This Privacy Notice for Mazza AI ("we," "us," or "our") describes how and why we access, collect, store, use, and share ("process") personal information when you use our services ("Services") - including our website at mazzaai.com, our AI voice and WhatsApp agent platform, and our business dashboard. If you have questions, contact us at admin@mazzaai.com.
This notice is governed by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL"). The UAE Data Office is the supervisory authority. Where our clients serve customers in the EU/EEA or UK, we also support our clients' obligations under the GDPR. Our role differs depending on the data - see section 03.
What Information Do We Collect?
We collect the account information you give us, technical information collected automatically, and - on behalf of our business clients - the caller and customer data generated when their AI agents handle calls and messages.
When you register, subscribe, or contact us, we collect information you voluntarily provide, which may include:
Payments are processed by Stripe. We never receive or store full card numbers or security codes - only a payment token and non-sensitive details such as the card brand and last four digits (see section 09).
When you use the Services we automatically collect technical information such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, and usage logs. This is used to keep the Services secure and operational and for our internal diagnostics.
This is the heart of our platform. When a client's AI agent answers a call or a WhatsApp message, we process the following on the client's behalf (see section 03 for our role):
Where a client connects Google services, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
How Do We Process Your Information?
To provide, secure, and improve the Services, to operate the AI agents, to communicate with you, and to comply with law.
Information Processed on Behalf of Our Clients
When we handle calls and messages for a business, we act as a data processor on that business's behalf. The business is the data controller of its callers' and customers' information.
Mazza AI provides automated call answering, appointment booking, and customer messaging for businesses in the UAE and wider GCC. When we provide these services, we act solely as a processor, handling caller and customer information under the documented instructions of the business client, who remains the controller. Our processor obligations are set out in our Data Processing Agreement.
We record calls and store transcripts and conversation content. To deliver the service - and to give the business a record of what was said and booked - we store call recordings, call transcripts and summaries, and the full content of WhatsApp conversations (including media). We do this only to provide the Services to the relevant client. We do not use this data for our own independent purposes, and we do not use it - and our AI providers do not use it - to train AI models.
Retention. Data processed on behalf of a client is retained for the life of that client's account so the business has continuous access to its own records. When a client closes its account, or instructs us to delete specific records, we delete the data from our active systems (see section 08).
Our clients' responsibilities. Business clients are responsible for having a lawful basis to process their customers' data, for informing their customers that calls and messages may be handled by an automated AI assistant and may be recorded, and for honouring opt-outs. We provide tools to support this, including a configurable AI disclosure on the agents and a customer-facing notice template.
AI & Automated Processing
Our agents are powered by third-party AI. Conversation content is sent to those providers only to generate a response, never to train their models, and a human can always take over.
To understand callers and customers and generate helpful replies, we send conversation content to specialist AI providers:
The agents help with bookings and inquiries; they do not make legally or similarly significant decisions about a person on a solely automated basis. A human operator can take over any conversation at any time, and a caller or customer can ask to speak to a human or to stop messaging at any point (for example by replying STOP on WhatsApp).
A complete list of every provider that may process personal data, and the country in which they operate, is maintained on our Sub-processors page.
When and With Whom Do We Share Information?
Only with the service providers (sub-processors) that help us run the platform. We never sell, rent, or trade personal information.
We share information with vetted sub-processors strictly to operate the Mazza AI platform, limited to what each provider needs for its role. We do not sell, rent, or trade personal information, and we do not permit our providers to use it for their own purposes (including AI model training or advertising). The providers we rely on include:
A current, itemised list is maintained at mazzaai.com/subprocessors. We may also disclose information where required by law, court order, or government authority, or in connection with a merger, acquisition, or sale of assets (subject to the same protections described here).
International Data Transfers
Our primary database is in Singapore, and some providers operate in the United States and globally. Your data therefore leaves the UAE, protected by contractual safeguards.
Mazza AI is based in Dubai, but our infrastructure and providers are international. Our primary database and file storage are hosted in Singapore (Supabase on AWS). Certain processing also takes place with providers in the United States (Anthropic, VAPI, Clerk, Stripe, Resend, Vercel) and globally (Meta/WhatsApp). This means personal data we process is transferred outside the UAE.
We rely on appropriate safeguards for these transfers, including data-processing and contractual terms with each provider (such as the EU Standard Contractual Clauses or equivalent protections where applicable), and we require providers to maintain security and confidentiality consistent with this notice and the PDPL. For data we process on behalf of a client, the client (as controller) is responsible for ensuring it has a valid basis for international transfer of its customers' data, which our DPA and Sub-processors page support.
Cookies & Tracking Technologies
Essential cookies only - to keep you signed in. No advertising or analytics cookies.
We use a small number of strictly necessary cookies for secure authentication and session management. They keep you signed in, protect your account, and route requests correctly. They cannot be switched off without breaking the platform.
We do not use advertising, tracking, or analytics cookies, and we do not allow third parties to place such cookies on our Services. Because we only set essential cookies, no cookie consent banner is required. Full detail is in our Cookie Policy.
How Long Do We Keep Your Information?
For as long as your account is active, then deleted on closure or request. Deleted records leave our trash after 30 days.
We keep account information for as long as you have an account with us, and data processed on behalf of a client for the life of that client's account, unless a longer period is required or permitted by law (such as tax or accounting requirements).
You can delete records from the dashboard at any time. Deleted records are held in a recoverable trash for 30 days and then permanently purged. When an account is closed, we delete or anonymise the associated personal information from our active systems. Where deletion is not immediately possible (for example, data held in encrypted backups), we isolate the information from further processing until deletion is possible.
Security
We protect personal information with layered technical and organizational measures.
Our safeguards include encryption of data in transit (TLS), strict tenant isolation enforced at the database level so one client can never see another's data, role-based access controls, encryption of stored integration credentials and access tokens, private media storage served only through short-lived signed links, and signature verification on all inbound webhooks. Card data is handled entirely by Stripe and never stored on our servers.
No method of transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security.
Data Breaches
If a breach affects your personal data, we assess it and notify the authority and affected parties without undue delay.
We maintain an incident-response process. If we become aware of a personal-data breach that is likely to harm the rights of affected individuals, we will assess the risk and, in line with the UAE PDPL, notify the UAE Data Office and the affected controllers without undue delay, together with the information they need to respond. Where we act as a processor for a client, we will notify that client promptly so they can meet their own notification obligations.
Do We Collect Information from Minors?
We do not knowingly collect data from or market to children under 18.
We do not knowingly collect, solicit data from, or market to children under 18. By using the Services, you represent that you are at least 18, or are the parent or guardian of such a minor and consent to their use. If we learn that we have collected personal information from a person under 18, we will take reasonable steps to delete it. If you believe we may have such data, contact us at admin@mazzaai.com.
What Are Your Privacy Rights?
Under the UAE PDPL you can access, correct, restrict, port, object to, and request deletion of your personal information.
As a user of our Services, you have the following rights under UAE Federal Decree-Law No. 45 of 2021:
- The right to request access to and a copy of your personal information.
- The right to request correction of inaccurate or incomplete information.
- The right to request erasure of your personal information.
- The right to restrict processing of your personal information.
- The right to data portability.
- The right to object to processing in certain circumstances.
Account holders can export their organization's data and delete records directly from the dashboard. If you are an end customer of one of our business clients, please direct access or deletion requests to that business (the controller); we will assist them in responding. To make any request to us, contact us using the details in section 14. We will respond within 30 days.
To review, change, or close your account, sign in to your settings or contact us. On account closure we deactivate and delete your account information from our active databases, except where we must retain limited information to prevent fraud, resolve disputes, or comply with law.
Do We Make Updates to This Notice?
Yes - we will update this notice as needed to stay accurate and compliant.
We may update this Privacy Notice from time to time, indicated by the "Last updated" date above. If we make material changes, we will post a prominent notice or notify you directly. We encourage you to review it periodically.
How Can You Contact Us?
If you have questions or comments about this notice, email us or write to us:
Mazza AI
Dubai, United Arab EmiratesHow Can You Review, Update, or Delete Your Data?
You have the right to request access to the personal information we hold about you, details of how we process it, correction of inaccuracies, or deletion. You may also withdraw consent where processing is based on consent. These rights may be limited in some circumstances by applicable law.
To request to review, update, or delete your personal information, contact us at admin@mazzaai.com.