Legal

Privacy Policy.

Privacy Statement for the ZEEVAA Platform (United Kingdom)

Last Updated: 20 May 2026

Scope

This Privacy Statement explains how Ariz Rizvi Real Estate Limited ("ZEEVAA", "we", "us", "our"), including our subsidiaries and authorised service providers, collects, uses, shares and protects personal data when you use our web, mobile, voice and AI-chat services across the zeevaa property platform in the United Kingdom.

It applies to all personal data processed by Ariz Rizvi Real Estate Limited, our affiliates and third-party service providers operating on our behalf in connection with the zeevaa platform offered to users in the UK.

Ariz Rizvi Real Estate Limited is the data controller for the personal data processed under this Statement. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and the Privacy and Electronic Communications Regulations 2003 (PECR).

UK data residency: all personal data of UK users is stored and processed exclusively within the United Kingdom. We do not transfer your personal data outside the UK. Our cloud infrastructure, AI processing, backups and operational support for UK users are all delivered from UK-based data centres and UK-based teams (or by sub-processors operating under UK-only data residency commitments).

1. Principles We Follow

  • Data protection by design and by default — we embed privacy considerations from the design stage and throughout the lifecycle of every product and process, and collect only the personal data necessary to deliver and improve our services.
  • Security — we apply industry-standard encryption, identity controls and secure UK-based infrastructure.
  • Transparency & control — you can access, correct, port, restrict, object to or request deletion of your personal data in accordance with your rights under the UK GDPR (see Section 7).
  • Accountability — we maintain records of our processing activities, carry out Data Protection Impact Assessments where required, and can demonstrate compliance with the UK data protection principles.

2. Data We Collect by Persona

A. Buyers and Renters

What we collect: account details; voice/text queries; location data; lifestyle and "vibe" preferences; saved searches; viewing history; financial documents for straight-through processing (STP), including Open Banking tokens (provided via FCA-authorised Account Information Service Providers under the Payment Services Regulations 2017); and Know Your Customer (KYC) / Anti-Money Laundering (AML) information required under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. For tenancy applications we may also collect information required to carry out Right to Rent checks under the Immigration Act 2014.

Why: personalised search, recommendations, neighbourhood intelligence, 3D/AR walkthrough optimisation, mortgage readiness checks and statutory eligibility checks.

Lawful basis (UK GDPR Article 6): Consent; Performance of a Contract; Legitimate Interests; or Legal Obligation, depending on the activity. Where we rely on Legitimate Interests, we have carried out a Legitimate Interests Assessment which is available on request. KYC/AML and Right to Rent checks are processed on the basis of Legal Obligation.

B. Sellers and Developers

What: property images, descriptions, unit availability, pricing, marketing assets, staff contact details and scheduling information.

Why: listing creation, AI-optimised marketing, dynamic pricing and automated viewing coordination.

Lawful basis: Performance of a Contract and Legitimate Interests.

C. Investors and Institutional Users

What: portfolio holdings, investment goals, alerts, transaction history and risk preferences.

Why: yield analytics, Automated Valuation Model (AVM) inputs, predictive ROI modelling and portfolio insights.

Lawful basis: Performance of a Contract and Legitimate Interests.

D. Agents and Vendors

What: agent IDs, client interaction logs, vendor business details, service categories and reviews.

Why: lead management, marketplace publishing, scheduling, fulfilment and performance analytics.

Lawful basis: Performance of a Contract and Legitimate Interests.

Children

Our services are not directed at children under 18. Where any part of our platform is likely to be accessed by children, we apply the ICO's Age Appropriate Design Code and the "children's higher protection matters" duty introduced by the Data (Use and Access) Act 2025, including stronger default settings and additional safeguards on profiling and automated decision-making.

3. Artificial Intelligence and Automated Decision-Making

  • Models used: we operate a combination of local Small Language Models (SLMs) and cloud-based AI models hosted within the United Kingdom to support semantic search, AVM, content generation and workflow automation. All AI processing of UK user data takes place on UK infrastructure.
  • Generative AI: images you upload may be processed to enhance quality, generate staging suggestions or create alternative design visualisations.
  • Predictive models: AVM, yield analytics and risk overlays provide estimates only and do not constitute regulated financial advice under the Financial Services and Markets Act 2000.
  • Solely automated decisions: certain STP eligibility checks, KYC/AML screening and affordability decisions may be made by solely automated means. Where such a decision produces legal or similarly significant effects for you, you have the right under Article 22 of the UK GDPR (as amended by the DUAA) to:
    • obtain meaningful information about the logic involved;
    • request human intervention from a member of our team;
    • express your point of view; and
    • contest the decision.

Requests can be made to contact@zeevaa.ai.

4. How We Share Data

We do not sell personal data. We share data only to deliver and improve our services with:

  • Financial institutions and FCA-regulated providers for STP, mortgage processing, affordability checks, Open Banking, payment processing and AML/KYC verification.
  • UK-based cloud infrastructure providers for hosting, compute, storage and AI processing, all operating under UK data residency commitments.
  • Mapping and geospatial service providers for location-based features.
  • Vendors and marketplace partners when you request quotes or services.
  • Regulators, public bodies and law enforcement, including HMRC, the Home Office, the National Crime Agency, the FCA and the ICO, where we are required or permitted to do so by law (including AML/KYC, Right to Rent and Suspicious Activity Report obligations).

Cross-border transfers: we operate a UK data residency model for the ZEEVAA platform. Personal data of UK users is stored and processed within the United Kingdom only, and we do not routinely transfer your personal data outside the UK. Where, in exceptional and limited circumstances, an international transfer becomes necessary (for example, to comply with a legal obligation or to deliver a service you have specifically requested), we will only do so where an appropriate transfer mechanism is in place under Articles 44–49 of the UK GDPR (such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses), supported by a Transfer Risk Assessment.

5. Technical Data and Analytics

Automatically collected: IP address, device identifiers, session logs, spatial interaction data from 3D/AR walkthroughs, and AI-chat logs. Personal data is removed or pseudonymised from AI-chat logs before they are used for model training or evaluation.

Purpose: security, fraud detection, product improvement, personalisation and analytics.

Lawful basis: Legitimate Interests for analytics and product improvement; Legal Obligation for security and fraud monitoring where applicable; Consent for non-essential cookies and tracking (see Section 8).

6. Security and Retention

Security controls: Identity and Access Management, encryption in transit and at rest, role-based access, secure key management, logging, monitoring, anomaly detection and regular penetration testing across our UK-based infrastructure. We notify the ICO of any personal data breach that is likely to result in a risk to the rights and freedoms of individuals within 72 hours of becoming aware of it, in accordance with Article 33 of the UK GDPR, and notify affected individuals where the breach is likely to result in a high risk.

Retention:

  • Financial and transaction records, KYC/AML evidence and Right to Rent records: retained for the periods required by UK law (typically 5–7 years).
  • Search and preference data: anonymised after 2 years of inactivity.
  • Account data: retained for the duration of your account, plus a reasonable period thereafter to handle disputes, exercise legal rights and meet regulatory obligations.
  • Other data: retained based on legal, regulatory or operational requirements documented in our internal retention schedule.

7. Your Rights and Choices

Subject to the conditions set out in the UK GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold about you, including your Buyer Passport.
  • Rectification — have inaccurate or incomplete personal data corrected.
  • Erasure ("right to be forgotten") — request deletion where one of the grounds in Article 17 applies and we are not required to retain the data.
  • Restriction of processing — restrict how we use your data in certain circumstances.
  • Data portability — receive your data in a structured, commonly used and machine-readable format.
  • Object — including objecting to processing based on Legitimate Interests or to direct marketing at any time.
  • Withdraw consent — at any time where we rely on consent, without affecting the lawfulness of processing before withdrawal.
  • Not be subject to solely automated decision-making producing legal or similarly significant effects, and to request human review (see Section 3).
  • Opt out of training of our local AI models with your personal data.

How to exercise your rights: contact contact@zeevaa.ai or use the privacy controls in your account settings. We will respond within one month, with the possibility of extending by a further two months for complex requests (and we will tell you if we do).

Right to complain to ZEEVAA: in line with section 164A of the Data Protection Act 2018 (in force from 19 June 2026), you have a right to complain directly to us if you believe we have infringed your data protection rights. You can submit a complaint by emailing contact@zeevaa.ai or using the complaints form on our website. We will acknowledge your complaint within 30 days and respond to it without undue delay.

Right to complain to the regulator: if you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

You may also seek a judicial remedy through the UK courts.

8. Cookies and Tracking

We use cookies and similar storage and access technologies for authentication, security, analytics and personalised content. In line with PECR (as updated by the Data (Use and Access) Act 2025) and the ICO's April 2026 guidance on storage and access technologies, we obtain your consent for non-essential cookies before they are set, and rely on the statutory exceptions for strictly necessary, certain analytics and limited other categories where permitted. You can manage your preferences at any time through our cookie settings panel.

9. Third-Party Services and Links

Our platform integrates third-party services such as payment processors, mapping APIs, identity verification providers, CRM systems and analytics tools. Each third party maintains its own privacy practices; we have contractual safeguards in place under Article 28 of the UK GDPR (where they act as processors) to ensure data is used only for service delivery.

10. Changes to This Statement

We may update this Privacy Statement to reflect product, regulatory or operational changes. The revised "Last Updated" date will be published, and material changes will be communicated to affected users in advance where reasonably practicable.

11. Contact and Data Protection Officer

Data Protection Officer: contact@zeevaa.ai

For any rights requests, complaints or queries about how we handle your personal data, please contact our Data Protection Officer using the details above. You also have the right to complain to the ICO (see Section 7).