Privacy Policy

Ohrus Labs - Service, Lda ("Ohrus", "we", "us" or "our"), the entity responsible for the Ziett platform, is committed to the responsible processing of the personal data of everyone who interacts with its services.

This Privacy Policy describes what data we collect, how we use it, with whom we share it, how long we retain it, and the rights of data subjects.

This policy applies to the institutional website (ziett.co), the web application (app.ziett.co), and the Ziett API.

1. Who We Are

The data controller for personal data is:

Ohrus Labs - Service, Lda
NIF: 5002714485
Casa 1, Rua da ENDE, Fubu, Município do Camama, Luanda, Angola
Privacy email: privacy@ziett.co
Phone: +244 955 577 430

2. Applicable Legislation

The processing of personal data by Ohrus is subject to the following legislation, depending on the relevant jurisdiction:

Legislation	Scope of Application
LPDP — Law No. 22/11 of June 17 (Angola)	Data processing carried out in Angola; main regulatory base of Ohrus
GDPR — Regulation EU 2016/679	Data subjects residing in the European Union or the European Economic Area
UK GDPR — Data Protection Act 2018 (United Kingdom)	Data subjects residing in the United Kingdom
LGPD — Law No. 13.709/2018 (Brazil)	Data subjects residing in Brazil

Ohrus is authorized in Angola under APD Authorization No. 682422756000/2026, issued by the Data Protection Agency (Agência de Protecção de Dados) on June 3, 2026.

When the legislation of a specific jurisdiction requires additional safeguards, these are applied through the Data Processing Addendum (DPA), which complements this Policy.

3. Data We Collect

3.1 User Account Data

When you create a User Account:

Name — can be a pseudonym or nickname;
Email address — for authentication and communications;
Password — stored in an irreversible encrypted format (hash);
Account creation date and time and interface preferences.

3.2 Billing Account Data

Data with fiscal and legal value, which must be strictly truthful:

Full legal name (individual or corporate name);
Tax Identification Number (NIF) or local equivalent;
Billing address and Country of Registration;
Billing email address and phone number;
IBAN (when applicable for bank transactions);
Transaction history and tax documents.

3.3 Message and Content Data

When you send messages through the Platform, we process data provided by the client:

Message content (text, parameters, templates, images, audio);
Recipient Data (phone numbers, channel identifiers);
Delivery metadata (date, time, channel, delivery status);
Contact lists registered on the Platform.

Ohrus acts as a sub-processor for this data — processing it only under the instruction and responsibility of the Billing Account. The client is the data controller.

3.4 Usage and Technical Data

Automatically collected during the use of the Platform:

IP address and network information;
Browser type and version, and operating system;
Pages visited, features used, session duration;
API logs (requests, responses, errors) and performance data.

3.5 Cookies and Analytics Data

Collected via Google Analytics and first-party cookies. For full details, please refer to the Cookie Policy.

4. Legal Bases for Processing

The table below indicates the legal basis for each processing category, including the equivalent standard across the main applicable laws.

Processing Purpose	Legal Basis	LPDP	GDPR	LGPD
Account creation and management	Performance of a contract	Art. 6	Art. 6(1)(b)	Art. 7, II
Provision of Services (sending messages, API)	Performance of a contract	Art. 6	Art. 6(1)(b)	Art. 7, II
Issuance of invoices and tax documents	Legal obligation	Art. 6	Art. 6(1)(c)	Art. 7, II
Communication to authorities (AGT, APD)	Legal obligation	Art. 6	Art. 6(1)(c)	Art. 7, II
Fraud detection and platform security	Legitimate interest	Art. 6	Art. 6(1)(f)	Art. 7, IX
Product improvement (aggregated analytics)	Legitimate interest	Art. 6	Art. 6(1)(f)	Art. 7, IX
Marketing communications and updates	Consent	Art. 6	Art. 6(1)(a)	Art. 7, I
Non-essential cookies (Google Analytics)	Consent	Art. 6	Art. 6(1)(a)	Art. 7, I

5. How We Use the Data

We use the collected data exclusively to:

Provide Services — create and manage accounts, process and deliver messages, issue invoices, provide analytics, and support API integrations.

Security and integrity — detect and prevent fraudulent activities, monitor Platform security, and investigate incidents.

Legal compliance — comply with tax and accounting obligations, respond to competent authorities, and comply with Applicable Data Protection Laws.

Product improvement — analyze usage patterns in an aggregated and anonymized format to develop new features.

Communications — send essential operational notifications (always active) and communications about news and updates to the Platform (opt-out available).

6. What We Do Not Do with Your Data

Ohrus makes the following commitments:

We do not resell data from Users, Billing Accounts, Organizations, or Recipients;
We do not share data with partners for third-party marketing purposes;
We do not use client contacts in marketing campaigns for Ohrus or Ziett;
We do not create Recipient profiles for advertising purposes;
We do not make automated decisions with a significant impact on data subjects without human supervision.

Ohrus shares data only to the extent necessary to provide the Services or to comply with legal obligations. The full and updated list of sub-processors is available at ziett.co/legal/subprocessors.

Entity	Type	Data	Legal Basis
AGT (General Tax Administration)	Public authority	Name, NIF	Legal obligation
Vendus	Invoicing software	Name, NIF, Address, IBAN	Contractual obligation
Unitel SA	Telecommunications operator	Username, Phone number, Message content, Recipient number	Contractual obligation
Africell SA	Telecommunications operator	Username, Phone number, Message content, Recipient number	Contractual obligation
Google LLC	Infrastructure and analytics	Usage data, technical logs	Contractual obligation
Metabase	Business Intelligence	Aggregated usage data	Contractual obligation

Ohrus enters into written contracts with all sub-processors to ensure compliance with Applicable Data Protection Laws.

8. Data Retention

Data Category	Retention Period	Justification
User Account Data	While active + 2 years after closure	Dispute resolution
Billing Account Data	While active + 7 years after closure	Tax and legal obligation
Invoices and financial records	7 years	Tax obligation
Message Content	30 to 90 days after sending (standard plan)	Operational verification and error resolution
Delivery metadata (without content)	12 months	Analytics and dispute resolution
Contact lists	While associated with an active Billing Account	Service operation
API and security logs	90 days	Technical diagnosis
Analytics data (aggregated)	24 months	Product improvement

8.1 Extended Message Retention

By default, message content is automatically deleted between 30 and 90 days after sending. Clients who require longer retention periods can purchase an Extended Retention plan, available on the Platform.

9. Data Subject Rights

The rights below apply to all data subjects, with the detail that clients in specific jurisdictions have additional rights indicated in sections 10 and 11.

Right	Description
Access	Know what personal data we process about you
Rectification	Correct inaccurate or incomplete data
Erasure	Request the deletion of your data when it is no longer necessary
Objection	Object to processing for marketing purposes or based on legitimate interest
Portability	Receive your data in a structured, machine-readable format
Restriction	Request the restriction of processing in certain circumstances

How to exercise your rights:

Email: privacy@ziett.co
Phone: +244 955 577 430
Address: Casa 1, Rua da ENDE, Fubu, Município do Camama, Luanda, Angola

We respond within a maximum period of 30 days, extendable by an additional 30 days in highly complex cases, with prior notification.

If you believe your rights have not been respected, you can lodge a complaint with the competent supervisory authority (see Section 10 and 11 for specific regional authorities).

10. Additional Rights — EU, EEA, and UK Residents

If you are a resident of the European Union, the European Economic Area, or the United Kingdom, the GDPR (or UK GDPR) grants you the following additional rights and safeguards:

Right not to be subject to a solely automated decision — including profiling, with significant effects, without human intervention (Art. 22 GDPR).

Right to lodge a complaint with a European supervisory authority — namely with the competent authority of the Member State where you habitually reside, work, or where an alleged infringement occurred. You can consult the list of authorities at edpb.europa.eu.

International transfers — When data of subjects in the EU/EEA/UK is processed by Ohrus, we apply appropriate contractual safeguards. Please consult our DPA for details on the transfer mechanisms used.

For specific questions regarding the GDPR, contact privacy@ziett.co with the subject "GDPR Request".

11. Additional Rights — Brazil Residents

If you are a resident of Brazil, the LGPD (Law No. 13.709/2018) grants you specific rights, including:

Confirmation and access — confirm the existence of processing and access the data (Art. 18, I and II LGPD);
Anonymization, blocking, or erasure of unnecessary data or data processed in non-compliance (Art. 18, IV LGPD);
Portability to another service provider (Art. 18, V LGPD);
Information about entities with whom we shared data (Art. 18, VII LGPD);
Revocation of consent at any time (Art. 18, IX LGPD).

You can also lodge a complaint with the National Data Protection Authority (ANPD): gov.br/anpd.

For questions regarding the LGPD, contact privacy@ziett.co with the subject "LGPD Request".

12. Data Security

Ohrus implements technical and organizational measures to protect personal data, including:

Encryption in transit — TLS/HTTPS in all communications;
Encryption at rest — databases and storage systems;
Secure authentication and role-based access control (RBAC);
Continuous monitoring of access and suspicious activities;
Encrypted password storage (irreversible hash);
Periodic security audits.

In the event of a data breach with a potential impact on the rights of data subjects, Ohrus will notify the APD and, when legally required, the supervisory authorities of the affected jurisdictions within the legally established timeframes (72 hours for the GDPR). Affected data subjects will be notified without undue delay, when applicable.

13. Cookies and Tracking Technologies

We use cookies on the website (ziett.co) and in the application (app.ziett.co). Non-essential cookies (including Google Analytics) are only activated after explicit consent from the user, in compliance with the GDPR and the ePrivacy Directive.

For a full description of the cookies used and management instructions, please consult the Cookie Policy.

14. Clients' Responsibility Over Third-Party Data

When clients upload third-party data to the Platform (contact lists, Recipient data), they assume the role of data controller for that data. Ohrus acts as a sub-processor, processing data only under instructions from the clients.

Clients are responsible for:

Ensuring an appropriate legal basis for sending communications to Recipients;
Ensuring that data was collected lawfully and with the necessary consent;
Fulfilling information obligations toward data subjects;
Complying with Applicable Data Protection Laws in the jurisdiction of the Recipients.

The Data Processing Addendum (DPA) formalizes this relationship for clients who request it.

Email: privacy@ziett.co
Website: https://ziett.co
Legal Entity: Ohrus Labs - Service, Lda — NIF: 5002714485
Address: Casa 1, Rua da ENDE, Fubu, Município do Camama, Luanda, Angola
Phone: +244 955 577 430

Supervisory authority (Angola): Agência de Protecção de Dados (APD) Rua do MAT, Complexo Administrativo Clássicos de Talatona, 3.º edifício, 7.º andar, Luanda geral@apd.ao | www.apd.ao