Privacy Policy

H&A Global Limited · zh.app

Last updated: 12 June 2026. This English version is authoritative; a Chinese summary is also available.

1. Data controller

The data controller for zh.app is H&A Global Limited, Company No. 13721106, registered office Unit Fs. 113a, 154-160 Fleet Street, Blackfriars, London EC4A 2DQ, United Kingdom. Contact: contact@zh.app.

2. What we collect

  • Account data — email address, display name (optional), and a salted hash of your password (never the password itself). If you sign in with Google, we receive your email and basic profile name from Google.
  • Subscription data — membership tier, billing period and renewal dates, and Stripe customer/subscription identifiers. Card numbers are handled entirely by Stripe and never touch our servers.
  • Service usage — custom research requests you submit (their content and timestamps, used to provide the service and enforce monthly quotas) and signed-in session records.
  • Technical logs — our hosting provider (Cloudflare) processes IP addresses and request metadata to serve and secure the site. We do not run advertising or cross-site tracking.

3. Why we process it (legal bases)

  • To provide the service you signed up for — accounts, subscriptions, custom requests (performance of a contract).
  • To secure the service, prevent abuse and enforce quotas (legitimate interests).
  • To send transactional email such as account and billing notices (performance of a contract). We do not send marketing email without your consent.
  • To meet legal obligations such as tax and accounting record-keeping (legal obligation).

4. Processors and third parties

  • Cloudflare — hosting, CDN, DNS, data storage and email forwarding.
  • Stripe — payment processing and subscription billing (Stripe acts as its own controller for card data; see Stripe's privacy policy).
  • Google — optional "Sign in with Google" authentication.
  • Resend — transactional email delivery.

We do not sell personal data, and we share it only with the processors above as needed to run the service, or where required by law.

5. International transfers

Our processors may store data outside the UK (notably in the United States and on global CDN infrastructure). Where they do, transfers are protected by appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or adequacy regulations.

6. Retention

Account data is kept while your account is active and deleted or anonymised within a reasonable period after account deletion, except where billing and tax law requires longer retention (typically 6 years for transaction records in the UK). Encrypted database backups rotate on a fixed schedule (approximately 8 weeks).

7. Your rights

Under UK GDPR you may request access to, correction of, or deletion of your personal data; restriction of or objection to processing; and data portability. Write to contact@zh.app and we will respond within one month. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).

8. Cookies

We use only essential cookies. See the Cookie Notice.

9. Changes

We will post any changes here and update the date above; material changes will be highlighted on the site.