The Hackett Group Announces Strategic Acquisition of Leading Gen AI Development Firm LeewayHertz
Read more
Select Page

PRIVACY POLICY

1. Who we are

This privacy policy sets out how LeewayHertz collects and uses your personal data through your use of this website, including any data you may provide when you use our services such as our generative AI platform ZBrain.

LeewayHertz is the controller and responsible for your personal data (referred to as “LeewayHertz”, “we”, “us”, or “our” in this privacy policy).

We have appointed a Privacy Manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Privacy Manager using the information set out in the contact details section.

2. Types and Sources of Personal Data

Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you from different sources.

    • Identity Data: name, address, username or similar identifier, role, job function, years of experience
    • Contact Data: email address, work email address, work address, phone number,
    • Financial Data: payment and billing information such as bank account and payment card details
    • Transaction Data: details about payments to and from you and other details of services you have purchased from us.
    • Technical Data: [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website]
    • Profile Data: purchases or orders made by you, your interests, preferences, feedback and survey responses
    • Usage Data: information about how you interact with and use our website and services.
    • Marketing and Communications Data: your preferences in receiving marketing from us and our third parties and your communication preferences.

To provide our services and operate our business, we collect your personal data through following sources, which we have grouped together as follows:

Information You Provide to Us: information you give us by filling in forms on our website  or app, or by corresponding with us by phone, email, or otherwise. For example, this includes information provided when:

  • Creating an account or signing up for our services
  • Subscribing to any of our Services
  • Contacting customer support
  • Reporting a problem

Information We Collect Automatically: with each visit to our Site or use of our App, we automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. [We may also receive technical data about you if you visit other websites employing our cookies. Please see our cookie policy [insert link] for further details. For example: this includes information automatically collected when:

  • Technical information: browser type and version, time zone setting, browser plugins, operating system, and platform
  • Usage information: pages visited, clickstream data, products/services viewed or searched for
  • Interaction data: page response times, download errors, length of visits to certain pages
  • Device information: device type, unique identifiers, and mobile network information
  • Location data based on IP address or, with your permission, more precise GPS location

Information from Other Sources:

  • Social login data when you connect social media accounts
  • Information shared by our business partners or service providers
  • Data from third-party services you’ve authorized to share information with us

3. Lawful Bases for Processing Personal Data

We process personal data based on the following legal bases, as required by applicable data protection laws:

Performance of a contract with you: We process personal data where it is necessary for the performance of a contract with you or in order to take steps at your request before entering into a contract. This includes processing data as required to provide our applications and services to you, including access to and use of our cloud-based services, in accordance with our agreements and terms of service.

Legitimate Interests: We may process your personal data when it is necessary for the purposes of our legitimate interests or those of a third party, provided that these interests are not overridden by your interests or fundamental rights and freedoms. We also make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. Our legitimate interests include the interest in improving and optimizing our services, developing new features, including those with automated processing, conducting and managing our business operations effectively and securely, and marketing and promoting our services.

Consent: We may process personal data based on your explicit consent for specific processing activities. Where we rely on consent, you have the right to withdraw your consent at any time. This basis is typically used for activities such as sending certain marketing communications, where required by applicable law.

Legal Obligations: We process personal data where it is necessary for compliance with a legal obligation to which we are subject. This includes processing data to comply with applicable laws, regulations, governmental requests, and to fulfill any other legal or regulatory requirements.

4. Purposes of Processing Personal Data

We process personal data for various purposes to provide and improve our services, manage our business operations, and communicate with our users:

Purpose Type of data Legal basis and retention period

To provide and improve our applications and services to you, including:

  1. providing access to and functionality of our services
  2. ensuring their proper and efficient functioning
  3. enhancing the overall user experience based on usage patterns and feedback

(a) Identity

(b) Contact

(c) Financial

(d) Transaction

(e) Technical

(f) Profile

(g) Marketing and Communications
  1. Performance of a contract with you: We process your personal data to provide access to our services, enable core features, and deliver functionalities as set out in our terms of service.
  2. Legitimate interest: Using data to develop new capabilities, enhance performance, and innovate to deliver improved technologies and user experiences.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

To communicate with you,

Including

  1. Responding to your inquiries promptly
  2. provide necessary support
  3. send essential service-related communications and updates regarding our service
  4. notifying you about changes to our terms or privacy policy

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications
  1. Performance of a contract with you: We use your data to respond to your queries and provide support and updates necessary for the delivery of our services as agreed.
  2. Legitimate interest: Ensuring effective communication with users to support ongoing service delivery and satisfaction.
  3. Legal obligation: We may be legally required to notify you of certain changes, such as updates to our terms or privacy policy.

This enables us to respond to your inquiries promptly, provide necessary support, and send you essential service-related communications and updates regarding our services.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.
To analyze usage data to gain insights into how our website and applications are utilized

(a) Technical

(b) Usage

(c) Marketing and Communications
  1. Legitimate interest: Understanding user behavior, identifying trends, and optimizing features for a better user experience.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

To maintain the security and integrity of our systems and your data, including

  1. implementing measures to protect platforms and personal information we hold against unauthorized access, potential security threats or malicious activities.

(a) Technical

(b) Profile

(c) Transaction

(d) Usage
  1. Legitimate interest: For provision of IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

To comply with applicable laws, regulations, legal processes or enforceable governmental requests, including:

  1. maintaining records required by law
  2. responding to legal requests from authorities
  3. establishing, exercising or defending legal claims

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications
  1. Necessary to comply with legal obligations
  2. Legitimate interest: Supporting legal compliance and facilitating lawful information disclosure and retention practices.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

For internal business administration purposes including

  1. financial record keeping
  2. accounting
  3. product development
  4. personal management
  5. essential business functions necessary for the operation of our services

(a) Identity

(b) Contact

(c) Financial

(d) Transactional

(e) Profile

(f) Usage
  1. Legitimate interest: For running and developing our business and provision of administration services.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

To send promotional communications, newsletters and information about new features, products or services that may be of interest to you.

You may opt-out of receiving marketing communications at any time.

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications
  1. Legitimate interest: To carry out direct marketing, develop our products/services and grow our business
  2. Consent: Having obtained your prior consent to receiving direct marketing communications.

We retain your personal data only as long as necessary to fulfil these purposes, considering legal, accounting, marketing, analytics, reporting, and service delivery requirements. Retention periods are based on the data’s nature and sensitivity, associated risks, processing needs, and applicable legal obligations.

5. Sharing of Personal Data

We may share your personal data with selected third parties in specific situations, as outlined below:

Service Providers: We may share personal data with third-party vendors and service providers who perform services on our behalf and assist us in operating our business and providing our services. These service providers are contractually bound to process data only in accordance with our instructions and to maintain appropriate security measures. This includes sharing data with cloud hosting providers, such as Amazon Web Services (AWS), which hosts our services, and email communication services, such as SendGrid, which we use to send emails. Categories of service providers may also include entities providing data storage, analytics, customer support, and IT services.

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.

Legal Authorities: We may disclose personal data to law enforcement agencies, governmental authorities, or other third parties if required to do so by law or in response to a valid legal request, such as a court order, subpoena, or government regulation. This is done to comply with our legal obligations and to protect our rights, property, and safety, and the rights, property, and safety of our users and others.

6. International Data Transfers

We may transfer your personal data to countries outside of your jurisdiction where our service providers or partners operate. This may involve transferring personal data to countries which have laws that do not provide the same level of data protection as UK and EU law. If we transfer data internationally, we will do so in compliance with applicable data protection laws to ensure a similar degree of protection is afforded to your personal data.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, as described in the table above. This includes retaining data for the duration required to provide you with our services effectively and to comply with any legal obligations that apply to us. The specific period for which we retain data may vary depending on the nature of the data, the purposes of processing, and applicable legal or regulatory requirements. This may include retaining data for the entire duration of your account’s existence or as stipulated in specific contractual agreements, such as Proof of Concept (POC) agreements.

8. Your Data Protection Rights

Subject to applicable data protection laws, you have certain rights regarding your personal data. We are committed to facilitating the exercise of these rights:

  • Right to Access: You have the right to request a copy of the personal data that we hold about you (commonly known as a “subject access request”) to check that we are lawfully processing it.
  • Right to Rectification: You have the right to request that we correct any personal data that you believe is inaccurate or incomplete.
  • Right to Erasure: You have the right to request the deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Right to Object to Processing: You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object. You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes
  • Right to Request a Transfer: You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Right to Withdraw Consent: You have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Right to Request Restriction: You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
    • If you want us to establish the data’s accuracy;
    • Where our use of the data is unlawful but you do not want us to erase it;
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

To exercise any of these rights, please contact us using the contact details provided in this policy.  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant data protection authority if you have concerns about our data processing practices. In the UK, the regulator for data protection issues is the Information Commissioner’s Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the relevant data protection authority so please contact us in the first instance.

10. Contact Details 

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:

11. If You Choose Not to Provide Certain Information

If you choose not to provide personal data that is necessary for the provision of our services or certain features of our applications or cloud-based services, it may limit your ability to fully utilize those features or access certain parts of our services. We will inform you when data is necessary for a particular service or feature.

 12. Automated Decision-Making

Certain features within our services incorporate automated decision-making processes as part of their core functionality. These features are designed to perform tasks and generate outputs automatically based on algorithms and the data they are trained on or access. This processing may involve personal data, particularly when these features interact with and process data from connected services or sources that store personal data, such as email platforms or other integrated systems.

13.Changes to this privacy policy

We keep our privacy policy under regular review. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

14. Google Integration and Data Use

ZBrain integrates with various Google services to provide enhanced functionality and workflow automation. When you connect your Google account, we access specific data via Google APIs in accordance with this Privacy Policy and the Google API Services User Data Policy, including its Limited Use requirements.

Data We Access

Depending on your configured workflows and connected services, ZBrain may access the following Google user data:

  • Basic Profile Information: Name, email address, and profile picture for authentication and account management.
  • Google Calendar™: Event details such as titles, times, locations, and attendees to enable calendar-based actions.
  • Google Contacts™: Names, email addresses, and phone numbers for contact lookup and automation.
  • Google Docs™: Document content for reading, editing, or appending via workflows.
  • Google Drive™: File and folder names, types, content, and permissions for file-related automation tasks.
  • Gmail™: Metadata and content (e.g., sender, subject, body, attachments) for user-defined email workflows. Gmail data is not used for advertising.
  • Google Sheets™: Spreadsheet content for reading, writing, or updating within workflows.
  • Google Tasks™: Task titles, notes, due dates, and status for task automation.
  • Google Forms™: Form data accessed only when included in your workflows, depending on configuration.

How We Use Your Data

We use your Google data solely to:

  • Authenticate users and manage ZBrain accounts
  • Enable and execute the integrations and features you choose
  • Support troubleshooting (only when authorized)

We do not sell or share your Google data with third parties without consent, store it longer than necessary for functionality, or access or modify it beyond what is explicitly stated.

This version was last updated on 16-06-2025.

See Our Work

OUR WORK