Privacy Policy

Jurisdictional Compliance Overview

Zinovate Cloud operates across five regions. We comply with the applicable data protection law in each region where we have operations or process data about residents.

🇺🇸

United States

We comply with applicable federal and state privacy laws. We align with CCPA/CPRA (California), Virginia CDPA, Colorado CPA, and sector-specific laws including HIPAA where relevant.

CCPA / CPRA · HIPAA

🇨🇦

Canada

We comply with PIPEDA (Personal Information Protection and Electronic Documents Act) and applicable provincial laws including Quebec Law 25 (Bill 64).

PIPEDA · Law 25

🇬🇧

United Kingdom

We comply with UK GDPR and the Data Protection Act 2018. We are registered with the ICO where required. UK individuals retain all rights under UK GDPR.

UK GDPR · DPA 2018

🇦🇪

United Arab Emirates

We comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and the DIFC Data Protection Law 2020 where applicable.

UAE PDPL · DIFC DP Law

🇮🇳

India

We comply with India’s Digital Personal Data Protection Act 2023 (DPDPA) and the Information Technology Act 2000 and its amendments. We honour all DPDPA data principal rights.

DPDPA 2023 · IT Act

1. Who We Are

Zinovate Cloud (“we”, “us”, “our”) is part of the Zinovate Group, a specialised Cloud, AI and Security services company headquartered in the United States, with offices in the UK, UAE and India.

We provide Cloud migration, AI and data solutions, Microsoft 365 and modern workplace enablement, and cybersecurity services to businesses worldwide.

Data Controller: Zinovate Corp., 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, USA.
UK Representative: Zinovate Cloud UK, 60 Tottenham Court Road, Suite 2503a, Fitzrovia, London, W1T 2EW.
Contact: privacy@zinovatecloud.com

2. Data We Collect

Information You Provide Directly

Contact form submissions: First name, last name, business email address, phone number, company name, country, and enquiry details.
Business communications: Emails, calls, meeting notes, or other correspondence you initiate with us.
Service engagements: Project-related information, technical requirements, and business data you share during our consultancy or implementation services.
Account information: Credentials and profile data for any portals or platforms we provide to you.

Information Collected Automatically

Usage data: Pages visited, time spent, referring URLs, and interaction data collected via cookies and analytics tools.
Technical data: IP address, browser type, operating system, device identifiers, and approximate geographic location.
Log data: Server logs including access times, error reports, and request details.

Information from Third Parties

Business contact information from LinkedIn, industry databases, or publicly available sources for B2B outreach.
Referral information from partners or clients who recommend our services.
Data provided by clients as part of managed services contracts (processed as a Data Processor on your behalf).

We do not sell your personal data to any third party and we do not engage in profiling for advertising purposes.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

Responding to enquiries: Processing contact form submissions and communicating about our services.
Service delivery: Providing Cloud, AI, Security and managed services under a contract with you.
Account management: Managing access to portals, sending service notifications and billing.
Marketing communications: Sending newsletters, updates or promotions where you have opted in or where we have a legitimate interest. You may opt out at any time.
Analytics and improvement: Understanding how visitors use our website to improve content and user experience.
Legal compliance: Meeting obligations under applicable law, including tax, audit and regulatory requirements.
Security: Detecting fraud, abuse, and threats to our systems and services.

4. AI & Automated Processing

Zinovate Cloud provides AI and data services to clients. The following explains how AI and automated decision-making interact with personal data in the context of our own operations and the services we deliver.

4.1 Our Own Use of AI Tools

We use AI-assisted tools (including Microsoft Copilot and similar productivity AI) to support internal operations such as drafting, summarisation, and analysis.
Personal data entered into internal AI tools is governed by the terms of those tools’ providers. We configure these tools to disable training on customer data where such controls are available.
We do not use AI to make solely automated decisions that produce legal or similarly significant effects on individuals without human review.

4.2 AI Services Delivered to Clients

When we deploy AI solutions (such as Azure AI, Microsoft Copilot, OpenAI, or Google AI integrations) on behalf of clients, we act as a Data Processor. The client is the Data Controller and determines the purpose and means of processing.
We implement appropriate technical and contractual safeguards including Data Processing Agreements (DPAs) with clients and sub-processors.
AI models we deploy for clients are not trained on client data without explicit written consent.

4.3 Automated Decision-Making Rights

Under UK GDPR, EU GDPR, and applicable US state laws, you have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Where such processing occurs, you have the right to request human review. Please contact us at privacy@zinovatecloud.com to exercise this right.

4.4 Data Minimisation in AI Processing

We apply data minimisation principles to all AI workloads: only the data necessary for the specified purpose is processed. Anonymisation and pseudonymisation are applied where feasible before data is processed by AI systems.

5. Legal Basis for Processing

Where data protection law requires us to identify a legal basis for processing your personal data, we rely on the following:

Contract: Processing necessary to enter into or perform a contract with you (e.g. delivering services you have engaged us for).
Legitimate interests: Processing necessary for our legitimate business interests, including marketing to existing contacts, network security, and fraud prevention — provided those interests are not overridden by your rights.
Consent: Where you have opted in to receive marketing communications or to the use of non-essential cookies.
Legal obligation: Processing required to comply with applicable law.
Vital interests: In rare circumstances, where processing is necessary to protect someone’s life.

For residents of Canada, we rely on express or implied consent for most data collection and you may withdraw consent at any time. For residents of India under the DPDPA 2023, we rely on consent and legitimate uses (including contract performance, legal compliance, and medical/public interest purposes).

6. Data Sharing & International Transfers

Who We Share Data With

Technology partners: Microsoft (Azure, Microsoft 365, Dynamics 365), Google Cloud, AWS — used to deliver our services. Each partner maintains their own data protection commitments and DPAs.
Service providers: Hosting, analytics, email, CRM, billing and communication tools used to operate our business. These processors are bound by data processing agreements.
Professional advisors: Lawyers, accountants and auditors under confidentiality obligations.
Law enforcement or regulators: Where required by law, court order or regulatory authority.
Business transfers: In the event of a merger, acquisition or asset sale, personal data may be transferred to the successor entity.

International Data Transfers

As a global company, your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place for such transfers:

UK & EEA residents: Transfers to countries without an adequacy decision are protected by UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs).
Canadian residents: Transfers outside Canada are governed by contractual protections equivalent to PIPEDA requirements.
UAE residents: Cross-border data transfers comply with the UAE PDPL requirements including adequacy assessments and contractual safeguards.
Indian residents: Transfers outside India comply with restrictions under the DPDPA 2023 and any notified restricted country lists.

7. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. Our general retention periods are:

Contact form enquiries: Up to 3 years from last contact, or as needed to respond to an ongoing engagement.
Client service data: Duration of the contract plus up to 7 years for legal and audit compliance.
Marketing contact data: Until you unsubscribe or opt out, or after 3 years of inactivity, whichever is sooner.
Website analytics data: Up to 26 months in aggregated or anonymised form.
Financial and legal records: As required by applicable law in each jurisdiction (typically 6–7 years).

When data is no longer needed, it is securely deleted or anonymised in accordance with our data destruction procedures.

8. Your Rights by Region

Depending on where you are located, you have the following rights regarding your personal data:

Right	USA (CA/VA/CO)	Canada	UK	UAE	India
Know what data we hold	✓	✓	✓	✓	✓
Access / copy your data	✓	✓	✓	✓	✓
Correct inaccurate data	✓	✓	✓	✓	✓
Delete your data (“right to erasure”)	✓	✓	✓	✓	✓
Opt out of sale / sharing	✓ (CCPA)	—	—	—	—
Withdraw consent	✓	✓	✓	✓	✓
Restrict processing	—	✓	✓	✓	—
Data portability	✓ (CA)	—	✓	✓	✓
Object to processing	—	—	✓	✓	—
No automated decisions	✓ (CA)	—	✓	✓	—
Lodge complaint with regulator	✓	✓	✓	✓	✓
Nominate a representative	—	—	—	—	✓ (DPDPA)

To exercise any of these rights, email us at privacy@zinovatecloud.com with “Data Rights Request” in the subject line. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before acting on a request.

Regulatory Bodies

USA: State Attorney General offices; FTC for federal matters.
Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
UK: Information Commissioner’s Office (ICO) — ico.org.uk
UAE: UAE Data Office — uaedataoffice.ae
India: Data Protection Board of India (to be established under DPDPA 2023).

9. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to improve your browsing experience and analyse traffic.

Types of Cookies We Use

Essential cookies: Required for the website to function (e.g. security tokens, session management). Cannot be disabled.
Analytics cookies: Used to understand how visitors interact with our website (e.g. page views, traffic sources). We use anonymised analytics data.
Preference cookies: Remember your settings such as selected language.
Marketing cookies: Only used if you have explicitly opted in. We do not use third-party advertising cookies by default.

You can manage or withdraw your cookie consent at any time through your browser settings or our cookie preference centre. For UK and EEA visitors, we obtain your consent before placing non-essential cookies in accordance with the UK PECR and applicable EU ePrivacy rules.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. Our security practices include:

Encryption of data in transit (TLS 1.2+) and at rest using industry-standard encryption.
Access controls and multi-factor authentication for systems handling personal data.
Regular security assessments, penetration testing and vulnerability management.
Employee training on data protection and information security.
Incident response procedures with notification timelines meeting regulatory requirements (72 hours under UK GDPR; as required under UAE PDPL, DPDPA and applicable US law).
Infrastructure hosted on Microsoft Azure with enterprise-grade security controls.

Despite these measures, no system is completely secure. If you believe your data has been compromised, please contact us immediately at security@zinovatecloud.com.

11. Children’s Privacy

Our services are directed at businesses and professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the “Last Updated” date at the top of this page.
Notify registered users or active clients by email where required by law.
Display a notice on our website where changes are significant.

We encourage you to review this policy periodically. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.

13. Contact & Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy & Data Protection

Email: privacy@zinovatecloud.com
Post (USA): Zinovate Corp., 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, USA
Post (UK): Zinovate Cloud UK, 60 Tottenham Court Road, Suite 2503a, Fitzrovia, London, W1T 2EW
Post (UAE): Business Center 1, M Floor, The Meydan Hotel, Nad Al Sheba, Dubai, PO Box 35195
Post (India): L5, Prestige Palladium Bayan, 129–140 Greams Road, Chennai, Tamil Nadu 600006

For UK GDPR purposes, our UK Representative is Zinovate Cloud UK at the address above. For complaints, you may also contact the UK ICO.

For Indian residents under the DPDPA 2023, you may nominate a person to exercise your rights on your behalf. Contact us at the email above to arrange this.

Response time: We aim to acknowledge all privacy requests within 72 hours and resolve them within 30 days (or the shorter period required by applicable law).

Table of Contents