ZakraBack to login
Legal Document

Privacy Policy

Product:Zakra AI-Powered Enterprise Knowledge Base & Reporting Platform
Operated by: Empowering Energy (trading as ESAP AI)
Platform: zakra.esap.ai
Risk Classification: HIGHEST Direct connection to client production databases

Who We Are

Zakra is an AI-powered enterprise knowledge base and reporting platform developed and operated by Empowering Energy (trading as ESAP AI) (CR No. [Insert CR Number]). We help organisations connect their databases, query them using natural language AI, and generate structured reports all through a secure, access-controlled interface.

Our Role: Data Processor

Zakra operates exclusively in a B2B enterprise context. Your organisation is the Data Controller: you determine which databases are connected, which tables and columns are exposed, and who has access. Empowering Energy (trading as ESAP AI) acts solely as a Data Processor, processing database data only on your organisation's behalf and strictly under your documented instructions.

Critical: Direct Database Access

⚠️ Zakra connects directly to your organisation's databases and executes AI-generated queries against your live data. This means the platform may access any data stored in your Connected Databases, including employee records, salary information, financial transactions, customer data, and other business records.

Your organisation, as Data Controller, is responsible for:

  • Configuring Table Access controls to restrict which columns AI can query (None, Read, Masked, Write)
  • Providing database credentials with minimum necessary access (read-only recommended)
  • Ensuring all data in Connected Databases is lawfully held under PDPL
  • Informing Data Subjects whose personal data may be queried or included in reports

What Data We Process

  • Client Database Content (Queried): Data from Connected Databases accessed through AI queries: employee records, salary/payroll data, financial transactions, invoices, purchase orders, and any other data in exposed tables
  • AI-Generated Reports: Structured reports (HR, Financial, Custom) containing analysis, summaries, and visualisations built from database query results
  • Chat Query Content: Natural language questions from users and AI-generated responses containing database-sourced results
  • Database Connection Credentials: Server IPs, ports, database names, authentication credentials (encrypted, never stored in plaintext)
  • Company Hierarchy Data: Company names, parent/subsidiary relationships, status, creation dates
  • User Account Data: Names, emails, roles (Super Admin, Admin, Regular), account status
  • Table Access Configurations: Column-level permissions (None, Read, Masked, Write) per table per role
  • Report Templates: Template names, types (HR, Financial, Custom), section structures
  • Usage and Analytics Data: Login timestamps, chat sessions, reports generated, daily activity volumes

Why We Process Your Data

PurposeLawful Basis
Database querying and AI-powered chat responsesPerformance of contract
AI report generation from database dataPerformance of contract
User authentication and role-based accessPerformance of contract
Table Access control enforcementPerformance of contract
Platform security and unauthorised access preventionLegitimate interest
Service quality improvement and analyticsLegitimate interest
Legal and regulatory complianceLegal obligation

We never process data for advertising, profiling, or any purpose outside the contracted scope. We do not retain copies of your raw database data only generated reports and chat outputs.

How We Use AI

  • Zakra uses AI to translate natural language questions into database queries and return results
  • AI auto-selects report templates, runs database queries, and builds structured reports
  • All AI-generated reports and chat answers are assistance tools not final records or audited outputs
  • AI outputs should always be verified against source data before use in formal decisions
  • We do not use your database data, reports, or chat content to train AI models without explicit written consent
  • We maintain documentation of AI models, query translation logic, and known limitations
  • Database credentials are never sent to LLM providers only query results

Data Sharing & Sub-Processors

ProviderPurposeLocation
Cloud Hosting ProviderInfrastructure, storage, and computeUSA
LLM ProviderAI query processing, report generation, NLUUSA
Analytics PlatformAnonymous usage analyticsUSA

No sub-processor receives direct access to your Connected Databases. Only query results are processed by LLM providers. 30 days' advance notice for any sub-processor changes.

Cross-Border Data Transfers

All transfers are protected by SDAIA-approved SCCs, completed TRAs filed with NDMO, encrypted transmission, and a contractual prohibition on secondary use. Your Connected Databases remain under your control and are not transferred.

Your Organisation's Rights Under PDPL

  • Access: Copy of all generated reports, chat histories, and configurations
  • Correction: Fix inaccurate metadata or user data
  • Deletion: Specific reports, chat histories, or all platform data
  • Portability: JSON or PDF export
  • Objection: Object to processing not in DPA
  • Restriction: Restrict processing during dispute
  • Audit: Evidence of PDPL compliance, query audit logs

Note: Rights regarding data in your Connected Databases must be fulfilled by your organisation directly at the database level.

Contact: privacy@esap.ai Response within 30 days.

Data Retention

Data TypeRetention Period
Generated reportsContract duration + 6 months
Chat session history and query logs12 months
Database connection credentialsContract duration, then immediately destroyed
Table Access configurationsContract duration, then deleted
Company and user account dataContract duration + 1 year
Report templatesContract duration + 6 months
Usage analytics12 months
Security and access logs6 months

Raw database data is NOT retained: only generated outputs. 30-day export window on termination. Permanent deletion confirmed in writing.

Data Security

  • AES-256 encryption at rest for all reports, chat logs, and credentials
  • TLS 1.3 encryption in transit, including database connections
  • Database credentials encrypted in secure vault never in plaintext
  • Column-level access control (None/Read/Masked/Write) enforced before queries execute
  • Company Context isolation between organisations
  • Role-based access (Super Admin / Admin / Regular)
  • Query audit logging all AI queries logged with user, timestamp, and content
  • Regular security audits and vulnerability assessments
  • 72-hour SDAIA/NDMO breach notification + immediate client notification

Contact & Complaints

Empowering Energy Data Privacy Team
📧 privacy@esap.ai · 🌐 zakra.esap.ai/privacy

Complaints may be submitted to SDAIA / NDMO at sdaia.gov.sa.

Terms of Service →Cookie Policy →