Privacy Policy

Zeal Global Inc. operates the Zeal AI Legal Intelligence Platform. This policy explains what data we collect, how we process it, how we protect it, and what rights you have over it. We have written this document to be read, not merely filed.

Effective Date

January 1, 2026

Controller

Zeal Global Inc.

Privacy Contact

privacy@zealdocs.com

Section 01

Introduction and Scope

Zeal Global Inc. ("Zeal," "we," "our," or "us") provides the Zeal AI Legal Intelligence Platform, a software-as-a-service product that helps legal and commercial teams manage, analyze, and act on contract data using artificial intelligence. This Privacy Policy applies to all users of the Platform, visitors to our public website at zeal.us, and individuals whose data is processed in connection with the services we provide to our enterprise customers.

This policy governs our practices as a data controller -- that is, when we determine the purposes and means of processing personal data. When we process personal data on behalf of enterprise customers as part of delivering the Platform, we act as a data processor, and our obligations in that role are governed by the Data Processing Addendum (DPA) executed with each enterprise customer.

By using the Platform or our website, you acknowledge that you have read and understood this policy. If you are accessing the Platform on behalf of an organization, that organization is responsible for ensuring that the individuals whose data it submits to Zeal have been informed of, and have agreed to, the applicable data practices described here and in any applicable DPA.

This policy does not apply to third-party products, services, or websites that may be linked from the Platform or our website. We encourage you to review the privacy policies of any third parties you interact with.

Section 02

Information We Collect

We collect information in several categories depending on how you interact with Zeal.

Account and Identity Information

When you or your organization creates an account on the Platform, we collect information necessary to establish and manage that account. This includes your name, work email address, job title, organization name, and authentication credentials. For organizations using single sign-on, this information may be received from your identity provider. We also collect billing contact information, including name, address, and payment method details for paid accounts. Payment processing is handled by a third-party payment processor; Zeal does not store full card numbers.

Contract Data

The core function of the Platform is to process contracts and related legal documents that you upload or connect to the Platform. This contract data may include the full text of agreements, supporting schedules, amendments, correspondence, extracted clause libraries, and structured metadata you add. Contract data may contain personal data about individuals named in those documents, including counterparty representatives, signatories, and individuals referenced in obligation or notice provisions.

You retain ownership of all contract data you submit to the Platform. Zeal processes this data solely to provide the services you have requested and as described in this policy and any applicable DPA.

Usage Data and Analytics

We collect data about how you interact with the Platform: which features you use, how frequently, the searches and queries you submit, workflow actions you take, and the outputs or reports you generate. This information is used to improve the Platform, provide customer support, and understand aggregate usage patterns. We do not build individual behavioral profiles for advertising purposes.

Technical Data

We automatically collect certain technical data when you access the Platform or website. This includes IP address, browser type and version, operating system, device type, referring URL, and session identifiers. This data is used for security monitoring, fraud prevention, service reliability, and aggregate traffic analysis. IP addresses are retained in log form and are subject to the retention schedule described in Section 8.

Communications Data

If you contact us by email, through in-product support channels, or by submitting a form on our website, we collect the content of that communication and any identifying information you provide. We use this data to respond to your inquiry and to improve our support processes. Support conversations may be reviewed by our team for quality assurance, subject to confidentiality obligations.

Section 03 - Critical

AI-Specific Data Handling

This section addresses the questions we hear most often from enterprise legal and privacy teams: what happens to contract data when the AI systems touch it, where does it go, and can it affect other customers. We answer each question directly.

How Contract Data Is Processed by AI Systems

When you query the Platform -- asking it to extract a clause, identify risk, summarize an agreement, or run a workflow -- the relevant portions of your contract data are passed to AI systems for processing. We use retrieval-augmented generation: a vector search retrieves the most relevant document segments for the task, and those segments are included in the context provided to a large language model. Only the segments relevant to the specific task are retrieved and submitted. We do not submit entire contract libraries to a model in a single call.

What Data Is Sent to LLMs and How It Is Handled

Contract text submitted to a large language model is used solely to produce the output you have requested. Zeal operates under data processing agreements with each AI model provider used in production. Those agreements include: (a) zero data retention beyond the immediate inference call, meaning the provider does not store the submitted text after the response is returned; (b) explicit prohibitions on using submitted data to train, fine-tune, or otherwise improve the provider's shared models; and (c) confidentiality obligations covering the content of inference calls. Zeal's use of your contract data for AI inference is strictly purpose-limited to the tasks you initiate.

Data Isolation Between Customers

Your contracts are never accessible to other customers and are never used to train models that other customers benefit from. Isolation is enforced at multiple layers. Each customer's data is stored in a separate logical partition in Zeal's databases. Retrieval operations are scoped to the requesting customer's namespace -- a query from Customer A cannot retrieve documents belonging to Customer B. Inference calls are constructed with only the requesting customer's data in context. There is no shared conversation history, no shared cache of retrieved results, and no mechanism by which one customer's contract language can influence the outputs produced for another customer.

Vector Database Storage: Embeddings and Customer Namespaces

To enable fast semantic search across your contracts, Zeal generates vector embeddings of your documents and stores them in a vector database. Embeddings are mathematical representations of text; they capture meaning and semantic relationships but do not reconstruct the original text. Each customer's embeddings are stored in a customer-specific namespace that is logically isolated from all other customers. Namespace access is enforced by the application layer and audited. Embeddings are retained for the duration of your subscription and are permanently deleted, along with source documents, when your account is closed or when you request deletion under Section 8.

Agent Fleet Data Processing

The Zeal Platform includes an agent fleet -- automated AI agents that can take sequences of actions on your behalf, such as monitoring for contract milestones, drafting summaries, populating fields, routing documents, or triggering integrations. Each agent operates within the permission scope granted to it by your organization's administrators. Agents access only the contract data, metadata, and system integrations that fall within their configured scope. Agent actions are logged in a structured audit trail that records what the agent accessed, what action it took, when, and the result. These logs are visible to your administrators in the Platform and are retained according to the data retention schedule in Section 8. Agents do not retain inter-session memory of contract content beyond what is explicitly stored in your account.

Model Training Clarification

Zeal does not use customer contract data to train, fine-tune, distill from, or otherwise update shared AI models -- whether those models are developed by Zeal, by an AI provider, or by any third party. This is a firm contractual commitment, not an operational preference. Enterprise Data Processing Addenda include explicit provisions prohibiting training use of customer data. If this commitment is material to your organization's vendor evaluation, we will provide the relevant DPA language on request.

Section 04

How We Use Information

We use the information we collect for the following purposes:

  • Providing the Platform: Processing your contract data, running AI analysis, executing agent workflows, generating outputs, and making the Platform available to your authorized users.
  • Account and relationship management: Creating and administering your account, communicating about your subscription, sending service notices, and managing billing.
  • Security and fraud prevention: Detecting and investigating unauthorized access, abuse, or threats; enforcing our terms of service; and protecting the integrity of the Platform.
  • Product improvement: Analyzing aggregate, de-identified usage patterns to understand how the Platform is used and where it can be improved. This analysis uses aggregate behavioral data, not the content of your contracts.
  • Customer support: Diagnosing and resolving issues you report; providing technical assistance; and improving our support processes.
  • Legal compliance: Complying with applicable law, responding to lawful requests from public authorities, and establishing, exercising, or defending legal claims.
  • Communications: Sending you updates about the Platform, including new features, policy changes, and security notices. You may opt out of non-essential communications at any time.

Section 05

Data Sharing

Zeal does not sell personal data. We do not share personal data with third parties for their independent marketing or advertising purposes. The circumstances in which we share data are limited to the following.

Service Providers

We engage third-party service providers to help us deliver and operate the Platform. These providers process data only on our behalf and only for the purposes we direct. They are contractually prohibited from using the data for any other purpose. Categories of service providers include:

  • Cloud infrastructure providers (hosting, storage, compute)
  • AI model providers (for inference only, under zero-retention agreements as described in Section 3)
  • Vector database providers (storing customer-namespaced embeddings)
  • Authentication and identity management providers
  • Payment processing providers (who handle card data directly; Zeal does not receive or store full payment card numbers)
  • Customer support and communication platforms
  • Security monitoring and logging services

The full list of sub-processors is disclosed in Zeal's Data Processing Addendum. Enterprise customers are notified of sub-processor changes in advance and have the right to object as provided in the DPA.

Legal Requirements

We may disclose information if we believe in good faith that disclosure is required by applicable law, regulation, court order, or other lawful process. Where permitted, we will notify the affected customer before disclosing and will seek to limit the scope of any required disclosure. We will not disclose customer contract data in response to government requests unless legally compelled to do so and, where possible, will challenge requests that appear overbroad or lacking legal foundation.

Business Transfers

If Zeal is involved in a merger, acquisition, asset sale, or similar corporate transaction, customer data may be transferred as part of that transaction. We will provide notice of any such transfer and any resulting material changes to data handling practices. Any acquiring entity will be required to honor the privacy commitments made in this policy and in applicable DPAs.

No Sale of Personal Data

Zeal does not sell personal data. Zeal does not share personal data with third parties for cross-context behavioral advertising. This applies to all data categories, including usage data, technical data, and contract data.

Section 06

Cookies and Tracking Technologies

Zeal uses cookies and similar technologies on our website and Platform for the purposes described below.

Strictly necessary cookies

Required for the Platform to function. These include session authentication tokens, CSRF protection tokens, and preferences you have set. These cannot be disabled without breaking Platform functionality.

Functional cookies

Used to remember preferences and settings (such as display language, notification preferences, and UI state) to improve your experience across sessions.

Analytics cookies

Used to understand how the Platform and website are used in aggregate. Analytics data is collected in a privacy-preserving manner and is not linked to individual identity for advertising purposes. You may opt out of analytics cookies through our cookie preference center.

Security cookies

Used to detect and prevent fraudulent or unauthorized activity, including bot detection and rate limiting.

You can manage cookie preferences at any time through our cookie preference center, accessible from the footer of our website. Rejecting non-essential cookies will not affect your ability to use the Platform. We do not use cookies to build advertising profiles or to track you across unrelated websites.

We do not respond to Do Not Track (DNT) browser signals because there is no consistent industry standard for what such a signal should mean. California residents may exercise their opt-out rights as described in Section 11.

Section 07

International Data Transfers

Zeal is headquartered in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States and potentially in other jurisdictions where Zeal or its service providers operate.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, Zeal relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. Zeal's Data Processing Addendum incorporates the SCCs published by the European Commission under Implementing Decision (EU) 2021/914, including the relevant modules for controller-to-processor transfers. For UK transfers, Zeal uses the UK International Data Transfer Addendum to the EU SCCs.

Zeal also conducts Transfer Impact Assessments (TIAs) for transfers to third countries where required. These assessments evaluate the legal framework of the destination country and identify supplementary technical and organizational measures applied to mitigate transfer risk. Where Zeal determines that adequate protection cannot be ensured for a given transfer, we will not make that transfer without implementing appropriate safeguards.

Enterprise customers who require data residency within the EU or UK may elect EU-region processing in their enterprise agreement, which limits primary storage and AI processing to EU-based infrastructure. See the Data Residency section of our Security page for details.

Section 08

Data Retention and Deletion

We retain data only for as long as necessary to provide the Platform, meet legal obligations, resolve disputes, and enforce our agreements. The following schedule describes our default retention periods.

Data Category: Default Retention

  • Contract data (uploaded documents, extracted data): Duration of subscription, plus 30 days post-termination grace period
  • Vector embeddings: Duration of subscription; deleted with source documents on termination or upon deletion request
  • Agent action logs: 24 months from the date of action
  • Account and identity information: Duration of account, plus 90 days after account closure
  • Usage and analytics data: 36 months from collection
  • Technical logs (IP, access logs): 12 months from collection
  • Support communications: 36 months from the date of the communication
  • Billing records: 7 years, as required for financial record-keeping compliance
  • Backup data: 90 days; backups are encrypted and subject to the same access controls as primary data

Deletion and the Right to Erasure

You may request deletion of your personal data at any time as described in Section 10. Enterprise customers may delete contract data, embeddings, and agent logs directly through the Platform administration console or via the Zeal API. Upon receiving a validated deletion request, we will delete the specified data within 30 days from primary systems and within 90 days from backup systems. We will confirm completion of the deletion in writing. Certain data may be retained beyond the standard period where required by law or to resolve an active dispute.

Custom Retention Policies

Enterprise customers may configure shorter retention periods for contract data on a per-repository basis through the administration console. Data past a configured retention window is permanently deleted on a scheduled basis, and deletion is verified and logged in the audit trail.

Section 09

Data Security

Zeal maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer data. The program is audited annually and certified against recognized industry standards.

SOC 2 Type II
ISO 27001

Encryption

All customer data is encrypted at rest using AES-256. All data in transit between clients and Zeal's infrastructure, and between internal services, is encrypted using TLS 1.3. TLS 1.0 and 1.1 are disabled across all endpoints. Encryption keys are managed through a dedicated key management service with per-tenant key isolation and scheduled rotation. Enterprise customers may supply their own encryption key (BYOK) via AWS KMS or Azure Key Vault.

Access control

Access to production systems is restricted to authorized personnel using role-based access control, phishing-resistant multi-factor authentication, and zero-trust network principles. All access is logged. Privileged access is subject to enhanced review and time-limited grant procedures. Zeal applies the principle of least privilege across all systems.

Vulnerability management

Zeal conducts an independent third-party penetration test of its production environment annually. Continuous vulnerability scanning covers container images, dependencies, and infrastructure configurations. Critical and high-severity findings are remediated within defined SLAs. Summary penetration test reports are available to enterprise customers under NDA.

SOC 2 Type II audit

Zeal undergoes an annual SOC 2 Type II audit conducted by a licensed independent CPA firm, covering the Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The full report is available to enterprise customers and prospects under NDA.

ISO 27001 certification

Zeal maintains ISO 27001 certification for its information security management system across production infrastructure, development, and core business processes. Certification is maintained through annual surveillance audits and triennial recertification by an accredited registrar.

No security measures can guarantee absolute protection. If you discover a potential security vulnerability in the Platform, please report it to security@zealdocs.com. Zeal maintains a responsible disclosure program and will acknowledge receipt within two business days.

Section 10

Your Rights

Depending on your location and the applicable legal framework, you may have the following rights with respect to your personal data. We honor these rights for all users, regardless of location, to the extent technically and legally possible.

Access and Portability

You may request a copy of the personal data we hold about you. Where technically feasible, we will provide the data in a structured, commonly used, machine-readable format. Enterprise customers can export contract data and agent logs directly from the Platform administration console.

Correction

You may request correction of inaccurate or incomplete personal data. You can update most account information directly within the Platform. For other data, contact us at privacy@zealdocs.com.

Deletion

You may request deletion of your personal data. We will delete your data from primary systems within 30 days of a validated request and from backup systems within 90 days. We will confirm completion in writing. Certain data may be retained where required by law, such as billing records subject to financial record-keeping obligations.

Restriction of Processing

You may request that we restrict the processing of your personal data in certain circumstances -- for example, if you contest the accuracy of the data or if you have objected to processing and we are considering that objection.

Objection

You may object to our processing of your personal data where we rely on legitimate interests as the legal basis for processing. We will consider your objection and cease processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is necessary for legal claims.

Withdrawal of Consent

Where we rely on your consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing that occurred before withdrawal.

To exercise any of these rights, submit a request to privacy@zealdocs.com. We will verify your identity before processing the request and will respond within the timeframes required by applicable law (generally 30 days, with an extension of up to 60 additional days where permitted for complex or numerous requests). We do not charge a fee for exercising these rights unless a request is manifestly unfounded or excessive.

Section 11

CCPA / CPRA Rights for California Residents

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as updated through 2026 regulatory requirements. This section describes those rights and how to exercise them.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email address, IP address, account ID); commercial information (billing records, subscription details); internet or other electronic network activity information (usage data, access logs); professional or employment-related information (job title, organization); and inferences drawn from usage data to understand how users interact with the Platform. We do not collect sensitive personal information as defined under CPRA except where necessary to provide the Platform, and we do not use or disclose it for purposes other than those specified in CPRA Section 1798.121.

Your CCPA / CPRA Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions including legal compliance and fraud prevention.
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Sharing: Zeal does not sell or share personal information as defined under CCPA/CPRA. No opt-out is required, but you may contact us at any time to confirm this practice.
  • Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information, we use it only to perform the services you have requested and for no other purpose. You may request that we limit use to these purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights. Exercising your rights will not result in denial of the Platform, different prices, or reduced quality of service.

To submit a CCPA/CPRA request, email privacy@zealdocs.com with the subject line "California Privacy Request." We will verify your identity before processing and will respond within 45 days, with an extension of up to 45 additional days where permitted. You may designate an authorized agent to make a request on your behalf by providing written authorization and verifying your own identity.

For purposes of CCPA/CPRA, when Zeal processes personal information on behalf of a business customer as a service provider, that business customer (not Zeal) is responsible for fulfilling CCPA requests from the individuals whose data was submitted. If you submitted personal data to the Platform through your employer or another organization, please direct your CCPA request to that organization.

Section 12

GDPR Rights for EU / EEA Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable national implementing legislation apply to our processing of your personal data.

Legal Bases for Processing

We process your personal data on the following legal bases:

  • Performance of a contract: Processing necessary to provide the Platform and fulfill our obligations under the customer agreement.
  • Legitimate interests: Processing for security monitoring, fraud prevention, product improvement, and communications about the Platform where those interests are not overridden by your rights and freedoms.
  • Legal obligation: Processing required to comply with applicable law.
  • Consent: Where you have explicitly consented to a specific type of processing, such as receiving marketing communications.

Your GDPR Rights

Under GDPR, you have the rights to access, rectification, erasure, restriction of processing, data portability, and objection described in Section 10. You also have the right to lodge a complaint with your national data protection authority if you believe our processing violates applicable law.

Data Protection Officer

Zeal has appointed a Data Protection Officer (DPO). You may contact the DPO directly at privacy@zealdocs.com with the subject line "Attention: Data Protection Officer." The DPO can advise on privacy matters, assist with GDPR requests, and handle escalations.

Processing as a Data Processor

When Zeal processes personal data submitted by enterprise customers through the Platform, Zeal acts as a data processor under GDPR and the customer acts as data controller. In this capacity, Zeal processes data only on the instructions of the customer and in accordance with the Data Processing Addendum. Individuals whose data is processed in this context should direct GDPR requests to the enterprise customer (the data controller), who will coordinate with Zeal as required.

Section 13

Children's Privacy

The Zeal Platform is designed for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected personal data from someone under 18, we will promptly delete it.

If you believe a person under 18 has provided personal data to Zeal, please contact us at privacy@zealdocs.com and we will take appropriate steps to identify and remove that data.

Section 14

Data Breach Notification

Despite our security measures, no system is completely immune from security incidents. In the event of a personal data breach, Zeal will respond according to the following commitments.

Notification Commitments

  • Internal detection and confirmation: Incident declared and response team activated within 1 hour
  • Customer notification (severity-1 data breach): Within 24 hours of confirmation, regardless of jurisdiction
  • Supervisory authority notification (GDPR Article 33): Within 72 hours of becoming aware of the breach
  • Individual notification (where required by law): Without undue delay, within the timeframes required by applicable law
  • Post-incident report to affected customers: Within 5 business days of incident resolution; includes root cause analysis, timeline, and remediation steps

Breach notifications to enterprise customers will be delivered to the primary security and legal contacts designated in the customer account. Notifications will include the nature of the breach, the categories and approximate volume of data affected, likely consequences of the breach, and the measures taken or proposed to address it. Status updates are also posted to Zeal's public status page.

Section 15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a prominent notice within the Platform at least 30 days before the changes take effect. The notification will describe what is changing and why.

For non-material changes -- such as clarifications, corrections, or updates that do not alter your rights or our core data practices -- we will update the policy and revise the effective date without advance notice. We encourage you to review this policy periodically.

For enterprise customers, material changes that affect the Data Processing Addendum will be communicated separately, with the advance notice required by the DPA and applicable data protection law. If you object to a material change, you may exercise your rights as described in the applicable DPA.

Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the updated terms, except where explicit consent is required by law.

Section 16

Contact Information

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a concern about how we handle your data, please contact us using the information below.

General Privacy Inquiries

privacy@zealdocs.com

For rights requests, policy questions, and general privacy concerns

Data Protection Officer

privacy@zealdocs.com

Subject line: Attention: Data Protection Officer

Security Disclosures

security@zealdocs.com

For vulnerability reports and security-related inquiries

Mailing Address

Zeal Global Inc.

For written correspondence regarding privacy matters

Related documents: Security Overview and Terms of Service. Enterprise customers may request the Data Processing Addendum (DPA) from their account manager or by emailing privacy@zealdocs.com.