Zorro - Privacy Policy

1. INTRODUCTION

Zorro ("we," "us," or "our") operates the Zorro mobile application (the "App"). This Privacy Policy describes how we collect, use, disclose, and protect information obtained through your use of the App.

By downloading, installing, or using the App, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with this Privacy Policy, you must not use the App.

This Privacy Policy applies to all users of the App worldwide and is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Children's Online Privacy Protection Act (COPPA), and other applicable privacy laws.

2. INFORMATION WE COLLECT

We collect several types of information from and about users of the App, including:

2.1 Personal Information You Provide

When you register for an account or use the App, we collect the following personal information directly from you:

Name and Display Name: Used for account identification and service provision.
Email Address: Required for account creation, authentication, and communications.
Phone Number: Optional contact information for account recovery and notifications.
Profile Photograph: Optional image uploaded for account personalization.
Photographs and Images: Photos captured via camera or selected from your device's photo library when creating or responding to service requests.
Service Request Information: Text, descriptions, comments, and other content you submit through the App, including attachments associated with service requests.

2.2 Information Collected Automatically

When you use the App, we and our third-party service providers automatically collect certain information about your device and usage patterns:

Device Information: Device type, operating system and version, unique device identifiers, mobile network information, and device manufacturer.
Usage Data: App screens viewed, features accessed, time spent in the App, actions taken within the App, and interaction patterns.
Performance Data: App launch time, network request latency, screen rendering performance, and other technical performance metrics.
Log Data: Error logs, crash reports, stack traces, diagnostic information, and timestamps associated with App errors or crashes.
Analytics Data: User engagement events such as logins, sign-ups, service request creation, profile updates, and other in-app events. User identifiers transmitted to analytics services are cryptographically hashed (SHA-256) before transmission.

2.3 Information from Third-Party Services

If you choose to authenticate using Google Sign-In, we receive the following information from your Google account:

Google account name
Google account email address
Google account profile picture (if available)
Google account unique identifier

2.4 Location Information

We do not currently collect precise geolocation data. Any location information inferred from your IP address or network information is collected automatically by our service providers and is not used by us for tracking purposes.

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

3.1 Service Provision and Account Management

To create and manage your user account
To authenticate your identity and provide secure access to the App
To enable you to create, submit, track, and manage service requests
To facilitate communication between you and our service providers
To store and manage photographs and attachments you upload in connection with service requests

3.2 App Improvement and Analytics

To analyze usage patterns and understand how users interact with the App
To measure the performance and stability of the App
To identify and diagnose technical issues, bugs, and crashes
To develop new features and improve existing functionality
To conduct research and analytics to enhance user experience

3.3 Security and Fraud Prevention

To detect, prevent, and respond to security incidents and fraudulent activity
To protect the rights, property, and safety of Zorro, our users, and the public
To enforce our Terms of Service and other legal agreements

3.4 Legal Compliance

To comply with applicable laws, regulations, legal processes, or governmental requests
To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements

3.5 Communications

To send you administrative messages, service announcements, and updates related to your account or service requests
To respond to your inquiries, comments, or customer support requests

We do not use your information for marketing, advertising, or promotional purposes.

4. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our legal bases for processing personal information under the GDPR are:

Performance of a Contract (Article 6.1.b): Processing is necessary to provide the services you request through the App, including account creation, authentication, service request management, and content storage.
Legitimate Interests (Article 6.1.f): Processing is necessary for our legitimate interests in operating, maintaining, improving, and securing the App, analyzing usage patterns, diagnosing technical issues, and preventing fraud, provided such interests are not overridden by your data protection rights.
Compliance with Legal Obligations (Article 6.1.c): Processing is necessary to comply with applicable laws and regulations, including responding to lawful requests from authorities.

You have the right to object to processing based on legitimate interests. See Section 9 for information about your rights.

5. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We share your information only in the following circumstances:

5.1 Third-Party Service Providers

We use third-party service providers to operate, maintain, and improve the App. These providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information and use it only for the purposes for which it was disclosed.

Firebase Services (provided by Google LLC)

We use the following Firebase services, which collect and process information as described:

Firebase Authentication: Manages user authentication, stores authentication credentials (email, phone number, hashed passwords), and user identifiers. Google processes this information to provide secure authentication services.
Firebase Analytics: Collects usage data, event tracking information, screen views, and user engagement metrics. User identifiers are cryptographically hashed before transmission. Google processes this information to generate analytics reports about App usage patterns.
Firebase Crashlytics: Automatically collects crash reports, error logs, stack traces, device information, and diagnostic data when the App crashes or encounters errors. Google processes this information to help us identify and fix bugs.
Firebase Performance Monitoring: Collects app performance metrics including startup time, network request latency, and screen rendering performance. Google processes this information to help us optimize App performance.

Firebase services are provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google's privacy policy is available at: https://policies.google.com/privacy

Google Sign-In (provided by Google LLC)

If you choose to authenticate using Google Sign-In, Google provides us with your Google account name, email address, profile picture, and unique identifier through OAuth 2.0 authentication. Google's privacy policy is available at: https://policies.google.com/privacy

Supabase (Backend Infrastructure Provider)

We use Supabase, Inc. to provide backend database and file storage services. Supabase stores:

User profile information (name, email, phone number, user identifiers)
Service request data (descriptions, comments, status information)
Notification data
Uploaded files, photographs, and attachments

Files and images are stored in private storage buckets with access restricted through authentication and time-limited signed URLs. Supabase's privacy policy is available at: https://supabase.com/privacy

5.2 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court, government agency, or law enforcement). We may also disclose your information when we believe disclosure is necessary to:

Comply with legal obligations, court orders, or legal processes
Enforce our Terms of Service or other agreements
Protect the rights, property, or safety of Zorro, our users, or the public
Detect, prevent, or address fraud, security, or technical issues

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice in the App of any such change in ownership or control of your personal information.

5.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

6. DATA RETENTION

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Information: We retain your account information (name, email, phone number, profile data) until you request account deletion or until your account is terminated.
Service Request Data: Service requests, associated content, and attachments are retained until you delete them or request account deletion.
Authentication Data: Authentication credentials are retained by Firebase Authentication until account deletion.
Analytics and Crash Data: Analytics events and crash reports are retained according to Firebase's default retention policies (typically 2 months for raw event data and 14 months for aggregated reports, subject to Google's data retention settings).
Cached Data: Information cached locally on your device (service requests, notifications, user preferences) is retained until cache expiration, App uninstallation, or manual cache clearing.
Deleted Data: When you request account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business purposes (e.g., fraud prevention, dispute resolution, legal compliance). Backups containing your information may persist for up to 90 days.

7. DATA SECURITY

We implement reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:

Encryption: All data transmitted between the App and our servers is encrypted using industry-standard TLS/HTTPS protocols. Authentication credentials are hashed and encrypted.
Access Controls: Access to personal information is restricted to authorized personnel and service providers who require access to perform their functions and are bound by confidentiality obligations.
Secure Storage: Files and images are stored in private storage buckets with access restricted through authentication mechanisms. File access is provided through time-limited signed URLs that expire automatically.
Client Isolation: User data is stored in client-isolated directory structures with path sanitization to prevent unauthorized access.
Authentication: The App uses Firebase Authentication and OAuth 2.0 to provide secure user authentication.
Monitoring: We monitor for security incidents, unauthorized access attempts, and suspicious activity.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.

8. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States, where our third-party service providers (Google/Firebase and Supabase) operate servers.

These countries may have data protection laws that differ from the laws of your country. When we transfer personal information internationally, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses: Our service providers use Standard Contractual Clauses approved by the European Commission for transfers from the EEA to countries without an adequacy decision.
Service Provider Commitments: Google and Supabase have implemented technical and organizational measures to protect personal information in compliance with GDPR and other applicable privacy laws.
Privacy Shield Alternatives: Following the invalidation of the EU-U.S. Privacy Shield, our service providers rely on Standard Contractual Clauses and supplementary measures to ensure adequate protection.

By using the App, you acknowledge and consent to the transfer of your information to countries outside your country of residence, including the United States.

9. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction, you may have certain rights regarding your personal information:

9.1 Rights Under GDPR (EEA, UK, Switzerland Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal information and to request a copy of the personal information we hold about you.
Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal information. You can update your profile information directly within the App.
Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal information under certain circumstances. See Section 9.4 below for instructions.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal information under certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit that information to another controller.
Right to Object (Article 21): You have the right to object to processing of your personal information based on legitimate interests. If you object, we will no longer process your information unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe we have violated your data protection rights.

To exercise any of these rights, please contact us at zorro.digital.company@gmail.com with the subject line "GDPR Data Rights Request."

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

As described in Section 2, we collect the following categories of personal information:

Identifiers (name, email, phone number, device identifiers, user IDs)
Visual information (photographs, images)
Internet or network activity (usage data, analytics events, crash logs)
Device information (device type, operating system, performance metrics)
User-generated content (service requests, descriptions, comments, attachments)

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. We do not sell personal information to third parties for monetary or other valuable consideration.
Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA/CPRA.
Right to Non-Discrimination: You have the right to not receive discriminatory treatment for exercising your CCPA/CPRA rights.

To exercise these rights, please contact us at zorro.digital.company@gmail.com with the subject line "CCPA Data Rights Request." We will verify your identity before responding to your request.

9.3 Rights for Users in Other Jurisdictions

If you are located in a jurisdiction with applicable privacy laws that grant data subject rights, you may have similar rights to access, correct, delete, or restrict processing of your personal information. Please contact us at zorro.digital.company@gmail.com to exercise these rights.

9.4 Account Deletion and Data Deletion Requests

You may request deletion of your account and associated personal information at any time by sending an email to:

Email: zorro.digital.company@gmail.com
Subject Line: Delete My Account

In your email, please include:

The email address associated with your account
Confirmation that you wish to permanently delete your account and all associated data

Upon receipt of a valid deletion request, we will:

Verify your identity to ensure the request is legitimate
Delete your account and personal information within 30 days
Send you a confirmation email when the deletion is complete

Please note that:

Account deletion is permanent and cannot be undone
Certain information may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance)
Information stored in backup systems may persist for up to 90 days
Aggregated or anonymized data that cannot identify you may be retained indefinitely

10. PERMISSIONS REQUESTED BY THE APP

The App requests the following permissions to provide its functionality:

10.1 Camera Permission (android.permission.CAMERA)

Purpose: Allows you to take photographs directly within the App to attach to service requests.

When Requested: When you select the "Take Photo" option while creating or updating a service request.

How to Manage: You can revoke this permission at any time through your device's Settings > Apps > Zorro > Permissions. If you deny this permission, you will not be able to take photos within the App, but you can still select photos from your photo library.

10.2 Photo Library Access (READ_MEDIA_IMAGES)

Purpose: Allows you to select existing photographs from your device's photo library to attach to service requests.

When Requested: When you select the "Choose from Gallery" option while creating or updating a service request.

How to Manage: You can revoke this permission at any time through your device's Settings > Apps > Zorro > Permissions. If you deny this permission, you will not be able to select photos from your library, but you can still take photos with the camera.

10.3 Internet Access (android.permission.INTERNET)

Purpose: Required for all App functionality, including account authentication, service request submission, data synchronization, and communication with our servers.

When Requested: Automatically granted on installation (standard permission).

Impact: This permission is essential for the App to function. Without Internet access, the App cannot operate.

11. CHILDREN'S PRIVACY (COPPA COMPLIANCE)

The App is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child under the applicable age without verifiable parental consent, we will delete that information as quickly as possible.

If you believe that we may have collected information from a child under the applicable age, please contact us immediately at zorro.digital.company@gmail.com.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you by:

Posting the updated Privacy Policy in the App
Updating the "Last Updated" date at the top of this Privacy Policy
Sending you a notification through the App or via email

Your continued use of the App after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: zorro.digital.company@gmail.com

App Name: Zorro

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

14. GOVERNING LAW

This Privacy Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws of the jurisdiction in which Zorro is established, without regard to its conflict of law provisions.

For users in the EEA, UK, or Switzerland, nothing in this section affects your rights under the GDPR or other applicable data protection laws.

15. ACKNOWLEDGMENT

By using the App, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.