Privacy Policy

Last updated: March 2026

This Privacy Policy covers all features of the Marii Business Operating System, including your online store, payment processing, invoicing, fiscalisation, inventory management, AI-powered tools, bank reconciliation, receipt scanning, customer file management, and CRM. It explains how we collect, use, and protect your data.

1. Introduction

Marii (operated by Zeevio, based in Bulawayo, Zimbabwe) is committed to protecting your personal data and ensuring transparent data processing practices. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

We act as a Data Controller for your account and business profile information, and as a Data Processor for the invoicing, transaction, customer file, and customer data you submit on behalf of your clients. Our data practices comply fully with the Zimbabwe Cyber and Data Protection Act [Chapter 12:07] and regulations set by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).

2. Information We Collect

Given the breadth of the Marii platform, we collect several categories of data:

  • Account & Business Data: Legal business name, email addresses, phone numbers, physical addresses, and Tax Identification Numbers (TIN).
  • ZIMRA Credentials: To facilitate FDMS integration where you enable fiscalisation, we securely process your ZIMRA Device ID, Activation Keys, and X.509 Certificates. These credentials are provided by you and remain your property. Your Device Private Keys are encrypted at rest using AES-256-GCM. Marii acts solely as a custodian of these credentials for the purpose of transmitting fiscal data on your instruction — Marii does not use these credentials for any other purpose.
  • Payment & Gateway Data: We store your payment gateway configuration (e.g., merchant IDs and API keys for EcoCash and card gateways). We do not store your customers' full card numbers — card data is handled exclusively by PCI-DSS compliant gateway providers.
  • Online Store & Inventory Data: Product names, descriptions, images, pricing, stock levels, and order histories for your storefront.
  • Client (Buyer) Data: Names, TINs, VAT numbers, contact details, and purchase histories of your clients, required for ZIMRA TaRMS input tax claims and your CRM.
  • Transaction Data: Invoice amounts, line items, HS codes, applied tax rates, and payment statuses.
  • Customer Files: Files, documents, images, notes, and attachments you upload against individual customer records. These may include any file type you choose to store (e.g., contracts, identity documents, medical or professional records, correspondence). Marii does not inspect or analyse the content of Customer Files — they are stored as-is and served back to you on request.
  • AI Feature Inputs: Images, bank statements, and receipt photographs submitted to Marii's AI tools for processing. These are treated as confidential business data and are not used to train AI models.
  • Usage & Technical Data: Log data, IP addresses, browser type, device information, and in-app behaviour analytics, used to improve the platform and diagnose issues.

3. How We Use Your Information

We use the collected information to:

  • Provide, operate, and maintain the full Marii platform and all its features.
  • Power your online storefront, process orders, and coordinate payment settlement via your connected gateway.
  • Transmit fiscal data to the ZIMRA FDMS API on your behalf and at your instruction, using credentials you provide. Marii acts as a software conduit for this transmission — not as a tax agent or compliance service.
  • Generate ZIMRA-verified QR codes, QPD reports, and VAT 7 returns based on data you enter into the system.
  • Process AI feature inputs (bank statements, receipts, product images) to return reconciliations, expense entries, and marketing creatives to you.
  • Maintain your CRM, including client contact details, order history, Customer Files, and outstanding balances.
  • Store and serve Customer Files you upload, organised chronologically against the relevant customer record.
  • Send transactional notifications, payment confirmations, and technical notices.
  • Improve platform performance, fix bugs, and develop new features using aggregated, anonymised usage analytics.

We do not use your data for advertising, and we do not sell your personal data to any third party.

4. AI Features & Your Data

How AI features handle your data:

  • Bank statements and receipts you upload are processed by AI models to extract and categorise financial data. This data is not retained by AI model providers beyond the immediate processing request.
  • Product images submitted to the AI Marketing Studio are used solely to generate the requested creative asset.
  • Marii does not use your financial data, invoices, Customer Files, or client records to train any AI model.
  • Customer Files are never submitted to AI processing unless you explicitly use an AI feature that requires the file as input.

AI-generated outputs (reconciliations, receipt interpretations, marketing content) should be reviewed by you before being acted upon. Marii is not liable for business decisions made based on unverified AI outputs.

5. Payment Data & Gateway Providers

Marii integrates with third-party payment gateways (including EcoCash and card processors) to enable your customers to pay you. In this context:

  • Full card numbers and sensitive payment credentials are never stored on Marii servers. They are handled exclusively by your gateway provider under their own PCI-DSS compliance obligations.
  • Marii stores transaction metadata (amounts, status, timestamps, gateway reference IDs) to power your financial dashboard and reports.
  • Your gateway configuration credentials (merchant IDs, API keys) are encrypted at rest.

6. Customer Files — Data Handling

Customer Files are stored securely within your tenant and are isolated from all other users of the platform. The following applies to how we handle Customer Files:

  • Customer Files are encrypted in transit (TLS) and at rest.
  • Marii does not access, inspect, index, or analyse the content of your Customer Files. They are opaque to us — we store them and serve them back to you.
  • Customer Files are not shared with any third party, including AI model providers, unless you explicitly initiate an action that requires it.
  • You are the Data Controller for all personal data contained within Customer Files. Marii acts solely as a Data Processor, storing them on your behalf and at your instruction.
  • If your Customer Files contain sensitive personal information (e.g., medical records, identity documents), you are responsible for ensuring you have obtained proper consent from the relevant individuals under the Cyber and Data Protection Act.
  • Customer Files are subject to the same retention period as your other business data (minimum 6 years from the relevant transaction date). Upon account termination, you may request a full export within 90 days.

7. Data Sharing and Disclosure

We do not sell your personal data. We share information only in the following circumstances:

  • Regulatory Authorities (ZIMRA): Invoice and fiscal data is transmitted to ZIMRA at your instruction, using your ZIMRA device credentials, to fulfil your statutory fiscalisation obligations. Marii transmits this data as a software conduit — the submission is made on your behalf and under your responsibility.
  • Payment Gateway Providers: Transaction data is shared with your chosen gateway to facilitate payment settlement.
  • AI Processing Partners: Input data (images, documents) is transmitted to third-party AI model providers under strict confidentiality and data processing agreements. These providers are prohibited from retaining or using your data for any purpose other than returning the requested output. Customer Files are never sent to AI providers unless you explicitly initiate such processing.
  • Cloud Infrastructure Providers: We use trusted third-party cloud hosting providers to operate our platform, subject to strict data processing agreements.
  • Legal Requirements: If required by Zimbabwean law, court order, subpoena, or other valid legal process.

8. Data Security & Breach Notification

We implement industry-standard technical and organisational measures to protect your data, including:

  • AES-256-GCM encryption at rest for sensitive credentials (ZIMRA keys, gateway API keys).
  • Encryption at rest for all Customer Files and business data.
  • TLS encryption for all data in transit between your browser, the Marii platform, and third-party services.
  • Tenant-level data isolation ensuring your data (including Customer Files) is inaccessible to other users of the platform.
  • Role-based access controls limiting internal access to customer data.
  • Regular security assessments of our infrastructure.

Breach Notification:

In the event of a data breach that compromises personal information (including Customer Files containing personal data), we will notify POTRAZ within 24 hours of discovery and inform affected data subjects within 72 hours, as required by the Cyber and Data Protection Act.

9. Data Retention

We retain your data for as long as your account is active and for a minimum of 6 years after your last transaction or account closure, in compliance with ZIMRA's statutory record-keeping requirements for tax records. This includes invoices, transaction records, customer records, and Customer Files.

You may request an export of your data at any time from the dashboard. Exported data will be provided within 14 business days.

10. Your Data Rights

Under the Cyber and Data Protection Act [Chapter 12:07], you have the right to:

  • Request access to the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request the deletion of your personal data (subject to the 6-year statutory retention period for tax and financial records).
  • Withdraw your consent for data processing at any time, which will result in the suspension of your account.
  • Request a portable export of your business data, including Customer Files, in a machine-readable format.

Your customers' rights:

If an individual whose data is stored in your Customer Files exercises their data rights under the Cyber and Data Protection Act (e.g., requesting access or deletion), you as the Data Controller are responsible for responding to that request. Marii will provide reasonable technical assistance to help you comply, such as locating and exporting or deleting the relevant files.

To exercise any of these rights, please contact our Data Protection Officer at privacy@marii.app. We will respond to all valid requests within 30 days.

11. Cookies & Analytics

Marii uses essential cookies to maintain your session and keep you logged in. We use first-party analytics to understand how the platform is used in aggregate so we can improve it. We do not use third-party advertising cookies or share your usage data with advertising networks.

You can manage cookie preferences through your browser settings, but disabling essential cookies will prevent you from using the platform.

12. Changes to This Policy

We may update this Privacy Policy as the Marii platform evolves. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

Contact our Data Protection Officer

privacy@marii.app

Marii is operated by Zeevio · Bulawayo, Zimbabwe