Privacy Policy for Zimmify
Effective Date: October 27, 2025
Last Updated: December 6, 2025
This Privacy Policy describes how Zimmify Private Limited ("we," "us," "our," or "Service Provider") collects, uses, stores, and protects your personal information when you use the Zimmify mobile application (the "Application" or "App") for iOS devices. This Application is provided as a commercial service on an "AS IS" basis.
By using the Application, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Application.
1. Information We Collect
1.1 User-Provided Information
When you register and use the Application, we may collect the following information that you provide directly:
- Account Information: Email address, password (encrypted), name (when using Sign in with Apple or Google), and authentication credentials
- Music Library Data: Song titles, artist names, album information, playlist names, and music metadata from your Apple Music library or local device library
- Context Data for Recommendations:
  - Mood data from our interactive mood selector
  - Photos and images you choose to analyze for context
  - Voice recordings when using voice input features
  - Text descriptions of your mood, activities, or music preferences
- Music Listening Behavior: Extensive play history, queue history, playback positions, and song preferences
- User Preferences: App settings, notification preferences, and customization choices
- Communications: When you contact us for support, feedback, or inquiries
1.2 Automatically Collected Information
We automatically collect certain information when you use the Application:
- Device Information: Device type, model, operating system version, unique device identifiers (UDID), mobile network information
- Usage Data: App features used, session duration, interaction patterns, error logs, performance data
- Technical Data: IP address, browser type, timezone, language preferences
- Authentication Tokens: Session tokens, refresh tokens for maintaining your logged-in state
1.3 Apple Music Integration
With your explicit permission, we access your Apple Music library through MusicKit and MediaPlayer frameworks to:
- Read your music library catalog (songs, artists, albums, playlists)
- Enable music playback within the Application
- Create personalized recommendations from your existing library
We do NOT access your Apple ID password or payment information.
We do NOT modify or delete your Apple Music library.
1.4 Location Information
We do NOT collect precise real-time location data. The Application does not track or store your geographic location.
1.5 Biometric Data
If you use Sign in with Apple or Google with Face ID, Touch ID, or other biometric authentication enabled on your device, biometric authentication is handled entirely by Apple's or Google's systems. We do not collect, store, or process any biometric data. Authentication is managed through secure tokens provided by the authentication provider.
2. How We Use Your Information
We use the collected information for the following purposes:
2.1 Providing Our Service
- Deliver personalized music recommendations based on your context and mood
- Enable music playback and manage your listening experience
- Maintain your account, preferences, and listening history
- Restore your playback state when you return to the app
2.2 Processing Your Context
- Analyze the mood, photos, voice input, and text you provide to understand your musical preferences
- Process your music library to generate personalized recommendations
- Match your context with songs from your personal library
2.3 Account & Authentication
- Create and secure your user account
- Manage sign-in and authentication
- Support guest mode and account features
- Enable Sign in with Apple and Google for easy authentication
2.4 Service Improvement
- Improve recommendation quality and accuracy
- Develop new features and enhance user experience
- Monitor and maintain service performance and security
- Prevent fraud, abuse, and unauthorized access
2.5 Communication
- Send important service notifications and updates
- Respond to your support requests and inquiries
- Send promotional communications (with your consent, where required by law)
- Notify you of changes to our services or policies
3. Third-Party Services and Data Sharing
We use trusted third-party services to operate the Application. Your information may be shared with:
3.1 Cloud Infrastructure Providers
- Amazon Web Services (AWS): For hosting, authentication, data storage, and backend services. Data is stored in AWS data centers in the United States.
- Firebase (Google): For crash analytics, performance monitoring, and app stability diagnostics. Crash reports and performance data help us identify and fix issues.
3.2 Artificial Intelligence Services
We use AI service providers to power our recommendation engine. Your context data, photos, voice input, and music library information may be processed by these services to generate personalized recommendations.
Current AI Providers (as of December 2025):
We may use additional AI providers such as xAI (Grok) or similar services. We may also use database services from providers like Pinecone, Weaviate, Qdrant, or similar providers to support our recommendation system.
We may change service providers without prior notice. All providers are contractually obligated to protect your data and comply with applicable privacy laws.
3.3 Authentication Services
- Apple Music/MusicKit: For music playback and library access in accordance with Apple's Privacy Policy
- Sign in with Apple: For OAuth authentication in accordance with Apple's Privacy Policy
- Google Sign-In: For OAuth authentication in accordance with Google's Privacy Policy
- Speech Recognition: For converting voice input to text (processed on-device when possible)
3.4 Data Sharing Principles
We share your information with third parties only:
- To provide and improve the Application's core functionality
- With service providers bound by strict confidentiality agreements
- When we have obtained your explicit consent
- To comply with legal obligations (see Section 3.6)
We do NOT:
- Sell your personal information to third parties
- Share your data for third-party advertising purposes
- Use your music library data for purposes unrelated to recommendations
- Share your photos, voice recordings, or mood data beyond what's necessary for AI processing
- Use your data to train third-party AI models (we use API-only services)
3.5 Payment and Subscription Services
- RevenueCat: For subscription management, in-app purchase handling, and purchase analytics. RevenueCat may collect purchase history, subscription status, and transaction data to manage your subscriptions. See RevenueCat's Privacy Policy.
3.6 Legal Disclosure
We may disclose your information when required by law or when we believe in good faith that disclosure is necessary to:
- Comply with legal obligations, court orders, or subpoenas
- Protect our rights, property, or safety, or that of our users or the public
- Investigate fraud, security breaches, or violations of our Terms & Conditions
- Respond to government requests or law enforcement inquiries
4. International Data Transfers
Zimmify operates globally, and your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States.
These countries may have data protection laws that differ from your home country. When we transfer your information internationally, we implement appropriate safeguards including:
- Standard Contractual Clauses approved by the European Commission (for EEA users)
- AWS's data protection commitments and certifications
- Encryption in transit and at rest
- Access controls and security measures compliant with international standards
By using the Application, you consent to the transfer of your information to the United States and other countries for processing and storage.
5. Data Security
We take the security of your information seriously and implement industry-standard security measures:
5.1 Technical Safeguards
- Encryption: Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
- Authentication: Passwords are hashed using industry-standard algorithms; we never store plain-text passwords
- Secure APIs: All API communications use HTTPS with certificate pinning
- Access Controls: Role-based access control (RBAC) limits employee access to user data
- AWS Security: We leverage AWS security features including IAM policies, VPC isolation, and security groups
5.2 Organizational Safeguards
- Regular security audits and vulnerability assessments
- Employee training on data protection and privacy
- Confidentiality agreements with all service providers
- Incident response procedures for data breaches
5.3 Your Responsibility
- Keep your account credentials confidential
- Use a strong, unique password
- Do not jailbreak or root your device, as this compromises security
- Keep your device's operating system and the Application updated
No Absolute Security: While we implement robust security measures, no system is completely secure. We cannot guarantee the absolute security of your information.
6. Data Retention
We retain your information for different periods depending on the type of data:
6.1 Active Account Data
- Account Information: Retained while your account is active plus 90 days after account deletion
- Music Library Data: Retained while your account is active plus 30 days after account deletion
- Play History and Preferences: Retained while your account is active plus 30 days after deletion
- Photos and Voice Recordings: Deleted immediately after AI processing is complete; not stored permanently
- Mood Data: Retained while your account is active plus 30 days after deletion
6.2 Automatically Collected Data
- Usage Analytics: Retained in aggregated, anonymized form for up to 24 months
- Error Logs: Retained for 90 days for debugging and service improvement
- Security Logs: Retained for 12 months for fraud prevention and security purposes
6.3 AI-Generated Data
- Processed Music Data: Cached to improve performance; anonymized and not linked to specific users when possible
- Recommendation Data: Retained while your account is active plus 30 days after deletion
6.4 Legal Compliance
We may retain certain information beyond these periods when required by law, to resolve disputes, enforce our agreements, or for legitimate business purposes.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
7.1 General Rights (All Users)
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information ("Right to be Forgotten")
- Data Portability: Request a copy of your data in a structured, machine-readable format
- Opt-Out: Unsubscribe from marketing communications at any time
7.2 Additional Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict: Request restriction of processing in certain circumstances
- Right to Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
- Automated Decision-Making: Our AI recommendations are automated; you can request human review by contacting us
7.3 California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request details about the personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not "sell" personal information as defined by CCPA
- Right to Non-Discrimination: You will not be discriminated against for exercising your rights
- Right to Correct: Request correction of inaccurate information
- Right to Limit Sensitive Data Use: Limit use of sensitive personal information (voice, photos)
7.4 Other Jurisdictions
Users in other jurisdictions may have similar rights under local data protection laws. Contact us to inquire about your specific rights.
7.5 Exercising Your Rights
To exercise any of these rights, please contact us at contact@zimmify.com with the subject line "Privacy Rights Request." We will respond within:
- 30 days for general requests
- One month for GDPR requests (extendable by two additional months for complex requests)
- 45 days for CCPA requests (extendable by an additional 45 days)
We may request verification of your identity before processing your request to ensure security.
8. Children's Privacy
The Application is not intended for children under the age of 13.
- We do not knowingly collect personal information from children under 13
- If you are under 13, please do not use the Application or provide any information
- Parents and guardians: Please monitor your children's use of mobile applications
- If we discover we have collected information from a child under 13, we will delete it promptly
- If you believe a child under 13 has provided information to us, contact us at contact@zimmify.com
8.1 Age Verification
- Users must be at least 16 years old to consent to data processing in the EEA/UK
- Users aged 13-15 in the EEA/UK require parental consent
- By using the Application, you represent that you meet the minimum age requirements
8.2 Parental Controls
Parents can use device-level parental controls provided by Apple to restrict app usage and permissions for minors.
9. Cookies and Tracking Technologies
The Application does not use cookies directly, as it is a native mobile application. However, we use similar tracking technologies:
9.1 Local Storage
- We store app preferences, settings, and user configurations on your device
- We cache music information and playback history locally for improved performance
- We store artwork and temporary data on your device to reduce data usage
9.2 Analytics
- We collect usage analytics to improve the Application's performance and features
- Analytics data is aggregated and anonymized where possible
- You cannot currently opt out of analytics, but we minimize data collection to essential metrics
9.3 Third-Party SDKs
- We use third-party software development kits (SDKs) for cloud services, authentication, and backend communication
- These SDKs may collect device and usage information as described in their respective privacy policies
10. Automated Decision-Making and AI Processing
Our Application uses artificial intelligence and automated processing for music recommendations:
10.1 How It Works
- Your context data (mood, photos, voice, text) is analyzed by AI models to understand musical preferences
- Your music library is analyzed and processed to enable personalized recommendations
- Recommendations are generated automatically by matching your context to music in your library
- No human review is involved in the recommendation process
10.2 Your Rights
- You have the right to object to automated decision-making (GDPR users)
- You can request human intervention or review of AI-generated recommendations
- You can challenge recommendations and request explanation by contacting us
10.3 Limitations
- AI recommendations are suggestions only; you control what music you play
- Recommendations may not always be accurate or reflect your preferences
- AI-processed music information may contain errors or inaccuracies
11. Data Breach Notification
In the event of a data breach that affects your personal information:
- We will notify affected users within 72 hours of discovering the breach (as required by GDPR)
- Notification will be sent to the email address associated with your account
- We will provide information about the nature of the breach, affected data, and steps we're taking
- We will notify relevant data protection authorities as required by law
- We will provide guidance on steps you can take to protect yourself
12. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Our Application does not currently respond to DNT signals, as there is no universally accepted standard for mobile applications. We collect only the information necessary to provide our services as described in this Privacy Policy.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
- We will notify you of material changes by posting the updated policy within the Application
- For significant changes, we may also send you an email notification (if you have provided an email address)
- The "Last Updated" date at the top of this policy will be revised
- Your continued use of the Application after changes constitutes acceptance of the updated Privacy Policy
- We encourage you to review this Privacy Policy periodically
14. Your Consent
By using the Application, you consent to:
- The collection, use, and processing of your information as described in this Privacy Policy
- The transfer of your information to the United States and other countries
- The use of third-party AI and database services to process your data
- The storage of your information on cloud infrastructure
"Processing" includes collecting, storing, using, combining, analyzing, deleting, and disclosing information in any manner.
You may withdraw your consent at any time by:
- Deleting your account through the Application settings
- Contacting us at contact@zimmify.com to request account deletion
- Uninstalling the Application from your device
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Zimmify Private Limited
NO 8, APT# 001 "OYSTERS HIMANSHU"
NAGAWARA CIRCLE, THANISANDRA MAIN ROAD
BANGALORE-45, KARNATAKA, INDIA
Email: contact@zimmify.com
Privacy Rights Requests: Use subject line "Privacy Rights Request"
Data Protection Officer: contact@zimmify.com
For EEA/UK Users: If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
For California Residents: You may contact us at the email above regarding CCPA requests.
16. Opt-Out Options
You can opt out of certain data collection and processing:
16.1 Complete Opt-Out
- Uninstall the Application from your device to stop all data collection
- Delete your account to remove stored data from our servers
16.2 Selective Opt-Out
- Photo Analysis: Do not grant photo library permissions or do not use the photo recommendation feature
- Voice Input: Do not grant microphone permissions or do not use voice input features
- Marketing Communications: Adjust notification preferences in app settings or unsubscribe from emails
- Apple Music Access: Revoke MusicKit permissions in iOS Settings > Privacy > Media & Apple Music
16.3 Guest Mode
- Use the Application in guest mode for limited functionality without creating an account
- Guest mode provides basic features without AI-powered recommendations
- Less data is collected in guest mode (no account information, no backend sync)
17. Third-Party Links
The Application integrates with third-party services including but not limited to cloud infrastructure providers (AWS), authentication providers (Apple, Google), AI service providers (OpenAI, Google, Anthropic, xAI, Perplexity, or similar), database service providers (Pinecone, Weaviate, Qdrant, or similar), and Apple Music. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies:
The specific third-party services we use may change over time. Please refer to Section 3 for our current service providers.
This Privacy Policy was last updated on December 6, 2025.
© 2025 Zimmify Private Limited. All rights reserved.