Privacy Policy

Last updated: 25 May 2026

This Privacy Policy explains how Zygo Leads ("we", "our", or "us") collects, uses, discloses, and protects your personal data when you use our website, mobile apps, and services (collectively, the "Services"). We follow the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000, and the rules made under them.

1. Who we are

Zygo Leads is the Data Fiduciary for the personal data processed through the Services. Our registered office is at Office No. A001, Tower-A, Bestech Business Tower, Sector 66, Mohali, Punjab 160062, India. For any privacy questions, you can reach us at support@zygoleads.com.

2. Personal data we collect

We collect the following categories of personal data:

  • Account data: name, email address, phone number, country, language preference, password (stored as a salted hash).
  • Lead data you enter: details about buyers, sellers, and properties such as names, phone numbers, budgets, locations, BHK type, and notes. You are the Data Fiduciary for the leads you record and you must have a lawful basis to do so.
  • Communications: WhatsApp messages, call logs, and attachments you choose to import or sync.
  • WhatsApp Business account data: When you connect your WhatsApp Business number through Facebook Login for Business (Embedded Signup), we receive and securely store your WhatsApp Business Account (WABA) ID, phone number ID, Meta business ID, and an encrypted access token. These credentials are used solely to send automated CRM messages (property suggestions, OTPs, reminders, and status updates) from your connected WhatsApp number on your behalf. We do not use these credentials for any other purpose.
  • WhatsApp message data: Inbound messages, message delivery status updates, and any media shared by your leads via WhatsApp may be received through Meta's Cloud API webhook and stored in our database to display in your CRM conversation history.
  • Payment data: billing name, GSTIN (if provided), and transaction references. Card and bank details are processed by our payment partner and are not stored on our servers.
  • Device and usage data: IP address, device type, browser, operating system, pages visited, timestamps, crash reports.
  • Location data: approximate location derived from IP address, or precise location only if you grant permission inside our mobile apps.

We do not knowingly collect sensitive personal data such as financial account passwords, biometric information, or health data.

3. How we use your data

We use personal data to:

  • provide, operate, and improve the Services;
  • create and secure your account, including OTP verification;
  • capture, organise, and follow up on your leads;
  • send transactional messages (account, billing, reminders);
  • process payments and issue invoices;
  • respond to support requests and complaints;
  • detect, prevent, and address abuse, fraud, and security issues;
  • comply with our legal obligations, including under the Income Tax Act, 1961, the Companies Act, 2013, and the GST law.

4. Lawful basis for processing

Under the DPDPA, we process your personal data on the following grounds:

  • Consent: you provide free, specific, informed, and unambiguous consent for clearly defined purposes (for example, sending marketing emails). You may withdraw consent at any time; withdrawal does not affect prior processing.
  • Legitimate use: for purposes such as fulfilling a service you have requested, complying with law, and responding to a medical or safety emergency, as permitted by Section 7 of the DPDPA.

5. Cookies and similar technologies

We use a small number of strictly necessary cookies and local storage entries to keep you signed in, remember your preferences, and protect the Services. We do not use third-party advertising cookies. You can clear cookies and local storage from your browser settings at any time; doing so may sign you out and reset your preferences.

6. When we share personal data

We do not sell your personal data. We share it only with:

  • Service providers (Data Processors) who run our infrastructure under written contracts: Supabase (database and authentication), our hosting and CDN provider, our payment partner, email and SMS delivery partners, and analytics providers.
  • Meta Platforms, Inc. when you use Facebook Login for Business to connect your WhatsApp Business number via our Embedded Signup flow. Data exchanged with Meta's APIs is governed by Meta's Platform Terms (developers.facebook.com/terms) and the WhatsApp Business Terms of Service. We act as a Technology Provider (Solution Partner) on the WhatsApp Business Platform; your WABA remains yours and is not shared with any third party other than Meta.
  • Regulators, courts, and law enforcement when disclosure is required by an order of a competent authority or by law.
  • Successors in the event of a merger, acquisition, or restructuring, subject to the same privacy commitments.

7. How long we keep your data

We keep personal data only for as long as needed to provide the Services and to meet our legal, accounting, and reporting obligations. Account data is retained while your account is active and for up to 24 months after closure, unless a longer period is required by law (for example, tax records under Section 44AA of the Income Tax Act, 1961 and Rule 6F). You may request earlier deletion using the rights described below.

WhatsApp Business credentials (WABA ID, phone number ID, access token) are deleted immediately when you disconnect your WhatsApp number from the Services, or within 30 days of account closure whichever comes first. WhatsApp conversation history stored in our database is deleted at the same time.

8a. Connecting and disconnecting WhatsApp

You can connect your WhatsApp Business number at any time from Settings → WhatsApp inside the CRM. Connecting your number authorises us to send automated messages on your behalf using the WhatsApp Business Cloud API. You remain the owner of your WhatsApp Business Account (WABA); we are a Technology Provider operating under Meta's Platform Terms.

You can disconnect your WhatsApp number at any time from Settings → WhatsApp → Disconnect. Upon disconnection:

  • We immediately revoke our API access and delete the stored credentials.
  • Automated messages will stop being sent from your number.
  • Your WhatsApp Business app on your phone will continue working normally.
  • Conversation history stored in our CRM will be deleted within 30 days.

You may also request deletion of your Meta-related data by emailing support@zygoleads.com or by visiting our Data Deletion page.

9. How we protect your data

We follow reasonable security practices and procedures as required by Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including TLS encryption in transit, encryption at rest for backups, role-based access controls, audit logs, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

10. Your rights as a Data Principal

Under the DPDPA, you have the right to:

  • access a summary of the personal data we process about you;
  • correct, complete, update, or erase your personal data;
  • nominate another individual to exercise your rights in the event of your death or incapacity;
  • withdraw consent that you previously gave us;
  • raise a complaint with us at support@zygoleads.com and, if unresolved, with the Data Protection Board of India once it is constituted.

To exercise these rights, write to support@zygoleads.com. We may verify your identity before acting on the request and will respond within the timelines prescribed by law.

11. Children's data

The Services are not directed to anyone below 18 years of age. We do not knowingly process personal data of children. If you believe a child's data has been provided to us, please contact us so we can delete it.

12. Cross-border transfers

Some of our service providers may process personal data outside India. We transfer personal data only to countries that are not restricted by the Central Government under Section 16 of the DPDPA, and we put contractual safeguards in place to protect your data.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date above. If changes are material, we will give you reasonable notice (for example, by email or in-app banner) before they take effect.

14. Contact us

For any questions, complaints, or requests about this Policy or our privacy practices, write to support@zygoleads.com or send a letter to Office No. A001, Tower-A, Bestech Business Tower, Sector 66, Mohali, Punjab 160062, India. We will acknowledge your message within a reasonable time and respond as quickly as we can.