Legal

Privacy Policy

Last updated: July 8, 2026

Zylon (“Zylon,” “we,” “us,” or “our”) operates a social accountability platform available as a mobile application (iOS and Android, the “App”) and a website at zylon.app (the “Website”), together the “Service.” This Privacy Policy explains what personal information we collect, why we collect it, how it’s used, and the rights you have over it.

1.Overview

Zylon is operated by an individual/business based in South Africa. If you have questions about this policy or how your data is handled, contact us at support@zylon.app.

By creating an account or otherwise using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2.Who This Policy Applies To

This policy applies to all users of Zylon worldwide. Where a specific legal framework grants you additional rights — such as the GDPR (EU/UK), the CCPA/CPRA (California), or POPIA (South Africa) — those additional rights are described in Section 9.

3.Information We Collect

We collect the minimum information needed to run the Service. The tables below reflect exactly what is stored in our systems.

3.1 Account & Profile Information

DataPurposeSource
Email addressAccount creation, login, password reset, transactional notificationsProvided by you, or shared by Google/Apple if you use social sign-in
Password (hashed)AuthenticationProvided by you (not applicable if using Google/Apple Sign-In)
UsernamePublic identity within the appProvided by you
Full nameDisplayed on your profile (optional)Provided by you, or shared by Google/Apple if you use social sign-in
Profile photo (avatar)Displayed on your profileUploaded by you, or shared by Google/Apple if you use social sign-in
BioDisplayed on your profile (optional)Provided by you

We support Sign in with Apple, Google Sign-In, and email/password (all handled through our authentication provider, Supabase). When you use Google or Apple sign-in, the provider shares your name, email address, and (optionally) profile photo with us, as permitted by your settings with that provider. We never receive your Apple ID or Google account password.

3.2 Content You Create

DataPurpose
Goals (title, category, target date, motivation text)Core functionality — tracking your progress toward a stated goal
Weekly progress updates (“Win” and “Challenge” text, plus optional advice requests)Core functionality — the accountability loop
Photos attached to updatesShared visual progress; stored via our storage provider (Supabase)
Comments and replies on other users’ updatesCore functionality — the support/contribution system
“Helpful” marks on commentsReputation and rank calculation
Likes on commentsEngagement features
Follows (who you follow / who follows you)Social graph features
Zylon currently supports photo attachments only when posting an update. We do not currently support video uploads within posts. A short video appears during onboarding, but that video is fixed app content we provide, not something recorded or uploaded by you, and involves no data collection on our part.

Photo library access: we request access to your photo library only so you can choose to attach existing photos to your updates.

Because Zylon’s goal-history feature is public by design (past goals and updates are visible on user profiles as proof of progress), be mindful that content you post is generally visible to other users of the Service, consistent with how the app is described to you at the point of posting.

3.3 Subscription & Payment Information

Zylon Pro subscriptions are managed through RevenueCat, which syncs subscription status between Zylon and the Apple App Store or Google Play Store. We store your subscription status (active/inactive), product identifier, entitlement ID, purchase and expiration dates, renewal status, and your chosen posting/contribution commitment frequency (a Pro feature).

We never receive or store your payment card details. All billing is handled directly by Apple or Google as part of your App Store / Play Store account. RevenueCat acts only as a subscription-status intermediary between those platforms and our systems.

3.4 Notifications

  • Push notification token — delivering push notifications to your device via Expo's notification service
  • Device type — routing notifications correctly (iOS vs. Android)
  • Notification preferences — respecting your chosen notification settings (all / important only / none)
  • In-app notification history — comments, replies, helpful marks, follows, rank changes, and accountability reminders relevant to you

3.5 App Settings

We store your language preference, dark mode setting, and mention preferences, so your app behaves consistently across sessions and devices.

3.6 Automatically Collected / Technical Information

DataPurposeSource
Device type, OS version, app versionDebugging, compatibility, crash diagnosisExpo Device / Expo Application / Expo Constants
Crash reports and error logsIdentifying and fixing bugsSentry
Product usage/interaction data (e.g. screens viewed, features used, session activity)Understanding how the Service is used, improving the productPostHog
IP addressSecurity, rate-limiting, and abuse prevention (e.g. on our waitlist form)Automatically collected by our hosting/network infrastructure

3.7 What We Do Not Collect

We do not collect or store your precise geolocation. We do not access your contacts, calendar, or other apps on your device, and we do not access your microphone. We do not request any device permissions beyond photo library access and push notifications, both described above.

4.Who We Share Information With (Sub-Processors)

We use the following third-party service providers to operate Zylon. Each processes personal data only as necessary to provide their specific service to us, under their own privacy and security commitments.

ProviderPurposeData Involved
SupabaseDatabase hosting, authentication, and file storage (photos)Account data, content, media files
Expo (Expo Application Services)App infrastructure and push notification deliveryPush tokens, device metadata
RevenueCatSubscription/entitlement managementSubscription status, purchase metadata (no card data)
Apple App Store / Google PlayPayment processing for Pro subscriptionsPayment details (handled entirely by Apple/Google, never shared with us)
Google Sign-In / Sign in with AppleOptional social authenticationName, email, profile photo (only if you choose to use these)
PostHogProduct analytics — understanding feature usage to improve ZylonUsage/interaction events, device metadata
SentryCrash and error reportingCrash logs, stack traces, device metadata
VercelWebsite hostingStandard web request logs
Vercel AnalyticsPrivacy-focused, cookieless website traffic analyticsAggregate page-view data (no personal identifiers)

We do not sell your personal information to anyone, and we do not share it with third parties for their own independent marketing purposes.

We may disclose information if required by law, to enforce our Terms of Service, to protect the rights, safety, or property of Zylon or our users, or in connection with a merger, acquisition, or sale of assets (in which case we’ll notify you before your data becomes subject to a different privacy policy).

5.How Long We Keep Your Information

  • Account and content data: retained for as long as your account is active.
  • Account deletion:if you delete your account through the app, your profile and associated personal data are removed from active systems. Some content (e.g. comments you left on others’ posts) may be anonymized rather than fully deleted where removing it entirely would break the context of another user’s conversation.
  • Uploaded media: when a photo or its parent content is deleted, it is queued for permanent removal from our storage provider.
  • Crash/analytics data: retained according to Sentry’s and PostHog’s standard retention windows, typically 90 days, after which it is automatically purged.
  • Password reset codes: single-use and expire shortly after issuance.

6.Security

We use industry-standard measures to protect your information, including encrypted connections (HTTPS/TLS) between the app and our servers, database-level access controls (Row Level Security), and hashed password storage. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security, but we take reasonable steps to protect your information from unauthorized access, alteration, or disclosure.

7.Children's Privacy

Zylon is not directed at, and is not intended for use by, anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected information from a child under 13, we will take steps to delete it promptly. If you believe a child under 13 has provided us with personal information, contact us at support@zylon.app.

8.International Data Transfers

Zylon is operated from South Africa, and our service providers (Supabase, Expo, Vercel, RevenueCat, PostHog, Sentry) may store or process data in other countries, including the United States and the European Union. Where required, we rely on appropriate safeguards (such as standard contractual clauses used by our providers) to ensure your information receives an adequate level of protection wherever it is processed.

9.Your Rights

Depending on where you live, you may have some or all of the following rights regarding your personal information. To exercise any of these, contact us at support@zylon.app.

9.1 All Users

  • Access: request a copy of the personal data we hold about you.
  • Correction: update inaccurate information (most can be edited directly in-app via your profile settings).
  • Deletion: request deletion of your account and associated personal data, subject to Section 5.
  • Portability: request your data in a portable format.

9.2 If You’re in the European Economic Area or UK (GDPR)

In addition to the rights above, you have the right to object to or restrict certain processing, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing your information is generally: performance of a contract (providing the Service you signed up for), your consent (e.g. for optional push notifications), and our legitimate interests (e.g. security, fraud prevention, and product improvement via analytics).

9.3 If You’re in California (CCPA/CPRA)

You have the right to know what personal information we collect, to request deletion, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share your personal information with third parties for cross-context behavioral advertising. California residents may designate an authorized agent to make requests on their behalf.

9.4 If You’re in South Africa (POPIA)

As the responsible party under the Protection of Personal Information Act, we process your personal information lawfully and only for the purposes described in this policy. You have the right to request access to, correction of, or deletion of your personal information, and to object to processing in certain circumstances, in accordance with POPIA.

10.Cookies (Website Only)

The Zylon website (zylon.app) uses Vercel Analytics, which is designed to operate without cookies or persistent identifiers that track individual visitors across sites. We do not currently use advertising or cross-site tracking cookies on the website.

11.Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we’ll notify you via the app, email, or a notice on our website prior to the change taking effect. The “Last updated” date at the top of this page reflects the most recent revision.

12.Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, contact us at support@zylon.app.