
Zoul Privacy Policy
Effective Date: November 14, 2025
Version: 1.2
Entity: Zoul ESG FZCO, Dubai Silicon Oasis, Dubai, United Arab Emirates (“Zoul,” “we,” “our,” “us”)
This Privacy Policy explains how Zoul collects, uses, shares, stores, and protects personal data when you use our mobile applications, websites (including zoul.app, zoulmeditation.com, and local language domains), and related services (the “Platform”). We comply with applicable laws including the EU GDPR, UK-GDPR, UAE PDPL, and relevant US state privacy laws.
By using the Platform, you agree to this Policy. If you do not agree, do not use the Platform.
1) Who We Are & Roles
Data Controller. For individual consumer use of the Platform, Zoul ESG FZCO is the data controller.
Data Processor (Enterprise). Where we process personal data on behalf of an enterprise customer under a written agreement, Zoul acts as a data processor and the customer is the controller. Processing in that context is governed by the applicable Data Processing Addendum (DPA).
Contact (Privacy): support@zoul.app
Registered Office: Dubai Silicon Oasis, Dubai, United Arab Emirates
(If a postal address is required for a specific request, contact us at the email above.)
2) What We Collect
We collect the minimum data necessary to operate and improve the Platform:
- Account Data: name, email, password, authentication logs, preferences.
- Payment & Billing: billing details and transaction metadata. Card data is processed by payment processors (e.g., Apple, Google, Stripe); we do not store full card numbers.
- Wellness & Usage Signals: meditation duration, session logs, sleep playback, mood inputs, in-app actions, timestamps, crash logs.
- Device/Technical: IP address, device identifiers, OS, app version, language, time zone, browser type, referrer/UTM, network diagnostics.
- Cookies/SDKs: strictly necessary cookies/SDKs; analytics cookies only with consent (see Section 10).
- Support & Communications: survey responses, tickets, chat/email with Zoul, feedback.
- Optional Permissions (with consent): microphone/camera for specific features; you can revoke in device settings.
- Third-Party Sources: app stores, anti-fraud services, analytics (aggregated), and identity providers (e.g., Apple/Google SSO) as authorized by you.
Sensitive categories. We do not collect special category data such as religion, political views, or sexual orientation. Wellness signals above may qualify as sensitive under GDPR/PDPL; we treat them with enhanced safeguards (see Section 11). We only process clinical health data with explicit consent if ever required by law.
Children. We do not knowingly collect personal data from children below the minimum lawful age in their country (EU 16, UK 13, UAE 18). See Section 14.
3) How We Use Data (Purposes & Legal Bases)
| Purpose | Examples | Legal Basis |
|---|---|---|
| Marketing (non-essential) | emails, promotions, remarketing | Consent where required; Legitimate Interests otherwise |
| Communications | service announcements, support replies | Legitimate Interests; Contract |
| Product Improvement & Analytics | feature usage, quality, performance | Legitimate Interests; Consent (where required for analytics cookies/SDKs) |
| Security & Abuse Prevention | authentication, rate-limiting, incident response | Legitimate Interests; Legal Obligation |
| Payments & Subscriptions | process purchases, receipts, fraud checks | Contract; Legal Obligation |
| Provide the Platform | account creation, session playback, personalization | Contract (Art. 6(1)(b)); Legitimate Interests |
Where we rely on Legitimate Interests, we perform a balancing test and implement controls to protect your rights.
4) AI Use & Training Controls
- Outputs & Inputs. Content you input into AI features and outputs you receive are treated as User Content under our Terms.
- No identifiable training. We do not use your personal data in a form that identifies you to train our models. We may use de-identified or aggregated data to improve AI features.
- Your control. You can manage contribution of de-identified content for AI improvement in Settings → Privacy → AI Training (where available).
- Sensitive inputs warning. Do not submit confidential or sensitive health information into free-text prompts.
- No professional advice. AI outputs may be inaccurate or incomplete and must not be relied on for medical, legal, or financial decisions.
5) Sharing & Recipients
We share personal data only as needed, under contracts requiring confidentiality and security:
- Service Providers/Sub-processors: cloud hosting, storage, analytics, crash reporting, messaging, payments, AI infrastructure.
- App Stores / Payment Facilitators: Apple/Google for in-app transactions (they are the merchant of record).
- Enterprise Customers: when we act as processor, per the customer’s instructions.
- Corporate Transactions: merger, acquisition, or asset transfer under confidentiality.
- Legal/Compliance: to comply with law, enforce terms, or protect rights, safety, and security.
- With Your Direction/Consent.
A current list or categories of sub-processors is available on request and may be posted on our website. We will notify users of material changes where required.
6) International Transfers
Where data is transferred outside your jurisdiction, we use appropriate safeguards:
- EEA/UK → third countries: EU Standard Contractual Clauses (SCCs) and UK IDTA/Addendum, plus supplementary measures.
- Onward transfers by vendors: contractually restricted and monitored.
Copies or a description of safeguards are available upon request where permitted by law.
7) Retention & Deletion
We keep data only as long as necessary for the stated purposes:
- Account & Billing: up to 7 years (tax/audit).
- Support Communications: up to 24 months.
- Analytics/Telemetry: up to 13 months, then anonymized.
- Wellness Signals: for the life of your account unless you delete them or your account.
Account deletion. On confirmed deletion:
- Live systems: removed within 30 days.
- Encrypted backups: purged within 30–90 days, unless longer is required for legal claims, fraud prevention, or compliance.
8) Your Rights
Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to processing, and to withdraw consent without affecting prior lawful processing.
- Submit requests at support@zoul.app. We aim to respond within 30 days.
- If your request is denied, you may appeal by replying to our response.
- You can also complain to your local supervisory authority (e.g., ICO in the UK, or your EEA DPA).
9) US State Privacy (CPRA and similar)
- Do Not Sell/Share. Zoul does not sell personal information. Certain disclosures for advertising may be deemed “sharing/targeted advertising” in some states. You may opt out via a Your Privacy Choices link where applicable. We honor Global Privacy Control (GPC) signals.
- Sensitive Information. If processed, we limit use to permitted purposes and do not use it to infer characteristics.
- Authorized Agents, Appeals, Non-discrimination. Supported as required by state law.
10) Cookies & Similar Technologies
- Strictly Necessary: login, load balancing, security.
- Analytics/Performance: only with consent in jurisdictions that require it.
- Manage preferences via our Cookie Settings link or your browser. We honor GPC where applicable. See our separate Cookie Policy for details.
11) Security
We implement organizational and technical controls aligned with industry standards (e.g., ISO/IEC 27001/27002-aligned controls), including:
- Encryption in transit (TLS 1.2+) and at rest (e.g., AES-256).
- Least-privilege access, MFA for admins, key management.
- Logging, monitoring, vulnerability management, and regular testing (including pen-tests).
- Vendor due diligence and contractual safeguards.
Breach notification. If a breach likely risks your rights and freedoms, we will notify authorities and affected users as required by law (e.g., GDPR 72-hour rule).
12) Automated Decision-Making & Profiling
We do not make decisions producing legal or similarly significant effects solely by automated means.
We may use limited profiling for personalization and service improvement; you may request to opt out of non-essential personalization where available.
13) Enterprise & Education Accounts
For accounts provisioned by an organization, the organization controls Customer Personal Data and our processing is governed by the DPA with that organization.
Exercise your rights through your organization; we will assist as required.
14) Children’s Privacy
Minimum ages: EU 16, UK 13, UAE 18 (or higher if local law requires).
If we learn we collected data from a child below the applicable minimum without verifiable parental consent, we will delete it.
15) Marketing Choices
- Emails: unsubscribe via footer link or settings.
- Push Notifications: disable in device settings.
- Analytics/Ads Cookies: manage in Cookie Settings.
16) Accessibility & Language
We aim to support accessibility best practices (e.g., WCAG 2.1 AA where feasible).
This Policy may be translated for convenience; the English version controls in case of conflict.
17) Changes to This Policy
We will post updates here. Material changes will be notified by email and/or in-product notice with reasonable advance notice. Continued use after the effective date constitutes acceptance.
- View previous versions: available from our Policy archive page (or on request).
- Current version: 1.2 (Revised), effective November 14, 2025.
18) Contact Us
Zoul ESG FZCO
Dubai Silicon Oasis, Dubai, United Arab Emirates
Privacy: support@zoul.app
General Support: support@zoul.app
Line: @zoul
WhatsApp: +44 7301 426 350
Jurisdiction-Specific Addenda (Summaries)
EEA/UK Addendum
Controller: Zoul ESG FZCO (see Section 1).
EU/UK Representative: If required by law at a later stage, we will appoint and publish details; until then, contact support@zoul.app.
Transfers: SCCs/IDTA with supplementary measures.
Rights: access, rectification, erasure, restriction, portability, objection, and complaint to your DPA/ICO.
US State Addendum
Opt-outs available via Your Privacy Choices where applicable; GPC honored.
No “sale” of personal information; limited “sharing” only with your controls.
Sensitive data limited to permitted purposes.
UAE PDPL Notice
We apply data minimization, purpose limitation, and security measures required by PDPL.
Cross-border transfers use recognized safeguards (contracts and technical measures).
