Privacy Policy
Effective Date: August 12 2019 | Last Updated: March 25 2026
This Privacy Policy (“Policy”) describes how Zipydo Technologies Private Limited (“Zipydo”, “Company”, “we”, “us” and “our”), a private company established under the laws of India having its registered office at VP08, Pruksa Silvam, Virgonagar P.O., Bangalore 560 049, collects, uses, processes, stores, shares, and protects your information when you use:
(a) our website located at zipydo.com;
(b) the Zipydo mobile application(s) for iOS and Android;
(c) any services integrated with third-party platforms including Meta (Facebook/Instagram), Google, and Apple;
(d) any financial data processing services including bank statement analysis, balance sheet processing, and CRM data management; and
(e) any other services offered by Zipydo
(collectively, the “Zipydo Platform” and “Services”).
The terms “you” and “your” refer to the user of the Zipydo Platform. This Policy applies to all users in India.
Please read this Policy before using the Zipydo Platform or submitting any personal information to Zipydo. This Policy is a part of and incorporated within, and is to be read along with, the Terms of Use.
Your Consent
We obtain your consent in the following manner:
Account Registration Consent: When you create a Zipydo account, you consent to the processing of your account information for the purpose of providing our core Services. This consent is obtained through a clear affirmative action (checking a consent box) during registration.
Financial Data Consent: Before processing any bank statements, balance sheets, or CRM data, we obtain your explicit, specific consent through a separate consent flow that clearly describes: (a) what financial data will be collected; (b) how it will be processed; (c) who will have access; (d) how long it will be retained; and (e) your right to withdraw consent at any time.
Meta Platform Data Consent: When you connect your Meta (Facebook/Instagram) account to Zipydo, you consent through Meta’s OAuth authorisation flow, which lists the specific permissions being granted. You may revoke these permissions at any time through your Meta account settings or through Zipydo’s in-app privacy settings.
Google Platform Data Consent: When you connect your Google account, you consent through Google’s OAuth 2.0 flow. You may revoke access at any time through your Google Account permissions page.
Marketing Consent: We obtain separate opt-in consent before sending you any marketing or promotional communications.
Cookie Consent: We obtain cookie consent through our Consent Management Platform before setting any non-essential cookies. See the Cookies section below for details.
Withdrawal of Consent: You have the right to withdraw any of the above consents at any time by contacting us at support@zipydo.com or through your account settings. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Upon withdrawal, we will cease processing your personal data for the relevant purpose without undue delay, unless we are required to retain the data to comply with a legal obligation.
If you do not agree with this Policy, please do not use or access the Zipydo Platform.
Lawful Basis for Processing
We process your personal data only when we have a valid legal basis to do so. The legal bases we rely on include:
(a) Consent: Where you have given clear, specific, informed, and unambiguous consent for one or more specific purposes. You may withdraw consent at any time through your account settings or by contacting us at support@zipydo.com.
(b) Contractual Necessity: Processing necessary for the performance of a contract to which you are a party, including the delivery of our financial data analysis services, order fulfillment, and payment processing.
(c) Legal Obligation: Processing necessary to comply with applicable laws, including the Information Technology Act 2000, the Digital Personal Data Protection Act 2023 (India), the Prevention of Money Laundering Act 2002, RBI Directions, SEBI Regulations, the Income Tax Act 1961, and other applicable financial sector regulations.
(d) Legitimate Interest: Where processing is necessary for our legitimate interests (such as fraud prevention, network and platform security, and service improvement), provided these interests are not overridden by your fundamental rights and data protection interests. This basis is applicable for users in the EEA/UK under GDPR Article 6(1)(f).
(e) Vital Interest: Where processing is necessary to protect the vital interests of the data subject or another natural person.
(f) Public Interest: Where processing is necessary for the performance of a task carried out in the public interest.
For users in India: Under the Digital Personal Data Protection Act, 2023, we primarily rely on your consent and the “legitimate uses” specified under Section 7 of the Act, including processing for compliance with any law or court order, medical emergencies, and employment-related purposes.
For financial data: Processing of bank statements, balance sheets, and CRM data is conducted solely on the basis of your explicit, informed consent and/or contractual necessity for providing our financial analysis services. We do not process financial data for any secondary purpose without obtaining separate, specific consent.
Policy Changes
We may occasionally update this Policy, and such changes will be posted on this page. If we make any significant changes to this Policy, we will endeavour to provide you with reasonable notice of such changes, such as via prominent notice on the Zipydo Platform or to your email address on record, and where required by applicable law, we will obtain your consent. To the extent permitted under the applicable law, your continued use of our Services after we publish or send a notice about our changes to this Policy shall constitute your consent to the updated Policy.
Links to Other Websites
The Zipydo Platform may contain links to other websites. Any personal information about you collected whilst visiting such websites is not governed by this Policy. Zipydo shall not be responsible for and has no control over the practices and content of any website accessed using the links contained on the Zipydo Platform. This Policy shall not apply to any information you may disclose to any of our service providers/service personnel which we do not require you to disclose to us or any of our service providers under this Policy.
Information we collect from you
We will collect and process the following information about you:
- Information you give us - This includes information submitted when you:
i. Create or update your Zipydo account, which may include your name, email, phone number, login name and password, address, payment or banking information, date of birth and profile picture. If you sign in to the Zipydo Platform through third-party sign-in services such as Facebook, Google or Gmail or any other social networking or similar site (collectively, “SNS”), an option of which may be provided to you by Zipydo at its sole discretion, you will be allowing us to pass through and receive from the SNS your log-in information and other user data; or
ii. Provide content to us, which may include reviews, ordering details and history, favourite vendors, special merchant requests, contact information of people you refer to us and other information you provide on the Zipydo Platform (“Your Content”).
iii. Use our Services, we may collect and store information about you to process your requests and automatically complete forms for future transactions, including (but not limited to) your phone number, address, email, billing information and credit or payment card information.
iv. Correspond with Zipydo for customer support;
v. Participate in the interactive services offered by the Zipydo Platform such as discussion boards, competitions, promotions or surveys, other social media functions or make payments etc., or
vi. Enable features that require Zipydo’s access to your address book or calendar;
vii. Report problems for troubleshooting.
viii. If you sign up to use our Services as a merchant or a delivery partner, we may collect location details, copies of government identification documents and other details (KYC), call and SMS details.
- Financial Data We Collect (with your explicit consent) – When you use our financial data analysis or management services, we may collect and process the following categories of financial data:
i. Bank account statements and transaction history, which you provide to us or authorise us to retrieve through secure API integrations with your banking institution or account aggregator;
ii. Balance sheet data, profit and loss statements, and financial summaries uploaded by you or generated through our Services;
iii. Income and expenditure records, including salary credits, EMI debits, utility payments, and other transaction categories;
iv. Credit or debit card transaction summaries (we do not store full card numbers, CVV, or PIN data);
v. GST returns, tax-related filing data, and invoice data, where applicable and where you have specifically authorised such access;
vi. CRM data including customer contact details, customer transaction history, and communication records that you upload or import into the Zipydo Platform;
vii. Financial account identifiers such as bank account numbers (masked/tokenised), IFSC codes, UPI IDs, and merchant IDs necessary to provide the requested service.
Important: Financial data is collected exclusively for the specific financial analysis, reporting, or management service you have requested. We do not use financial data for advertising, profiling, credit scoring, or any purpose beyond the stated service without your separate, explicit consent.
- Data We Receive from Meta Platforms – When you connect your Meta (Facebook or Instagram) account to the Zipydo Platform or use features that integrate with Meta’s platform, we may receive and process the following data in accordance with Meta’s Developer Data Use Policy:
i. Your Meta User ID and public profile information (name, profile picture);
ii. Email address associated with your Meta account (only with your explicit permission);
iii. Your Meta campaigns, ads, conversion data, performance metrics, page data etc., obtained with your explicit authorization through the Meta OAuth consent screen;
iv. We access Meta User Data solely to provide the app features and experience you have requested. We do not use Meta User Data for advertising, selling to third parties, or building independent user profiles beyond what is necessary for the service.
- Data We Receive from Google APIs – When you connect your Google account or use Google-integrated features:
i. Basic profile information (name, email address) via Google Sign-In;
ii. Google Sheets, Google Drive, or Gmail data only where explicitly authorised by you through Google’s OAuth consent screen, and only to the extent necessary for the financial analysis or service you have requested;
iii. Google Ads data like past and present campaign info, ads performance metrics etc. where explicitly authorised by you through Google’s OAuth consent screen, and only to the extent necessary for the financial analysis or service you have requested;
iv. We comply with the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only for providing or improving user-facing features that are prominent in the requesting application’s user interface.
- Information we collect about you - With regard to each of your visits to the Zipydo Platform, we will automatically collect and analyse the following demographic and other information:
i. When you communicate with us (via email, phone, through the Zipydo Platform or otherwise), we may maintain a record of your communication;
ii. Location information: Depending on the Services that you use, and your app settings or device permissions, we may collect your real time information, or approximate location information as determined through data such as GPS, IP address;
iii. Usage and Preference Information: We collect information as to how you interact with our Services, preferences expressed and settings chosen. Zipydo Platform includes the Zipydo advertising services (“Ad Services”), which may collect user activity and browsing history within the Zipydo Platform and across third-party sites and online services, including those sites and services that include our ad pixels (“Pixels”), widgets, plug-ins, buttons, or related services or through the use of cookies. Our Ad Services collect browsing information including without limitation your Internet protocol (IP) address and location, your login information, browser type and version, date and time stamp, user agent, Zipydo cookie ID (if applicable), time zone setting, browser plug-in types and versions, operating system and platform, and other information about user activities on the Zipydo Platform, as well as on third party sites and services that have embedded our Pixels, widgets, plug-ins, buttons, or related services;
iv. Transaction Information: We collect transaction details related to your use of our Services, and information about your activity on the Services, including the full Uniform Resource Locators (URL), the type of Services you requested or provided, comments, domain names, search results selected, number of clicks, information and pages viewed and searched for, the order of those pages, length of your visit to our Services, the date and time you used the Services, amount charged, details regarding application of promotional code, methods used to browse away from the page and any phone number used to call our customer service number and other related transaction details;
v. Device Information: We may collect information about the devices you use to access our Services, including the hardware models, operating systems and versions, software, file names and versions, preferred languages, unique device identifiers, advertising identifiers, serial numbers, device motion information and mobile network information. Analytics companies may use mobile device IDs to track your usage of the Zipydo Platform;
vi. Stored information and files: Zipydo mobile application (Zipydo app) may also access metadata and other information associated with other files stored on your mobile device. This may include, for example, photographs, audio and video clips, personal contacts and address book information. If you permit the Zipydo app to access the address book on your device, we may collect names and contact information from your address book to facilitate social interactions through our services and for other purposes described in this Policy or at the time of consent or collection. If you permit the Zipydo app to access the calendar on your device, we collect calendar information such as event title and description, your response (Yes, No, Maybe), date and time, location and number of attendees.
vii. If you are a partner restaurant, merchant or a delivery partner, we will, additionally, record your calls with us made from the device used to provide Services, related call details, SMS details, location and address details.
- Information we receive from other sources -
i. We may receive information about you from third parties, such as other users, partners (including ad partners, analytics providers, search information providers), or our affiliated companies or if you use any of the other websites/apps we operate or the other Services we provide. Users of our Ad Services and other third-parties may share information with us such as the cookie ID, device ID, or demographic or interest data, and information about content viewed or actions taken on a third-party website, online services or apps. For example, users of our Ad Services may also be able to share customer list information (e.g., email or phone number) with us to create customized audience segments for their ad campaigns.
ii. When you sign in to Zipydo Platform with your SNS account, or otherwise connect to your SNS account with the Services, you consent to our collection, storage, and use, in accordance with this Policy, of the information that you make available to us through the social media interface. This could include, without limitation, any information that you have made public through your social media account, information that the social media service shares with us, or information that is disclosed during the sign-in process. Please see your social media provider’s privacy policy and help center for more information about how they share information when you choose to connect your account.
iii. If you are a partner restaurant, merchant or a delivery partner, we may, additionally, receive feedback and ratings from other users.
COOKIES
Our Zipydo Platform and third parties with whom we partner, may use cookies, pixel tags, web beacons, mobile device IDs, “flash cookies” and similar files or technologies to collect and store information with respect to your use of the Services and third-party websites.
Cookies are small files that are stored on your browser or device by websites, apps, online media and advertisements. We use cookies and similar technologies for purposes such as:
- Authenticating users;
- Remembering user preferences and settings;
- Determining the popularity of content;
- Delivering and measuring the effectiveness of advertising campaigns;
- Analysing site traffic and trends, and generally understanding the online behaviours and interests of people who interact with our services.
A pixel tag (also called a web beacon or clear GIF) is a tiny graphic with a unique identifier, embedded invisibly on a webpage (or an online ad or email), and is used to count or track things like activity on a webpage or ad impressions or clicks, as well as to access cookies stored on users’ computers. We use pixel tags to measure the popularity of our various pages, features and services. We also may include web beacons in e-mail messages or newsletters to determine whether the message has been opened and for other analytics.
To modify your cookie settings, please visit your browser’s settings. By using our Services with your browser settings to accept cookies, you are consenting to our use of cookies in the manner described in this section.
We may also allow third parties to provide audience measurement and analytics services for us, to serve advertisements on our behalf across the Internet, and to track and report on the performance of those advertisements. These entities may use cookies, web beacons, SDKs and other technologies to identify your device when you visit the Zipydo Platform and use our Services, as well as when you visit other online sites and services.
Cookie Consent Mechanism:
- Strictly Necessary Cookies: Required for the Zipydo Platform to function. These cookies do not require consent.
- Analytics Cookies: Used to understand how you interact with our Services and to measure performance.
- Advertising/Marketing Cookies: Used to deliver and measure the relevance and effectiveness of advertising.
- Functional Cookies: Used to remember your preferences and personalise your experience.
You may change your cookie preferences at any time by clicking the “Cookie Settings” link available in the footer of our website or via the in-app privacy settings.
Third-Party Cookies Used on This Platform:
- Google Analytics — usage analytics. Privacy Policy.
- Meta Pixel / Facebook SDK — integration and analytics. Privacy Policy.
Uses of your information
- We use the information we collect for the following purposes, including:
i. To provide, personalise, maintain and improve our products and services, such as to enable deliveries and other services, enable features to personalise your Zipydo account;
ii. To carry out our obligations arising from any contracts entered into between you and us and to provide you with the relevant information and services;
iii. To administer and enhance the security of our Zipydo Platform and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
iv. To provide you with information about services we consider similar to those that you are already using, or have enquired about, or may interest you. If you are a registered user, we will contact you by electronic means (e-mail or SMS or telephone) with information about these services;
v. To understand our users (what they do on our Services, what features they like, how they use them, etc.), improve the content and features of our Services (such as by personalizing content to your interests), process and complete your transactions, make special offers, provide customer support, process and respond to your queries;
vi. To generate and review reports and data about, and to conduct research on, our user base and Service usage patterns;
vii. To allow you to participate in interactive features of our Services, if any; or
viii. To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
ix. If you are a partner restaurant or merchant or delivery partner, to track the progress of delivery or status of the order placed by our customers.
We may combine the information that we receive from third parties with the information you give to us and information we collect about you for the purposes set out above. Further, we may anonymize and/or de-identify information collected from you through the Services or via other means, including via the use of third-party web analytic tools. As a result, our use and disclosure of aggregated and/or de-identified information is not restricted by this Policy, and it may be used and disclosed to others without limitation.
We analyse the log files of our Zipydo Platform that may contain Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring, app crashes, page viewed and exit websites and applications, operating system, date/time stamp, and clickstream data. This helps us to administer the website, to learn about user behaviour on the site, to improve our product and services, and to gather demographic information about our user base as a whole.
DATA RETENTION POLICY
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation. Our retention periods are as follows:
Account Information: Retained for the duration of your active account, plus 30 days after account deletion to process any pending transactions or obligations. After this period, account data is securely deleted or anonymised.
Financial Data (bank statements, balance sheets, CRM data): Retained for the duration required to provide the requested service, plus the minimum period mandated by applicable financial regulations, including:
- 5 years under the Prevention of Money Laundering Act, 2002 (where applicable);
- 8 years under RBI Master Directions for KYC records (where applicable);
- 7 years from the date of the transaction under the Income Tax Act, 1961 and GST regulations (where applicable).
Where no statutory retention period applies, financial data is deleted or anonymised within 90 days of the completion of the service for which it was collected, or upon your request, whichever is earlier.
Meta Platform Data: Retained only for the duration necessary to provide the app experience requested by the user. Deleted without undue delay when: (a) you request deletion; (b) you disconnect your Meta account from Zipydo; (c) your Zipydo account is deleted or deactivated; (d) the data is no longer necessary to provide the service; or (e) Meta requests deletion.
Google Platform Data: Retained only for the duration necessary to provide the service you have authorised. Deleted upon disconnection of your Google account or upon your request.
Transaction Records: Retained for 7 years from the date of the transaction, as required under the Income Tax Act, 1961 and applicable GST regulations.
Marketing and Communication Preferences: Retained until you withdraw consent or unsubscribe from marketing communications.
Device and Usage Logs: Retained for a maximum of 12 months from the date of collection, after which they are anonymised or securely deleted.
Customer Support Records: Retained for 3 years from the date of the last interaction for quality assurance and dispute resolution purposes.
After the applicable retention period expires, personal data is securely deleted using industry-standard data destruction methods, or irreversibly anonymised such that it cannot be used to re-identify any individual.
YOUR DATA RIGHTS
Depending on your location and applicable law, you have the following rights regarding your personal data:
Rights Available to All Users:
- Right to Access: You may request a copy of the personal data we hold about you.
- Right to Correction: You may request correction of any inaccurate or incomplete personal data.
- Right to Deletion: You may request deletion of your personal data. We will delete your data without undue delay, subject only to any overriding legal retention obligations.
- Right to Withdraw Consent: You may withdraw any previously given consent at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right to Grievance Redressal: You may lodge a complaint with the Data Protection Board of India, or the relevant supervisory authority in your jurisdiction.
Additional Rights for Users in India (DPDP Act, 2023):
- Right to Information: You may obtain a summary of your personal data being processed and the processing activities undertaken.
- Right to Correction and Erasure: You may request correction, completion, updating, or erasure of your personal data.
- Right to Nomination: You may nominate any other individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act.
How to Exercise Your Rights:
- In-App: Navigate to Settings > Privacy > Manage My Data
- Email: support@zipydo.com
- Web Form: [YOUR_URL]/privacy-request
We will acknowledge your request within 48 hours and respond to all verifiable requests within 30 days of receipt (or within a shorter period where required by applicable law, e.g., 72 hours for certain DPDP Act requests). If we require an extension, we will inform you of the reason and the expected response time.
For requests relating to Meta Platform Data, we will act without undue delay in accordance with Meta’s Developer Data Use Policy.
Disclosure and Distribution of Your Information
We may share the information that we collect for the following purposes:
- With Service Providers: We may share your information with our vendors, consultants, marketing partners, research firms and other service providers or business partners, such as payment processing companies, to support our business. For example, your information may be shared with outside vendors to send you emails and messages or push notifications to your devices in relation to our Services, to help us analyse and improve the use of our Services, and to process and collect payments. We also may use vendors for other projects, such as conducting surveys or organizing sweepstakes for us.
- With Partner Restaurants/Merchant: While you place a request to order food through the Zipydo Platform, your information is provided to us and to the restaurants/merchants with whom you may choose to order. In order to facilitate your online food order processing, we provide your information to that restaurant/merchant in a similar manner as if you had made a food order directly with the restaurant. If you provide a mobile phone number, Zipydo may send you text messages regarding the order’s delivery status.
- With Other Users: If you are a delivery partner, we may share your name, phone number and/or profile picture (if applicable), tracking details with other users to provide them the Services.
- For Crime Prevention or Investigation: We may share this information with governmental agencies or other companies assisting us, when we are:
- Obligated under the applicable laws or in good faith to respond to court orders and processes; or
- Detecting and preventing the actual or potential occurrence of identity theft, fraud, abuse of Services and other illegal acts;
- Responding to claims that an advertisement, posting or other content violates the intellectual property rights of a third party;
- Under a duty to disclose or share your personal data in order to enforce our Terms of Use and other agreements, policies or to protect the rights, property, or safety of the Company, our customers, or others, or in the event of a claim or dispute relating to your use of our Services. This includes exchanging information with other companies and organisations for the purposes of fraud detection and credit risk reduction.
- For Internal Use: We may share your information with any present or future member of our “Group” (as defined below) or affiliates for our internal business purposes. The term “Group” means, with respect to any person, any entity that is controlled by such person, or any entity that controls such person, or any entity that is under common control with such person, whether directly or indirectly, or, in the case of a natural person, any Relative (as such term is defined in the Companies Act, 2013 to the extent applicable) of such person.
- With Advertisers and advertising networks: We may work with third parties such as network advertisers to serve advertisements on the Zipydo Platform and on third-party websites or other media (e.g., social networking platforms). These third parties may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you.
While you cannot opt out of advertising on the Zipydo Platform, you may opt out of much interest-based advertising on third-party sites and through third-party ad networks (including DoubleClick Ad Exchange, Facebook Audience Network and Google AdSense). For more information, visit www.aboutads.info/choices. Opting out means that you will no longer receive personalized ads, based on your browsing information across multiple sites and online services, from the third-party ad networks from which you have opted out. If you delete cookies or change devices, your opt-out may no longer be effective.
- To fulfill the purpose for which you provide it.
- We may share your information other than as described in this Policy if we notify you and you consent to the sharing.
- Third-Party Data Processors and Sub-Processors: We engage the following categories of third-party service providers who may process personal data on our behalf. All service providers are bound by written Data Processing Agreements (DPAs) that require them to: (a) process personal data only on our documented instructions; (b) ensure confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist with data subject rights requests; (e) delete or return all personal data upon termination of services; and (f) submit to audits and inspections.
i. Cloud Infrastructure: We use Google Cloud Platform (GCP) and Amazon Web Services (AWS) for data hosting, storage, and computing services. See the GCP Privacy Notice and the AWS Privacy Policy.
ii. Payment Processing: [Name of Payment Gateway] — PCI-DSS compliant payment processing services.
iii. Analytics: Google Analytics — aggregated, anonymised usage analytics to improve our Services.
iv. Customer Support: FreshChat — support ticket management and resolution.
A current and complete list of our sub-processors is available upon request by contacting support@zipydo.com.
META PLATFORM DATA OBLIGATIONS
When you connect your Meta (Facebook or Instagram) account to the Zipydo Platform, or use features that integrate with Meta’s platform, we receive and process certain data from Meta. This section describes our obligations and practices specific to Meta User Data, in compliance with Meta’s Platform Terms and the Developer Data Use Policy (DDUP).
What Meta Data We Access:
- We collect the following types of data/permissions: public_profile, email, pages_read_engagement, business_management, ads_read, ads_management, read_insights, etc.
How We Use Meta Data:
- Solely to provide, support, and maintain the app features and experience you have specifically requested.
- To conduct analytics only in aggregated, de-identified, or anonymised form that does not allow for the re-identification of any individual user.
What We Do NOT Do with Meta Data:
- We do not sell, license, purchase, or otherwise transfer Meta User Data to or from any third party, data broker, advertising network, or data reseller.
- We do not use Meta User Data for any form of advertising, including targeted, behavioural, contextual, or re-targeting advertising.
- We do not use Meta User Data to build or augment user profiles for purposes unrelated to your direct use of our app.
- We do not use Meta User Data to conduct or facilitate surveillance, or to provide tools, data, or services to surveillance-related entities.
- We do not use Meta User Data to make decisions about employment, credit, insurance, housing, education, or similar matters concerning any individual.
- We do not transfer, share, or process Meta User Data in any manner that would violate Meta’s Developer Data Use Policy.
Sharing of Meta Data with Service Providers: We share Meta User Data with service providers only where:
- It is necessary for the service provider to provide a service on our behalf that directly supports your use of the app;
- We have a written agreement with the service provider that requires them to (a) protect Meta User Data at least to the standard required by Meta’s DDUP, (b) use Meta User Data only as instructed by us, and (c) delete Meta User Data when they cease providing services to us;
- We remain fully responsible to Meta for any acts or omissions of our service providers and their sub-service providers.
Deletion of Meta Data: We delete Meta User Data without undue delay when:
- You request deletion of your data (via in-app settings, email, or web form);
- You disconnect or de-authorise your Meta account from Zipydo;
- Your Zipydo account is deleted or permanently deactivated;
- A user deletes their Meta account, or no longer has a Meta account;
- The data is no longer necessary to provide the app experience or service;
- Meta requests deletion of the data.
Data Correction: We provide an easily accessible and clearly marked mechanism for users to request correction of their Meta User Data. You may submit a correction request through Settings > Privacy > Manage My Data, or by emailing support@zipydo.com.
Incident Notification to Meta: In the event of any unauthorised access, processing, or breach involving Meta User Data, or any incident that could compromise our IT systems, we will notify Meta using Meta’s designated incident reporting form as soon as practicable, and will immediately begin remediation and cooperate with Meta as required.
This section does not supersede, modify, or provide less protection than Meta’s Developer Data Use Policy. In the event of any conflict between this Policy and Meta’s DDUP, the terms that provide greater protection for user data shall prevail.
FINANCIAL DATA HANDLING
Given the nature of our Services in the financial domain, we process financial data with the highest level of care and security. This section describes the specific safeguards we apply to financial data.
Purpose Limitation: Financial data (including bank statements, balance sheets, CRM data, invoices, and tax records) is processed exclusively for the specific financial analysis, reporting, or management service you have requested. We do not use financial data for advertising, user profiling, credit scoring, or any purpose beyond the stated service without obtaining your separate, explicit consent.
Security Measures for Financial Data:
- Encryption at rest using AES-256 and in transit using TLS 1.2 or higher;
- Role-based access control (RBAC) with the principle of least privilege;
- Multi-factor authentication (MFA) for all personnel accessing financial data systems;
- Data masking and tokenisation for sensitive fields including account numbers, balances, and personal identifiers;
- Regular penetration testing and vulnerability assessments conducted at least annually by qualified third-party assessors;
- Comprehensive audit logging of all access to, and operations on, financial data;
- Segregation of financial data from non-financial data in our storage systems.
Data Localisation: In compliance with the Reserve Bank of India’s data localisation directives, payment system data and financial transaction data of Indian users is stored and processed within India. Where any processing requires temporary transfer of data outside India (e.g., for cloud computing services), it is done with end-to-end encryption and contractual safeguards, and a copy of the data is retained within India at all times.
Third-Party Access to Financial Data: Financial data is not shared with any third party (including advertisers, Meta, Google, Apple, or any other platform provider) unless: (a) you provide explicit, specific consent; (b) we are required to do so by law, regulation, court order, or regulatory direction; or (c) it is necessary for a regulated financial service provider to deliver a service you have specifically requested.
PCI-DSS Compliance: Where we process payment card data, we maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS). We use PCI-DSS compliant payment processors and do not store full card numbers, CVV codes, or PIN data on our systems.
Account Aggregator Framework: Where we access your financial data through the Account Aggregator (AA) framework regulated by the Reserve Bank of India, we do so in compliance with the applicable RBI Master Directions and only with your explicit, digitally signed consent through the AA ecosystem.
CROSS-BORDER DATA TRANSFERS
Your personal data may be transferred to, stored in, and processed in countries other than the country in which it was collected. Specifically, your data may be processed in:
- India (primary data processing and storage);
- United States (Amazon Web Services cloud infrastructure, and certain third-party service providers);
- Singapore (Google Cloud Platform / Amazon Web Services);
- Hong Kong (Google Cloud Platform / Amazon Web Services).
We ensure that appropriate safeguards are in place for all international transfers of personal data:
For transfers from the European Economic Area (EEA) and United Kingdom: We rely on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures where required by the Schrems II decision (Case C-311/18). Copies of the relevant SCCs are available upon request.
For transfers from India: We transfer personal data only to jurisdictions that have not been restricted by the Central Government of India under Section 16 of the Digital Personal Data Protection Act, 2023. Where further conditions for cross-border transfer are notified under the DPDP Rules, we will comply with such conditions.
For financial data: In compliance with Reserve Bank of India data localisation directives, payment system data and financial transaction data of Indian users is stored within India. Where any cross-border transfer of financial data is required for service delivery, we apply end-to-end encryption (TLS 1.2+ in transit, AES-256 at rest), contractual safeguards through DPAs, and access restrictions limited to authorised personnel on a need-to-know basis. A copy of financial data is always retained in India.
Our cloud infrastructure providers (Amazon Web Services and Google Cloud Platform) maintain compliance with ISO 27001, SOC 1/2/3, PCI-DSS, and other applicable security certifications. Details are available at https://aws.amazon.com/compliance/ and https://cloud.google.com/security/compliance.
CHILDREN’S DATA PROTECTION
Our Services, including our financial data analysis services, are not intended for children. For the purposes of this section:
- In India, a “child” is an individual who has not completed eighteen (18) years of age, as defined under Section 2(f) of the Digital Personal Data Protection Act, 2023.
- In the EEA/UK, a child is an individual under sixteen (16) years of age (or such lower age as permitted by the applicable EU member state, but in no case below thirteen (13) years), as defined under GDPR Article 8.
- In the United States, a child is an individual under thirteen (13) years of age, as defined under the Children’s Online Privacy Protection Act (COPPA).
We do not knowingly collect, store, or process personal data from children. If we become aware that we have inadvertently collected personal data from a child without obtaining appropriate parental or guardian consent, we will take immediate steps to delete such data from our systems without undue delay.
In compliance with Section 9 of the DPDP Act, 2023:
- We will not process personal data of a child in any manner that could be detrimental to the well-being of the child.
- We will not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
- Before processing personal data of a child (should such a situation arise), we will obtain verifiable consent from the parent or lawful guardian of the child.
Our financial data analysis services (bank statements, balance sheets, CRM data) are strictly restricted to users aged eighteen (18) years and above.
If you believe that a child has provided us with personal data, or that we are processing the personal data of a child, please contact us immediately at support@zipydo.com.
DATA BREACH NOTIFICATION
We have implemented a comprehensive incident response plan to detect, respond to, and recover from personal data breaches. In the event of a personal data breach that affects your data, we will take the following steps:
(a) Notification to the Data Protection Board of India: We will report the breach to the Data Protection Board of India without undue delay, as required under Section 8(6) of the Digital Personal Data Protection Act, 2023. Under the DPDP Act, all personal data breaches must be reported, regardless of the assessed risk level.
(b) Notification to EEA/UK Supervisory Authorities: Where the breach involves personal data of individuals in the EEA or UK, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR Article 33, unless the breach is unlikely to result in a risk to the rights and freedoms of affected individuals.
(c) Notification to Meta: Where the breach involves Meta User Data or could compromise our IT systems in a manner relevant to Meta Platform data, we will notify Meta using Meta’s designated incident reporting form as soon as practicable, and will immediately begin remediation and cooperate with Meta as required under Section 6.4 of the Developer Data Use Policy.
(d) Notification to Affected Users: We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing clear information about the nature of the breach, likely consequences, and measures they can take to protect themselves.
(e) Notification to CERT-In: We will report the incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours, as required under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
(f) Notification to Financial Regulators: Where the breach involves financial data (bank statements, balance sheets, payment data), we will notify the Reserve Bank of India and/or other relevant financial regulators as required by applicable circulars and regulatory directions.
Our breach notification to regulators and affected individuals will include: the nature of the personal data breach; the categories and approximate number of individuals affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects; and the contact details of our Data Protection Officer.
DATA SECURITY
We implement and maintain administrative, physical, and technical safeguards designed to protect personal data against unauthorised access, alteration, disclosure, destruction, or loss. Our security programme is designed in accordance with industry standards and applicable legal requirements, including GDPR Article 32, the DPDP Act 2023, and Meta’s Developer Data Use Policy Section 6.
Access Management:
- Role-based access control (RBAC) enforcing the principle of least privilege across all systems;
- Multi-factor authentication (MFA) for all personnel accessing personal data or production systems;
- Regular access reviews conducted quarterly, with immediate deprovisioning upon role change or employment termination;
- Unique user IDs for all system access, with prohibition of shared accounts.
Encryption:
- Data in transit: TLS 1.2 or higher for all external and internal communications;
- Data at rest: AES-256 encryption for all stored personal data, including database-level and file-system encryption;
- Tokenisation of payment card data and sensitive financial identifiers using PCI-DSS compliant vault services;
- Encryption key management following industry best practices with regular key rotation.
Monitoring and Detection:
- Continuous security monitoring of events, anomalies, and unauthorised access attempts;
- Intrusion Detection and Prevention Systems (IDS/IPS) on perimeter and internal networks;
- Security logging and audit trail retention in accordance with defined schedules;
- Cloud monitoring services for infrastructure-level threat detection;
- Endpoint monitoring software on all managed IT assets.
Application Security:
- Secure Software Development Lifecycle (SDLC) incorporating security reviews at each phase;
- Regular vulnerability assessments and penetration testing conducted at least annually by qualified independent assessors;
- Compliance with OWASP Top 10 for web application security;
- Code review processes incorporating security-focused analysis.
Incident Response:
- Documented and formally defined security incident response plan;
- Dedicated security personnel for investigation, triage, and escalation;
- Target response times: triage within 1 hour of detection, containment within 4 hours;
- Post-incident review and remediation with documented lessons learned;
- See also our “Data Breach Notification” section above for reporting obligations.
Physical Security:
- Data centre physical access controls managed by our cloud infrastructure providers (AWS and GCP), which maintain ISO 27001, SOC 1/2/3, and PCI-DSS certifications;
- Office premises secured with access controls for areas where personal data is processed.
Certifications and Frameworks: [State your applicable certifications, e.g., “We maintain ISO 27001 certification” or “We are in the process of obtaining ISO 27001 certification and align our security practices with the NIST Cybersecurity Framework (CSF).”]
Employee Training: All personnel with access to personal data undergo mandatory data protection and information security awareness training upon joining, and at least annually thereafter. Additional role-specific training is provided for personnel handling financial data or Meta/Google Platform data.
We use vault and tokenization services from PCI-DSS compliant third-party service providers to protect sensitive personal and financial information. You are advised not to send your full credit/debit card details through unencrypted electronic platforms. Where we have given you (or where you have chosen) a username and password which enables you to access certain parts of the Zipydo Platform, you are responsible for keeping these details confidential. We ask you not to share your password with anyone.
While we take all reasonable steps to protect your personal data, please be aware that no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your data transmitted through the Zipydo Platform, but we continuously review and improve our security measures.
AUTOMATED DECISION-MAKING AND PROFILING
We use automated processing to analyse financial patterns in bank statements, categorise transactions, and generate financial summaries and reports. These automated processes:
- Are used solely to provide the financial analysis service you have requested;
- Do not produce decisions that have legal or similarly significant effects on you without human oversight and review;
- Are based on your explicit consent or are necessary for the performance of a contract with you;
- Include the following safeguards: (a) the right to request human review of any automated output; (b) the right to express your point of view; and (c) the right to contest any decision or output.
OPT-OUT
When you sign up for an account, you are opting in to receive emails from Zipydo. You can log in to manage your email preferences or you can follow the “unsubscribe” instructions in commercial email messages, but note that you cannot opt out of receiving certain administrative notices, service notices, or legal notices from Zipydo.
If you wish to withdraw your consent for the use and disclosure of your personal information in the manner provided in this Policy, please write to us at support@zipydo.com. Please note that we may take time to process such requests, and your request shall take effect no later than 5 (Five) business days from the receipt of such request, after which we will not use your personal data for any processing unless required by us to comply with our legal obligations. We may not be able to offer you any or all Services upon such withdrawal of your consent.
DATA PROTECTION OFFICER, GRIEVANCE OFFICER AND PLATFORM SECURITY
Data Protection Officer (DPO):
Name: Zipydo Grievance Officer
Email: support@zipydo.com
Address: Zipydo Technologies Private Limited, VP08, Pruksa Silvam, Virgonagar P.O., Bangalore 560 049, India
Grievance Officer (under the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023):
Name: Zipydo Grievance Officer
Email: support@zipydo.com
Address: Zipydo Technologies Private Limited, VP08, Pruksa Silvam, Virgonagar P.O., Bangalore 560 049, India
Response Time: Acknowledgement within 24 hours of receipt; resolution within 30 days, or such shorter period as may be prescribed under applicable law.
Complaints Regarding Meta Platform Data: If you have concerns specifically regarding how your Meta User Data is processed by Zipydo, you may also contact Meta’s Data Protection Officer at: https://www.facebook.com/help/contact/540977946302970
Regulatory Complaints: You have the right to lodge a complaint with the appropriate regulatory authority:
- India: The Data Protection Board of India, once constituted and operational under the DPDP Act, 2023.
If you come across any abuse or violation of this Policy, please report it to support@zipydo.com.
Platform Security — Data Storage: The Zipydo Platform stores your data with the cloud platforms of Amazon Web Services, provided by Amazon Web Services, Inc., and Google Cloud Platform, provided by Google LLC. Data may be stored on servers located in India (AWS ap-south-1 Mumbai region), Singapore (AWS ap-southeast-1 / GCP asia-southeast1), Hong Kong (GCP asia-east2), and the United States. Amazon Web Services and Google Cloud Platform maintain ISO 27001, SOC 1/2/3, PCI-DSS, and other security certifications. Details of security measures are available at https://aws.amazon.com/security/ and https://cloud.google.com/security. The AWS privacy policy is available at https://aws.amazon.com/privacy/. The GCP privacy notice is available at https://cloud.google.com/terms/cloud-privacy-notice.
In the event you have questions or concerns about the security measures adopted by our cloud infrastructure providers, you can contact their data protection / privacy teams, whose contact details are available in their respective privacy policies, or you may write to our Data Protection Officer at the address provided above.
