Privacy & Data Protection

ZEA AI Privacy Policy

Comprehensive privacy protection for our aviation management platform

Effective Date: 1 October 2025 | Version: 2.0

1. Overview

This Privacy Policy explains how ZEAS Global FZCO, trading as ZEA AI (Zero Effort Aviation) ("ZEA AI", "we", "us", "our"), collects, uses, and protects personal data in connection with our aviation-management platform and related services.

Privacy-by-Design Architecture: ZEA AI operates on a privacy-by-design architecture where passenger information is never stored or cached within PAXP. When a user views a flight, passenger data is securely retrieved from Leon via API in real time and immediately discarded after the session ends. This ensures full data minimisation and 'privacy-by-design' compliance — no persistent passenger data ever exists within PAXP.

Our platform is designed to comply with the UAE Personal Data Protection Law (PDPL) and, where applicable, the UK GDPR and EU GDPR.

Registered address: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
Contact email: support@zeaai.co

2. Who Controls Your Data

ZEA AI Controls:

  • User-account information (name, email address, company name)
  • Login credentials and preferences
  • Billing and subscription details
  • Technical and usage logs

Operators Control:

  • All passenger and flight data from Leon API or equivalent systems
  • Any information uploaded by brokers or clients for their flights
  • Accuracy and lawful processing of such data

Important: ZEA AI acts only as a data processor for operators and a data controller for its own user-account information.

Data Neutrality & Non-Solicitation

ZEA AI does not sell, rent, or use Operator or Broker data for marketing or solicitation purposes. We operate as an independent technology provider and do not compete with our customers for their clients or business relationships.

For further details, please refer to our Terms of Service (Data Neutrality and Non-Solicitation).

3. AI Processing Disclosure

Temporary AI Passport Processing

When a user uploads passport images, the data is processed temporarily through Azure OpenAI and, where applicable, PaddleOCR for machine-vision extraction of document fields.

Data-handling principles:

  • Images are processed transiently (<5 seconds) and never stored
  • Extracted text is transmitted securely to the operator's Leon system
  • ZEA AI does not retain passport images or parsed data after processing
  • All AI-extracted information must be human-verified by the operator before use

Consent: By using the passport-scanning feature, users explicitly consent to this temporary AI processing. Consent may be withdrawn by not using the feature.

4. Our Privacy-First Architecture

[Diagram: Your Leon System, ZEA AI Interface, Your Team]

ZEA AI acts as a real-time display layer and transmission bridge. No permanent copy of passenger data is held on our servers.

🔒 We literally cannot break your privacy

Zero passenger data storage = Zero privacy risk

This structure fulfils GDPR Article 5 (data minimisation) and PDPL data-protection principles by design.

5. Data We Collect and Process

(a) User Account Data – Controller: ZEA AI

Lawful basis: Article 6(1)(b) GDPR – contract performance

  • Name, email, company details
  • Encrypted password and login timestamps
  • Preferences and dashboard settings
  • Billing and usage analytics (aggregated)

Retention: Until account deletion or 12 months after last login

(b) Passenger and Flight Data – Controller: Operator

Role: ZEA AI acts as a data processor on behalf of operators (Article 28 GDPR).

  • Passenger data (names, passport numbers, etc.) is processed transiently (<5s) via Leon API or AI passport parsing and is never stored
  • Passenger information is never stored or cached within PAXP. When a user views a flight, passenger data is securely retrieved from Leon via API in real time and immediately discarded after the session ends
  • Flight operational data (schedules, aircraft, routes, costs) is stored securely for analytics purposes to support platform insights and performance optimization
  • Crew data (names, roles) is stored under legitimate interest for work-related scheduling and duty compliance, and is automatically deleted 30 days after flight completion
  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256), and no passenger personal data is retained

(c) Technical and Security Data

Lawful basis: Article 6(1)(f) GDPR – legitimate interests

  • IP addresses, browser fingerprints (fraud prevention)
  • API latency and error logs
  • Anonymised analytics for performance optimisation

6. Your Data-Protection Rights

For user-account data (ZEA AI as controller):

  • Access – receive a copy of your data
  • Rectification – correct inaccuracies
  • Erasure – delete your account permanently
  • Portability – export data in machine-readable format
  • Object / Restrict – limit non-essential processing

For passenger data (operators as controllers):

  • Contact your operator directly to exercise rights
  • Leon API is the authoritative source for such data

Requests to ZEA AI should be sent to support@zeaai.co. We respond within 30 days as required by Article 12 GDPR and PDPL guidelines.

7. Data Security (Article 32 GDPR)

Technical measures:

  • AES-256 encryption for data at rest
  • TLS 1.3 for all transmissions
  • bcrypt password hashing
  • Role-based access controls and JWT authentication
  • Multi-tenant data isolation

Organisational measures:

  • Employee privacy training
  • Strict least-privilege access policy
  • 72-hour breach-notification procedure
  • Quarterly security audits and penetration testing

8. Third-Party Processors

Processor | Purpose | Data Handled | Location / Safeguard
Supabase | Secure database hosting (user accounts only) | Account data | EU/US servers, SCCs, SOC 2
Microsoft Azure OpenAI | Temporary passport OCR processing | Passport images (temporary) | Microsoft global infrastructure, no storage
Resend | Transactional email delivery | Email addresses and messages | US-based, GDPR-compliant DPA

All processors operate under Article 28 GDPR agreements and UAE PDPL Article 18 cross-border transfer safeguards.

9. International Transfers

For UAE users:

Transfers comply with PDPL Article 18 and Microsoft's adequate protection framework.

For UK/EU users:

Transfers comply with UK GDPR and EU-US Data Privacy Framework standards using Standard Contractual Clauses where necessary.

10. Data Retention & Deletion

  • User account data retained until deletion or 12 months of inactivity
  • Billing records retained for 7 years for tax compliance
  • Flight operational data retained for analytics and platform optimization
  • Crew data automatically deleted 30 days after flight completion
  • Passenger data never stored — retrieved in real time from Leon API only when viewing, immediately discarded after session
  • Passport images never stored — processed transiently (<5s) and discarded
  • API logs (metadata only, PII-free) retained for 12 months
  • Back-ups purged within 90 days of deletion

11. Legal Basis & Accountability

ZEA AI processes data only for:

  • Contract performance with users (Art 6 (1)(b))
  • Legitimate business interests (Art 6 (1)(f))
  • Explicit consent for AI passport processing (Art 6 (1)(a))

12. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in law or practice. Material updates will be announced 30 days in advance via email and posted on our website. Continued use after updates constitutes acceptance.

Previous versions are available on request.

Contact Information
ZEAS Global FZCO — Trading as ZEA AI (Zero Effort Aviation)
Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates
Last updated 1 October 2025