annex I — Processing Details

Categories of data subjects: the Organisation's Authorised Users (administrators and managers) and any individuals identified within content the Organisation submits. Categories of personal data: identity and contact details of Authorised Users, support content, configuration data, branding, and Copilot prompts to the extent they contain personal data. No special category data is in scope; special category data is processed only in the consumer application under the individual's explicit consent and is outside these terms. Nature and purpose of processing: hosting, storing, transmitting, displaying, and supporting the Organisation's content to provide the Corporate Platform. Duration: the term of the Corporate Terms of Use plus the retention periods in Part A section 9.

Annex II — Technical and Organisational Measures

Encryption of personal data in transit and at rest; managed authentication with rate-limited credential resets and session tokens; database-level access controls on every corporate table with server-side privilege enforcement and no reliance on client-side role claims; least-privilege staff access with logged and reviewable administrative actions; audit logging of sensitive actions and security-event monitoring; segregation preventing cross-organisation access; backups with point-in-time recovery; a documented incident-response process with breach-notification timelines (to the ICO within 72 hours where the threshold is met, and to the Organisation without undue delay for in-scope data); and exclusion of cardholder data from Zovrah systems (handled within the payments provider's PCI-DSS Level 1 environment).