Zest Technologies DIFC Limited ("Zest DIFC", "we", "us", "our") is a private company established in the Dubai International Financial Centre ("DIFC"), Dubai, United Arab Emirates, with registered company number CL4831.
Zest DIFC operates the Tarth AI agent compliance onboarding platform ("Tarth" or the "Platform") and the website at www.tarth.ai (the "Site").
This privacy policy (the "Privacy Policy") sets out how we collect, use, share, and protect personal data in connection with your use of the Site and the Platform. It applies globally. Zest DIFC is primarily regulated under the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and honours equivalent rights under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable data protection regimes where they apply to you.
Please read this Privacy Policy carefully so you understand your rights and how we handle your personal data. This Privacy Policy supersedes any previous privacy-related notice provided by us. If you do not agree with it, you should not access the Site or use the Platform.
The Site and Platform are not intended for children, and we do not knowingly collect data relating to children.
Tarth is a business-to-business platform used by regulated institutions and their compliance teams ("Customer Institutions") to onboard, verify, and screen individuals and entities ("Subjects"). Depending on the data in question, Zest DIFC acts in different capacities.
When we act as a data controller:
When we act as a data processor:
In our processor capacity, the Customer Institution is the data controller and instructs us on how Subject data is processed. Our processor obligations — including retention, deletion, security, and sub-processor use — are set out in our data processing agreement ("DPA") with each Customer Institution. Subjects wishing to exercise rights in relation to their onboarding data should contact the Customer Institution that onboarded them; we will assist the Customer Institution in fulfilling those requests.
We may collect personal data when you create an account, log in, complete onboarding or verification workflows, upload documents, interact with the Site, or communicate with us or with a Customer Institution through the Platform.
This may include:
When you visit the Site or use the Platform we collect:
We may use third-party analytics (such as Google Analytics) to understand aggregate usage.
We may receive personal data from:
We process personal data to:
We do not use Subject data to train generalised AI models outside of the specific verification and compliance tasks for which it was provided. We do not share Subject data with our AI sub-processors for their own training purposes.
The Site uses cookies and similar technologies that are essential to functionality (session management, security, preference storage) and for analytics. You can manage cookie preferences via your browser settings. Non-essential cookies are set only where the required consent has been given.
We share personal data only as described in this Privacy Policy.
Sub-processors. We use the following service providers to operate the Platform:
| Sub-processor | Purpose |
|---|---|
| Onfido | Identity verification, liveness checks, biometric verification |
| ComplyAdvantage | AML, sanctions, PEP, and adverse media screening |
| Clerk | Authentication and user management |
| OpenAI | AI model services supporting verification and compliance workflows |
| Anthropic | AI model services supporting verification and compliance workflows |
We require all sub-processors to provide at least equivalent data protection standards and to process personal data only on our instructions (or, for Subject data, on the instructions of the Customer Institution through us). An up-to-date list of sub-processors is maintained and made available to Customer Institutions.
We may also share personal data with:
Personal data may be transferred to and processed in countries outside the DIFC, including where our sub-processors operate. We rely on:
Contact [email protected] for a copy of the relevant Model Clauses.
Depending on the regime that applies to you, you have rights to:
Where we act as a processor (Subject data), please direct requests to the Customer Institution that onboarded you. We will support the Customer Institution in responding.
Where we act as a controller (account data, site data, marketing), contact us at [email protected]. We aim to respond within one month. We will let you know if we need more time and explain why.
You have the right to lodge a complaint with the DIFC Commissioner of Data Protection (The Gate, Level 14, PO Box 74777, Dubai; +971 4 362 2222) or with the supervisory authority in your jurisdiction (for example, the Information Commissioner's Office in the UK, or your national data protection authority in the EU).
Certain personal data is required for us to provide the Platform or for Customer Institutions to meet their KYC/AML obligations. Failure to provide it may delay or prevent onboarding and use of the Platform.
We apply appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest, audit logging, secure infrastructure, staff confidentiality obligations, and regular review of our security posture.
No transmission over the internet can be guaranteed 100% secure. Please contact us promptly if you suspect your data has been compromised.
Controller data (account, site, marketing). We retain this for the duration of your relationship with us plus up to two years after termination, to meet legal, accounting, and legitimate business requirements.
Processor data (Subject data). We retain this only as long as necessary to provide the Platform to the Customer Institution. By default:
Customer Institutions are responsible for meeting their own AML, KYC, and record-keeping obligations. They may download Subject records at any time to retain them in their own systems.
Deletion by Customer Institutions. Customer Institutions can delete Subject records directly through the Platform at any time. Deletion is permanent — once completed, records, uploaded documents, verification results, screening history, and associated metadata cannot be recovered. The Platform surfaces a confirmation step that warns of this before deletion is executed. Customer Institutions are reminded that they remain responsible for their own AML and record-keeping obligations and may wish to export records before deleting.
Deletion on subscription termination. Subject data is deleted in line with section 10 above.
Deletion of account (controller) data. Customer Institution users can request deletion of their own account and admin data by contacting [email protected]. We will complete deletion within 30 days, subject to any legal retention requirements.
Deletion requests from Subjects. Subjects should direct deletion requests to the Customer Institution that onboarded them, since that institution is the data controller for Subject data. We will assist the Customer Institution in executing such requests.
The Site and Platform may contain links to third-party websites, plug-ins, or applications. We do not control these third parties and are not responsible for their content, privacy policies, or handling of your information. Review their policies before providing any information.
We may amend this Privacy Policy from time to time to reflect changes in law or in how our business processes personal data. We will post the updated version on the Site and update the "Last updated" date. Material changes may be notified directly.
For questions, requests, or complaints relating to this Privacy Policy or your personal data:
We endeavour to respond as soon as practicable.