How Zephira.ai Approaches GDPR Compliance
1. Context
Since 25 May 2018, the General Data Protection Regulation (GDPR) has set the standard across Europe for how personal data must be handled — from collection through to storage and use.
2. What Changed
GDPR raised the stakes considerably for any organisation active in the EU: penalties can reach 4% of worldwide annual revenue or €20 million, whichever figure is larger, and individuals gained expanded rights, including the ability to have their data erased entirely. The underlying philosophy is straightforward — data protection should be embedded from the start, putting people firmly in control of their own information.
3. Putting the GDPR Principles Into Practice at Zephira.ai
a. Lawfulness, fairness, and transparency
GDPR sets out six possible lawful grounds for processing personal data. Consent is one option, but for a B2B data platform like Zephira.ai, legitimate interest is typically the more suitable basis.
Relying on legitimate interest means we've assessed and documented why our processing is appropriate, proportionate, and fair to the individuals concerned.
Our Legitimate Interests Assessment:
Why we process this data
Zephira.ai has a legitimate interest in processing personal data connected to company officers, directors, and key decision-makers at businesses registered in the EU and elsewhere. This information is drawn from official government registries and other publicly accessible sources.
The business need behind it
This data underpins a specific and lawful purpose: giving our customers verified business intelligence — including company ownership, officer, and structural data — for due diligence, compliance, and B2B research purposes. Recital 47 of the GDPR expressly acknowledges that legitimate business activities of this kind can justify processing personal data.
What individuals can reasonably expect
The people included in our data are typically directors, officers, or shareholders acting in a professional capacity — roles that are, by law in most jurisdictions, part of the public record. It is reasonable for such individuals to expect that this information may be accessed for legitimate business and compliance purposes.
Keeping it proportionate
We limit the data we process to what's relevant: names, job titles, company affiliations, nationality, and publicly registered business details. Where a registry confirms someone has left a role or company, we update our records to reflect that.
Your ability to object
If you'd like your information restricted or suppressed from our platform, you're entitled to raise that request with us, and we will act on it in line with applicable law.
Why this matters
By aggregating accurate, verified registry data and keeping it current, Zephira.ai gives businesses a trustworthy alternative to fragmented, outdated, or unofficial sources — supporting better-informed due diligence, compliance, and commercial decisions.
b. Purpose limitation
We collect and process this data for one core purpose: providing verified company and officer information that our customers use for business research, compliance, and due diligence.
c. Data minimisation
What we hold is limited to what's necessary for this purpose — officer and shareholder names, roles, company associations, nationality, and other details drawn directly from official registries.
d. Accuracy
Zephira.ai works to keep the data we aggregate accurate and up to date, refreshing records as registries publish updates. If you identify an inaccuracy, you have the right to request a correction.
e. Storage limitation
We retain data only as long as it remains relevant to our stated purpose, updating or removing records once a person's role or company status changes according to the source registry.
f. Security
Access to our data is limited to legitimate business use cases, and we apply appropriate technical and organisational safeguards to protect it against unauthorised access, loss, or misuse.
g. Your rights
You can request access to, correction of, restriction on, or removal of your personal data at any time. To submit a request, please use the contact information on our Privacy Policy page.