Privacy Policy

1. Scope

This Policy governs Personal Information processed in connection with (i) the public website located at https://www.zocraticmma.com and associated sub-domains, (ii) any related mobile or desktop applications, and (iii) our developer APIs, widgets, or other resources (collectively, the “Service”).

2. Categories of Personal Information We Collect

• Account & profile – email address, display name/handle, AWS Cognito user-ID, password hash, and optional avatar.
• Usage & device – IP address, user-agent/device type, OS/browser version, referrer URL, time-zone, clickstream and feature interactions, error logs.
• User-generated content – predictions, leaderboard entries, messages to Zobot, comments, support tickets, and survey responses.
• Marketing & communications – email preferences, campaign engagement, CASL express-consent records, and unsubscribe events.
• Derived & analytical – feature engagement scores, segmentation cohorts, probability models, and other inferences we generate about your likely interests.

We do not intentionally collect sensitive Personal Information (e.g., health records, government IDs) and request that you refrain from submitting such data via the Service.

3. Sources of Personal Information

We obtain Personal Information (i) directly from you when you register, post content, or communicate with us; (ii) automatically via cookies, server logs, and similar technologies; and (iii) from service providers or integration partners (e.g., AWS Cognito for authentication, analytics platforms, payment processors if and when paid features launch).

4. Purposes for Processing & Legal Bases

We process Personal Information for the following purposes (legal bases noted parenthetically where GDPR applies):

• Service delivery & security – create accounts, authenticate, provide features, prevent fraud (contract / legitimate interests).
• Analytics & product improvement – understand feature usage, debug performance, develop new MMA tools (legitimate interests / consent for non-essential cookies).
• Communications – transactional emails (contract), optional marketing newsletters (consent under CASL / CPRA §7024).
• Compliance & enforcement – comply with legal obligations, enforce ToS, resolve disputes (legal obligation / legitimate interests).
• Commercialisation – subject to Sec. 6 below, offer advertising, data licensing, or other monetisation (consent where required; “sale”/“share” disclosures per CPRA).

5. Cookies & Similar Technologies

We use (i) necessary cookies for authentication, security and core functionality, and (ii) optional analytics cookies to measure usage patterns. Where required by law (e.g., EU/UK), we will display a cookie banner and obtain your consent before setting non-essential cookies. You may withdraw consent or adjust preferences at any time via our “Cookie Settings” link.

6. Disclosure of Personal Information

6.1 Service Providers (Processors)

We disclose Personal Information to vetted third-party processors (e.g., cloud hosting, AWS Cognito, analytics, email delivery, customer support, payment processors) strictly for purposes described in Sec. 4. Each processor is bound by contractual obligations to (i) process data only pursuant to our instructions and (ii) implement industry-standard security measures.

6.2 Legal & Safety

We may disclose Personal Information to law-enforcement, regulators, or other parties when we believe disclosure is necessary to comply with a legal obligation, protect the rights or safety of individuals, or enforce our ToS.

6.3 Commercial Transfers & “Sale” / “Share”

(Optional – include only if you may monetise data with third parties)We reserve the right, subject to applicable law, to disclose certain limited categories of Personal Information (e.g., hashed email, pseudo-anonymous device IDs, aggregated engagement metrics) to carefully selected third parties in exchange for monetary or other valuable consideration. Where such disclosure constitutes a “sale” or “share” as defined under the CPRA, we will (i) provide a conspicuous “Do Not Sell or Share My Personal Information” link or equivalent opt-out mechanism, and (ii) honour Global Privacy Control (GPC) browser signals where legally required.

6.4 Corporate Events

Personal Information may be transferred as part of a financing, merger, acquisition, insolvency, or other corporate transaction involving the Operator, subject to customary confidentiality protections.

7. International Data Transfers

We store data primarily in Canada and the United States. Where Personal Information is transferred outside your jurisdiction, we rely on legally recognised safeguards (e.g., standard contractual clauses, adequacy decisions, or comparable mechanisms) as required by law.

8. Data Retention & Deletion

We retain Personal Information only as long as necessary to fulfil the purposes set out in Sec. 4 or as required by law. Criteria include account status, legal obligations, dispute-resolution windows, and legitimate operational needs. When retention is no longer justified, we will delete or anonymise the data in accordance with our internal schedule (typical account inactivity purge: {XX} months).

9. Security Measures

We employ administrative, technical and physical safeguards appropriate to the sensitivity of the information, including encrypted transport-layer communications (TLS 1.2+), least-privilege access controls, regular vulnerability scanning, and event logging. No method of transmission or storage is 100 % secure; therefore, we cannot guarantee absolute security.

10. Your Privacy Rights

• Access / Correction (PIPEDA, GDPR, CPRA) – obtain a copy of, or correct inaccuracies in, your Personal Information.
• Deletion – request deletion of Personal Information we hold about you, subject to legal exceptions.
• Portability (GDPR) – receive an electronic copy of certain data in a structured, machine-readable format.
• Opt-out of marketing – click “unsubscribe” in any promotional email or adjust your settings.
• Opt-out of “sale/share” (CPRA) – if applicable, exercise your right via our dedicated link or GPC signal.

To exercise rights, email privacy@zocraticmma.com with sufficient detail to verify your identity. We will respond within the timeframe mandated by applicable law (e.g., 30 days under PIPEDA, 45 days under CPRA).

11. Children’s Privacy

The Service is not directed to children under thirteen (13) years of age, and we do not knowingly collect Personal Information from such children. If we learn that we have inadvertently collected data from a child under 13, we will delete it promptly and may suspend the account.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced via in-product notice or email. The “Last updated” line above indicates the effective date. Your continued use of the Service after an update signifies acceptance of the revised Policy.