Legal
Privacy Policy
Last updated: July 15, 2026
zeldaLabs LLC FZ (“zeldaLabs”, “we”, “our”, “us”) is committed to safeguarding the privacy and security of the personal data entrusted to us by visitors to zeldalabs.com, customers of our products and services, Lab Partners, podcast listeners, and other contacts.
This Privacy Policy describes how we handle personal data in connection with our website, AI products (including AskZelda), the townHall Sessions podcast, the Lab Partners programme, and the services we provide (the “Services”).
This Privacy Policy is aligned with applicable data protection laws, including:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
- EU General Data Protection Regulation (Regulation (EU) 2016/679) and UK GDPR, where applicable to visitors located in the EEA or the United Kingdom
- Any other regulations applicable to the jurisdictions in which we operate or to which the Services are directed
By using the Services, you acknowledge the practices described in this Policy. Where the law requires consent, we will ask for it explicitly (for example, before loading non-essential cookies or before subscribing you to our newsletter).
1. Categories of Data Processed
Depending on how you interact with us, we may process the following categories of data:
1.1 Contact and Account Data
- Name, email address, company or institution, and any message content you provide through our contact form, Lab Partners application form, or paper-request form.
- Email address provided when you subscribe to our newsletter.
1.2 AskZelda Interaction Data
- The text of any question you ask through the AskZelda assistant.
- A session identifier (the
askzelda_sidcookie), kept for up to 30 days from your last AskZelda interaction, used to group consecutive questions from the same browser and to enforce the daily question and feedback limits. - A daily-rotating, one-way hash derived from your network address, used solely to enforce fair-use limits on the assistant. It is not reasonably reversible to your IP address, is never combined with other data, and expires within a day (expired records are automatically deleted shortly afterwards). Raw IP addresses are not stored.
- The corresponding generated answer and metadata about the exchange (such as timestamp, success/error status, response latency, and the site pages cited), together with any feedback you give on an answer (thumbs up or down and an optional reason).
- If you attach a document, the file itself is processed transiently to generate the answer and is not stored; we retain only its file name, type, and size.
1.3 Analytics and Usage Data
Only if you give consent through the cookie banner, we collect pseudonymous data about how you use the site, including:
- Pages viewed, scroll depth, and engagement time on each page.
- Interactions with key surfaces: for example, opening AskZelda, sending an AskZelda message (length only, not the message text), clicking a podcast platform link, playing the Lab Podcasts hero voiceover, and clicking outbound or call-to-action links.
- Coarse geographic information (typically country and city) derived by Google Analytics from your network address.
Raw IP addresses are not retained by zeldaLabs. Google Analytics 4 anonymises IP addresses by default, as a property of the platform rather than a setting we apply.
What consent governs here is the pseudonymous record: the ability to attribute a sequence of actions to one visitor over time. The same interactions are also counted, without consent, as anonymous totals that belong to no one — see 1.4. Consenting does not add a category of interaction we would not otherwise count; it adds the thread that joins them together.
1.4 Cookieless Audience Measurement
Independently of the consent-based analytics described above, we operate our own first-party measurement for every visitor. It is designed so that no personal data is created or stored, and therefore does not rely on your consent:
- Nothing is written to your device: no cookie, no local or session storage, and no visitor identifier of any kind, including hashed, encoded, or otherwise pseudonymised identifiers.
- Your IP address and user-agent are evaluated during the request only, to identify automated traffic and to resolve a country code, and are then discarded. Neither is stored.
- What is retained is limited to aggregate daily counters: the number of views per page, the number of visits per referring website domain, the number of visits per country, the number of browser tabs that began a visit, the volume of automated traffic, and the number of times an interaction occurred — for example a scroll depth being reached, an outbound link being followed, or an AskZelda message being sent (a length range only, never the message text).
- Each counter is an independent running total. None of them is joined to any other, so the counters for a given day cannot be reassembled into an individual visit or sequence of actions.
Counting the tabs that begin a visit allows us to estimate how many visits a day's page views represent. It does not recognise a returning visitor and is not capable of doing so, which would require an identifier we do not create.
Because these counters are aggregate totals that cannot be attributed to, or linked back to, any individual, they do not constitute personal data under the UAE Personal Data Protection Law or the GDPR, and no individual rights attach to them. This data is held in our own infrastructure and is never sold, shared with advertisers, or used for cross-site tracking or profiling.
1.5 Technical and Log Data
- Standard server logs generated by our hosting provider (AWS Amplify), which may include request paths, response codes, user-agent strings, and timestamps.
- Error and diagnostic logs produced by our application code, used to detect and fix bugs.
1.6 Third-Party or Integrated Data
Where you reach us via a partner organisation, a referral, or an event, we may receive limited contact information from that source, used solely to follow up on the introduction.
2. Purpose and Legal Basis of Processing
zeldaLabs processes personal data only for the following purposes, and on the legal bases indicated:
- Service delivery: to operate the website, AskZelda, and our products and services, including answering your questions and managing the Lab Partners programme. Basis: performance of a contract or pre-contractual steps; legitimate interests.
- Communications: to reply to enquiries, send transactional and programme emails, and (with your consent) deliver newsletter content. Basis: consent for marketing; legitimate interests for transactional replies.
- Improvement and research: to understand how the site and AskZelda are used and to improve them. Where we use AskZelda transcripts for quality review or model improvement, we work with de-identified data where practicable. Basis: legitimate interests; consent for analytics cookies.
- Compliance and security: to prevent abuse, protect against fraud and unauthorised access, and comply with legal obligations. Basis: legitimate interests; legal obligation.
3. Data Sharing and Disclosure
zeldaLabs does not sell personal data and does not share it with advertising networks. We share data only with the following categories of recipients:
- Service providers acting on our behalf, including: Amazon Web Services (Amplify hosting, and DynamoDB in region eu-north-1, used for Lab Partners, newsletter, paper-request, and AskZelda records: questions, answers, feedback, and rate-limit counters); Google LLC (Gemini API for generating AskZelda answers, and Google Analytics for site usage measurement subject to your consent); Google Workspace / Gmail (for transactional and reply emails).
- Legal authorities, where disclosure is required by law, regulation, or judicial order applicable to us.
- Successors in interest, in connection with a merger, acquisition, or transfer of assets, subject to equivalent confidentiality safeguards.
All processors are bound by contractual obligations equivalent to those required of zeldaLabs under applicable data protection law.
4. Data Protection and Security
zeldaLabs maintains administrative, technical, and organisational safeguards designed to:
- Protect personal data against unauthorised access, alteration, loss, or disclosure.
- Restrict access to personal data to authorised personnel only, on a need-to-know basis.
- Encrypt data in transit (TLS) and at rest where supported by the underlying platform.
In the event of a confirmed data breach affecting personal data, zeldaLabs will notify affected individuals and, where required, the competent supervisory authority, within the timeframes required by applicable law.
5. Data Retention and Deletion
- Contact and Lab Partners submissions: retained for up to 24 months after last contact, then deleted unless we have a continuing contractual or legal reason to keep them.
- AskZelda transcripts: retained for up to 90 days for quality, abuse, and safety review, then deleted. De-identified extracts may be retained longer for product improvement.
- Newsletter subscribers: retained until you unsubscribe via the link in any email or at /unsubscribe.
- Analytics data: retained in Google Analytics for up to 14 months at the user-level; aggregated reports may be retained longer.
- Cookieless measurement counters: the IP address and user-agent used to produce them are discarded within the request and never stored. The resulting aggregate daily counts contain no personal data, so no deletion period applies to them and they may be kept indefinitely as anonymous statistics.
- Server and error logs: retained for up to 90 days for operational and security purposes.
6. Rights of Users
Subject to applicable law, you have the right to:
- Access and obtain a copy of the personal data we hold about you.
- Request rectification or correction of inaccurate data.
- Request deletion of personal data, subject to contractual or legal retention requirements.
- Object to or restrict processing carried out under legitimate interests.
- Request portability of data you provided to us in a structured, commonly used format.
- Withdraw consent at any time, where consent is the legal basis, including cookie consent, which you can revoke at any moment via the “Cookie settings” link in the footer.
Requests may be submitted by emailing townsquare@zeldalabs.com. You also have the right to lodge a complaint with a supervisory authority in your country of residence.
7. Cookies
For details on the specific cookies this site uses and how to change your choice, see the Cookie Policy.
8. International Data Transfers
Some of our service providers are located outside the United Arab Emirates, in particular within the European Economic Area and the United States. Where personal data is transferred internationally, zeldaLabs relies on the providers’ standard contractual clauses, equivalent safeguards, or recognised adequacy decisions, in line with applicable law.
9. Children's Data
The Services are not directed at children. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected such data, we will delete it promptly.
10. Policy Updates
This Privacy Policy may be revised from time to time to reflect changes in law, technology, or our practices. Material updates will be reflected in the “Last updated” date at the top of this page and, where appropriate, communicated through the website or by email.
11. Contact Details
For all privacy-related queries, rights requests, or concerns, please contact:
zeldaLabs LLC FZ
Meydan Free Zone, Dubai, United Arab Emirates
Email: townsquare@zeldalabs.com