Privacy policy — Zaina AI
Effective date: 26 February 2026 | Last updated: 16 March 2026
1. Who we are
Zaina AI ("Zaina") is a brand owned and operated by The Agile Monkeys, the legal entity and Data Controller responsible for the personal data processed through the platform zaina.ai.
- Data Controller: The Agile Monkeys
- Trading name: Zaina AI — The Intelligence of Beauty
- Website: https://zaina.ai
- General contact: info@theagilemonkeys.com
- Data Protection contact: privacy-team@theagilemonkeys.com
- Response time: We respond to all data subject requests within 30 days.
2. Scope
This Policy governs the processing of personal data through:
(a) The Zaina AI conversational assistant (chat interface);
(b) The appointment request form;
(c) The coming soon registration form and any other website forms;
(d) Any interaction with the platform at zaina.ai.
It applies to all users globally, including individuals located in the Kingdom of Saudi Arabia, in accordance with the extraterritorial reach of the PDPL (Personal Data Protection Law, Royal Decree No. M/19, as amended by Royal Decree No. M/148, 2023).
3. Personal data we collect and how
We collect and process data through two distinct and technically separated flows. These flows are not linked to each other, except as described in section 3.2.
3.1 Chat conversation data
When you use the Zaina AI assistant, your conversation — including the questions you ask and the information you voluntarily share — is retained as text.
What we retain: Full text of the conversation session.
What we do not retain in connection with the chat: Your name, email address, phone number, or any other direct identifier. The chat is stored without linkage to your identity.
Important: Although conversations may reference aesthetic or medical procedures in general terms, chat data is stored without any linkage to your identity. As a result, this data is not classified as sensitive personal data under the PDPL, as it cannot be attributed to an identified or identifiable individual.
3.2 Appointment request data
If you choose to request an appointment with a Zaina Verified partner clinic, we collect the following through a separate form:
- Your name
- Your email address and/or phone number
- The type of procedure you are interested in (e.g. liposuction, facial peel)
Architecture note: Your appointment data is stored separately from your chat history. The only connection between the two is the procedure category you indicated interest in. Your full chat transcript is not linked to your appointment record.
The procedure type collected at appointment stage constitutes sensitive personal data (health/aesthetic category) under the PDPL and is handled accordingly.
3.3 Registration and waitlist data
- Email address (and optionally, name), provided voluntarily via the coming soon or registration form.
3.4 Technical and usage data
Standard server logs (IP address, browser type, pages visited, timestamp) collected for security and platform performance. Not linked to chat content or appointment records.
4. Legal basis and purposes
| Processing activity | Data involved | Legal basis | Purpose |
|---|---|---|---|
| Chat conversation processing ¹ | Conversation text | Legitimate interest (PDPL Art. 11(b)) — provision of the informational service | Generating AI responses to your queries |
| Chat retention for internal analysis | Conversation text (no identity) | Legitimate interest (PDPL Art. 11(b)) | Aggregate demand analysis; product improvement |
| Chat data in anonymised clinic reports | Aggregated, anonymised trends | Legitimate interest (PDPL Art. 11(b)) | Market intelligence reports shared with partner clinics |
| Appointment request processing | Name, contact, procedure type | Explicit consent (PDPL Art. 11(a)) | Referring you to a Zaina Verified clinic |
| Email registration | Email address | Explicit consent (PDPL Art. 11(a)) | Launch and product notifications |
| Registration confirmation | Email address | Legitimate interest (PDPL Art. 11(b)) | Single transactional confirmation |
| Server logs | Technical data | Legitimate interest (PDPL Art. 11(b)) | Security and platform performance |
| Compliance records | Consent records | Legal obligation | Regulatory compliance |
¹ The processing of chat data for AI response generation relies additionally on the contractual necessity of service delivery, as the LLM processing by Anthropic Inc. is technically inseparable from providing the informational service.
Clinic reports — important clarification
Reports shared with partner clinics contain only aggregated and anonymised data (e.g. volume of queries by procedure type, most common questions by category). Individual conversations are never shared with clinics in identifiable or pseudonymous form.
5. How the AI assistant works
The Zaina AI assistant uses a Retrieval-Augmented Generation (RAG) system combining:
- A curated knowledge base of aesthetic medicine and plastic surgery procedures.
- Real-time information about Zaina Verified partner clinics in Riyadh.
- A Large Language Model (LLM) to generate responses. Conversation data is transmitted to a data processor under a Data Processing Agreement incorporating Standard Contractual Clauses (SCCs). For details: privacy.claude.com/en/articles/10458704
Your conversation is sent to the LLM API for processing. It is not used to train or fine-tune AI models. It is not used to improve the RAG knowledge base. Retained conversations are used solely for internal demand analysis and anonymised reporting as described in section 4.
6. Data sharing and third parties
We do not sell, rent, or trade your personal data.
| Recipient | Data shared | Basis |
|---|---|---|
| LLM API providers (e.g. OpenAI, Anthropic, Google). Currently Anthropic Inc. (Claude API) — LLM sub-processor | Conversation text (in transit for response generation) | Data Processing Agreement incorporating SCCs (currently privacy.claude.com/en/articles/10458704) |
| Zaina Verified partner clinics | Your name, contact details, procedure type — only with your explicit consent | Explicit consent |
| Zaina Verified partner clinics (reporting) | Aggregated, anonymised demand data only | Legitimate interest |
| Cloud infrastructure providers. Currently Lovable Labs Inc. (platform hosting via Supabase, EU region) | Technical and stored data | Data Processing Agreement incorporating SCCs (Currently lovable.dev/data-processing-agreement) |
| Regulatory authorities (SDAIA, courts) | As legally required | Legal obligation |
| Acquirers in a business transfer | With equivalent protections | Legitimate interest |
All third-party processors are bound by Data Processing Agreements requiring them to process data only on our instructions and to maintain appropriate security standards.
7. International data transfers
Data is primarily processed on EU-based servers. The EU provides data protection standards equivalent to international best practice (GDPR).
We have conducted a transfer risk assessment per the PDPL Transfer Regulation (amended September 2024). No transfer conflicts with Saudi national interests or public order.
Where personal data is transferred outside the Kingdom of Saudi Arabia or the European Economic Area, we rely on the following safeguards, identifying the applicable Standard Contractual Clauses module for each transfer relationship:
| Recipient | Data transferred | SCC module | Rationale |
|---|---|---|---|
| LLM API providers (OpenAI, Anthropic, Google) | Conversation text processed in the US | Module 2 — Controller to Processor | Zaina determines purposes; providers process on our instructions only |
| Cloud infrastructure providers (AWS/GCP) | Stored data hosted on EU servers; potential US routing | Module 2 — Controller to Processor | Zaina determines purposes; providers provide infrastructure only |
| Zaina Verified partner clinics | Name, contact, procedure type — with explicit consent | Module 1 — Controller to Controller | Clinics independently determine how they process the referred patient's data |
The SCCs applied are those adopted by the European Commission under Decision 2021/914. They are incorporated by reference into the relevant Data Processing Agreements and supplier contracts without modification. In the event of any conflict between a commercial agreement and the applicable SCC module, the SCCs prevail.
Jurisdiction
To ensure an equivalent level of protection for all international data transfers, irrespective of the applicable contractual framework, Zaina applies the following controls:
- Transfers are limited to the minimum data necessary for the service to function (conversation text in transit only; no persistent identity linkage).
- All processors are bound by GDPR-compliant DPAs, which provide an equivalent level of data subject protection.
- Zaina retains the right to terminate the processing relationship and migrate to an alternative provider in the event of a material compliance failure.
- A transfer risk assessment has been conducted and documented internally per PDPL Transfer Regulation (amended September 2024).
- Processing is scoped to EU-based infrastructure where possible, ensuring transfers to third-country processors are minimised.
Copies of the applicable contractual instruments are available upon written request to privacy-team@theagilemonkeys.com.
Transfer Risk Assessment
A formal Transfer Risk Assessment (TRA) has been conducted in accordance with Article 29 of the PDPL, the SDAIA Regulation on Personal Data Transfer Outside the Kingdom (September 2024), and the SDAIA Risk Assessment Guidelines (February 2025), following the four-phase methodology prescribed therein. The TRA concludes that residual risk is low and that transfers are permissible under current safeguards. Document reference: TAM-ZAINA-TRA-001-v1.0, dated 12 March 2026.
8. Data retention
| Data type | Retention period | Rationale |
|---|---|---|
| Chat conversation text | 24 months from session date | Demand analysis and reporting cycle |
| Appointment request (name, contact, procedure) | Duration of referral relationship + 5 years | Contractual audit and revenue reconciliation with clinics |
| Consent records | 3 years | Regulatory compliance |
| Email (waitlist/registration) | Until unsubscribe or deletion request | Communication consent |
| Server logs | 90 days | Security monitoring |
Deletion requests are processed within 30 calendar days.
Right to erasure of chat data: Because chat conversations are stored without identity linkage, we cannot retrieve or delete a specific individual's chat unless you provide sufficient context to identify the session (e.g. approximate date, device, content). We will make reasonable efforts to locate and delete the data upon request.
9. Sensitive personal data
The procedure type collected as part of an appointment request — when linked to your name and contact details — is treated as sensitive personal data under the PDPL. Chat conversation data, which is stored without identity linkage, is not classified as sensitive personal data. We apply the following additional safeguards:
- Access is restricted to authorised personnel only.
- Data is encrypted at rest and in transit.
- Clinic reports are anonymised before sharing; no individual-level sensitive data is disclosed.
- We do not use sensitive data for marketing purposes.
- We do not collect sensitive data from individuals under 18.
10. Your rights under the PDPL (Art. 4)
You have the right to:
- Be informed — about how your data is processed (this policy).
- Access — request a copy of the personal data we hold about you.
- Correct — request correction of inaccurate data.
- Erase and destroy — request deletion of your data.
- Withdraw consent — at any time, without penalty, without affecting prior lawful processing.
- Object to marketing — opt out of communications at any time.
- Lodge a complaint — with SDAIA: https://sdaia.gov.sa
To exercise any right: privacy-team@theagilemonkeys.com. We respond within 30 days.
11. Security
- TLS/SSL encryption for all data in transit.
- Encryption at rest on EU-based servers.
- Role-based access controls; minimum necessary access principle.
- Technical separation between chat storage and appointment/identity data.
- Regular security reviews and vulnerability assessments.
In the event of a personal data breach that may cause harm to data subjects, we will notify SDAIA within 72 hours and notify affected users without undue delay, as required by the PDPL.
12. Medical disclaimer
Zaina AI is an informational tool only. It does not provide medical diagnoses, clinical prescriptions, or surgical advice. Content generated by the Zaina AI assistant is for informational and decision-support purposes only. All healthcare and surgical decisions must be made in consultation with a qualified, licensed medical professional.
Zaina AI is not a medical device under any applicable law.
Zaina AI is an informational tool only. It does not provide medical diagnoses, clinical prescriptions, or surgical advice. It is not intended for medical purposes. All healthcare decisions must be made in consultation with a licensed medical professional.
13. Children
Our services are not directed at individuals under 18. We do not knowingly collect personal data from minors. If we become aware that personal data has been collected from a person under 18, we will delete it immediately. Contact: privacy-team@theagilemonkeys.com.
14. Cookies
We use only technically necessary cookies to operate the platform. We do not use advertising or tracking cookies. You may control cookies through your browser settings.
15. Policy updates
We will notify registered users of material changes by email or site notice at least 15 days before they take effect. The "last updated" date at the top of this policy reflects the most recent version.
16. Governing law and regulator
This policy is governed by the Saudi Arabia Personal Data Protection Law (PDPL). The competent supervisory authority is the Saudi Data and Artificial Intelligence Authority (SDAIA) — https://sdaia.gov.sa
17. Contact
The Agile Monkeys (operating as Zaina AI)
privacy-team@theagilemonkeys.com
https://zaina.ai