Skip to main content
Zehna Logo
Zehna

Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect the following categories of information when you use Zehna:

  • Account data: Your name and email address when you register for an account.
  • Session and usage data: Pages visited, features used, session duration, device type, browser type, IP address, and interaction logs collected automatically as you use the platform.
  • Mental health interaction data: Text and responses you share with Zehna's AI support tools, including mood logs, journal entries, and wellness check-ins. This constitutes special category data under GDPR Article 9 and is subject to heightened protection (see Section 3 below).
  • Analytics data: Aggregated usage statistics collected via Google Analytics, including page views, referral sources, and user flow data.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the service: To operate, maintain, and personalise your experience on Zehna.
  • Improve AI models: To train and improve our AI-powered mental wellness tools using anonymised and aggregated interaction data, subject to your explicit consent where required.
  • Analytics: To understand how users interact with the platform and improve features and performance.
  • Communications: To send you service-related notifications, updates, and — where you have opted in — newsletters or wellbeing content.
  • Safety and compliance: To detect and address technical issues, prevent misuse, and comply with applicable legal obligations.

3. Special Category Data (Mental Health)

Important Notice Regarding Mental Health Data

Any information you share through Zehna's AI support tools — including mood entries, journal content, and wellness check-ins — constitutes special category personal data relating to health under GDPR Article 9 and equivalent provisions of Iranian data protection law.

We apply the following heightened protections to this data:

  • Mental health interaction data is processed only on the basis of your explicit consent, which you may withdraw at any time.
  • This data is never sold to third parties under any circumstances.
  • AI analysis of your interactions is used solely to improve the quality and relevance of therapeutic responses — it is not used for profiling, advertising, or any purpose unrelated to your wellness.
  • Access to identifiable mental health data is restricted to a minimum number of authorised personnel operating under strict confidentiality obligations.

4. Information Sharing

We do not sell your personal data. We share data only with the following categories of third-party processors, each bound by a Data Processing Agreement (DPA):

  • Google LLC (Google Analytics): Aggregated, anonymised analytics data for platform usage statistics. Google Analytics data is subject to Google's data processing terms. You may opt out via the Google Analytics Opt-out Browser Add-on.
  • Hosting and infrastructure providers: Iranian-based server infrastructure providers who store and process data on our behalf under strict contractual data protection obligations.

We do not share your personal data with any other third parties without your explicit prior consent, except where required by applicable law or a valid legal order.

5. Cookies and Tracking Technologies

We use cookies and similar technologies on zehna.ir. The following table describes the cookies we use:

Cookie / Technology Category Purpose Retention Opt-out
Session cookie Essential Maintains your authenticated session Session (deleted on browser close) Not available — required for the service to function
CSRF token Essential Protects against cross-site request forgery attacks Session Not available — required for security
Google Analytics (_ga, _gid) Analytics Usage statistics — pages visited, session duration, user counts Up to 2 years (_ga); 24 hours (_gid) Available via Google Analytics Opt-out Add-on or browser Do Not Track setting

You can configure your browser to refuse cookies. Note that disabling essential cookies will prevent you from using core features of the platform.

6. Data Security

We implement technical and organisational security measures proportionate to the sensitivity of the data we hold:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Personal data and mental health interaction data are encrypted at rest on our servers.
  • Access controls: Access to personal data is restricted on a need-to-know basis, with role-based access controls and audit logging.
  • Iranian server infrastructure: All personal data is stored on servers located within the Islamic Republic of Iran, minimising cross-border data transfer risks.

No method of electronic storage or transmission is completely secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your personal data for the following periods:

  • Account data (name, email, profile): Retained for the duration of your active account, plus 90 days following account deletion — after which it is permanently deleted or anonymised.
  • Session and chat logs (mental health interaction data): Retained for 12 months from the date of creation, after which logs are deleted or irreversibly anonymised.
  • Analytics data (Google Analytics): Retained for 26 months per Google's default data retention settings.

We may retain data for longer periods where required by applicable law, a valid legal order, or to resolve a dispute.

8. Your Rights (GDPR)

If you are located in the European Union or a jurisdiction with equivalent data protection law, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you, including information about how it is processed.
  • Right to Rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Art. 17): You may request that we delete your personal data ("right to be forgotten"), subject to certain legal exceptions.
  • Right to Restrict Processing (Art. 18): You may request that we limit the ways in which we use your personal data in certain circumstances.
  • Right to Data Portability (Art. 20): You may request that we provide your personal data in a structured, commonly used, machine-readable format so you can transfer it to another service provider.
  • Right to Object (Art. 21): You may object to the processing of your personal data where we rely on legitimate interests as our legal basis.
  • Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions made solely by automated processing — including profiling — that produce significant legal or similarly significant effects on you.

To exercise any of these rights, email us at privacy@zehna.ir. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.

9. Iranian Data Protection

Zehna operates in compliance with Iran's Personal Data Protection Law (قانون حمایت از داده‌های شخصی). In accordance with this law:

  • All personal data is stored on servers located within the Islamic Republic of Iran.
  • We process your data only on lawful bases recognised under Iranian data protection law, including consent, contract performance, and legitimate interests.
  • The supervisory authority for data protection matters in Iran is the Iran Data Protection Authority. You have the right to lodge a complaint with this authority if you believe your data has been processed unlawfully.

10. Children's Privacy

Zehna's platform is intended for users aged 16 years and older. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. Given the sensitive nature of mental health support, responsible use by minors requires parental involvement. If you are a parent or guardian and believe your child under 16 has registered without consent, please contact us at privacy@zehna.ir and we will promptly delete their account and data.

11. Mental Health Data Notice

Please read this notice carefully

  • Any mental health information you share on Zehna is treated as sensitive personal data and receives heightened protection as described in this policy.
  • Zehna's AI responses are provided for mental wellness support only — they do not constitute medical diagnoses, clinical assessments, prescriptions, or professional therapy.
  • If you are experiencing a mental health crisis or believe you may be at risk of harming yourself or others, please call 1480 (Iran's National Mental Health Crisis Line) or contact emergency services immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — including changes to the categories of data we collect, how we use your data, or your rights — we will provide at least 30 days advance notice via email to all registered users before the changes take effect. The updated policy will also be posted on this page with a revised "Last updated" date. Continued use of the platform after the notice period constitutes acceptance of the revised policy.

13. Contact

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact our Privacy team: