What we collect.
Which is, mostly, nothing.

What we collect

Zodian is designed to work without an account. Here is the entire picture of personal data the app and website touch:

We do not collect: contacts, photos, microphone audio, calendar events, SMS, browsing history, advertising IDs, IP-based location history, biometric data, payment data, or precise real-time location.

How we use what we have

To make the app work — show you charts, calendars, rasi palan, horai and temple guides — and to fix it when it breaks. We do not profile you, target ads, build inferences about you, or feed your data into AI training. We do not use your data for any purpose beyond what this policy lists.

Lawful basis (GDPR / UK GDPR)

Where the EU or UK GDPR applies, we rely on the following legal bases:

• Consent (Art. 6(1)(a)) — for optional features such as cross-device cloud sync, location auto-fill, push notifications, and crash reporting. You can withdraw consent at any time in app settings or via your OS, and we will stop the relevant processing.
• Performance of a contract (Art. 6(1)(b)) — to deliver the app's core functionality you have asked us to provide.
• Legitimate interests (Art. 6(1)(f)) — to keep the app secure and functional, including aggregate, anonymous crash analysis and basic abuse prevention on the sync service. We balance this against your rights and only use the minimum data necessary.

Birth data (date / time / place of birth) may be considered culturally or religiously sensitive in some jurisdictions. When you opt in to cloud sync, an encrypted copy is stored in our Firebase project; otherwise it never leaves your device.

Permissions Zodian asks for

Each permission is optional. The app works without any of them granted; toggling them off does not disable core functionality.

Device identifiers & tracking

We do not collect, read or transmit Apple's IDFA (Identifier for Advertisers), Google's Advertising ID (AAID/GAID), the Android ID, or any cross-app tracking identifier. We do not participate in Apple's App Tracking Transparency (ATT) framework because we do not track you across other companies' apps and websites — there is nothing to ask permission for. We do not use device fingerprinting.

Third parties (sub-processors)

The smallest list we could keep. Every entry is necessary for the feature it powers; nothing here is used for marketing or advertising.

• Google Firebase — Firestore, Authentication, Cloud Functions (Google LLC, US). Powers cross-device sync. When you turn sync on, your birth profiles and preferences are sent over TLS and stored in Firestore, encrypted at rest using Google-managed keys. Sign-in is via Apple ID or Google — we never see your password. You can disable sync and delete your synced copy from inside the app at any time. Firebase is governed by Google's Data Processing & Security Terms; Google does not access your Zodian data for advertising.
• Sentry (EU region) — for crash and performance logs you can disable in Settings → Privacy → Diagnostics. Includes anonymized stack traces, app version, OS version, device model. No personal data.
• Resend (US) — only used to deliver email you send us via the support form (and our reply). Stores message contents until we mark it processed.
• Vercel — hosts zodian.app (this website). Standard edge-server access logs (IP, user-agent, requested path) are retained per Vercel's policy and are not joined to any in-app data.
• Apple App Store & Google Play — for app distribution, aggregate download analytics, and crash reports surfaced by the platform. Anonymous and aggregate.
• Namecheap — domain registrar for zodian.app.

That is it. No Facebook SDK, no Google Analytics for Firebase advertising, no AppsFlyer, no Mixpanel, no Branch, no Amplitude, no Adjust, no Singular.

International data transfers

The Zodian team operates from Chennai, India. The data that leaves your device is processed by sub-processors located in:

• United States — Google (Firebase / Firestore / Authentication, default multi-region) and Resend.
• European Union — Sentry.
• Global edge network — Vercel.

For users in the EU, UK or India: where personal data is transferred outside your jurisdiction, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, Google's Data Processing & Security Terms, or the equivalent cross-border-transfer mechanism recognised by Indian law under §16 of the DPDP Act 2023, as applicable. You may request a copy of the relevant contract by writing to us.

Data retention

Security

On-device data is stored using platform-native secure storage (iOS Keychain / Android Keystore), encrypted at rest by the operating system. Synced data is transmitted over TLS 1.2+ and stored encrypted at rest in Google Firestore using Google-managed keys; access is restricted by per-user Firestore security rules so one user cannot read another's data. Authentication is delegated to Apple and Google so your password never reaches us.

We do not currently apply additional client-side end-to-end encryption on top of Google's storage encryption — Google can technically decrypt your synced data on their infrastructure, but does not access it for advertising, profiling, or any purpose other than running the storage service. If you need a stronger threat model, keep sync turned off; on-device data never leaves your phone.

No system is perfectly secure. If you discover a vulnerability, please email security@zodian.app before disclosing publicly. We aim to respond within 72 hours.

Children & COPPA

Zodian is rated 4+ on the App Store and "Everyone" on Google Play, but it is a general-audience app and is not directed to children under 13. We do not knowingly collect personal information from anyone under the age of 13 (or under 16 in jurisdictions where the GDPR digital-consent age is set at 16).

In compliance with the United States' Children's Online Privacy Protection Act (COPPA): if we discover that we have inadvertently collected personal data from a child under 13 without verified parental consent, we will delete it promptly. Parents who believe their child has provided personal data may email privacy@zodian.app and we will delete the data within 7 days.

Parents are welcome to compute charts for their children using their own phones; nothing about the family member's data leaves the device.

Your rights

Wherever you live, you can write to privacy@zodian.app and ask us to access, correct, export or delete the data we hold about you. We aim to respond within 30 days. We will never charge a fee for a reasonable request, and we will not retaliate against you for exercising any of these rights.

EU & UK (GDPR / UK GDPR)

You have the right to access, rectification, erasure (the "right to be forgotten"), restriction of processing, data portability, objection, and not to be subject to solely automated decisions. You may also lodge a complaint with your local supervisory authority (e.g. the Irish Data Protection Commission, the UK ICO).

India (DPDP Act 2023)

As a Data Principal, you have the right to access a summary of your personal data and processing activities, the right to correction and erasure, the right to grievance redressal, and the right to nominate. Our Grievance Officer is listed in §15 below. If your grievance is not satisfactorily resolved you may lodge a complaint with the Data Protection Board of India.

California (CCPA / CPRA)

California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of the sale or sharing of personal information, and to limit our use of sensitive personal information. The categories we collect, in CCPA terminology, are:

• Identifiers — email address (if you contact us, or if provided by Apple/Google when you sign in for sync); Firebase user ID.
• Internet or other electronic network activity — crash reports and aggregate website logs.
• Geolocation data — approximate, used once for birth-city pre-fill if you grant permission. Not stored server-side.
• Sensitive personal information — only if you opt in to cross-device sync. Birth date, time and place may be considered sensitive in your jurisdiction; we use it solely to deliver the core sync feature you have asked for and never for inferring characteristics, marketing, or any other purpose. You may turn sync off and delete the synced copy at any time, which is the CCPA right to limit use of sensitive PI in practice.

We do not sell or share personal information as those terms are defined under the CCPA, and we have not done so in the preceding 12 months. There is therefore no "Do Not Sell or Share My Personal Information" mechanism to enable, but you are welcome to email us to confirm.

We honor Global Privacy Control (GPC) signals at zodian.app. You will not be discriminated against for exercising any CCPA right.

How to exercise any of these rights

Email privacy@zodian.app from the address you used to contact us, or include enough detail to identify the data you are referring to. We will verify your request, respond within 30 days (45 days for CCPA, with possible 45-day extension), and document our response.

Account & data deletion

You only have a Zodian sync account if you turned cross-device sync on. Either way, you can erase every trace of yourself from the app and our infrastructure in under a minute.

• Delete one birth profile. Profiles → swipe the row → Delete. Removed locally immediately and from your synced copy on next sync (or immediately if you are online).
• Reset everything on this device. Settings → Reset all data. Wipes local storage but leaves the cloud copy intact for your other devices.
• Turn off sync. Settings → Sync → Sign out. Stops uploading; your synced copy stays on Firebase for 30 days in case you sign back in, then is auto-deleted.
• Delete sync account + cloud data. Settings → Sync → Delete cloud data & account. We tombstone your Firebase user record and purge all Firestore documents associated with you within 30 days. This satisfies Apple App Review Guideline 5.1.1(v) (in-app account deletion) and Google Play's account deletion requirement.
• Uninstall. Removes everything on this device. Synced data still in Firebase will be auto-deleted after 24 months of inactivity unless you sign in again, but for an immediate purge use the option above first.

You may also email privacy@zodian.app to request deletion of your sync account, support inbox correspondence, or both. Verified requests are completed within 7 days.

Privacy at the App Store & Google Play

The disclosures below mirror what Zodian declares in App Store Connect (Apple Privacy Nutrition Labels) and Google Play Console (Data Safety form). Use this section as a quick cross-reference.

Apple Privacy Nutrition Labels

Google Play Data Safety

All data is encrypted in transit. You can request deletion of any data we hold by emailing privacy@zodian.app — see §11 and §12.

This privacy policy is also linked from inside the Zodian app at Settings → About → Privacy Policy, satisfying both Apple and Google's in-app accessibility requirements.

Changes to this policy

If we change this policy in a material way (new data category, new sub-processor, new purpose), we will: (a) post the updated version at this URL with a new effective date and version number; (b) show an in-app notice the next time you open the app; and (c) email anyone who has previously contacted us. Material changes get at least 30 days' notice before they take effect; non-material edits (typos, link fixes, formatting) are made silently.

A version history is available on request.

Contact & grievance officer

Questions, requests, complaints — write to a real human:

For security disclosures, please use security@zodian.app instead.