Privacy Policy – Zanspace

Effective Date: 1 June 2026

Last Updated: 1 June 2026

Zanspace ("the App", "we", "our", "us") is a food-safety and restaurant-management platform provided by Mobiki Ltd, a company registered in the United Kingdom. This Privacy Policy explains what information the Zanspace Android app (package com.zanspace.android), the Zanspace iOS app, and the web dashboard at app.zanspace.com collect, why we collect it, how we use it, and who we share it with.

Summary. Zanspace helps restaurants, cafés, kitchens and hospitality businesses meet UK food-safety requirements (Safer Food Better Business / HACCP), monitor fridge & freezer temperatures, track staff attendance and training, manage suppliers, deliveries and equipment maintenance, and publish allergen information. To deliver these features we collect the account and operational data described below. We do not sell your data, we do not use it for advertising, and we do not share it with data brokers.

1. Who we are

Data controller: Mobiki Ltd, London, United Kingdom.
Contact: info@mobiki.uk

2. What information we collect

2.1 Account & profile information

Name, email address, password (stored hashed), optional phone number, and your role in the restaurant (owner, manager, or staff member).
Restaurant business profile: trading name, address, opening hours, FSA / FHRS rating, business type, contact details.
Profile photograph if you choose to upload one.
Referral code if you signed up via a referral link.

2.2 Operational records

The records you and your team create while using the App. Specifically:

Daily checks & checklists: opening and closing checklists, custom daily tasks, and the YES/NO answers, timestamps and operator name for each item.
Hygiene checks: daily, weekly and monthly cleaning records.
Temperature records: fridge / freezer temperatures (manual or sensor), cooked / reheated food temperatures, hot- and cold-hold temperatures, probe-calibration logs.
Deliveries: food-delivery temperature records, supplier and goods-in details.
Suppliers & inventory: supplier directory, allergen information, food / menu items.
Staff records: staff list, training records and certificates, health-pass questionnaire answers, allergen-training completion, schedule / rota and shift assignments, clock-in / clock-out attendance events.
Equipment & assets: fridges, freezers, probes, beacons and other equipment registered to your restaurant, plus their maintenance history.
Inspections: internal inspection notes and EHO visit notes.
Messages & notifications: in-app messages and the notification history we deliver to you.
Photos: images you choose to attach to a record (training certificate, delivery invoice, fridge calibration tag, evidence of a corrective action, signed Health Pass) — uploaded to our secure cloud storage and linked to the record they belong to.
Signatures: e-signatures you draw on the screen when signing a checklist or training record.

2.3 Location data (only if you enable automatic staff attendance)

Zanspace can clock staff in and out automatically by detecting a small Bluetooth Low Energy (BLE) iBeacon installed at the workplace. To do this, the App requires the following operating-system permissions:

Platform	Permission	Why
Android	`ACCESS_FINE_LOCATION` `ACCESS_COARSE_LOCATION`	Android classifies any BLE scan that may identify a location as a "location" use; granted alongside Bluetooth.
Android	`ACCESS_BACKGROUND_LOCATION`	So the workplace beacon can be detected when the App is closed or the phone is locked — staff are clocked in the moment they arrive, without having to open the App first.
Android	`FOREGROUND_SERVICE_LOCATION`	Required by Android 14+ for the foreground service that runs the BLE scan; a persistent notification ("Zanspace presence — Watching your workplace beacon") is shown while the scan is active.
iOS	Location When In Use Location Always	iOS routes iBeacon advertisements through CoreLocation rather than CoreBluetooth, so the Location permission is required to discover the beacon. "Always" enables the same automatic clock-in behaviour as on Android.

What we collect when the feature is enabled:

An ENTER_WORKPLACE event (with a timestamp) when the user's device first detects the workplace beacon.
An EXIT_WORKPLACE event (with a timestamp) when the device loses the beacon for long enough to be considered "left the premises".
The UUID of the workplace beacon that was detected — this identifies your workplace, not the user's geographic location.

What we do not collect:

GPS coordinates, latitude or longitude.
Location history or movement traces outside the workplace.
Wi-Fi network names, BSSIDs, or cell-tower information.
Any data when the user is away from the workplace beacon.

Opt-in. Automatic attendance is opt-in. Before the operating-system permission prompt appears, the App shows a prominent disclosure dialog explaining the feature. If you decline, the App continues to work and staff can still clock in and out manually. You can revoke the permission at any time in the device's system settings (Android: Settings → Apps → Zanspace → Permissions → Location; iOS: Settings → Privacy → Location Services → Zanspace).

Use restrictions. The location-derived data described above is used solely for the attendance feature. It is not used for advertising or marketing, is not sold or rented to anyone, and is not shared with third parties except as listed in Section 5.

2.4 Bluetooth data

The App uses Bluetooth to discover and read data from the food-safety hardware paired with your restaurant. Specifically:

Workplace beacons — used for attendance as described in Section 2.3.
Temperature / humidity sensors — Zanspace reads sensor advertisements (temperature, humidity, battery level, RSSI) from BLE probes registered to your restaurant and stores those readings as part of your fridge / freezer / hot-hold records.

The App does not scan for, store data from, or attempt to connect to Bluetooth devices that are not registered to your restaurant.

2.5 Camera, microphone & photo library

Camera. Used only when you tap a "take photo" control inside the App to attach evidence to a checklist item, delivery record, equipment record or training record. The App does not record audio or video.
Photo library. Used only when you tap "choose from library" to pick an existing image to attach. The App does not enumerate or upload other photos.
Save to library (iOS). When you tap "Save card" on the Health Pass screen, the QR card image is saved into your photo library so you can show it offline.

The App does not request microphone access.

2.6 Device & notification data

Push-notification token (Firebase Cloud Messaging) — used to deliver the alerts you have asked for (temperature out-of-range, training due, schedule change, etc.). You can disable notifications at any time in your device settings.
Device model, OS version and App version — included with diagnostic events to help us identify and fix bugs.

2.7 Payment information

If your restaurant subscribes to a paid plan, payment is handled by a third-party payment processor on our web dashboard. We do not receive or store your full card number; we only see subscription status, the last 4 digits of the card and the cardholder's name as needed to send receipts and manage the subscription.

2.8 Analytics & diagnostics

The mobile apps themselves do not contain a third-party analytics SDK. The web dashboard uses PostHog to collect anonymised product-usage events (for example "user opened the Reports tab") so we can understand which features are used and prioritise improvements. PostHog events do not contain the contents of your operational records.

2.9 AI features

Some features of the App (for example, generating allergen menus or summarising a long week of records) may send the relevant record text to an AI processor to produce a result. Only the data you submit to that feature is sent; the AI processor does not receive your wider account data and is contractually prohibited from using your data to train its models.

3. How we use your information

To deliver the App's features (record-keeping, scheduling, attendance, alerts, reports, allergen menu, Health Pass QR, etc.).
To store your records so you and your team can audit them and produce them for an EHO inspection.
To send the notifications and reminders you have configured.
To process subscription payments and send receipts (paid plans).
To diagnose crashes, fix bugs and improve the App.
To comply with our legal obligations (for example, responding to lawful requests from authorities).

4. Legal basis (UK / EU GDPR)

We process personal data on the following legal bases:

Contract — to deliver the App's features under our Terms of Service.
Consent — for opt-in features such as automatic attendance (Location / Bluetooth) and push notifications.
Legitimate interest — for product analytics on our web dashboard, security monitoring, and bug diagnostics, balanced against your rights.
Legal obligation — where we are required to retain or disclose data by law (food-safety record retention, etc.).

5. Who we share data with

We do not sell, rent, or trade your personal data. We share data only with the following service providers, strictly to operate the App:

Provider	Purpose	Data shared
Cloud hosting (UK)	Storing and serving your records and the App backend.	All of the above, encrypted at rest.
Firebase Cloud Messaging (Google)	Delivering push notifications.	Device push token and the notification body.
PostHog (web only)	Anonymised product analytics on the web dashboard.	Anonymised event names; no record contents.
Stripe (paid plans)	Processing card payments on the web checkout.	Subscription metadata; we never receive your full card number.
WhatsApp Business API (optional)	If you enable WhatsApp delivery of alerts.	Phone number and message body of the alerts you opted in to.
AI processor	Generating allergen menus / summaries when you use those features.	Only the input you submit to the AI feature.
Authorities	Where required by law.	The minimum data necessary to comply.

6. Data retention

Operational records (checklists, hygiene logs, temperature logs, attendance, deliveries, training records) are retained for as long as your restaurant has an active account, plus a reasonable archival period afterwards, so that you can produce records covering past periods for a UK EHO inspection. You may request earlier deletion at any time (see Section 8). Diagnostic logs are retained for up to 90 days.

7. International transfers

Zanspace's primary data hosting is in the United Kingdom. Some service providers (for example Google Firebase) may process data outside the UK / EEA. Where that happens, we rely on the Standard Contractual Clauses or equivalent transfer mechanisms recognised under UK GDPR.

8. Your rights

Under UK / EU GDPR you have the right to:

Access the personal data we hold about you.
Have inaccurate data corrected.
Have your data deleted ("right to be forgotten"), subject to any legal-retention obligations.
Restrict or object to processing.
Receive your data in a portable format.
Withdraw consent at any time for processing based on consent (for example, Location for attendance, push notifications, WhatsApp alerts).
Lodge a complaint with the UK Information Commissioner's Office (ICO) — ico.org.uk.

You can delete your account directly from the App: Settings → Delete account. This soft-deletes the account; full erasure follows our standard retention process. To exercise any other right, contact us at info@mobiki.uk.

9. Children

Zanspace is a workplace tool intended for adults working in food-service businesses. The App is not directed at children and we do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Security

We use HTTPS / TLS for all data in transit, encrypt data at rest where appropriate, store passwords as salted hashes only, and follow industry-standard practices for authentication and access control. Authentication tokens on mobile devices are stored in the platform secure keystore (Android Keystore / iOS Keychain). No system can be guaranteed completely secure; we encourage you to use a strong unique password and to log out from shared devices.

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be highlighted in the App and on this page. The "Last Updated" date at the top of this page reflects the most recent revision.

12. Contact

Mobiki Ltd (trading as Zanspace)
London, United Kingdom
Email: info@mobiki.uk