Loading page content…
Security & Privacy at zigzag
We believe that privacy is a right, not a feature. This page explains in plain language how we protect your personal data, who we share it with, and how we approach compliance. We have nothing to hide — everything is here.
Last reviewed: March 2026 | Questions? Contact us at hello@gozigzag.com
This page supplements our Privacy Policy and Terms of Use. For details on what personal data we collect, your data-subject rights, cookies, and general contact information, please refer to those documents. This trust centre focuses on our security practices, lawful bases, retention schedules, and compliance approach.
GDPR Compliance
zigzag is designed to comply with the UK GDPR and EU GDPR. We have appointed a Data Protection Officer (Sami Abou Saab) and have conducted Data Protection Impact Assessments for our AI processing activities. We provide self-service tools for data export (Article 20), account deletion (Article 17), profile rectification (Article 16), and marketing and cookie consent management (Article 7). Cookie consent is enforced — declining optional cookies disables all non-essential tracking. Data retention is automated and all third-party processors operate under Data Processing Agreements with appropriate international transfer safeguards.
1. Who is responsible for your data?
FA Partners Limited (registered in England & Wales, company number 13771216) is the data controller for all personal data processed through our website and application. This means we determine why and how your personal data is used.
Registered address:
113 Canalside, Redhill, Surrey, England, RH1 2FH
Data Protection Officer:
Sami Abou Saab
For all data protection enquiries — including subject access requests, rights requests, and complaints — please contact our DPO at:
- Email: hello@gozigzag.com
- Post: FA Partners Limited, 113 Canalside, Redhill, Surrey, England, RH1 2FH
2. Lawful bases for processing
Under the UK GDPR, we are required to have a lawful basis for every way we use your personal data. Our Privacy Policy describes what data we collect and how we use it. Below we set out the legal basis for each processing activity.
| Purpose | Lawful basis |
|---|---|
| Provide and operate our service — authenticate your login, run the platform, deliver features | Performance of a contract — Article 6(1)(b) |
| Process payments — share billing details with Stripe to process transactions | Performance of a contract — Article 6(1)(b) |
| AI-powered content generation — process your business inputs via OpenAI to generate canvases, documents, and recommendations | Performance of a contract — Article 6(1)(b) |
| Service-related communications — account activity, security alerts, scheduled downtime | Performance of a contract / Legitimate interests — Article 6(1)(b) and (f) |
| Improve and develop our product — analyse anonymised, aggregated usage patterns (first-party analytics only, no third-party analytics cookies) | Legitimate interests — Article 6(1)(f). Our interest is improving the product for all users; this does not override your privacy as the analysis is anonymised. |
| Marketing communications — product news and promotional content, with your consent at sign-up | Consent — Article 6(1)(a). You can unsubscribe at any time. |
| Comply with legal obligations — e.g. retaining financial records for HMRC, responding to lawful court orders | Legal obligation — Article 6(1)(c) |
| Security monitoring — authentication logs and access monitoring to detect, investigate, and prevent fraud and abuse | Legitimate interests — Article 6(1)(f). Our interest is protecting our users and business from harm. |
We never use your data for purposes other than those listed above and in our Privacy Policy.
3. International transfers of personal data
Some of our subprocessors are based outside the United Kingdom and the European Economic Area. The UK GDPR restricts transfers of personal data to countries that have not been assessed as providing an adequate level of data protection, unless appropriate safeguards are in place.
Where we transfer personal data to the United States or other non-adequate countries, we rely on the following safeguards:
- Transfers from the UK: We use the International Data Transfer Agreement (IDTA), incorporated into our contracts with those providers.
- Transfers from the EU: We use the European Commission's Standard Contractual Clauses (SCCs), updated June 2021.
The full list of countries and applicable safeguards for each provider is detailed in our subprocessor list, which is available on request by contacting hello@gozigzag.com.
4. How long we keep your data
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law. Our standard retention periods are:
| Data category | Retention period | Reason |
|---|---|---|
| Account & identity data | Duration of account + 30 days post-closure, then deleted | To allow account recovery; deleted promptly once no longer needed |
| Payment & billing records | 7 years from transaction date | HMRC financial record-keeping requirements |
| AI-generated content & business inputs | Duration of account + 30 days post-closure, then deleted | Required to deliver the service; deleted with your account |
| Support communications | 2 years from last contact | To provide context if you contact us again |
| Security & access logs | 90 days, then deleted | Security monitoring; deleted when no longer operationally required |
| Marketing consent records | Until consent withdrawn + 1 year, then deleted | To demonstrate valid consent if challenged |
| Anonymised analytics data | Indefinitely | Anonymised data is no longer personal data |
| Google OAuth tokens | Duration of account or until you revoke access, whichever is earlier | Required to operate Google Workspace integrations on your behalf |
At the end of each retention period, data is either permanently deleted or irreversibly anonymised. Deletion of account data propagates to our subprocessors within 30 days of account closure.
If you request deletion of your data before a retention period expires, we will honour that request unless a legal obligation requires us to retain it — for example, financial records for tax purposes. In such cases, we will tell you what we are retaining and why.
5. Your data rights (GDPR)
Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data. We have built self-service tools so you can exercise most of these without needing to email us.
| Right | How to exercise it |
|---|---|
| Access (Article 15) — obtain a copy of all personal data we hold about you | Self-service: Profile → Data & Privacy → Download My Data. Your export is generated instantly as a JSON file. |
| Portability (Article 20) — receive your data in a structured, machine-readable format | Same as above — the JSON export is machine-readable. |
| Rectification (Article 16) — correct inaccurate data | Self-service: Profile settings — edit your name, bio, company, and other details at any time. For data you cannot self-edit, email hello@gozigzag.com. |
| Erasure (Article 17) — delete all your data | Self-service: Profile → Data & Privacy → Delete My Account. This permanently removes your account, all projects, and all personal data across every table. Monitoring logs containing your email are anonymised. Payment records required by HMRC are retained for 7 years as mandated by law; you will be told what is retained and why. |
| Restrict processing (Article 18) | Email hello@gozigzag.com describing what processing you would like us to restrict. We will respond within 30 days. |
| Object (Article 21) — object to processing based on legitimate interests | Email hello@gozigzag.com with your objection. |
| Withdraw consent (Article 7) — for processing based on consent (marketing, optional cookies) | Self-service: Profile → Data & Privacy to toggle marketing email consent or cookie consent directly. You can change your cookie preference at any time from your profile settings without needing to clear site data. |
All requests are handled free of charge. We will respond within 30 days as required by Article 12(3). If a request is complex, we may extend this by a further 60 days but will tell you within the initial 30 days.
7. AI & automated processing
Our platform uses large language models from OpenAI to generate business canvases, brand stories, validation frameworks, MVP requirements, and other content. When you use any AI-powered feature, the business inputs you provide in that feature are sent to OpenAI's API for processing.
What data is sent to OpenAI
- The startup idea, business description, or other inputs you type into an AI-powered form.
- We do not send your name, email address, or other personally identifiable information to OpenAI.
How OpenAI handles your data
- We use the OpenAI API with the data processing terms that confirm OpenAI does not train its models on data submitted through the API.
- API inputs are retained by OpenAI for up to 30 days for abuse monitoring, then deleted. Full details are in OpenAI's Enterprise Privacy page.
Lawful basis
AI processing is necessary to perform the contract we have with you — Article 6(1)(b). The core purpose of zigzag is to generate AI-powered business content, and you use the platform specifically for that purpose.
No automated decision-making
We do not make any decisions that have legal or similarly significant effects on you based solely on automated processing. All AI outputs are tools to assist your own decision-making.
8. How we protect your data
Our Privacy Policy summarises our security practices. Below we provide additional technical detail in accordance with Article 32 of the UK GDPR.
Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Data at rest — including databases, backups, and file storage — is encrypted using AES-256.
Access controls
Access to production systems containing personal data is restricted to a small number of authorised engineers. All administrative access requires multi-factor authentication (MFA). We apply the principle of least privilege: no team member has broader access than their role requires.
Password security
User passwords are managed by our authentication provider, Auth0 (Okta). We never store your password in plain text. Auth0 hashes passwords using bcrypt with an appropriate cost factor before storage.
Infrastructure
Our application is hosted on Vercel with database infrastructure on DigitalOcean Managed PostgreSQL. Both providers maintain SOC 2 Type II certifications. We conduct automated vulnerability scanning on each deployment.
Security monitoring
We maintain audit logs of authentication events and access to personal data. Error and performance monitoring is provided by Sentry. Infrastructure metrics are monitored continuously via Grafana Cloud with automated alerting for security events.
Vulnerability disclosure
If you discover a security vulnerability in our service, please report it responsibly to hello@gozigzag.com. We commit to acknowledging your report within 48 hours and keeping you informed of our progress.
9. What happens if there is a data breach?
Despite our security measures, no system is entirely immune to incidents. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant data protection authority within 72 hours of becoming aware of the breach, where legally required.
- Notify affected users directly and without undue delay where the breach is likely to result in a high risk to their rights and freedoms. We will tell you what happened, which data was involved, the likely consequences, and the steps we are taking.
We maintain a formal incident response procedure and conduct post-incident reviews to prevent recurrence. All breaches, whether or not legally notifiable, are logged in our internal breach register.
If you believe your account or data has been compromised, please contact hello@gozigzag.com immediately.
10. Our approach to data protection compliance
We take a privacy-by-design approach, meaning privacy considerations are embedded into how we build and operate our product — not treated as an afterthought.
Record of Processing Activities
We maintain an internal Record of Processing Activities (RoPA) documenting every way we process personal data, as required by Article 30 of the UK GDPR.
Data Protection Impact Assessments (DPIAs)
In accordance with Article 35 of the UK GDPR, we have conducted Data Protection Impact Assessments for processing activities that may pose a high risk to data subjects. In particular, a DPIA has been completed for our use of AI (OpenAI) to process user business data. The assessment concluded that the residual risk is low after mitigations — including data minimisation (no personal identifiers sent to OpenAI), encryption in transit and at rest, and contractual safeguards under our Data Processing Agreement. The DPIA is reviewed annually or whenever our processing activities change materially.
Automated retention enforcement
The retention periods listed in section 4 are enforced automatically by a daily scheduled job that purges expired analytics events, error logs, API metrics, and LLM metrics. This ensures our stated retention schedule is not just aspirational but actively enforced in production.
Our commitment
We review this trust page and our underlying compliance programme at least every 12 months, and whenever we make material changes to how we process personal data. The "last reviewed" date at the top of this page reflects the most recent review.
11. How to make a complaint
If you are unhappy with how we have handled your personal data, we ask that you contact us first so we can try to resolve the matter. We take all complaints seriously and will respond within 30 days.
- Email: hello@gozigzag.com (we aim to respond within 2 business days)
- Post: FA Partners Limited, 113 Canalside, Redhill, Surrey, England, RH1 2FH
If you remain dissatisfied after raising the matter with us, you have the right to lodge a complaint with your local data protection authority. Depending on your location, this may include your national supervisory authority — EU authorities are listed at edpb.europa.eu — or an equivalent regulatory body in your jurisdiction.