Our Privacy Policy

Effective Date: 4th September 2025

Welcome to the zally privacy policy.

We believe in being transparent about how we handle your personal data. This policy will be updated regularly to reflect changes in our practices or relevant laws, and we encourage you to review it periodically.

Scope of this Policy

Unless specified otherwise, this privacy policy applies to all of zally’s applications, services, tools, and websites where we process your personal data as a data controller (or its local equivalent).

This document explains how zally (which includes zally and its affiliates, subsidiaries, and newly acquired companies, collectively referred to as "zally", "we", or "us") protects the personal data we process and control relating to you. It also details the rights you have regarding your data.

For individuals covered by EU and Swiss data protection laws, if the zally entity acting as the controller of your data is located outside these regions, our designated data privacy representative is Zally Limited.

What's Covered in this Policy?

  • How we use your personal data when you visit our website.

  • How we use cookies and other tracking technologies.

  • How we use personal data when you visit our physical offices.

  • How we use your personal data for marketing purposes.

  • Of course. I understand the importance of retaining all necessary legal clauses while improving clarity and readability.

Here is the updated version of the provided text. It has been modernised to be more direct and easier for a user to understand, using improved formatting and clearer language, without removing the original substance or legal commitments.

1. How zally Protects Your Personal Data

Your right to privacy and the security of your personal data are a top priority at zally. We are committed to handling your information responsibly to ensure you feel secure when you interact with us.

We protect your personal data in strict accordance with applicable laws and our internal data privacy policies. To achieve this, we implement and maintain appropriate technical and organisational security measures to protect your data against:

  • Unauthorised or unlawful processing

  • Accidental loss, alteration, or disclosure

  • Unauthorised access

  • Accidental or unlawful destruction or damage

Key Areas Covered in This Policy

To provide a clear understanding of our practices, this policy details:

  • Which categories of personal data we collect and how we process them.

  • The purposes and legal bases for using your personal data.

  • Whether we share your personal data with third parties.

  • Our policy on processing sensitive data.

  • The specific measures we take to ensure data security.

  • Where your personal data will be processed.

  • How long we retain your personal data.

  • The rights you have regarding your personal data.

Categories of Personal Data We Collect

We collect personal data from various individuals, including our employees (current and prospective), clients, suppliers, business contacts, shareholders, testers, website and application users. If we need to collect data not listed in this privacy statement, we will provide appropriate notice to individuals (as required by law) detailing what other data is being collected and how it will be used.

2. What Personal Data We Collect and Why

This section provides a detailed overview of the categories of personal data we collect, our purposes for collecting it, and the legal basis we rely on for processing.

The Types of Data We Collect

We have grouped the data we collect by context.

General Data Collection

This is data we may collect through your general interactions with zally.

  • Personal Details and Identifiers This includes your name, pronouns, all types of identifiers and contact details (such as email, phone numbers, physical address), and occasionally, when necessary for specific purposes, gender, date of birth, age, and place of birth.

  • Commercial Information This includes the history and records of products and services you have obtained from zally, as well as correspondence between you and us (including communications via AI-assisted channels) for purposes like payment processing and commercial follow-up.

  • Marketing and Research Information

    • Identifiers: Your IP address, social media handles, or other online identifiers.

    • Demographics: Data such as income, family status, age bracket, gender, interests, and current service providers.

    • Browsing History: Data and preferences expressed through your selection, viewing, or purchase of goods and services; information about your mobile device (type, device ID, operating system).

    • Social Media Content: Publicly available blogs, posts, or other content posted by you or that mentions or references you.

    • Analytics and Profiles: Profiles of individuals based on the data collected.

    • Voice-Enabled Services: Speech-to-text data from search requests, which is not recorded or stored.

  • Sensitive Data and Biometric Information Where permitted by local law or with your explicit consent, we may collect sensitive information. This can include health/medical information (like disability status or dietary requirements for events) or biometric information (for example, when you elect to use fingerprint authentication).

  • Audiovisual Materials This includes your photograph, images/footage from CCTV or other security systems, recordings from public marketing events, and audio/video recordings and transcriptions from meetings, workshops, or virtual sessions. It also includes voice command data used in our mobile applications.

  • Professional or Employment-Related Information This includes your current job title, description of your position, employer, work location, and your zally contact(s).

  • System and Application Access Data If you are given access to zally’s systems, we may collect the information required for that access, such as your System ID, LAN ID, email account, passwords, and other electronic network activity information like access logs.

  • Cyber Threat Intelligence Information We may process personal data as part of our efforts to understand and defend against cyber threats. This can include profiles of threat actors and evidence of malicious activities.

  • Cookies and Geolocation Data As detailed in our Cookies Policy, we may collect geolocation data and use cookies to enhance our services.

For Recruitment & HR Services

For recruitment, employment, or if when providing HR services to our clients and others, we may process the following additional categories of data:

  • Additional Personal Details: National identification number, social security number, insurance information, marital status, dependents, emergency contacts, and military history.

  • Professional and Education Information: Your full employment and education history.

  • Sensitive Data for Recruitment: Where permitted by law or with your consent, this may include health/medical information (to accommodate a disability), trade union membership, religion, race or ethnicity, and information on criminal convictions for background checks and to comply with diversity and anti-discrimination policies.

  • Immigration Documentation: Citizenship data, passport details, and residency or work permits.

  • Financial Information: Banking and other financial details required for payroll and benefits.

  • Talent Management Information: Data for background checks, performance reviews, training history, driver’s license information, and other details used to manage talent.

  • Recruitment Information: Information you submit in résumés/CVs, letters, and writing samples; information generated by our recruiters during the interview process; information received from third-party placement firms; and recommendations provided by others on your behalf.

  • Diversity Information: Data about race, ethnicity, religion, disability, gender, and/or sexual orientation for government reporting and to analyse the diversity of our workforce, subject to legal limits.

  • Assessment Information: Information generated by your participation in psychological, technical, or behavioural assessments. You will always be informed about the nature of such assessments beforehand.

Your Role and Data Sources

  • Sources of Data: We obtain the categories of personal data listed above either directly from you (e.g., when you sign up for a newsletter) or indirectly from third parties, which may include our affiliates, public authorities, public websites, social media, suppliers, and clients.

  • Providing Data is Voluntary: Your decision to provide personal data to us is voluntary. You will not face adverse consequences if you choose not to provide it, except where certain information is required by law or zally policy (e.g., for managing an employment relationship).

  • Consequences of Not Providing Data: Please note that if you do not provide certain information, we may not be able to accomplish some or all of the purposes outlined in this policy, and you may be unable to use certain tools or systems that require such personal data.

  • Providing Someone Else’s Data: If you provide us with the personal data of another person (e.g., a referral for a job), you are responsible for ensuring that they are aware of the information in this privacy statement and have given you their consent to share their information with zally.

3. How and Why We Use Your Data (Our Purposes and Legal Bases)

zally only uses your personal data for specific, defined purposes. Below is a list of our purposes for processing data and the legal basis we rely on for each.

General Business Purposes

  • Purpose: To manage our contractual and/or employment relationship with you.
    Legal Basis: Necessary for the performance of a contract to which you are a party.

  • Purpose: To facilitate communication with you, which may include AI-powered support (e.g., meeting recaps, suggested email content), handling emergencies, and providing you with requested information.
    Legal Basis:     Justified on the basis of our legitimate interests for ensuring proper communication.

  • Purpose: To operate and manage our business, including providing services to our clients (e.g., collecting data for surveys, analytics, or market research).
    Legal Basis:     Justified on the basis of our legitimate interests for ensuring the proper functioning of our business operations.

  • Purpose: To comply with legal and regulatory requirements.
    Legal Basis:     Necessary for compliance with a legal obligation to which we are subject.

  • Purpose: To monitor your use of our systems, including our website, apps, and tools.
    Legal Basis:     Justified on the basis of our legitimate interests in avoiding non-compliance and protecting our reputation.

  • Purpose: To perform "social listening" by identifying and assessing publicly accessible content about zally and our clients on social media to understand trends and stakeholder needs. Our goal is to gain insights, not to identify individuals.
    Legal Basis:     Justified on the basis of our legitimate interest in protecting our assets and brand.

  • Purpose: To conduct research and analytics related to cyber threat intelligence.
    Legal Basis:     Justified on the basis of our and our clients' legitimate interest in protecting our security infrastructure and business continuity.

  • Purpose: To improve the security and functioning of our website, networks, and information.
    Legal Basis:     Justified on the basis of our legitimate interests for ensuring you receive an excellent user experience and that our networks and information are secure.

  • Purpose: To undertake data analytics (including AI and machine learning) to describe, predict, and improve business performance and user experience.
    Legal Basis:     Justified on the basis of our legitimate interests for ensuring the proper functioning of our business operations.

  • Purpose: To market our products and services to you.
    Legal Basis:     Justified on the basis of our legitimate interests for ensuring that we can conduct and increase our business.

  • Purpose: To capture and use audio, video, and transcriptions from events and meetings (including virtual ones) to inform stakeholders and for marketing purposes.
    Legal Basis:     Based on your informed consent obtained prior to the event.

For Recruitment Purposes

  • Purpose: To assess your suitability for current and future roles.
    Legal Basis:     Justified on the basis of our legitimate interests in ensuring we recruit the appropriate employees.

  • Purpose: To manage your application and perform administrative functions (e.g., reimbursing interview expenses).
    Legal Basis:     Justified on the basis of our legitimate interests in ensuring we recruit the appropriate employees.

  • Purpose: To perform data analytics on our applicant pool to improve our recruitment process.
    Legal Basis:     Justified on the basis of our legitimate interests in ensuring we continually improve our recruitment processes.

  • Purpose: To record your online interview for review by additional recruiters and hiring managers.
    Legal Basis:     Justified on the basis of our legitimate interests in ensuring we recruit the appropriate employees.

  • Purpose: If you register on our Careers website, to enter you into our database to receive future mailings and personalised job recommendations.
    Legal Basis:     Justified on the basis of our legitimate interests in ensuring we recruit the appropriate employees.

  • Purpose: To perform legally-required reporting and respond to legal processes.
    Legal Basis:     Compliance with a legal obligation.

A Note on Our Legitimate Interests

Where the tables above state that we rely on our legitimate interests for a given purpose, we have conducted a balancing test to ensure our legitimate interests are not overridden by your own interests, rights, or freedoms. 

We believe this is justified given (i) the transparency we provide, (ii) our privacy-by-design approach, (iii) our regular privacy reviews, and (iv) your rights in relation to the processing. If you wish to obtain further information on our balancing test approach, please contact zally’s Data Privacy Officer.

4. Your Consent and How We Share Your Data

Basing Processing on Your Consent

In some cases, where required by law, we will only process your personal information for the purposes mentioned in this policy if we have your prior consent.

When you are asked to agree to a privacy statement by clicking or checking a box that says "I accept," "I agree," or something similar, this action will be considered your consent to process your personal data.

We will not use your personal information for any new purposes that are incompatible with the ones you were originally informed about, unless we are required or authorised by law, or it is in your vital interest to do so (for example, in a medical emergency).

Sharing Your Personal Data with Third Parties

We may share your personal data with trusted third parties to operate our business. Before we do, we take the necessary steps to ensure your data is protected in line with data privacy laws and our own internal policies. These third parties can include:

  • Service providers and professional advisors.

  • Public and governmental authorities.

  • Other zally companies and global affiliates/partners.

  • Third parties in connection with a corporate transaction, such as a merger or sale.

  • Our clients, if your data has been processed as part of a service we are providing to them.

For a detailed breakdown of the categories of data we collect and may share, please see section 2, "What Personal Data We Collect and Why".

We may also disclose your personal information for other specific business purposes, for example:

  • To our vendors: We share information with third-party service providers who help us with billing, payment processing, customer service, marketing, security and performance monitoring, data hosting, and research.

  • To protect our legal rights: We may share data to protect the legal rights, safety, and security of zally, our users, or the public, including to prevent fraud and malicious activity.

  • In a major business transaction: Your information may be shared in connection with a substantial corporate event, such as a merger, asset sale, or in the unlikely event of a bankruptcy.

  • For other disclosed purposes: We may share data for any other purpose that is disclosed to you at the time we collect the information or is done pursuant to your consent.

International Data Transfers

Any transfers of your personal data from the UK or European Economic Area (EEA) to countries outside of these regions will be based on a formal adequacy decision or governed by Standard Contractual Clauses, which ensure your data is protected to the same high standards. Any other international data transfers will be carried out in accordance with recognised global data transfer mechanisms.

5. Our Approach to Data Security and Sensitive Data

What About Sensitive Data?

We do not generally seek to collect sensitive data (also known as "special categories of data") through our website or other general channels. In the limited cases where we do, we will always do so in accordance with data privacy laws and, where required, ask for your explicit consent.

"Sensitive data" refers to personal data that requires special protection, such as information about:

  • Racial or ethnic origin

  • Political opinions or religious beliefs

  • Trade union membership

  • Physical or mental health

  • Biometric or genetic data

  • Sexual life or orientation

  • Criminal convictions and offences

How We Secure Your Data

We maintain robust organisational, physical, and technical security arrangements for all the personal data we hold. We have protocols, controls, and policies in place to maintain these arrangements, taking into account the risks associated with the types of data and the processing we undertake.

We are proud to hold an ISO/IEC 27001 certification. This is a leading international standard for information security, awarded by the British Standards Institution (BSI). It certifies that zally's processes and security controls meet the highest and strictest standards, providing an effective framework for protecting our clients' and our own information.

Our commitment to protecting your data is backed by a global Client Data Protection (CDP) program, which governs how we handle client information. To ensure our defences are robust, we also engage third-party providers to conduct regular penetration testing, which consistently validates the strength of our security measures.

Where Your Personal Data is Processed

As a global organisation, the personal data we collect may be transferred or accessed internationally throughout zally's business and between our various entities and affiliates.

All such transfers are performed in accordance with applicable data privacy laws and our own internal Binding Corporate Rules (BCR). Our BCR reflects the high standards of European data privacy laws (including the GDPR), which means all our group entities must follow the same internal rules for protecting your data. This ensures your rights remain the same, no matter where in the world your data is processed by zally.

6. Data Retention and Your Rights

Sources of Your Personal Information

If we do not get your personal information directly from you, we may obtain it from other sources, including:

  • Publicly available sources like registers or the internet.

  • zally employees, affiliates, subsidiaries, and newly acquired businesses.

  • Our clients, suppliers, and vendors (including third-party data providers).

  • Previous employers and educational institutions.

How Long We Keep Your Personal Data

We will only retain your personal data for as long as is necessary. Our retention policies ensure that data is deleted after a reasonable time according to the following criteria:

  • Ongoing Relationship: We keep your data as long as we have an active relationship with you (e.g., if you have an account with us).

  • Service Provision: We will keep your data while your account is active or for as long as needed to provide services to you.

  • Legal Obligations: We retain your data for as long as needed to comply with our global legal and contractual obligations.

Your Data Protection Rights

You are entitled to the following rights under applicable law:

  • Right to Access: You can ask if we process your personal data and, if so, request a copy and information about it.

  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal data.

  • Right to Object: You can request that zally stops processing your personal data.

  • Right to Erasure: You can request that we delete your personal data where it is no longer necessary for the purposes for which it was collected.

  • Right to Restrict Processing: You can request that we only process your personal data in limited circumstances, such as with your consent.

  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format or ask us to transmit it to another data controller.

To the extent that our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. Please note this will not affect processing that has already occurred or processing based on other legal grounds.

If you believe your data privacy rights have been violated, we encourage you to contact us first to resolve the issue. However, you always have the right to file a complaint with a relevant supervisory authority or make a claim in a competent court.

7. How We Use Data from Our Website and Marketing

When You Visit zally’s Website

  • How We Gather Data: We collect personal data on our websites both directly (e.g., when you fill in a form for a newsletter) and indirectly (e.g., through our website’s technology, like cookies). This includes data you provide in forms, records of correspondence if you contact us, and any content you post.

  • Technical Data: We may collect technical information about your device, including your IP address, operating system, and browser type. We also log details of your visits, such as the pages you view and the resources you access.

  • Third-Party Links: Our websites may contain links to and from the sites of our partners and affiliates, or include third-party programs (like widgets). We are not responsible for the privacy practices of these third parties, so please check their policies before providing any information.

For Marketing Purposes

  • Sources of Marketing Data: Most of the data we use for marketing relates to employees of our clients and other companies we have a business relationship with. We may also obtain contact information from public sources, like social media, to make an initial business contact.

  • Targeted Emails and CRM: We send commercial emails to develop and maintain business relationships. These emails often contain technologies like web beacons and cookies to help us know if you’ve opened, read, or deleted the message and what links you’ve clicked. We manage this through our Customer Relationship Management (CRM) databases.

  • Push Notifications: If you use our mobile apps, we may send you push notifications with your consent. You can manage these preferences at any time in the app or your device settings.

  • Combining and Analysing Data: We may combine data from public sources with information from your interactions with us (across our websites and emails) to better understand your experience and improve our services.

  • Your Marketing Rights: You can prevent marketing communications by using the opt-out mechanisms in our emails or on the forms we use to collect your data. If you opt out, we will retain the minimum data necessary to ensure we don't contact you again.

8. Use of AI in Our Communications

When you communicate with us via email, chat, calls, or other channels, we may use AI-supported technology to enhance the experience. This technology can help us by:

  • Scanning communications to create suggested replies, summaries, and action items.

  • Providing real-time translation and interpretation.

The processing of personal data for these communication purposes is based on our legitimate interest. We will only record or transcribe audio and video based on your consent, and we will always be transparent when you are interacting with an automated system like a chatbot. Your personal data will not be used to train or improve AI solutions unless we specifically inform you or apply anonymisation techniques.

9. Other Ways We May Use Your Personal Data

This section describes other specific uses of personal data by some zally group companies.

Content Creation and Production

Some zally entities are in the business of content production for TV, film, marketing, and advertising. As part of these activities, we may process your personal data.

  • What data do we process? For production purposes, we may process images, footage, and the location of individuals captured during filming.

  • If you are a member of the public: We will make diligent efforts to notify you of filming in advance and provide you with the opportunity to avoid the area and not participate.

  • If you are a contributor or talent: If you are a focus of our filming (such as an interviewee, actor, or extra), we will also collect your name, contact information, and any other details you provide in pre-filming questionnaires or release forms. This may include special categories of data, like health information, if it's necessary to make adjustments to support you during filming.

If you have any questions about the data privacy aspects of our production activities, please don't hesitate to get in touch.

10. Contact Us

Please reach out to us if you have any questions or wish to exercise your rights.

How to Get in Touch

You can contact us for the following reasons:

  • If you have a general question about how zally protects your personal data.

  • If you wish to exercise your data protection rights.

  • If you want to make a complaint about our use of your data.

Contact Details

To exercise your rights or for any other data privacy queries, please contact our Data Privacy Officer.

  • Preferred Method: Contact us on our website

  • By Post: Data Privacy Officer, zally Limited DiSH, 47 Lloyd Street Manchester, M2 5LE United Kingdom