Zcribbler Software Labs Private Limited

Privacy Policy

Effective date: June 8, 2026 · Version 1.2

1. Who We Are

Zcribbler Software Labs Private Limited is the controller/fiduciary of your personal data.

2. Data We Collect

2.1 Data You Provide

DataPurposeLegal Basis
Name, emailAccount creation and identificationContract / Consent
UsernameUnique identity within the appContract / Consent
Date of birthAge verification, legal complianceLegal obligation
Tagline, about/bioProfile display to connectionsContract / Consent
Display pictureProfile displayContract / Consent
Zcribbles (12 content types)Core service functionalityContract / Consent
Replies, stampsSocial interaction featuresContract / Consent
BlipsEphemeral content sharingContract / Consent
Direct MessagesPrivate communication between UsersContract / Consent
Poll votesContent interactionContract / Consent
Spaces membership and rolesPrivate group participationContract / Consent
Connections, blocksSocial graph managementContract / Consent
Lucids responses and private portraitYour daily reflection game and the private portrait it builds. This is a reflection, not a psychological diagnosis or clinical assessment. It is visible only to you, is never shared, sold, or used for advertising, and is erased when you reset Lucids or delete your account.Explicit consent
Location (GPS coordinates)Tagging events and memories (opt-in only)Explicit consent
Report details, appeal reasonsSafety and content moderationLegitimate interest / Legal obligation
User settings and preferencesTheme, notification, and privacy preferencesContract / Consent

2.2 Data Collected Automatically

DataPurposeLegal Basis
Last login IP addressSecurity and fraud preventionLegitimate interest
Login countSecurity anomaly detectionLegitimate interest
Device information (user agent, OS, device name, app version)Service optimisation, crash resolution, session managementLegitimate interest
Registration sourceUnderstanding how users find usLegitimate interest
Session tokens (hashed)AuthenticationContract
FCM device tokensDelivering push notificationsConsent
Consent records (consent type, timestamp, IP address, user agent)Legal audit trailLegal obligation

2.3 Third-Party Data Collection

ServiceData CollectedPurpose
Google Sign-InID token (email, name)Authentication
Apple Sign-InID token (email, name)Authentication
Firebase Analytics (Google)App usage events, user ID, device infoProduct analytics and improvement
Firebase Crashlytics (Google)Crash reports, stack traces, device state at time of crashIdentifying and fixing bugs
Firebase Cloud Messaging (Google)Device tokenDelivering push notifications

Firebase Analytics uses a Firebase Instance ID (a device identifier) for analytics. This is not a cookie, and we collect no advertising identifier (no Apple IDFA, no Android Advertising ID) on either platform. When you delete your account, your user identifier is cleared and these events are disassociated from your identity; Firebase retains the pseudonymised analytics and crash data for up to 14 months under its own retention policy. Firebase Crashlytics may still collect crash data separately to help us fix bugs.

2.4 EXIF Metadata Handling

When you select a photo from your device, the app:

  1. Extracts useful EXIF data (date taken, location if present) for your benefit (e.g., auto-filling a memory's date).
  2. Removes sensitive EXIF tags (such as GPS coordinates, timestamps, and camera make and model) from the photo file before uploading it to our servers.

This processing is performed on your device before upload, so the photo file we receive is not intended to contain your precise location, camera details, or original timestamp in its metadata.

2.5 Data We Do Not Collect

We do not collect: phone numbers, contact lists, SMS messages, call logs, browsing history, or data from other apps on your device.

We do not use: advertising SDKs, tracking pixels, browser cookies, or third-party data brokers.

We do not operate: any advertising network or monetise personal data in any form.

3. How We Use Your Data

We use your data for the following purposes:

5. Data Sharing

5.1 We Do Not Sell Your Data

We do not sell, rent, lease, or trade your personal data to third parties. This reflects our current data practices, as described in our Terms and Conditions.

5.2 Service Providers

We share data with the following categories of providers solely for operating the Service:

CategoryData SharedPurposeLocation
Authentication (Google, Apple)ID tokensSign-inUS / Global
Analytics and notifications (Google Firebase)App events, crash data, device tokensAnalytics, crash reporting, push notificationsUS / Global
Cloud infrastructureAll app dataCompute, database, storageIndia (primary)
Content delivery networkMedia files, API responsesFast global deliveryAsia-Pacific / Global edge

Each provider is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.

5.3 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or governmental request, including to:

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. Where this occurs, your personal data will remain subject to the commitments in this Privacy Policy, or you will be given notice and an opportunity to delete your account before any material change takes effect.

6. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside your country of residence:

DataLocationPurpose
Primary database and applicationIndiaService operation
Database backupsIndia (geo-redundant region)Disaster recovery
Media filesAsia-PacificContent storage and delivery
CDN edge cacheGlobal points of presencePerformance
Analytics and crash dataGoogle Cloud (US)Product analytics
Push notification tokensGoogle Cloud (US)Notifications

Safeguards

7. Data Retention

Data TypeRetention PeriodBasis
Active account dataDuration of your accountContract performance
Deleted account data180 days after deletion request (soft-delete), then permanently erasedIT Intermediary Guidelines Rules, 2021
Deleted media filesApproximately 50 days after deletion requestAutomated lifecycle policy
BlipsAuto-expire after set durationProduct design
Suggestion dismissals90 daysProduct design
Consent audit recordsIndefinite (anonymised on account deletion)Legal obligation (GDPR Art. 7, DPDP Act Sec. 6)
Application logs30 daysOperational debugging
Database backups7 to 35 daysDisaster recovery
Dismissed moderation reports12 monthsRecord-keeping
Upheld moderation reports3 yearsStatute of limitations
Child safety evidenceIndefiniteLegal obligation (POCSO Act)

After the retention period expires, data is permanently and irreversibly deleted. We do not retain data longer than necessary for the stated purpose.

8. Data Security

We implement the following technical and organisational measures to protect your data:

While we take significant measures to protect your information, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights

9.1 Under the GDPR (EU/EEA Residents)

9.2 Under the DPDP Act, 2023 (Indian Residents)

9.3 How to Exercise Your Rights

We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

Withdrawing consent: Since Zcribbler requires consent to the Terms and Privacy Policy to function, the mechanism for withdrawing all consent is account deletion. Deleting your account withdraws all consents and triggers the data deletion process described in Section 7. You may also revoke device-level permissions such as location at any time through your device's system settings.

10. Children's Privacy

These measures are designed to meet our obligations under Section 9 of the DPDP Act, 2023, and Article 8 of the GDPR.

11. Automated Decision-Making

We use the following automated systems:

No automated decision is made without the possibility of human review and appeal, consistent with GDPR Article 22 and the IT Intermediary Guidelines Rules, 2021.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may delete your account.

13. Grievance Officer / Data Protection Contact

In compliance with Rule 3(2) of the IT Intermediary Guidelines Rules, 2021, and Section 13 of the DPDP Act, 2023:

We will acknowledge your grievance within 24 hours and provide a resolution within 15 days.

14. Contact Us