ZULO is a food awareness application operated by Aveor Studios, based in Mumbai, Maharashtra, India. We are the data controller responsible for your personal information.
Core account data, including your profile, craving logs, streak history, and karma records, is stored on servers located in Mumbai, Maharashtra, India.
For all privacy questions, data requests, or concerns, contact our Grievance Officer at: [email protected]
We aim to respond to all privacy requests within 7 business days.
Account information
When you sign in with Google or Apple, we receive your name, email address, and (where available) profile photo from the identity provider. When you sign in with email and password, we receive your email and a securely hashed password (we never see or store the password itself). This is used to create and identify your account.
Profile data you provide
Display name, first and last name, date of birth, city, country, gender, dietary preferences, and activity preferences you set during onboarding or in Settings. This personalises your experience.
Phone number
We require a phone number at signup. It is used for three purposes: (a) one-time password (OTP) verification when you first enable phone reminders, processed by Twilio Verify; (b) friend discovery, so people who already have your number in their contacts can find you on ZULO if you choose to be discoverable; (c) sending Skip reminders and notifications via WhatsApp or SMS where you have opted in. Your phone number is never visible to other users on your public profile and is never sold or shared with advertisers.
App activity
Foods you choose to log, Karma earned, streaks, challenges completed, badges earned, caves logged (moments of honesty), and craving patterns you voluntarily record. This data is the core of your personal awareness journey inside ZULO.
Subscription and purchase data
When you purchase a subscription (ZULO Plus, Pro, or Infinite, internally keyed as lite or core for Plus, pulse for Pro, and infinite for Infinite) or a one-off add-on, we store the plan key, subscription status, billing cadence, payment processor IDs (Razorpay subscription/payment IDs on the web for India; Lemon Squeezy order IDs on the web for non-India; Apple/Google product IDs on native), and transaction history. We do not store your card number, UPI handle, CVV, or any payment credential. These are handled directly by Razorpay, Lemon Squeezy, Apple, or Google depending on your region and platform.
AI usage data
When you request an AI Weekly Insight or use the Ask Anything feature, we send an anonymised summary of your last 7 days of activity (aggregate counts, top foods, top categories, cave triggers) to Anthropic (Claude). We do not send your name, email, phone, or any personal identifier to the AI provider. AI responses are stored in your account so you can review your history.
Camera and food scan images
When you use the food scan feature, the image you capture is sent through our Cloudflare Worker to OpenAI for food identification. The image is transmitted securely and is not stored by ZULO after the result is returned. No personal identifiers are attached to the image when it is sent. You can always skip the scan and search manually.
Device and technical information
Device type, operating system, browser, language, timezone, and session timestamps. Collected automatically to ensure the app functions correctly and to understand usage at an aggregate level. We also collect a push notification device identifier (when you opt in to notifications) and an in-app purchase identifier (when you make a native iOS or Android subscription purchase) so we can deliver pushes to your device and link your subscription to your account.
First-party device and diagnostic data
When you complete onboarding, ZULO records a set of first-party technical signals for performance monitoring and app improvement: your device operating system, device type, browser, language, referrer (the page or source that brought you to ZULO), PWA install status (whether you added ZULO to your home screen as an app), notification permission status, and your browser user agent string. We use this to keep the app working correctly across devices and browsers and to reproduce and fix technical issues. This data is collected at onboarding, stored in our Supabase database, linked to your account, and is not shared with any third party or advertiser.
Crash logs and diagnostic events
When the app crashes or encounters a runtime error, the operating system (Apple iOS or Google Android) may collect a crash log and forward it to us through Apple App Store Connect or Google Play Console for the purpose of fixing the bug. Our subscription SDK (RevenueCat) sends anonymised diagnostic events such as in-app purchase status so we can monitor app health. Push notifications are delivered via direct APNs (iOS) and FCM (Android) integrations operated by ZULO. None of these logs include the contents of your activity inside the app.
We do not use your data for advertising. We do not build advertising profiles. We do not sell, rent, or trade your personal information to any third party.
ZULO has social features. Here is what is visible to others by default:
Public by default: Display name, city, level, total Karma earned, total skips, current streak, earned badges, and Trophy Room cards on your public profile.
Always private: Your email address, phone number, date of birth, subscription status, purchase history, caves logged, hunger signal patterns, AI insight content, and any data you have not chosen to share.
You can turn off profile searchability at any time in Settings under Privacy. When off, other users cannot find you by name or view your profile.
We use a small number of trusted third-party services to operate ZULO. Each is bound by its own privacy and data protection commitments, and processes data only as necessary to provide its service:
We may update our service providers from time to time. This list reflects our current stack. Your data may be processed in countries outside India including the United States and the European Union by these providers. For transfers of personal data outside the European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission under GDPR Article 46(2)(c), as executed with our sub-processors.
We use reasonable technical and organisational measures to protect your data, including encrypted connections (TLS), row-level security on our database, access controls, and secure infrastructure. Payment data is handled by Razorpay, which is PCI DSS Level 1 compliant. No method of electronic storage or transmission is completely secure. We cannot guarantee absolute security, but we take it seriously and respond promptly to any identified issue.
ZULO is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at [email protected] and we will delete the account promptly.
We do not provide parental consent flows and do not target users under 18 in any marketing or product feature.
You have the following rights regarding your personal data:
To exercise any right, email [email protected]. We may ask you to verify your identity before processing sensitive requests. We respond within 7 business days. Some requests may be limited where we have a legal obligation to retain certain data (for example, tax records of completed transactions).
For users in India: The rights above are also protected under the Digital Personal Data Protection Act, 2023 (the "DPDP Act"). The Act guarantees you the rights of access, correction, completion, updating, and erasure of your personal data, the right to nominate another person to exercise these rights in case of your death or incapacity, and the right to a grievance-redressal mechanism. You may exercise these rights through the in-app paths described above or by contacting our Grievance Officer (see section 16). For users in the European Union and the United Kingdom, the same rights are protected under the GDPR and the UK GDPR respectively, and you may also lodge a complaint with your local data-protection authority.
For users residing in California: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding the personal information we collect, use, and share. This section explains those rights and how to exercise them.
Categories of personal information we collect (mapped to CPRA categories): identifiers (name, email, phone number, account ID); commercial information (subscription history, in-app purchase history); internet or other electronic network activity information (skip logs, app usage, device type, IP-derived city); geolocation (city and country only, never precise location); inferences (food-habit patterns and AI-generated insights drawn from your usage); and limited sensitive personal information (account credentials only). Section 3 lists categories we explicitly do not collect.
Categories of third parties we disclose to: see section 6 (Service Providers) for the full list. We disclose data only as necessary to operate the service; we do not authorise these providers to use your data for their own independent purposes.
Sale and sharing under the CPRA: we do not sell your personal information for money or any other valuable consideration. CPRA expands the definition of "sharing" to include cross-context behavioral advertising; we do not engage in behavioral advertising. We do use third-party product analytics (PostHog), crash monitoring (Sentry), and session recording (Microsoft Clarity) that receive opaque user identifiers tied to your account ID — these support service operation only, not advertising. If you consider this activity to be "sharing" under your interpretation of the CPRA, you may opt out via the method below.
Your CCPA/CPRA rights:
How to exercise these rights: email [email protected] with the subject line CCPA Opt-Out Request. Using this specific subject line ensures your request is routed to a dedicated review queue and does not land in general support. We respond within 45 days, with a single 45-day extension permitted for complex requests as the CPRA allows. We may ask you to verify your identity before processing the request — typically by replying from the email address on file for your account.
Global Privacy Control (GPC): We honor the Global Privacy Control (GPC) signal. If your browser or device transmits a GPC signal, we treat it as a valid opt-out of the sale or sharing of your personal data, consistent with applicable law.
Authorized agents: you may designate an authorized agent to submit a CCPA/CPRA request on your behalf. We will require written authorization signed by you and verification of the agent's identity before actioning any such request.
Annual metrics: in line with CCPA disclosure requirements: in the prior calendar year we received zero requests to know, zero requests to delete, zero requests to correct, and zero requests to opt out (the service is pre-launch as of this policy's last-updated date). We will update this disclosure annually.
You can delete your account at any time from within the app: Profile → Settings → Delete Account. This permanently and irreversibly deletes all your personal data, activity history, achievements, AI insights, and account information within 30 days.
Important: account deletion does not automatically cancel an active subscription. You must cancel your subscription separately through the billing platform that processed it:
Your subscription will continue to bill until you cancel it through the appropriate platform. Refunds (if applicable) follow our Refund and Cancellation Policy.
You can also request deletion by emailing [email protected]. Both you and our team will receive a confirmation email when deletion is complete.
Service communications such as account confirmations, payment receipts, security notices, subscription renewal notices, and deletion confirmations are necessary for operating your account and cannot be turned off.
Product communications such as daily summaries and streak reminders are optional and can be turned off in Settings under Notifications at any time.
ZULO is a personal awareness tool, not a medical application. Nothing in the app including AI-generated insights constitutes medical advice, dietary guidance, clinical treatment, or professional health recommendations. ZULO is not intended to diagnose, treat, prevent, or manage any medical condition including eating disorders, diabetes, obesity, or any other health condition. If you have concerns about your health or eating habits, please consult a qualified healthcare professional.
We notify you of material changes to this policy by email or via an in-app notice at least 14 days before the change takes effect. Continued use of the app after changes means you accept the updated policy.
In accordance with applicable Indian law, any grievances regarding the processing of your personal data may be directed to:
Vallabh Kulkarni, Grievance Officer
Aveor Studios Private Limited
Mumbai, Maharashtra, India
[email protected]
Response time: within 7 business days
Do Not Sell or Share My Personal Information · California residents: see § 11
© 2026 Aveor Studios · Terms and Conditions · Refund Policy · [email protected]