This Privacy Policy describes how Zero Day ("we", "us", "our") collects, stores, uses, discloses, and protects personal data in connection with our tools and services (the "Services"). By using our Services, you agree to the terms in this Policy.
If you have any questions, you may contact us at admin@zero.day.
1. Introduction & Scope
1.1 Purpose
Zero Day is a digital product company offering automation tools and services for users. To enable certain functionality, we may request access to certain Google (Gmail) scopes. This access is requested only when the user explicitly opts in, and is used solely for the purpose the user authorized.
1.2 Applicable Law & Jurisdiction
Our operations are based in Kerala, India, and this Privacy Policy is governed by Indian law. We intend to comply with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and relevant rules under the Information Technology Act, 2000. You agree that any disputes will be subject to the courts of competent jurisdiction in Kerala, India.
1.3 Data Fiduciary & Controller
For the purposes of Indian law, Zero Day is the data fiduciary (i.e. the entity that determines the purpose and means of processing your personal data).
2. What Information We Collect
We collect only such personal information as is necessary for providing, maintaining, and improving our Services. We do not collect billing information, nor do we extract data from external sources without your consent.
2.1 Categories of Personal Data
- Identity & contact data: name, email address, phone number (if voluntarily provided)
- Account & profile data: user identifiers, settings, preferences
- Usage / metadata: logs, timestamps, device identifiers, IP addresses
- Google / Gmail Scope Data: if you voluntarily grant Gmail scopes, content and metadata accessible via those scopes
- Any other data you voluntarily submit: e.g. inputs for automation tasks
3. Purpose, Lawful Basis & Use
We collect and process your personal data only for specific, explicit, and legitimate purposes.
3.1 Purposes of Processing
- Enabling and executing automation tasks you've requested
- Reading, sending, or managing Gmail / email as needed for those tasks (only with your explicit consent)
- Providing you with user account support, notifications, messages, updates
- Monitoring, logging, debugging, improving, or securing our Services
- Compliance with legal obligations, prevention of fraud, abuse, or misuse
- Enabling you to disconnect or revoke access at any time
3.2 Lawful Basis & Consent
We will request your free, specific, informed, and unambiguous consent before accessing sensitive scopes (e.g. Gmail scopes). You may withdraw consent at any time.
4. How We Store & Protect Your Data
4.1 Encryption & Security Measures
- All personal data in our database is encrypted at rest using AES-256 encryption (or better).
- Access to the data is protected by strong access controls, role-based permissions, and audit logs.
- Communication to/from our servers uses TLS/SSL to protect data in transit.
- We maintain security procedures, regular audits, and intrusion detection.
4.2 Retention & Deletion
- We retain your data only as long as necessary to fulfill your requested automation tasks, or until you request deletion.
- Once the data is no longer needed, we will permanently delete or anonymize it.
- Any cached or backup copies will be purged as per our internal data retention policy.
4.3 Data Breach Notification
In the event of a personal data breach, we will:
- Promptly assess the scope, impact, and cause of the breach
- Notify you (the affected user/data principal) without undue delay
- If required under law, notify the Data Protection Board within 72 hours
- Take remedial steps (mitigation, security strengthening)
- Maintain records of the breach, response, and communications
5. Use of Gmail / Google Scopes & User Controls
5.1 Requesting Scopes & Consent
- We will request Gmail or other Google scopes only at the moment they are needed for your automation tasks.
- We will clearly present which scopes are requested, what data will be accessed, and how they will be used.
- You make a voluntary, explicit choice to grant or deny each scope.
- We never request more permissions than strictly required.
5.2 Use & Limitations
- We use the granted scope only for the specific operations you authorized.
- We never use Gmail access for unrelated activities (e.g. profiling, advertisement, harvesting emails).
- Scopes are isolated by user: we do not cross-share or pool access across users.
5.3 Revoking Access & Disconnection
- At any point you can disconnect Gmail / Google access.
- We will provide clear UI links (e.g. "Revoke Access," "Disconnect Gmail") within the application.
- Once revoked, we immediately revoke our tokens and delete all associated data.
5.4 Token Storage & Security
- Access tokens, refresh tokens, and any sensitive data are stored encrypted.
- Tokens are rotated or invalidated as per best practices and purged when no longer needed.
6. Your Rights & Choices
As a data principal (user), you may:
- Access / View your personal data we hold
- Rectify / Correct any inaccurate or incomplete data
- Erase / Delete your personal data (to the extent permitted by law)
- Withdraw Consent / Revoke Access for any granted scope
- Object to Processing (if based on legitimate interest)
- Grievance / Complaint: raise concerns, request redress
- Nominate a person to exercise these rights on your behalf
7. Children & Minimum Age
We do not permit users under the age of 13 to access or use our Services. If we become aware that we have collected data from a child under that age, we will promptly delete such data.
8. No Third-Party Sharing & No Transfers Outside India
- We do not share, sell, or rent your personal data to third parties for unrelated purposes.
- We do not transfer your data outside India. All processing occurs within our infrastructure in India.
- We maintain internal controls to prevent unauthorized cross-border transfers.
9. Cookies, Analytics & Logging
- We may use cookies or local storage for session management, preferences, and performance.
- We collect usage logs, server logs, error logs, and analytics data to monitor and improve our Services.
- These logs do not include full content from Gmail or private messages, unless explicitly authorized.
10. Third-Party & External Links
We may use or interface with third-party APIs (e.g. Google APIs) when you authorize them. We are not responsible for the privacy practices of external websites or services. We encourage you to review their privacy policies.
11. Modifications, Updates & Versioning
We may revise this Privacy Policy from time to time. When we make material changes, we will notify you (e.g. via email or in-app notice) before the changes take effect, and obtain fresh consent if required.
12. Limitations & Disclaimers
- We make no guarantees of perfect security; though we take reasonable and industry-standard measures, absolute security is impossible.
- We are not liable for unauthorized access arising from your negligence (e.g. sharing your password, device compromise).
- To the extent permitted by law, our liability relating to data processing is limited.
13. Contact Us / Grievance Officer
If you have any questions, want to exercise your rights, or wish to file a grievance, please contact:
Email: admin@zero.day (Attn: Data Protection / Privacy Team)
14. Miscellaneous
- If part of this Policy is found invalid or unenforceable, the remainder will still apply.
- This Policy does not create contractual rights beyond what is legally enforceable.
- In case of conflict between this Policy and a more specific agreement, that specific agreement (if consistent with law) will govern.