Privacy Policy
Effective date: 26 May 2026 · Version: 2026-05-26-v1 · Last updated: 26 May 2026
1. Who we are
This privacy policy explains how Brownshade Studio ("Zuzu", "we", "us" or "our") collects, uses, stores, shares and protects your personal data when you use the Zuzu mobile application ("the App") on Android.
For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary. You are the Data Principal.
If you are under 18 years of age, you must not use Zuzu. The App enforces an 18-plus age affirmation at sign-in.
2. What this policy covers
This policy covers personal data collected through the Zuzu Android app. It does not cover websites or services operated by third parties (e.g. your UPI app), or any personal data you give us outside the App (e.g. support emails).
3. What we collect, and why
3.1 From your Google account, on sign-in
- Full name — shown to other members in groups you join.
- Email address — used as your unique account identifier.
- Profile photo URL — shown next to your name in groups and activity.
- Phone number — only if your Google account exposes one. Stored privately, never shown to other users.
3.2 Information you give us directly
- UPI ID — optional. Stored on your profile so other group members can pay you. When someone taps "Pay via UPI" in Zuzu, your UPI ID is used to construct a upi://pay intent on their device. Zuzu never processes or sees the payment itself — the transaction happens entirely inside the payer's UPI app.
- Group data — group name, member list, group creator.
- Expense data — title, amount, currency, who paid, how it is split, category, date.
- Settlement data — who paid whom, how much, in which group, status.
- Activity log entries — generated when you add/edit expenses, settle up, join/leave groups.
- Friends list — bidirectional mirror of users you have added as friends.
3.3 Collected automatically
- FCM device token — for push notifications. Removed immediately when you turn off notifications.
3.4 What we do NOT collect
- No device location, no contacts, no call logs, no SMS, no camera roll, no microphone.
- Camera is used only for QR scanning — no image is stored or uploaded.
- No analytics SDKs, no advertising SDKs, no fingerprinting, no third-party tracking.
4. How we use your data
| Purpose | Data used |
| --- | --- |
| Authenticate you | Google name, email, photo URL |
| Show group expenses and balances | Name, photo URL, expense + settlement data |
| Help you pay via UPI | Recipient's UPI ID only, at the moment you tap Pay |
| Send push notifications | FCM token, group membership, expense/settlement events |
| Friend search | Name (visible to signed-in users). Phone is never used for search and is never shown to other users. |
| Home-screen widget | Group + balance data, locally on your device |
| Support & grievance | Email and details you choose to include |
We do not profile you, train models on your data, sell your data, or share it with advertisers.
5. Where your data is stored
- Cloud Firestore — provisioned in asia-south1 (Mumbai, India). Your structured data is stored in India.
- Firebase Authentication — managed by Google on global infrastructure.
- Firebase Cloud Messaging — Google's global messaging service.
- Cloud Functions — our notification function runs in asia-south1.
- On your device — notification toggle, PIN hash, biometric toggle, home-screen widget data. None is transmitted by Zuzu.
6. Sharing with third parties
We do not sell or rent your personal data. We share data only with:
- Google LLC — Firebase and Google Sign-In. See policies.google.com/privacy.
- UPI apps on your device — when you tap "Pay via UPI", we pass the recipient's UPI ID, amount and payee name as an Android Intent. Zuzu does not see or store the payment.
We may disclose data if required by law or a binding request from a lawful authority in India.
7. Cross-border transfers
Some Google services (Firebase Authentication, FCM) operate on global infrastructure that may process data outside India. By using Zuzu you consent to such transfers, subject to Google's contractual safeguards.
8. How long we keep your data
- Active account — kept for as long as your account exists.
- After account deletion — your profile, FCM tokens, friends list and solo groups are deleted. In shared groups, your identifier is replaced with deleted_user.
- Push tokens — removed immediately when you disable notifications, sign out, or delete your account.
9. Your rights under the DPDP Act, 2023
Email ceo.bigai@gmail.com from your registered email to exercise any right:
- Right to access — request a copy of data we hold about you.
- Right to correction and erasure — correct data via Profile, or request in writing. For full erasure use Profile → Delete Account.
- Right of grievance redressal — we acknowledge within 7 days and respond within 30 days. Unresolved complaints may go to the Data Protection Board of India.
- Right to nominate — email us to register a nominee.
- Right to withdraw consent — see §10.
We do not charge a fee to exercise any of these rights.
10. Withdrawing your consent
- Push notifications — toggle off in Profile → Notifications. FCM token removed immediately.
- All data processing — use Profile → Delete Account.
- Everything else — email ceo.bigai@gmail.com.
11. Security
- All communication with Firebase uses TLS (HTTPS).
- Encryption at rest via Google Cloud infrastructure.
- Firestore Security Rules enforce owner-only access for private fields.
- Optional PIN (SHA-256 hashed) and biometric lock in Settings → Security.
- Sign-in is via Google only — we never see your Google password.
12. Children's data
Zuzu is for adults only. You must be at least 18 years old. We do not knowingly process data of anyone under 18. If you believe a minor has registered, email ceo.bigai@gmail.com.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, the App will re-prompt you for consent at next launch. The current version is 2026-05-26-v1.
14. Contact us