Privacy Policy
Effective date: April 13, 2026 · Last updated: April 21, 2026
Innoworx Technology Services ("we," "us," or "our"), operating the Zimly platform, offers the Zimly mobile application (iOS and Android) and the website zimly.ai (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your information when you use our Service.
By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service. Please also review our Terms of Service.
We do not sell or share your personal information for cross-context behavioural advertising, and we do not track you across third-party apps and websites. The Zimly app does not use Apple's IDFA or any advertising identifier.
1. Information We Collect
1.1 Information You Provide
- Account data — name, email address, phone number (optional), country, preferred language, and password (if you choose email + password sign-in).
- Profile data — professional title, company, biography, social links, profile photo, company logo, voice introduction recording, and any additional content you add to your digital business card.
- Contact data — names, phone numbers, email addresses, companies, job titles, notes, tags, and voice notes you save when you exchange information with others.
- Payment data — when you subscribe to a paid plan we collect your billing email and plan selection. Credit/debit card details are entered directly into Stripe, Razorpay, or handled by the Apple App Store / Google Play Store and are never stored on our servers.
- Communications — if you contact support or provide feedback we store the content of those communications.
- Device contacts — if you grant permission, we may import contacts from your device address book to help you identify and manage connections. We request this permission explicitly and you can deny or revoke it at any time.
1.2 Information Collected Automatically
- Device info — device name, operating system and version, app version, device platform (iOS/Android).
- Log data — IP address, authentication method, success/failure status, user-agent string, and general city-level location derived from your IP address.
- Analytics events — in-app actions (e.g. "contact_saved," "qr_scanned") are logged without personally identifiable content. You may opt out of analytics in Settings → Data & Privacy.
- Crash & performance data — we use Sentry to capture crash reports, error logs, and performance traces to improve app stability. These may include device state, stack traces, and limited screenshots of the error state.
- NFC and QR interactions — when someone taps your NFC card or scans your QR code we record the city, country, device type, and whether the interaction resulted in a contact save. We do not record the scanning person's identity unless they choose to share their information.
1.3 Information from Third-Party Sign-In
If you sign in with Google or Apple, we receive your name, email address, and a unique provider identifier. We do not access your Google or Apple contacts, calendar, or other account data through the sign-in flow.
2. How We Use Your Information
- Provide the Service — create and host your digital business card, store contacts, enable sharing via NFC/QR/link, and facilitate Connect Rooms.
- AI features — enrich contact details, generate profile summaries, transcribe and summarise voice notes, power the "Ask Me" conversational assistant, and deliver relationship insights. AI processing can be disabled in Settings → Data & Privacy.
- Communications — send OTPs for sign-in, security alerts (e.g. new device sign-in), follow-up reminders, weekly digests, and transactional emails.
- Payment processing — manage subscriptions and NFC card orders through Stripe, Razorpay, Apple App Store, or Google Play Store.
- Safety & security — detect fraud, enforce rate limits, prevent abuse, and maintain audit logs for enterprise accounts.
- Improvements — analyse aggregated, de-identified usage patterns to improve features and performance.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your data under the following legal bases:
- Contractual necessity — to create and maintain your account, provide core features (digital cards, contact management, Connect Rooms), process payments, and fulfil NFC card orders.
- Consent — for optional features such as AI processing, device contact import, voice-note recording, analytics collection, and marketing emails. You may withdraw consent at any time via the in-app settings without affecting the lawfulness of prior processing.
- Legitimate interest — for crash reporting (Sentry), fraud prevention, security monitoring, and aggregate analytics to improve the Service, balanced against your privacy interests.
- Legal obligation — to comply with applicable laws, regulations, or lawful government requests.
4. AI Data Processing
Certain features use Anthropic's Claude AI model. When you use these features, limited data (e.g. a contact's name, company, role, or your profile summary context) is sent to Anthropic's API for processing. Anthropic does not use your data to train their models. You can disable all AI processing in Settings → Data & Privacy → AI Processing. When disabled, no data is sent to AI providers.
AI-generated content (e.g. enrichment suggestions, summaries) is clearly labelled and you control whether to accept, edit, or discard it.
5. How We Share Your Information
We do not sell your personal data. We share information only in the following circumstances:
- Service providers — we use third-party providers to operate the Service (see table below). Each provider receives only the minimum data necessary for their function.
- When you share — your public profile information is visible to anyone with your profile link, QR code, or NFC card. Within Connect Rooms, your card is visible to other room participants based on room settings.
- CRM integrations — if you connect a CRM (e.g. HubSpot, Salesforce), contact data is synced per your field-mapping configuration.
- Legal requirements — we may disclose information when required by law, subpoena, or government request, or to protect our rights and safety.
- Business transfers — in connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
Third-Party Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude) | AI features | Contact/profile context text |
| Stripe | Payments | Email, plan selection |
| Razorpay | Payments (India) | User ID, plan selection |
| Apple / Google | In-app purchases | Managed by respective store |
| Sentry | Crash reporting | User ID, device state, error data |
| Resend | Transactional email | Recipient email, message content |
| Twilio / MSG91 | SMS OTP | Phone number, OTP message |
| Expo (push) | Push notifications | Device token, notification content |
| Cloudflare R2 | File storage | Uploaded files (photos, audio) |
6. Data Security
- Passwords are hashed using Argon2.
- Phone numbers, OAuth tokens, and 2FA secrets are encrypted at rest using Fernet or field-level encryption.
- Authentication tokens are stored in the device Keychain (iOS) or Keystore (Android).
- OTP codes are bcrypt-hashed and never stored in plain text.
- API traffic is encrypted via TLS. The mobile app uses certificate pinning for API connections.
- WebSocket connections are authenticated with single-use JWT tickets.
- Enterprise accounts have append-only audit logs with INSERT-only database permissions.
- We enforce rate limiting, account lockouts (5 failed OTP attempts → 30-minute cooldown), and IP-restricted service accounts.
- Screenshot prevention is enabled on authentication screens to protect sensitive credentials.
No system is 100% secure. If you become aware of a vulnerability, please contact us at security@zimly.ai.
7. Data Retention
- Account data — retained while your account is active. After you request deletion, data is permanently removed after a 30-day grace period (during which you can reactivate).
- Guest visitor data — IP addresses of guest visitors are automatically purged after 30 days.
- Room data — Connect Room data is purged 90 days after the room closes.
- OTP codes — expired codes are cleaned automatically every hour.
- Deleted contacts — soft-deleted and excluded from views; included in permanent deletion when your account is removed.
- Audit logs — enterprise audit logs are retained per the organisation's retention policy.
8. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights:
- Access & portability — request a full export of your data (Settings → Data & Privacy → Export My Data). We deliver a ZIP file containing your account, profiles, contacts, notes, rooms, settings, and devices in JSON format.
- Correction — update your information at any time through the app.
- Deletion — delete your account in Settings → Delete Account. After a 30-day grace period, all data is permanently removed.
- Opt-out of analytics — toggle off in Settings → Data & Privacy → Analytics.
- Opt-out of AI processing — toggle off in Settings → Data & Privacy → AI Processing.
- Notification preferences — manage push and email notifications per category, set quiet hours, or unsubscribe from marketing emails.
- Revoke permissions — camera, contacts, microphone, and NFC permissions can be revoked in your device settings at any time.
- Object to processing (EEA/UK) — you may object to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds.
- Restrict processing (EEA/UK) — request that we limit how we use your data while a dispute or verification is pending.
- Lodge a complaint (EEA/UK) — you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated applicable data protection law.
To exercise any right, email privacy@zimly.ai or use the in-app options. We respond to requests within 30 days.
9. International Data Transfers
Your data may be processed in countries other than your own. Our servers and service providers operate globally. We rely on Standard Contractual Clauses (SCCs) and service-provider data processing agreements to ensure adequate protection when data is transferred outside your jurisdiction.
For users in India, data processing complies with the Digital Personal Data Protection Act 2023 (DPDP Act). You have the right to access, correct, and erase your personal data, and to nominate a person to exercise these rights on your behalf.
10. Children's Privacy
The Service is not directed at children under 16 (or under 18 in jurisdictions that require it, such as India under the DPDP Act). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@zimly.ai and we will promptly delete it.
11. Cookies & Tracking Technologies
Our website uses essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking pixels. The mobile app does not use cookies; local data is stored via secure on-device storage (Keychain, Keystore, SQLite, MMKV).
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.
13. Additional Disclosures for California Residents
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have additional rights:
- Right to know — you may request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete — you may request deletion of your personal information, subject to certain legal exceptions.
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt-out of sale/sharing — we do not sell your personal information and do not share it for cross-context behavioural advertising as defined by the CPRA. Therefore, no opt-out mechanism is required.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise any CCPA/CPRA right, email privacy@zimly.ai with the subject line "California Privacy Request." We will verify your identity before processing the request and respond within 45 days.
14. Contact Us
If you have questions about this Privacy Policy, please contact:
Innoworx Technology Services
9920 Pacific Heights Blvd Suite 150
San Diego, CA 92121, United States
General: support@zimly.ai
Privacy requests: privacy@zimly.ai
Security reports: security@zimly.ai
Website: https://zimly.ai