This Privacy Policy explains how moonBYTE Technologies LLP ("moonBYTE", "Zapac", "we",
"us"), a Limited Liability Partnership registered in India with its place of business in Ajmer, Rajasthan,
collects, uses, shares and protects personal data in connection with the Zapac website at
zap.ac and the Zapac service (together, the "Service"). We are committed to processing personal
data lawfully, fairly and transparently, and we do not sell personal data.
1. Our two roles: controller and processor
Zapac handles two different kinds of data, and our responsibilities differ for each:
| Data | Our role | Examples |
|---|---|---|
| Account-holder data — your own signup, profile and billing data | Controller | Name, email, phone (for verification), billing identity, workspace settings, policy-acceptance records |
| Your end-users' click, scan and conversion data generated by your campaigns | Processor (you are the controller) | Click and scan events, a privacy-preserving visitor hash, coarse geo, device and conversion data |
Where we act as a processor for your campaign data, we process it on your behalf and under your instructions; business and agency customers may enter into a Data Processing Agreement with us that governs that relationship.
2. Information we collect
- Information you provide: account details (name, email), authentication data, a phone number where verification is required, billing identity, the links, QR codes, bio-page content and messages you create, and your support communications.
- Information generated through use: log and device data, IP address (handled as described in Section 5), and product-usage telemetry used to operate and improve the Service.
- Click and scan analytics: when someone clicks a Zapac link or scans a Zapac QR code, we record privacy-first event data — a derived visitor hash (not a raw identifier), coarse location, device and referrer — so you can measure your campaigns.
3. How we use information
- To provide, maintain and improve the Service and your analytics.
- To secure the Service and prevent abuse. To assess link safety, our automated systems analyse URL strings, patterns and reputation signals; we never automatically open your destination URLs.
- To process payments, prevent fraud and meet tax and accounting obligations.
- To communicate with you about your account, security and service changes, and — where you have not opted out — relevant product updates.
- To comply with law and respond to valid legal process.
4. Legal bases and consent
Where the GDPR applies, we rely on: performance of a contract (to provide the Service), our legitimate interests (to secure and improve the Service and prevent abuse), consent (for optional marketing), and legal obligation (for tax and compliance). Where the Indian Digital Personal Data Protection Act, 2023 applies, we process personal data on the basis of your consent or other lawful grounds, and we honour your rights as a Data Principal. You may withdraw consent for optional processing at any time.
5. Cookies, IP addresses and retention
Cookies. This website uses only strictly-necessary cookies. The full Service uses essential cookies to keep you signed in and secure, and — only with consent where required — limited analytics. We do not use third-party advertising cookies.
IP addresses. Click and scan analytics are designed to minimise personal data. For visitors in the EU, raw IP addresses are not stored; elsewhere, any raw IP is retained only briefly for abuse-forensics and then dropped, with analytics kept in aggregated or de-identified form.
Retention. We keep account data for as long as your account is active and as needed to provide the Service, then for any period required by law (for example, tax and accounting records). Event-level analytics are retained for a limited window and thereafter kept only in aggregate. When you delete your account, we delete or de-identify your personal data within a reasonable period, except where retention is legally required.
6. Who we share data with — sub-processors
We do not sell personal data. We share data with vetted service providers ("sub-processors") who process it on our behalf to operate the Service, each under appropriate contractual safeguards. Our current sub-processors are:
| Sub-processor | Purpose | Data category |
|---|---|---|
| Neon | Primary database (system of record) | Account, workspace and link data |
| Google Cloud / Firebase | Identity Platform — authentication | User identity, auth credentials |
| Cloudflare | Redirect edge, analytics engine, security, DNS and assets | Click/scan telemetry, request metadata, uploads |
| Tinybird | Real-time click/scan analytics | Click, scan and conversion analytics |
| Stripe | International billing and payments | Billing identity, payment data |
| Razorpay | India billing and payments | Billing identity, payment data |
| Resend | Transactional and product email | Email address, message metadata |
| PostHog | Product analytics and feature flags | Internal usage telemetry |
| Sentry | Error and performance monitoring | Error context (PII-scrubbed) |
| Better Stack | Logging, uptime and alerting | Logs (PII-scrubbed) |
| QStash | Asynchronous job delivery | Job payload metadata |
| Anthropic (Claude) | URL-pattern abuse analysis (URL strings only — destinations are never fetched) | URL strings |
| Google Web Risk | URL reputation lookups | URL strings (hash/database lookup) |
| SMS / OTP provider | Phone verification | Phone number |
| Vercel | Application, API and website hosting | Request metadata |
| Infisical | Secrets management | No customer data (secrets only) |
We keep this list current and will update it as our providers change. We may also disclose data where required by law or valid legal process, or to protect the rights, safety and security of our users, the public or Zapac.
7. International data transfers
We are based in India and use service providers located in other countries, so personal data may be transferred and processed outside your country, including outside the EU and India. Where required, such transfers are covered by appropriate safeguards such as Standard Contractual Clauses or the providers' own transfer mechanisms, and by the conditions of the applicable data-protection laws.
8. Your rights
Subject to applicable law, you may have the right to access, correct, delete, export (port), restrict or object to the processing of your personal data, and to withdraw consent. Where we act as a processor for a customer's campaign data, we will assist that customer in responding to their end-users' requests. To exercise your rights, email privacy@zap.ac. You also have the right to complain to your local data-protection authority (in India, the Data Protection Board).
9. Children
The Service is intended for businesses and adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.
10. Security
We use technical and organisational measures appropriate to the risk, including tenant isolation, encryption in transit, access controls and monitoring. We never store full card details — payments are handled by Stripe and Razorpay on their PCI-compliant systems. No method of transmission or storage is perfectly secure, but we work continuously to protect your data and will notify you and the authorities of a personal-data breach as required by law.
11. Changes to this policy
We may update this Privacy Policy from time to time. Each version carries an effective date and version identifier, and we will give notice of material changes. Your continued use of the Service after an update takes effect constitutes acceptance of the updated policy.
12. Contact us
For privacy questions or to exercise your rights, email privacy@zap.ac.
For grievances under Indian law, contact our Grievance Officer at
grievance@zap.ac (see the Contact page).
moonBYTE Technologies LLP · Ajmer, Rajasthan, India · moonbytetechnologies.in