
Privacy Policy

Last Updated: October 15, 2025

HIQ Africa Ltd. (“HIQ Africa,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how the Zata mobile app (“Zata” or “the App”) collects, uses, discloses, and safeguards information when you use the App. By using Zata, you agree to the practices described here.

1. Who we are
– Company: HIQ Africa Ltd.
– Website: https://zata.rw
– Contact: privacy@hiq.africa, info@hiq.africa, info@zata.global
– Address: Norrsken Kigali House, KN 78 St., Kigali, Rwanda
– US correspondence: 651 North Broad Street, Suite 201, Middletown, DE 19709, +1 (302) 336-7210
– Data Controller: HIQ Africa Ltd.

2. What the app does
Zata helps businesses integrate with Electronic Billing Machine (EBM) services and related APIs, and can launch the web experience from within the app. Sign‑in is provided via Google Sign‑In using Supabase authentication.

3. What data we collect and why
We only collect data necessary to operate the App and deliver core features.

– Account and profile data: Google account basic profile (name, email, avatar), Supabase user ID/session tokens — used for authentication, account and session management.
– App activity and diagnostics: Basic event logs, crash/error diagnostics, limited technical metadata — used for troubleshooting, reliability, and security.
– Device and app metadata: App version, platform/OS, generic device model identifiers — used for compatibility and support.
– Invoice and transaction data: When you issue invoices/receipts in Zata, we process invoice numbers, dates, items, taxes, totals, payment mode, and related metadata — used to provide EBM‑compliant billing, reports, and history.
– Customer data in invoices: Names, phone numbers, emails, and TIN (if provided) — used to populate receipts/invoices and maintain records.
– Notification identifiers (if notifications are enabled): Push/device identifiers, external user IDs, tags, and optional email tokens — used to deliver push/email notifications you opt into (e.g., transaction alerts, reports).
– Files and receipts (if you export/store receipts): Receipt PDFs and generated documents may be uploaded to secure storage — used for download history and record‑keeping.
– Contacts import (optional): If you use Google Contacts import, the app may read contact names, emails, and phone numbers from your Google account to help populate customers. This is optional and initiated by you.

We do not collect precise or coarse location, SMS, photos, calendar, or microphone data via the mobile app. We do not collect payment card data in the app.

4. How we collect data
– Directly from you: When you sign in with Google via Supabase and when you create invoices or enter customer details.
– Automatically: Through the app runtime for security, diagnostics, and session management.
– Local storage: Session and app keys (e.g., api_token, company_id, branch_id) may be stored on‑device to keep you signed in and improve performance.
– From connected services you enable: If you enable Google Contacts import, we access your contacts per the granted scope (`contacts.readonly`).

5. How we use data
– Authentication and account management (Google Sign‑In via Supabase)
– Provide core app functionality and access to the Zata web experience
– EBM‑compliant invoicing, receipts, and reporting (including storage of invoice/customer data you enter)
– Notifications you enable (e.g., transaction alerts, summaries)
– Security, fraud prevention, and abuse detection
– Debugging, support, and service improvement (e.g., crash/error diagnostics)
– Legal compliance and enforcement of our Terms

6. Legal bases for processing (where applicable)
– Contract: To provide the services you request (e.g., authenticate, issue invoices, maintain your session).
– Legitimate interests: To secure our services, prevent abuse, and improve reliability.
– Consent: For optional features like notifications or Google Contacts import; you can withdraw consent at any time.

7. Data sharing and disclosures
We do not sell your personal data. We share data only as necessary:
– Service providers and subprocessors:
  – Supabase (authentication, application database/storage)
  – Google (Sign‑In provider; optional People API for contacts import)
  – OneSignal (optional push/email notifications: device IDs, external user IDs, tags/emails)
  – Cloudinary (optional storage for exported receipts/documents: receipt PDFs and URLs)
– Legal reasons: If required by law, court order, or to protect rights and safety.
– Business transfers: In the event of a merger, acquisition, or asset transfer, subject to this Policy.

Third‑party policies:
– Google Sign‑In & People API: https://policies.google.com/privacy
– Supabase: https://supabase.com/privacy
– OneSignal: https://onesignal.com/privacy
– Cloudinary: https://cloudinary.com/privacy

8. International data transfers
Your data may be processed and stored in countries outside your own. We use secure transfer mechanisms and industry‑standard protections (e.g., HTTPS/TLS). By using the App, you consent to such transfers as permitted by law.

9. Data retention
– Account/session data: Retained while your account remains active or as needed to provide the service.
– Invoice/customer/transaction data: Retained to provide records, reporting, and compliance functionality; you may request deletion subject to legal obligations.
– Files/receipts: Retained while needed for your records; you can delete stored receipts from within the app if supported or by request.
– Diagnostics/log data: Retained for a limited period to troubleshoot and ensure security, then deleted or anonymized.
– Legal obligations: Certain records may be retained to comply with laws or resolve disputes.

10. Your rights and choices
Depending on your jurisdiction (e.g., GDPR, Rwanda Data Protection, CCPA/CPRA), you may have rights to access, correct, or delete your data, to restrict or object to processing, and to data portability.

How to exercise rights:
– Sign out in‑app or clear app data to end local sessions.
– Request account or data deletion by contacting: privacy@hiq.africa or info@hiq.africa. For data processed by Supabase/Google/OneSignal/Cloudinary, you may also use their account tools.

We will verify requests where required and respond within the timelines set by applicable law.

11. Account deletion and data deletion
– Email privacy@hiq.africa from the email linked to your account with the subject “Zata Account/Data Deletion.”
– We will delete or de‑identify personal data not required to be retained for legal, security, or fraud‑prevention purposes, typically within 30 days.
– Sessions on your device can be ended by signing out or clearing the app’s data.

12. Data security
We use technical and organizational measures to protect your data, including encryption in transit (HTTPS/TLS), secure session handling (PKCE OAuth flow, deep links), least‑privilege access controls, and audit logging where applicable. No method of transmission or storage is 100% secure; we continuously improve our safeguards.

13. Children’s privacy
Zata is not directed to children under 13 (or the equivalent age of consent in your region). We do not knowingly collect data from children. If you believe a child has provided data, contact us to delete it.

14. Cookies and similar technologies
The app and embedded web content may use local storage and cookies to maintain sessions and preferences. You can clear app data from system settings to remove local tokens.

15. Third‑party links and embedded content
Zata may open or embed third‑party content (e.g., app.zata.rw). Their practices are governed by their own policies. We encourage you to review those policies.

16. App permissions
The app uses minimal permissions:
– Internet/network access: Required for authentication and API communication.
We do not request access to contacts, location, SMS, microphone, or photos unless you explicitly use optional features (e.g., Google Contacts import).

17. Certifications and compliance
HIQ Africa maintains a Data Privacy Protection Certificate covering processing activities related to the Zata mobile app and associated backend services.

– Certificate: Data Privacy Protection Certificate
– Issuing Authority: RDPO
– Certificate ID: [Insert ID]
– Scope: Collection and processing of user authentication data (Google Sign‑In via Supabase), session management, diagnostics and security logs, EBM‑compliant invoicing data (including customer information you enter), notifications metadata (if enabled), and storage of receipts/documents (if enabled).
– Controls: Encryption in transit (TLS), secure session handling (PKCE), least‑privilege access, incident response, data subject request handling, and vendor due diligence (e.g., Supabase, Google, OneSignal, Cloudinary).

A copy of our certificate and control summary is available at https://zata.rw/privacy-policy and in this repository at DATA_PRIVACY_CERTIFICATE.md. For compliance inquiries, contact privacy@hiq.africa.

18. Google Play Data safety summary (disclosure overview)
– Data collected:
  – Account/profile (name, email, avatar, Supabase ID)
  – Invoice/transaction data (items, taxes, totals, payment mode, invoice IDs)
  – Customer data in invoices (names, phones, emails, TIN if provided)
  – Device/app metadata, diagnostics/logs
  – Notification identifiers (push/device IDs, tags, external user IDs, email tokens) — optional
  – Contacts (names/emails/phones) — optional, only if you use Google Contacts import
  – Files/receipts (PDF URLs and related metadata) — optional, if you export/store receipts
– Purposes:
  – App functionality, authentication, invoicing/EBM compliance, notifications (if enabled), security/fraud prevention, and reliability analytics
– Data handling:
  – Data is encrypted in transit
  – Data is not shared with third parties for advertising
  – Data is not sold
  – Users can request deletion of data and account
– Optional/Not collected by default:
  – No precise/coarse location, SMS, photos, microphone, or calendar data

19. Changes to this policy
We may update this Policy to reflect changes in the App or legal requirements. We will update the “Last Updated” date and, where appropriate, notify you in‑app or on our website. Continued use after changes indicates acceptance.

20. Contact us
– Privacy requests: privacy@hiq.africa
– General support: info@hiq.africa, info@zata.global
– Website: https://zata.rw

Contact Us

We would love to hear from you. Here's how to reach us.

Address:
– 651 North Broad Street, Suite 201, Middletown, DE 19709, +1 (302) 336-7210
– Norrsken Kigali House, KN 78 St., Kigali, Rwanda

Email: info@hiq.africa | info@zata.global

Phone: +250 798 684 904
