Zcribbler Software Labs Private Limited
Privacy Policy
Effective date: June 8, 2026 · Version 1.2
1. Who We Are
Zcribbler Software Labs Private Limited is the controller/fiduciary of your personal data.
- Role under GDPR (EU): Data Controller
- Role under DPDP Act, 2023 (India): Data Fiduciary
- Location: Kannur, Kerala, India
- Privacy contact: [email protected]
2. Data We Collect
2.1 Data You Provide
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email | Account creation and identification | Contract / Consent |
| Username | Unique identity within the app | Contract / Consent |
| Date of birth | Age verification, legal compliance | Legal obligation |
| Tagline, about/bio | Profile display to connections | Contract / Consent |
| Display picture | Profile display | Contract / Consent |
| Zcribbles (12 content types) | Core service functionality | Contract / Consent |
| Replies, stamps | Social interaction features | Contract / Consent |
| Blips | Ephemeral content sharing | Contract / Consent |
| Direct Messages | Private communication between Users | Contract / Consent |
| Poll votes | Content interaction | Contract / Consent |
| Spaces membership and roles | Private group participation | Contract / Consent |
| Connections, blocks | Social graph management | Contract / Consent |
| Lucids responses and private portrait | Your daily reflection game and the private portrait it builds. This is a reflection, not a psychological diagnosis or clinical assessment. It is visible only to you, is never shared, sold, or used for advertising, and is erased when you reset Lucids or delete your account. | Explicit consent |
| Location (GPS coordinates) | Tagging events and memories (opt-in only) | Explicit consent |
| Report details, appeal reasons | Safety and content moderation | Legitimate interest / Legal obligation |
| User settings and preferences | Theme, notification, and privacy preferences | Contract / Consent |
2.2 Data Collected Automatically
| Data | Purpose | Legal Basis |
|---|---|---|
| Last login IP address | Security and fraud prevention | Legitimate interest |
| Login count | Security anomaly detection | Legitimate interest |
| Device information (user agent, OS, device name, app version) | Service optimisation, crash resolution, session management | Legitimate interest |
| Registration source | Understanding how users find us | Legitimate interest |
| Session tokens (hashed) | Authentication | Contract |
| FCM device tokens | Delivering push notifications | Consent |
| Consent records (consent type, timestamp, IP address, user agent) | Legal audit trail | Legal obligation |
2.3 Third-Party Data Collection
| Service | Data Collected | Purpose |
|---|---|---|
| Google Sign-In | ID token (email, name) | Authentication |
| Apple Sign-In | ID token (email, name) | Authentication |
| Firebase Analytics (Google) | App usage events, user ID, device info | Product analytics and improvement |
| Firebase Crashlytics (Google) | Crash reports, stack traces, device state at time of crash | Identifying and fixing bugs |
| Firebase Cloud Messaging (Google) | Device token | Delivering push notifications |
Firebase Analytics uses a Firebase Instance ID (a device identifier) for analytics. This is not a cookie, and we collect no advertising identifier (no Apple IDFA, no Android Advertising ID) on either platform. When you delete your account, your user identifier is cleared and these events are disassociated from your identity; Firebase retains the pseudonymised analytics and crash data for up to 14 months under its own retention policy. Firebase Crashlytics may still collect crash data separately to help us fix bugs.
2.4 EXIF Metadata Handling
When you select a photo from your device, the app:
- Extracts useful EXIF data (date taken, location if present) for your benefit (e.g., auto-filling a memory's date).
- Removes sensitive EXIF tags (such as GPS coordinates, timestamps, and camera make and model) from the photo file before uploading it to our servers.
This processing is performed on your device before upload, so the photo file we receive is not intended to contain your precise location, camera details, or original timestamp in its metadata.
2.5 Data We Do Not Collect
We do not collect: phone numbers, contact lists, SMS messages, call logs, browsing history, or data from other apps on your device.
We do not use: advertising SDKs, tracking pixels, browser cookies, or third-party data brokers.
We do not operate: any advertising network or monetise personal data in any form.
3. How We Use Your Data
We use your data for the following purposes:
- Providing the Service: Displaying your profile, delivering your content to connections, enabling messaging, Spaces, and social features.
- Authentication and security: Verifying your identity, managing sessions, detecting and preventing fraud.
- Content moderation: Reviewing reports, enforcing community guidelines, maintaining a safe environment.
- Push notifications: Delivering notifications you have opted into (stamps, replies, messages, connection requests, Space activity).
- Real-time delivery: Delivering live updates to your device via server-sent events when new content, messages, or notifications are available.
- Connection suggestions: Recommending potential connections based on mutual connections.
- Content labels: Generating descriptive labels for content to improve search and discovery within the Service.
- Product analytics: Understanding how the app is used to improve features and performance (via Firebase Analytics).
- Crash reporting: Diagnosing and fixing bugs to improve app stability (via Firebase Crashlytics).
- Legal compliance: Meeting our obligations under the DPDP Act, GDPR, IT Act, IT Intermediary Guidelines Rules, and other applicable laws.
- Grievance resolution: Addressing your complaints and appeals.
4. Legal Bases for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service (account creation, content delivery, messaging, social features, Spaces).
- Consent (Article 6(1)(a)): Location data, push notifications, analytics collection. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Legitimate interest (Article 6(1)(f)): Security measures (IP logging, device info), fraud prevention, connection suggestions. We have conducted balancing tests to ensure our interests do not override your rights.
- Legal obligation (Article 6(1)(c)): Age verification, content moderation (IT Rules), data retention for law enforcement cooperation, child safety reporting, consent audit trail.
Under the DPDP Act, 2023, we process your data based on your consent provided during account creation and for legitimate uses as specified in Section 7 of the Act.
5. Data Sharing
5.1 We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal data to third parties. This reflects our current data practices, as described in our Terms and Conditions.
5.2 Service Providers
We share data with the following categories of providers solely for operating the Service:
| Category | Data Shared | Purpose | Location |
|---|---|---|---|
| Authentication (Google, Apple) | ID tokens | Sign-in | US / Global |
| Analytics and notifications (Google Firebase) | App events, crash data, device tokens | Analytics, crash reporting, push notifications | US / Global |
| Cloud infrastructure | All app data | Compute, database, storage | India (primary) |
| Content delivery network | Media files, API responses | Fast global delivery | Asia-Pacific / Global edge |
Each provider is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.
5.3 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request, including to:
- Comply with a valid legal obligation, court order, or subpoena.
- Protect the safety of any person, including reporting CSAM to the National Center for Missing and Exploited Children (NCMEC) or equivalent authorities.
- Cooperate with law enforcement investigations as required by the IT Act, 2000 and IT Intermediary Guidelines Rules, 2021.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. Where this occurs, your personal data will remain subject to the commitments in this Privacy Policy, or you will be given notice and an opportunity to delete your account before any material change takes effect.
6. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside your country of residence:
| Data | Location | Purpose |
|---|---|---|
| Primary database and application | India | Service operation |
| Database backups | India (geo-redundant region) | Disaster recovery |
| Media files | Asia-Pacific | Content storage and delivery |
| CDN edge cache | Global points of presence | Performance |
| Analytics and crash data | Google Cloud (US) | Product analytics |
| Push notification tokens | Google Cloud (US) | Notifications |
Safeguards
- GDPR (EU residents): We rely on Standard Contractual Clauses (SCCs) with all infrastructure providers for transfers outside the EEA. All providers maintain SCCs as part of their Data Processing Agreements.
- DPDP Act, 2023 (Indian residents): Cross-border transfers are permitted except to countries restricted by Central Government notification under Section 16(1). As of the effective date of this policy, no such restriction has been notified.
- Encryption: Data is encrypted in transit and at rest using strong, industry-standard encryption.
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of your account | Contract performance |
| Deleted account data | 180 days after deletion request (soft-delete), then permanently erased | IT Intermediary Guidelines Rules, 2021 |
| Deleted media files | Approximately 50 days after deletion request | Automated lifecycle policy |
| Blips | Auto-expire after set duration | Product design |
| Suggestion dismissals | 90 days | Product design |
| Consent audit records | Indefinite (anonymised on account deletion) | Legal obligation (GDPR Art. 7, DPDP Act Sec. 6) |
| Application logs | 30 days | Operational debugging |
| Database backups | 7 to 35 days | Disaster recovery |
| Dismissed moderation reports | 12 months | Record-keeping |
| Upheld moderation reports | 3 years | Statute of limitations |
| Child safety evidence | Indefinite | Legal obligation (POCSO Act) |
After the retention period expires, data is permanently and irreversibly deleted. We do not retain data longer than necessary for the stated purpose.
8. Data Security
We implement the following technical and organisational measures to protect your data:
- No passwords: We use sign-in through Google and Apple, so we do not handle or store passwords.
- Encryption in transit: Connections are protected with modern transport-layer encryption (TLS), and HTTPS is enforced.
- Encryption at rest: Database and media storage are encrypted at rest using strong encryption.
- Network isolation: Our production database is not directly accessible from the public internet and is reachable only by our application servers.
- Media security: Media files are served through time-limited, cryptographically signed URLs and cannot be accessed without a valid signature.
- Rate limiting: We apply rate limiting at the application and network layers to help protect against abuse.
- Network protection: Our content delivery network provides denial-of-service mitigation at the edge.
- Secrets management: Credentials and keys are stored in a dedicated, access-controlled secrets store, and never in source code.
- Minimal logging: Application logs are designed to contain only identifiers and request metadata, not email addresses, names, or content.
- EXIF removal: Sensitive photo metadata (such as GPS, timestamps, and camera information) is removed on your device before upload.
While we take significant measures to protect your information, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
9. Your Rights
9.1 Under the GDPR (EU/EEA Residents)
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data. You can edit your profile directly in the app.
- Right to erasure (Art. 17): Request deletion of your data. Use the in-app account deletion flow.
- Right to restriction of processing (Art. 18): Request that we limit how we process your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. Contact [email protected] to request an export.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right regarding automated decision-making (Art. 22): You will not be subject to decisions based solely on automated processing that significantly affect you. All content moderation decisions can be appealed and are subject to human review.
- Right to lodge a complaint: You may file a complaint with your local data protection supervisory authority.
9.2 Under the DPDP Act, 2023 (Indian Residents)
- Right to access information (Section 11): Know what personal data we process and how.
- Right to correction and erasure (Section 12): Correct inaccurate data or request deletion.
- Right to grievance redressal (Section 13): File a grievance with our Grievance Officer.
- Right to nominate (Section 14): Nominate another person to exercise your rights in case of your death or incapacity.
9.3 How to Exercise Your Rights
- In the app: Edit Profile (for correction), and Account > Delete Account (for erasure and consent withdrawal).
- By email: [email protected] for access requests, data portability, or any other rights.
- Response time: We will respond within 30 days of receiving your request (GDPR). Under the DPDP Act, we will respond within a reasonable period.
We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
Withdrawing consent: Since Zcribbler requires consent to the Terms and Privacy Policy to function, the mechanism for withdrawing all consent is account deletion. Deleting your account withdraws all consents and triggers the data deletion process described in Section 7. You may also revoke device-level permissions such as location at any time through your device's system settings.
10. Children's Privacy
- Under 16: We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete the account and all associated data immediately.
- 16 to 17: Users between 16 and 17 may use the Service only with the consent of a parent or legal guardian. We require this consent to be confirmed during registration. Consent records (consent type, timestamp, IP address, user agent) are stored in our audit trail and preserved even after account deletion to meet our legal obligations.
- No advertising or ad profiling, at any age: We never use your data — minor or adult — for advertising, ad targeting, or behavioural ad profiles, and we collect no advertising identifier. We do not sell personal data, and we do not sell minors' data under any circumstances.
These measures are designed to meet our obligations under Section 9 of the DPDP Act, 2023, and Article 8 of the GDPR.
11. Automated Decision-Making
We use the following automated systems:
- Content moderation thresholds: Content that receives a defined number of community reports may be automatically hidden pending human review. This is not a final decision and can always be appealed.
- Content labels: Our backend generates descriptive labels for content to improve search and discovery. These labels describe content categories (e.g., content type, subject matter) and do not affect your rights or access to the Service.
No automated decision is made without the possibility of human review and appeal, consistent with GDPR Article 22 and the IT Intermediary Guidelines Rules, 2021.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will provide at least 30 days' advance notice.
- Notice will be provided through an in-app notification and, where possible, by email.
- The updated policy will include a new effective date and version number.
Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may delete your account.
13. Grievance Officer / Data Protection Contact
In compliance with Rule 3(2) of the IT Intermediary Guidelines Rules, 2021, and Section 13 of the DPDP Act, 2023:
- Office: Grievance Cell, Zcribbler Software Labs
- Designation: Grievance Officer / Data Protection Contact
- Email: [email protected]
- Location: Kerala, India
We will acknowledge your grievance within 24 hours and provide a resolution within 15 days.
14. Contact Us
- General enquiries: [email protected]
- Privacy and grievance enquiries: [email protected]