1. Who we are
This Privacy Policy describes how Zlash (operated by GSS Group of Companies, an Indian unincorporated entity, hereinafter "Zlash", "we", "us") processes the personal data of users ("you", the "Data Principal" under the Digital Personal Data Protection Act, 2023 — "DPDPA") of the Zlash website at zlash.ai and the Zlash mobile application (collectively, the "Service").
For the purposes of DPDPA 2023, Zlash is the Data Fiduciary in respect of the personal data described in this policy. We process personal data of Data Principals located in India only.
2. Categories of personal data we process
We process the following categories of personal data. The specific items listed under each category are exhaustive — anything not listed here is not processed.
2.1 Account data
- Email address (from Google or Apple OAuth, or a debug-only password sign-in we use internally during development)
- OAuth subject identifier (used to bind your sign-in to your Zlash account)
- Display name (only if you elected to share it via Google / Apple)
- Account approval status (pending / approved / rejected)
- Account creation timestamp
2.2 Wallet metadata
When you select your payment instruments in the Wallet picker, we store only the bank name and the card type (credit / debit / UPI / EMI / BNPL). For example: { bank: "HDFC", card_type: "credit" }.
We do not collect, store, transmit, request, or have any way to read: your card number (PAN), CVV, expiry date, card name, billing address, OTP, UPI PIN, mobile number used for OTP, or any other field that could be used to charge or re-issue your card. Wallet metadata is the bare minimum needed to compute which published card-linked offers apply to you.
2.3 Search and usage data
- Search queries you submit (e.g. "iPhone 15 Pro 256 GB")
- Pincode you optionally provide for delivery-eligibility checks (the pincode itself; never your full address)
- Anonymous session and request identifiers (UUIDs) used to correlate streaming events for a single search
- Click-out events when you tap "Visit" on a merchant — we record the merchant identifier and your effective price rank for ranking-quality feedback only; we do not follow you to the merchant or receive their order data
- App version, OS version, device model — used to gate force-update flows and reproduce bug reports
2.4 Diagnostics and telemetry
Only when you grant the corresponding consent toggle:
- Crash reports (consent: "Crash reports") — stack traces and the breadcrumb sequence leading to the crash. We disable screenshot attachment, view-hierarchy capture, and we strip user email and IP address from crash events before they leave your device. Sent to Sentry.
- Anonymous analytics (consent: "Anonymized analytics") — event names like
search.submitted,wallet.saved,search.matrix_rendered, with no personal identifiers attached. Sent to PostHog.
Both flows fail closed — if the consent toggle is off, we do not initialise the relevant SDK and no events leave your device.
2.5 Device integrity tokens
Before sensitive actions such as saving wallet metadata, our app may request a Play Integrity token (Android) or an App Attest assertion (iOS). The token is a short-lived, single-use cryptographic claim that does not contain personal data. We forward it to our server which verifies it with Google or Apple to confirm the request comes from a genuine, unmodified Zlash app on a genuine device. Tokens are not stored after verification.
2.6 Payments
Zlash Price Intelligence does not process payments and does not collect payment instrument data. When you choose to buy a product, you leave Zlash and complete payment directly on the merchant's website or app. Zlash does not receive payment identifiers, settlement status, card numbers, UPI IDs, CVV, OTP, or UPI PIN.
2.7 What we explicitly do not collect
- Card numbers, CVV, expiry, OTP, UPI PIN — see §2.2
- Aadhaar number, PAN number, voter ID, passport number, or any government identifier
- Biometric data (face, fingerprint, voice) — even when you use biometric unlock on your device, the biometric never leaves your device's secure enclave
- Precise geolocation (lat/long) — we use pincode only, and only when you supply it
- Contact list, photos, calendar, SMS, call logs, microphone
- Children's data — Zlash is not directed at and may not be used by anyone under 18 (see §10)
3. Purposes for which we process your data
DPDPA 2023 §6 requires us to specify the purpose for each processing activity and obtain free, specific, informed, unconditional, and unambiguous consent for each. The granular consent toggles you see during onboarding map to the purposes below:
| Purpose | Legal basis (DPDPA) | Withdrawal effect |
|---|---|---|
| Provide the Service (account, search, wallet calibration) | Consent + performance of contract | Equivalent to closing your account |
| Anonymous product analytics | Consent (granular toggle) | No new events; existing aggregates retained |
| Crash diagnostics | Consent (granular toggle) | No new crash events captured |
| Marketing communications | Consent (granular toggle) | Removal from mailing list within 7 days |
| Fraud prevention, integrity attestation, abuse rate-limiting | Legitimate use (DPDPA §7(c)) | N/A — consent not required |
| Legal compliance (court orders, regulatory requests) | Legitimate use (DPDPA §7(b)) | N/A — consent not required |
4. Who receives your data
We share your personal data only with the following categories of recipients ("Data Processors" under DPDPA), and only to the extent necessary to provide the Service:
- Supabase, Inc. — managed Postgres database + authentication backend. Hosted in the AWS Mumbai (ap-south-1) region. Account data, wallet metadata, and search history are stored here.
- Sentry (Functional Software, Inc.) — crash and error monitoring. Used only when you grant the "Crash reports" consent. EU/US tenant. PII stripped before transmission.
- PostHog Inc. — product analytics. Used only when you grant the "Anonymized analytics" consent. EU tenant (eu.i.posthog.com).
- Google LLC — Play Integrity API attestation, Google Sign-In.
- Apple Inc. — App Attest, Sign in with Apple.
- Anthropic, OpenAI, Replicate, Tinyfish, and other AI providers — used to classify your search query into a product intent, structure the search plan across merchants, and (in the case of Tinyfish) extract live prices from merchant pages. Only your search query string and de-identified intent fields are sent. No account data, wallet metadata, or persistent identifiers are sent to these providers. We do not authorise any of these providers to use your queries to train their models.
- Cloudflare, Inc. — CDN and DDoS protection. Processes request metadata (IP address, user agent) for security and routing only. Logs retained for 30 days.
- Indian governmental authorities — only when we are legally required to disclose (court order, RBI / SEBI / TRAI / IT Ministry directive). We notify you of such disclosure unless legally prohibited.
We do not sell, rent, lease, barter, or otherwise transfer your personal data to third parties for their own marketing purposes, and we do not place your data on any "data marketplace".
5. Cross-border data transfers
Your account data, wallet metadata, and search history are stored in the AWS Mumbai (ap-south-1) region operated by Supabase. They do not leave India for primary storage.
The following processors operate in jurisdictions outside India:
- Sentry — United States and European Union
- PostHog — European Union (Frankfurt)
- Google, Apple — United States and European Union
- AI providers (Anthropic, OpenAI, etc.) — United States primarily
Cross-border transfer is currently permitted under DPDPA 2023 §16 unless the destination country has been notified by the Central Government as restricted. As of the date of this policy, no such restriction list has been notified. We will re-assess and, if necessary, restrict transfers within 30 days of any such notification taking effect.
6. How long we keep your data
- Account data — until you delete your account (see §7), then a 30-day grace period during which sign-in restores it, then permanent erasure within 7 days of grace expiry.
- Wallet metadata — until you remove it from the Wallet picker, or until account deletion. No backup retention beyond the 30-day Supabase WAL window.
- Search history — locally on your device only (the last 5 queries). Not retained on our servers beyond the SSE session.
- Click-out events + ranking feedback — 90 days at full fidelity, then aggregated into per-merchant counters with no user link.
- Crash diagnostics — 90 days in Sentry, then auto-deleted.
- Anonymous analytics — 12 months in PostHog at event level, then aggregated.
- Consent audit log — 7 years (regulatory requirement to prove we had your consent at the time we processed your data).
- Financial records (post-v2 payments) — 8 years (Income Tax Act §44AA, GST Act §36).
7. Your rights as a Data Principal
DPDPA 2023 §11–14 grants you the following rights. We honour requests within the 30-day window mandated by the Act.
- Right to access — receive a summary of the personal data we process about you, the recipients with whom we have shared it, and the purposes. In-app: Settings → Privacy & data → Export my data.
- Right to correction and erasure — correct inaccurate data, or erase data that is no longer necessary for the purpose for which it was collected. In-app: Settings → Privacy & data → Delete my account (initiates a 30-day erasure with grace period).
- Right to grievance redressal — escalate issues with how we have handled your data. Contact our Grievance Officer (§13) directly.
- Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity. Contact the Grievance Officer (§13) to record a nomination.
- Right to withdraw consent — withdraw any consent you have given, with the same ease as you gave it. In-app: Settings → Privacy & data → individual toggles.
When our in-app DSAR endpoints are temporarily unavailable, the in-app flow falls back to email — sending us a request at gss@zlash.ai will start the same 30-day clock.
8. How we protect your data
- All traffic between your device and our servers is encrypted in transit using TLS 1.2 or higher with strong cipher suites.
- Our mobile app pins the TLS certificate of
api.zlash.aiwith a primary and backup public-key hash, so a network attacker presenting a fraudulent certificate cannot intercept traffic even if they have installed a root CA on your device. - Wallet metadata and authentication tokens on your device are stored in the iOS Keychain or Android EncryptedSharedPreferences (hardware-backed where supported). On first launch we wipe any keychain entries from a prior install of the same bundle id, so an uninstall is a true uninstall.
- Our Android APK signing certificate is verified at startup against an anti-tamper pin baked into the build, so a re-packaged or re-signed APK from an unofficial source will refuse to perform sensitive actions.
- Server-side, your data sits in a Postgres database with row-level security policies (RLS) such that your account can only read its own rows — even a SQL injection in our application code cannot expose another user's data.
- Production secrets are managed in a secure secret store and rotated annually or on suspicion of exposure, whichever is sooner.
- We commission an independent penetration test prior to public release and annually thereafter.
9. Personal data breach notification
In the event of a personal data breach affecting your data, we will notify the Data Protection Board of India and you, the affected Data Principal, in accordance with DPDPA 2023 §8(6) and the timelines specified by the Board (currently expected to be within 72 hours of detection). Our notification will describe the nature of the breach, the categories of data and approximate number of Data Principals affected, the likely consequences, and the measures we have taken or propose to take.
10. Children
Zlash is intended for users 18 years of age and older. We do not knowingly process the personal data of children. The first-launch consent gate requires you to confirm that you are 18+ before any data processing begins. If we discover that we have inadvertently collected personal data of a child without verifiable parental consent, we will delete it without delay. If you believe a child has provided personal data to us, please contact the Grievance Officer (§13).
12. Mobile app permissions
The Zlash mobile app requests the following operating-system permissions:
- Internet — required to fetch live prices.
- Notifications (post-launch, optional) — only used to alert you about price drops on items you have explicitly added to a watchlist.
We do not request location, camera, microphone, contacts, photos, calendar, SMS, or call logs.
13. Grievance Officer and Data Protection Officer
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and DPDPA 2023, we have designated a Grievance Officer to address your concerns:
Grievance Officer: Gantavya Singh Shekhawat
Email: gss@zlash.ai
Address: GSS ATTRACTIVES, Mumbai — 400057, India
Response time: Acknowledged within 24 hours, resolved within 15 days as required by IT Rules 2021.
For privacy-specific concerns under DPDPA 2023, you may also write to our Data Protection Officer at gss@zlash.ai.
If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India at the address notified by the Ministry of Electronics and Information Technology.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email and via an in-app banner at least 7 days before the new version takes effect, and we will record the date of change at the top of this page. Your continued use of the Service after a material change becomes effective constitutes your acceptance, except where the change requires fresh consent under DPDPA — in which case we will re-prompt you for that consent.
15. Contact us
For any privacy-related question:
- Privacy and DSAR requests: gss@zlash.ai
- Grievance Officer: gss@zlash.ai
- General support: gss@zlash.ai