Privacy Policy

Please read this policy carefully. By accessing or using Zod, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree, please do not use our Service.

We may update this policy from time to time. We will notify you of any material changes by posting the new policy on this page and, where required by law, seeking your consent. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

Information you provide directly

• Account registration data: name, email address or phone number, date of birth, gender identity, and sexual orientation
• Profile information: photos, bio, interests, lifestyle preferences, relationship goals, height, education, occupation, and location (city-level)
• Authentication credentials: password (stored as a one-way hash), or OAuth tokens from third-party sign-in providers (Apple, Google)
• Identity verification data: a live selfie photograph and/or government-issued ID images used to verify your identity — see the dedicated Biometric and Verification Data section below for full details
• Communications: messages, media, and other content you send to other users through our encrypted messaging system
• Payment information: billing details processed by our PCI-DSS-compliant payment processors (Stripe, Apple Pay). We do not store full card numbers
• Customer support interactions: information you provide when contacting our support team
• Survey and feedback data: responses to optional surveys, ratings, and product feedback forms

Information collected automatically

• Device information: device type, operating system version, unique device identifiers (IDFV on iOS, Android Advertising ID), app version, screen resolution, language settings
• Usage data: features accessed, time spent on the app, swipe patterns (aggregated and anonymised), match interactions, session duration
• Log data: IP address, browser type, referring URLs, error logs, and crash reports
• Location data: precise GPS location (only when you grant permission, and only while the app is in use), or approximate location derived from IP address
• Cookies and similar technologies: see our Cookie Policy for full details

Information from third parties

• Social sign-in providers (Apple, Google): public profile data you authorise to be shared
• AWS Rekognition: face detection quality scores, face comparison similarity scores, and estimated age range — used solely for identity verification as described below
• Analytics providers: aggregated, anonymised behavioural data to help us improve the app
• Safety and fraud-detection partners: risk signals to protect users from scams and abuse

Sensitive personal data

By choosing to include information about your sexual orientation, gender identity, religion, ethnicity, or health on your profile, you explicitly consent to Zod processing this special-category data for the sole purpose of enabling the app to function as a dating service. You may remove such information at any time via your profile settings.

What face data we collect

To protect the Zod community from impersonation, catfishing, and fake profiles, we offer an optional Identity Verification feature. When you choose to complete verification, the app captures a single live selfie photograph using your device's front camera. Before capture, you are guided through a brief randomised liveness challenge (e.g., blink twice, smile, or turn your head) to confirm you are a real person present in real time. The app captures one still JPEG image at the end of this challenge.

We do not collect, derive, or store facial geometry templates, facial feature vectors, face prints, or any other biometric identifier as defined under BIPA (Illinois), CCPA, or equivalent laws. We collect only the photograph itself.

Zod collects a single live selfie photograph (JPEG image) during the optional Identity Verification process. The photograph is captured via the device's front camera following a randomised liveness challenge. No facial geometry templates, biometric identifiers, or face prints are derived or stored — only the photograph itself is processed and, upon successful verification, retained.

How we use your face data

• Anti-catfishing / identity verification: your selfie is compared against your existing profile photos using AWS Rekognition CompareFaces to confirm the person in the scan matches the person shown in your profile. A similarity score is calculated and stored alongside the verification attempt record.
• Government ID cross-check (optional): if you complete the optional ID Verification step, your stored selfie is compared against the face printed on your government-issued ID to confirm the document belongs to you.
• Photo authenticity anchor: once verified, your selfie is used as a reference point so that any new profile photos you attempt to upload are confirmed to match your verified identity. This prevents verified users from swapping in fake, celebrity, or AI-generated photos after verification.
• Profile photo consistency: all profile photo uploads are checked for cross-photo face consistency using AWS Rekognition to detect duplicate or mismatched identities.
• Age safety: face detection quality metrics (brightness, sharpness, age estimation) are used to reject blurred, dark, or low-confidence images and to flag potential age violations.

Your face data is never used for advertising, marketing profiling, tracking across third-party apps or websites, or any purpose other than the safety and identity functions described above.

Face data collected during Identity Verification is used exclusively for: (1) confirming that you match your profile photos (anti-catfishing); (2) optionally cross-checking the face on your government-issued ID; and (3) anchoring future profile photo uploads to your verified identity. Your face data is never used for advertising, profiling, or any purpose beyond the safety and identity functions described in this section.

Third-party sharing and storage location

Your selfie photograph is transmitted to AWS Rekognition (Amazon Web Services, operated in the us-east-1 region) for face detection, quality assessment, and face comparison. AWS processes the image bytes as part of the API call and does not independently retain the image after the call completes. AWS is bound by our Data Processing Addendum and may only process this data to provide the Rekognition API service to us.

Upon a successful verification result, the selfie photograph is stored in a private, access-controlled object storage bucket on DigitalOcean Spaces under a path unique to your user account (users/{user_id}/selfies/). The storage URL is recorded in our own encrypted database. The stored selfie is not publicly accessible and is not shared with other users, advertisers, data brokers, or any third party beyond the two sub-processors listed above.

No face data is shared with third parties for advertising, marketing, or any commercial purpose.

Your selfie photograph is sent to AWS Rekognition (Amazon Web Services, us-east-1) solely for face detection and comparison processing. AWS does not retain the image independently. Upon successful verification, the selfie is stored in a private DigitalOcean Spaces bucket under your user-specific folder. It is not publicly accessible and is never shared with advertisers, data brokers, or any third party for commercial purposes.

How long face data is retained

Your verified selfie is retained for the lifetime of your account. It is used as an ongoing photo-authenticity anchor so that every new profile photo you add continues to be validated against your confirmed identity. When you delete your account, your selfie and all associated verification data are permanently and irreversibly deleted from our live systems within 30 days and from backup archives within 90 days.

Verification attempt records (containing metadata such as the attempt timestamp, similarity score, device model, and result status) are retained for up to 2 years from the date of the attempt for fraud prevention and audit purposes, then permanently deleted. These records do not contain the selfie photograph itself after account deletion.

You may request deletion of your verification data at any time by going to Settings → Account → Delete Account, or by submitting a data deletion request to privacy@dhabli.com.

Your verified selfie photograph is retained for the lifetime of your account and is permanently deleted within 30 days of account deletion (removed from backups within 90 days). Verification attempt metadata (scores, timestamps, device info) is retained for up to 2 years for fraud prevention, then permanently deleted. You may request deletion of your verification data at any time by contacting privacy@dhabli.com.

Your controls

• Identity Verification is optional. You can use Zod without completing it, though some trust features (e.g., the verified badge and verified-only match filters) will be unavailable.
• You may delete your account at any time from Settings → Account → Delete Account. This permanently removes your selfie and all verification data.
• You may submit a data access or deletion request at any time by contacting privacy@dhabli.com.
• If you are an EU/UK resident, you may exercise your GDPR rights (access, rectification, erasure, portability, restriction) by visiting our GDPR page or contacting our DPO at dpo@dhabli.com.

We use your information for the following purposes, each supported by a lawful basis under applicable law:

To operate and improve the Service

• Create and manage your account
• Power our AI compatibility engine and serve you relevant matches
• Enable communication between matched users
• Process payments and manage subscriptions
• Provide customer support
• Detect and prevent fraud, abuse, and safety violations
• Maintain and improve the security and reliability of the platform

To personalise your experience

• Customise the matches and content shown to you based on your preferences and behaviour
• Show you users in your geographic area using your location data
• Remember your settings and preferences across sessions

To communicate with you

• Send transactional notifications (new matches, messages, account activity)
• Deliver safety alerts and account security notifications
• Send product updates and feature announcements (you can opt out at any time)
• Send marketing communications where you have opted in

To comply with legal obligations

• Respond to lawful requests from courts, law enforcement, and regulators
• Enforce our Terms of Service and Community Guidelines
• Maintain records as required by applicable law

What we do NOT do with your data

• We do not sell your personal data to third parties
• We do not display third-party advertising within the app
• We do not use your face data or biometric data for advertising or marketing profiling
• We do not use your data to train external AI models without your explicit consent
• We do not share your precise location with other users — only city-level location is shown

With other users

Information you add to your public profile (photos, bio, age, city, interests) is visible to other users in accordance with your privacy settings. Messages you send are visible only to the recipient. Your full name, email, phone number, and verification selfie are never shared with other users.

With service providers

We share data with trusted vendors who help us operate the Service, including:

• AWS Rekognition (Amazon Web Services) — face detection and comparison for identity verification
• DigitalOcean Spaces — cloud object storage for profile photos and verified selfies
• Stripe / Apple Pay — payment processing (PCI-DSS compliant; no card numbers stored by Zod)
• OpenAI Whisper — audio transcription for voice prompts (audio content only)
• Firebase (Google) — push notifications
• Analytics providers — anonymised usage analytics
• Customer support platforms — support ticket management

All vendors are bound by data processing agreements and may only use your data to provide services to us.

For safety and legal reasons

• To comply with a legal obligation, court order, or government request
• To investigate potential violations of our Terms of Service
• To protect the safety of our users or the public
• To enforce our rights or defend against legal claims

Business transfers

If Zod is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

Aggregated and anonymised data

We may share aggregated, anonymised statistics (e.g. "millions of users across 120+ countries") publicly or with partners for research and marketing purposes. This data cannot be used to identify you.

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specific retention periods:

• Active account data: retained for the lifetime of your account plus 30 days after deletion request
• Messages: retained for 12 months from the date sent, then automatically deleted from our servers
• Verified selfie photographs: retained for the lifetime of your account; permanently deleted within 30 days of account deletion and removed from backups within 90 days — see the Biometric and Verification Data section for full details
• Government ID images: deleted within 24 hours of a verification result (pass or fail); only the pass/fail outcome and similarity score are retained in the attempt record
• Verification attempt records (metadata only, no selfie): retained for up to 2 years for fraud prevention, then permanently deleted
• Payment records: retained for 7 years to comply with financial regulations
• Safety-related data (reports, ban records): retained for up to 5 years to prevent re-registration by banned users
• Log data and analytics: retained for up to 90 days in identifiable form, then anonymised indefinitely
• Deleted profile data: purged from live systems within 30 days and from backups within 90 days

You can delete your account at any time from Settings → Account → Delete Account. Deletion is permanent and irreversible.

Depending on your location, you may have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure ('right to be forgotten'): request deletion of your personal data, including your verified selfie and verification records
• Right to portability: receive your data in a structured, machine-readable format
• Right to restriction: ask us to limit how we process your data in certain circumstances
• Right to object: object to processing based on legitimate interests or direct marketing
• Rights related to automated decision-making: you have the right not to be subject to decisions based solely on automated processing that significantly affects you
• Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, go to Settings → Privacy, or contact our Privacy Team at privacy@dhabli.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

If you are a resident of the European Economic Area, see our GDPR page. If you are a California resident, see our CCPA page.

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• All data in transit is encrypted using TLS 1.3
• Data at rest is encrypted using AES-256
• Verified selfie photographs are stored in private, access-controlled storage buckets — not publicly accessible
• Messages are end-to-end encrypted — not even Zod can read them
• Passwords are hashed using bcrypt with a minimum work factor of 12
• We conduct regular third-party penetration testing and security audits
• Access to production systems is restricted to authorised personnel and requires multi-factor authentication
• We operate a responsible disclosure programme for security researchers

Despite our efforts, no transmission over the internet or electronic storage is completely secure. If you suspect a security issue, please contact security@dhabli.com immediately.

Zod is a global service. Your data may be processed in countries other than your own, including the United States, United Kingdom, and European Union. Verification selfies are processed by AWS Rekognition in the us-east-1 (N. Virginia) region and stored on DigitalOcean Spaces infrastructure. When transferring data from the EEA or UK to countries not deemed adequate by the European Commission, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA)
• Binding Corporate Rules where applicable
• Your explicit consent for specific transfers

You can request a copy of the safeguards we rely on by contacting privacy@dhabli.com.

All users are required to confirm their age during registration. Our face-detection pipeline uses age estimation to flag potential underage users, and these accounts are immediately suspended pending manual review.

If you believe a minor has registered on Zod, please report it immediately to safety@dhabli.com.

For privacy-related questions, requests, or complaints, please contact our Privacy Team:

We have a dedicated Data Protection Officer (DPO) for EU/UK users. You may contact our DPO directly at dpo@dhabli.com.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact your local supervisory authority.