Privacy Policy

Zygo Leads is the Data Fiduciary for the personal data processed through the Services. Our registered office is at Office No. A001, Tower-A, Bestech Business Tower, Sector 66, Mohali, Punjab 160062, India. For any privacy questions, you can reach us at support@zygoleads.com.

We collect the following categories of personal data:

• Account data: name, email address, phone number, country, language preference, password (stored as a salted hash).
• Lead data you enter: details about buyers, sellers, and properties such as names, phone numbers, budgets, locations, BHK type, and notes. You are the Data Fiduciary for the leads you record and you must have a lawful basis to do so.
• Communications: WhatsApp messages, call logs, and attachments you choose to import or sync.
• Payment data: billing name, GSTIN (if provided), and transaction references. Card and bank details are processed by our payment partner (Razorpay) and are not stored on our servers.
• Device and usage data: IP address, device type, browser, operating system, pages visited, timestamps, crash reports.
• Location data: approximate location derived from IP address, or precise location only if you grant permission inside our mobile apps.

We do not knowingly collect sensitive personal data such as financial account passwords, biometric information, or health data.

We use personal data to:

• provide, operate, and improve the Services;
• create and secure your account, including OTP verification;
• capture, organise, and follow up on your leads;
• send transactional messages (account, billing, reminders);
• process payments and issue invoices;
• respond to support requests and complaints;
• detect, prevent, and address abuse, fraud, and security issues;
• comply with our legal obligations, including under the Income Tax Act, 1961, the Companies Act, 2013, and the GST law.

Under the DPDPA, we process your personal data on the following grounds:

• Consent: you provide free, specific, informed, and unambiguous consent for clearly defined purposes (for example, sending marketing emails). You may withdraw consent at any time; withdrawal does not affect prior processing.
• Legitimate use: for purposes such as fulfilling a service you have requested, complying with law, and responding to a medical or safety emergency, as permitted by Section 7 of the DPDPA.

We use a small number of strictly necessary cookies and local storage entries to keep you signed in, remember your preferences, and protect the Services. We do not use third-party advertising cookies. You can clear cookies and local storage from your browser settings at any time; doing so may sign you out and reset your preferences.

We do not sell your personal data. We share it only with:

• Service providers (Data Processors) who run our infrastructure under written contracts: Supabase (database and authentication), our hosting and CDN provider, Razorpay (payments), email and SMS delivery partners, and analytics providers.
• Regulators, courts, and law enforcement when disclosure is required by an order of a competent authority or by law.
• Successors in the event of a merger, acquisition, or restructuring, subject to the same privacy commitments.

We keep personal data only for as long as needed to provide the Services and to meet our legal, accounting, and reporting obligations. Account data is retained while your account is active and for up to 24 months after closure, unless a longer period is required by law (for example, tax records under Section 44AA of the Income Tax Act, 1961 and Rule 6F). You may request earlier deletion using the rights described below.

We follow reasonable security practices and procedures as required by Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including TLS encryption in transit, encryption at rest for backups, role-based access controls, audit logs, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

Under the DPDPA, you have the right to:

• access a summary of the personal data we process about you;
• correct, complete, update, or erase your personal data;
• nominate another individual to exercise your rights in the event of your death or incapacity;
• withdraw consent that you previously gave us;
• raise a complaint with us at support@zygoleads.com and, if unresolved, with the Data Protection Board of India once it is constituted.

To exercise these rights, write to support@zygoleads.com. We may verify your identity before acting on the request and will respond within the timelines prescribed by law.

The Services are not directed to anyone below 18 years of age. We do not knowingly process personal data of children. If you believe a child's data has been provided to us, please contact us so we can delete it.

Some of our service providers may process personal data outside India. We transfer personal data only to countries that are not restricted by the Central Government under Section 16 of the DPDPA, and we put contractual safeguards in place to protect your data.

We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date above. If changes are material, we will give you reasonable notice (for example, by email or in-app banner) before they take effect.

For any questions, complaints, or requests about this Policy or our privacy practices, write to support@zygoleads.com or send a letter to Office No. A001, Tower-A, Bestech Business Tower, Sector 66, Mohali, Punjab 160062, India. We will acknowledge your message within a reasonable time and respond as quickly as we can.