Privacy Policy

Last updated: November 7, 2025

1. Introduction & Scope

Metrix Zenith X Artificial Intelligence (“MZX”, “we”, “us”, “our”) operates the Hector AI platform, portals, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, share, and protect information when you interact with the Service.

Controller vs. Processor. When you use the Service directly (e.g., via our upload interface or portals), we act as the data controller. For B2B/Enterprise deployments where your organization determines the purposes and means of processing, we may act as a data processor under a separate Data Processing Addendum (DPA).

2. Key Definitions

  • Customer Content: Documents, templates, prompts, and other materials you upload to or create through the Service.
  • Personal Information: Information that identifies, relates to, or could reasonably be linked to you or your device.
  • Portals: The web-based interfaces through which you access the Service (upload interface, download portal, management portal).

3. Information We Collect

A. Information You Provide

  • Contact & Account Data: Name, email address, organization, job title, and credentials you create or provide during registration.
  • Billing & Transaction Data: Payment method details, billing address, purchase history, and credit/run balances. Payment card data is processed by our payment processors and is not stored on our systems.
  • Customer Content: RfPs (PDF documents), PowerPoint templates, brand assets, instructions/prompts, and any other materials you upload.
  • Communications: Messages you send to us via email, support channels, or in-portal feedback.

B. Information from Third Parties

  • Authentication/SSO Providers: If you sign in via a third-party identity provider, we receive profile information as authorized by your provider settings.
  • Marketing Partners: We may receive contact information from business partners or public directories for outreach purposes.
  • Public Sources: Publicly available business information (e.g., company websites, professional profiles) used for account enrichment.

C. Automatically Collected Information

  • Device & Log Data: IP address, browser type, operating system, referring URL, pages visited, timestamps, and unique device identifiers.
  • Portal Telemetry: Feature usage patterns, session duration, navigation paths, and interaction events within the portals.
  • Email Interaction: Open/click tracking for transactional and delivery notification emails.

D. Cookies & Similar Technologies

We use cookies and similar technologies for authentication, security, preferences, and analytics. See our Cookie Notice for details on the types of cookies used and how to manage your preferences.

4. How We Use Information

We use the information we collect to:

  • Provide and operate the Service: Process your RfPs, generate outputs, deliver results, manage your account, and provide support.
  • Personalize your experience: Remember your preferences, templates, and usage patterns.
  • Improve and develop: Analyze usage trends, diagnose technical issues, and improve Service quality and performance.
  • Communicate: Send transactional notifications (delivery links, receipts), service updates, and, with your consent where required, marketing communications.
  • Ensure security and compliance: Detect and prevent fraud, abuse, and unauthorized access; enforce our Terms of Service; and comply with legal obligations.

AI & Model Providers

Customer Content may be transmitted to third-party AI model providers (currently including OpenAI, Anthropic, Google Cloud Vertex AI, Perplexity, and Mistral) solely to process your requests. We do not use Customer Content or Outputs to train foundation models by default; any such training would require your explicit opt-in.

De-identified/Aggregated Data

We may use de-identified or aggregated data for analytics, benchmarking, and Service improvement. This data cannot reasonably be used to identify you. You may opt out of de-identified data usage where required by law or upon reasonable request by emailing privacy@mzx.ai.

Automated Decision-Making

The Service uses automated processing (AI models) to generate outputs. These outputs are tools for your review and do not constitute automated decisions with legal or similarly significant effects on you. You retain full control over whether and how to use any output.

5. Legal Bases for Processing (EEA/UK Only)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

  • Contractual necessity: Processing required to perform the Service you requested (e.g., account management, RfP processing, output delivery).
  • Legitimate interests: Service improvement, analytics, security, and fraud prevention, where our interests do not override your rights.
  • Consent: Where you have given specific consent (e.g., marketing communications, optional data uses). You may withdraw consent at any time.
  • Legal obligations: Processing required to comply with applicable laws (e.g., tax records, anti-money laundering).

See the Appendix for a detailed purpose-by-purpose legal basis matrix.

6. How We Share Information

We may share your information with:

  • Service Providers: Third-party vendors who assist in operating the Service (hosting, AI model providers, email delivery, payment processing, analytics). These providers are contractually bound to use your data only for the services they provide to us.
  • Enterprise Customers: If your account is managed by an organization, that organization may access account and usage data in accordance with their agreement with us.
  • Business Partners: With your consent or as described at the time of collection.
  • Corporate Transactions: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction.
  • Legal/Protection: When required by law, court order, or governmental authority; to enforce our Terms; or to protect the rights, property, or safety of MZX, our users, or the public.
  • Other Users: Certain information (e.g., display name) may be visible to other users within the same organizational account.

7. Your Choices

  • Marketing Opt-Out: You may unsubscribe from marketing emails using the link in any marketing message. Transactional emails (delivery notifications, receipts) are not marketing and cannot be opted out of.
  • Cookies: You can manage cookie preferences through your browser settings or our cookie consent mechanism. Disabling certain cookies may affect Service functionality.
  • Declining to Provide Data: You may decline to provide certain information, but this may limit your ability to use some Service features.

8. Data Subject & U.S. State Rights

Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, restrict processing, data portability, and object to processing. To exercise these rights, contact us at privacy@mzx.ai.

GDPR/UK GDPR Rights

If you are in the EEA or UK, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent at any time
  • Lodge a complaint with your local supervisory authority

U.S. State Privacy Notice

If you are a resident of a U.S. state with applicable privacy legislation (e.g., California, Virginia, Colorado, Connecticut, Utah), you may have additional rights. Please refer to our U.S. State Privacy Notice for details.

9. International Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and the United Arab Emirates. When we transfer personal data outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other valid transfer mechanisms.

10. Security

We implement technical and organizational measures designed to protect your information, including encryption in transit and at rest, access controls, regular security assessments, and incident response procedures. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete it promptly.

12. Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Default retention periods:

  • Uploaded documents (Customer Content): 360 days
  • Generated content (Outputs): 360 days or per customer setting
  • Operational logs/telemetry: 24 months
  • Billing/transaction records: 7 years (legal requirement)

You may request deletion of your data at any time by contacting us. Standard backups are overwritten on normal cycles.

13. How to Contact Us

For privacy-related questions, requests, or complaints:

  • Email: privacy@mzx.ai
  • Postal Address: Metrix Zenith X Artificial Intelligence, IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates

EU/UK Representative: If you are in the EEA or UK and wish to contact our Article 27 representative, please email privacy@mzx.ai and we will provide the relevant contact details.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email and/or a prominent notice on the Service, with an updated effective date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Supplemental Notices

The following supplemental notices are incorporated by reference and provide additional detail on specific topics:

  • Cookie Notice — Details on cookies and similar technologies used by the Service.
  • Subprocessor List — Current list of third-party subprocessors.
  • U.S. State Privacy Notice — Additional rights for U.S. state residents.
  • Data Processing Addendum (DPA) — Applicable to enterprise/processor engagements.

Appendix — GDPR/UK GDPR Legal Basis Matrix

Purpose Categories of Data Legal Basis
Account registration & management Contact & Account Data Contractual necessity
RfP processing & output delivery Customer Content, Account Data Contractual necessity
Billing & payments Billing & Transaction Data Contractual necessity; Legal obligation
Service improvement & analytics Portal Telemetry, Device & Log Data Legitimate interests
Security & fraud prevention Device & Log Data, Account Data Legitimate interests; Legal obligation
Marketing communications Contact Data Consent
Legal compliance All categories as required Legal obligation
De-identified analytics Aggregated/de-identified data Legitimate interests

Notice to European Users

Identity of the Controller

Metrix Zenith X Artificial Intelligence, IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates. Contact: privacy@mzx.ai.

EU/UK Representatives (Article 27)

For Article 27 representative details, please contact privacy@mzx.ai.

Your Rights

Under GDPR/UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data in certain circumstances
  • Restrict processing of your data
  • Object to processing based on legitimate interests
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at privacy@mzx.ai. We will respond within 30 days (extendable by two months for complex requests).

Automated Decision-Making

The Service uses AI models to generate outputs. These outputs are aids for your review and do not constitute automated decisions producing legal effects concerning you. You are not subject to a decision based solely on automated processing that significantly affects you.

Sensitive Personal Data

We do not intentionally collect or process special categories of personal data (as defined in GDPR Article 9). Our Terms of Service prohibit uploading such data.

Data Retention

See Section 12 above for retention periods.

Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

↑ Back to top