Zcribbler Software Labs Private Limited
Privacy Policy
Effective date: April 10, 2026 · Version 1.1
- We collect your name, email, and date of birth when you sign in with Google or Apple. Nothing else is required to start.
- We never sell your data. This is a legally binding promise.
- Location is opt-in only. We never track you in the background.
- We strip GPS coordinates, timestamps, and camera info from your photos before upload.
- Firebase Analytics helps us understand how the app is used. You can turn it off in Settings.
- When you delete your account, your data is permanently erased within 180 days.
- You can request all your data, correct it, or delete it anytime. Email privacy@zcribbler.com.
This is a plain-English summary. The full legal text is below.
1. Who We Are
Zcribbler Software Labs Private Limited is the controller/fiduciary of your personal data.
- Role under GDPR (EU): Data Controller
- Role under DPDP Act, 2023 (India): Data Fiduciary
- Location: Kannur, Kerala, India
- Privacy contact: privacy@zcribbler.com
2. Data We Collect
2.1 Data You Provide
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email | Account creation and identification | Contract / Consent |
| Username | Unique identity within the app | Contract / Consent |
| Date of birth | Age verification, legal compliance | Legal obligation |
| Tagline, about/bio | Profile display to connections | Contract / Consent |
| Display picture | Profile display | Contract / Consent |
| Zcribbles (12 content types) | Core service functionality | Contract / Consent |
| Replies, stamps | Social interaction features | Contract / Consent |
| Blips | Ephemeral content sharing | Contract / Consent |
| Direct Messages | Private communication between Users | Contract / Consent |
| Poll votes | Content interaction | Contract / Consent |
| Spaces membership and roles | Private group participation | Contract / Consent |
| Connections, blocks | Social graph management | Contract / Consent |
| Location (GPS coordinates) | Tagging events and memories (opt-in only) | Explicit consent |
| Report details, appeal reasons | Safety and content moderation | Legitimate interest / Legal obligation |
| User settings and preferences | Theme, notification, and privacy preferences | Contract / Consent |
2.2 Data Collected Automatically
| Data | Purpose | Legal Basis |
|---|---|---|
| Last login IP address | Security and fraud prevention | Legitimate interest |
| Login count | Security anomaly detection | Legitimate interest |
| Device information (user agent, OS, device name, app version) | Service optimisation, crash resolution, session management | Legitimate interest |
| Registration source | Understanding how users find us | Legitimate interest |
| Session tokens (hashed) | Authentication | Contract |
| FCM device tokens | Delivering push notifications | Consent |
| Invite device signals (IP address, screen dimensions, timezone, locale) | Matching invite link clicks to app installs | Legitimate interest |
| Consent records (consent type, timestamp, IP address, user agent) | Legal audit trail | Legal obligation |
Note: Invite device signals are automatically deleted within one hour and are used solely for matching invite links to app installs.
2.3 Third-Party Data Collection
| Service | Data Collected | Purpose |
|---|---|---|
| Google Sign-In | ID token (email, name) | Authentication |
| Apple Sign-In | ID token (email, name) | Authentication |
| Firebase Analytics (Google) | App usage events, user ID, device info | Product analytics and improvement |
| Firebase Crashlytics (Google) | Crash reports, stack traces, device state at time of crash | Identifying and fixing bugs |
| Firebase Cloud Messaging (Google) | Device token | Delivering push notifications |
Firebase Analytics uses a Firebase Instance ID (a device identifier) for analytics. This is not a cookie. You can disable analytics collection in the app settings. Firebase Crashlytics may still collect crash data separately to help us fix bugs.
2.4 EXIF Metadata Handling
When you select a photo from your device, the app:
- Extracts useful EXIF data (date taken, location if present) for your benefit (e.g., auto-filling a memory's date).
- Strips all sensitive EXIF tags (GPS coordinates, timestamps, camera make and model) from the photo file before uploading it to our servers.
The version of your photo stored on our servers does not contain your location, camera details, or original timestamp in its metadata.
2.5 Data We Do Not Collect
We do not collect: phone numbers, contact lists, SMS messages, call logs, browsing history, or data from other apps on your device.
We do not use: advertising SDKs, tracking pixels, browser cookies, or third-party data brokers.
We do not operate any advertising network, and we do not monetise personal data in any form.
3. How We Use Your Data
We use your data for the following purposes:
- Providing the Service: Displaying your profile, delivering your content to connections, enabling messaging, Spaces, and social features.
- Authentication and security: Verifying your identity, managing sessions, detecting and preventing fraud.
- Content moderation: Reviewing reports, enforcing community guidelines, maintaining a safe environment.
- Push notifications: Delivering notifications you have opted into (stamps, replies, messages, connection requests, Space activity).
- Real-time delivery: Delivering live updates to your device via server-sent events when new content, messages, or notifications are available.
- Invite matching: Temporarily matching invite link clicks to app installs using device signals, to credit the correct inviter. This data is deleted within one hour.
- Connection suggestions: Recommending potential connections based on mutual connections.
- Content labels: Generating descriptive labels for content to improve search and discovery within the Service.
- Product analytics: Understanding how the app is used to improve features and performance (via Firebase Analytics, which you can disable).
- Crash reporting: Diagnosing and fixing bugs to improve app stability (via Firebase Crashlytics).
- Legal compliance: Meeting our obligations under the DPDP Act, GDPR, IT Act, IT Intermediary Guidelines Rules, and other applicable laws.
- Grievance resolution: Addressing your complaints and appeals.
4. Legal Bases for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service (account creation, content delivery, messaging, social features, Spaces).
- Consent (Article 6(1)(a)): Location data, push notifications, analytics collection. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Legitimate interest (Article 6(1)(f)): Security measures (IP logging, device info), fraud prevention, invite matching, connection suggestions. We have conducted balancing tests to ensure our interests do not override your rights.
- Legal obligation (Article 6(1)(c)): Age verification, content moderation (IT Rules), data retention for law enforcement cooperation, child safety reporting, consent audit trail.
Under the DPDP Act, 2023, we process your data based on your consent provided during account creation and for legitimate uses as specified in Section 7 of the Act.
5. Data Sharing
5.1 We Never Sell Your Data
As stated in our legally binding Data Promise, we will never sell, rent, lease, licence, or trade your personal data to any third party.
5.2 Service Providers
We share data with the following categories of providers solely for operating the Service:
| Category | Data Shared | Purpose | Location |
|---|---|---|---|
| Authentication (Google, Apple) | ID tokens | Sign-in | US / Global |
| Analytics and notifications (Google Firebase) | App events, crash data, device tokens | Analytics, crash reporting, push notifications | US / Global |
| Cloud infrastructure | All app data | Compute, database, storage | India (primary) |
| Content delivery network | Media files, API responses | Fast global delivery | Asia-Pacific / Global edge |
Each provider is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.
5.3 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request, including to:
- Comply with a valid legal obligation, court order, or subpoena.
- Protect the safety of any person, including reporting CSAM to the National Center for Missing and Exploited Children (NCMEC) or equivalent authorities.
- Cooperate with law enforcement investigations as required by the IT Act, 2000 and IT Intermediary Guidelines Rules, 2021.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. As per our Data Promise, the acquirer must either honour all privacy commitments or delete your data within 90 days with advance notice.
6. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside your country of residence:
| Data | Location | Purpose |
|---|---|---|
| Primary database and application | India | Service operation |
| Database backups | India (geo-redundant region) | Disaster recovery |
| Media files | Asia-Pacific | Content storage and delivery |
| CDN edge cache | Global points of presence | Performance |
| Analytics and crash data | Google Cloud (US) | Product analytics |
| Push notification tokens | Google Cloud (US) | Notifications |
Safeguards
- GDPR (EU residents): We rely on Standard Contractual Clauses (SCCs) with all infrastructure providers for transfers outside the EEA. All providers maintain SCCs as part of their Data Processing Agreements.
- DPDP Act, 2023 (Indian residents): Cross-border transfers are permitted except to countries restricted by Central Government notification under Section 16(1). As of the effective date of this policy, no such restriction has been notified.
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of your account | Contract performance |
| Deleted account data | 180 days after deletion request (soft-delete), then permanently erased | IT Intermediary Guidelines Rules, 2021 |
| Deleted media files | Approximately 50 days after deletion request | Automated lifecycle policy |
| Session tokens | 30-day expiry | Security |
| Blips | Auto-expire after set duration | Product design |
| Invite device signals | 1 hour (automated cleanup) | Operational |
| Suggestion dismissals | 90 days | Product design |
| Consent audit records | Indefinite (anonymised on account deletion) | Legal obligation (GDPR Art. 7, DPDP Act Sec. 6) |
| Application logs | 30 days | Operational debugging |
| Database backups | 7 to 35 days | Disaster recovery |
| Dismissed moderation reports | 12 months | Record-keeping |
| Upheld moderation reports | 3 years | Statute of limitations |
| Child safety evidence | Indefinite | Legal obligation (POCSO Act) |
After the retention period expires, data is permanently and irreversibly deleted. We do not retain data longer than necessary for the stated purpose.
8. Data Security
We implement the following technical and organisational measures to protect your data:
- No passwords: We use OAuth-only authentication (Google Sign-In and Apple Sign-In), eliminating the risk of password breaches.
- Token security: Session tokens are hashed using HMAC-SHA256 with a cryptographic pepper stored in a dedicated secrets vault. All secret comparisons use constant-time algorithms to prevent timing attacks.
- Encryption in transit: All connections use TLS 1.2 or higher. HTTPS is enforced at every layer.
- Encryption at rest: Database and media storage use AES-256 encryption.
- Network isolation: The production database runs within a private virtual network with no public endpoint.
- Media security: All media files are served through cryptographically signed URLs that expire after 7 days. Files cannot be accessed without a valid signature.
- Rate limiting: 120 requests per minute per user for API endpoints, 30 requests per minute for authentication, and 1,000 requests per minute per IP at the CDN level.
- DDoS protection: Our content delivery network provides DDoS mitigation and rate limiting at the edge.
- Secrets management: All credentials and keys are stored in a dedicated, access-controlled secrets vault, never in code.
- No PII in logs: Application logs contain only user IDs and request metadata, never email addresses, names, or content.
- EXIF stripping: Photos are stripped of sensitive metadata (GPS, timestamps, camera info) on your device before upload.
9. Your Rights
9.1 Under the GDPR (EU/EEA Residents)
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data. You can edit your profile directly in the app.
- Right to erasure (Art. 17): Request deletion of your data. Use the in-app account deletion flow.
- Right to restriction of processing (Art. 18): Request that we limit how we process your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. Contact privacy@zcribbler.com to request an export.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right regarding automated decision-making (Art. 22): You will not be subject to decisions based solely on automated processing that significantly affect you. All content moderation decisions can be appealed and are subject to human review.
- Right to lodge a complaint: You may file a complaint with your local data protection supervisory authority.
9.2 Under the DPDP Act, 2023 (Indian Residents)
- Right to access information (Section 11): Know what personal data we process and how.
- Right to correction and erasure (Section 12): Correct inaccurate data or request deletion.
- Right to grievance redressal (Section 13): File a grievance with our Grievance Officer.
- Right to nominate (Section 14): Nominate another person to exercise your rights in case of your death or incapacity.
9.3 How to Exercise Your Rights
- In the app: Edit Profile (for correction), Settings > Account > Delete Account (for erasure and consent withdrawal), Settings (for notification and analytics preferences).
- By email: privacy@zcribbler.com for access requests, data portability, or any other rights.
- Response time: We will respond within 30 days of receiving your request (GDPR). Under the DPDP Act, we will respond within a reasonable period.
We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
Withdrawing consent: Since Zcribbler requires consent to the Terms and Privacy Policy to function, the mechanism for withdrawing all consent is account deletion. Deleting your account withdraws all consents and triggers the data deletion process described in Section 7. You may also withdraw specific consents (e.g., analytics, location) through the app settings without deleting your account.
10. Children's Privacy
- Under 13: We do not knowingly collect personal data from children under 13. If we discover that we have collected data from a child under 13, we will delete the account and all associated data immediately.
- 13 to 17: Users between 13 and 17 may use the Service with verifiable parental or guardian consent. We require this consent during registration. Consent records (consent type, timestamp, IP address, user agent) are stored in our audit trail and preserved even after account deletion to meet legal obligations.
- No behavioural tracking for minors: For users under 18, we disable behavioural analytics and do not create engagement profiles.
This complies with Section 9 of the DPDP Act, 2023, Article 8 of the GDPR, and COPPA (US).
11. Automated Decision-Making
We use the following automated systems:
- Content moderation thresholds: Content that receives a defined number of community reports may be automatically hidden pending human review. This is not a final decision and can always be appealed.
- Content labels: Our backend generates descriptive labels for content to improve search and discovery. These labels describe content categories (e.g., content type, subject matter) and do not affect your rights or access to the Service.
No automated decision is made without the possibility of human review and appeal, in compliance with GDPR Article 22 and the IT Intermediary Guidelines Rules, 2021.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will provide at least 30 days' advance notice.
- Notice will be provided through an in-app notification and, where possible, by email.
- The updated policy will include a new effective date and version number.
Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may delete your account.
13. Grievance Officer / Data Protection Contact
In compliance with Rule 3(2) of the IT Intermediary Guidelines Rules, 2021, and Section 13 of the DPDP Act, 2023:
- Name: Raj Kishan A V
- Designation: Grievance Officer / Data Protection Contact
- Email: privacy@zcribbler.com
- Location: Kannur, Kerala, India
We will acknowledge your grievance within 24 hours and provide a resolution within 15 days.
14. Contact Us
- General enquiries: hello@zcribbler.com
- Privacy and grievance enquiries: privacy@zcribbler.com