Policy Document

Privacy Policy

How Zula collects, uses, shares, retains, and protects Personal Data across the Platform.

Effective

July 2026 (2026-07-v2)

Audience

Customers, Vendors, administrators, and visitors

Related documents

Terms of Service, Vendor Agreement

Definitions

"Applicable Data Protection Laws" means all data protection, privacy, and information security laws that apply to the Processing of Personal Data, including, where applicable, the Ghana Data Protection Act, 2012 (Act 843), the Nigeria Data Protection Regulation (NDPR), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

"Data Controller" means the entity that determines the purposes and means of Processing Personal Data, or any equivalent role under Applicable Data Protection Laws.

"Data Subject" means an identified or identifiable individual to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable individual, or any information protected as personal data or personal information under Applicable Data Protection Laws.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, retention, or deletion.

"Platform" means Zula's website, mobile applications, chef tools, and related services.

"Vendor" means an independent food provider using the Platform.

1. Who we are

Zula Technologies Inc. ("Zula", "we", "us", or "our") operates the Zula Platform.

This Privacy Policy explains how we collect, use, share, retain, and protect Personal Data when you use the Platform.

Privacy questions and Data Subject requests may be sent to [email protected] or through the support channel in the app.

2. Scope and controller roles

This Privacy Policy applies to Customers, Vendors, administrators, website visitors, and other users of the Platform.

Zula Technologies Inc. acts as a Data Controller for Personal Data it collects to operate accounts, Orders, payments, verification, support, safety, analytics, and platform administration.

When a Vendor receives Customer Personal Data to fulfill an Order, the Vendor acts as an independent Data Controller for its Processing of that data for fulfillment and related legal obligations. The Vendor Agreement sets out additional Vendor data obligations.

Some features may include additional in-app notices where data is collected for a specific purpose.

3. What we collect

Account and profile information: name, username, email address, phone number, profile photo, role, verification status, and saved preferences.

Ordering information: selected services, menu items, delivery or pickup details, notes, allergies, dietary preferences, budget, order history, payment status, refunds, and support records.

Vendor information: business profile, service listings, availability, payout details, Required Licenses, Ghana Card images, food safety / health compliance certificates, business registration documents, compliance declaration records, ratings, and Customer communications.

Device and app information: device type, app version, IP address, crash logs, diagnostics, notification tokens, approximate location signals, and usage events.

Communications: in-app messages, support requests, feedback, reviews, reports, and other content you submit or exchange through the Platform.

5. How we use Personal Data

Provide and operate the Platform, including login, onboarding, discovery, Order creation, payment processing, delivery coordination, notifications, chat, support, and fraud prevention.

Verify Vendor identity and compliance, review documentation, assign verification status, and investigate safety or policy concerns.

Personalize the experience by showing relevant chefs, meals, Flash Drops, subscriptions, saved preferences, and recommendations.

Protect users, Vendors, and the Platform by monitoring for abuse, suspicious payments, account compromise, policy violations, and safety issues.

Improve product quality by analyzing aggregate performance, app stability, support trends, and feature usage.

Comply with legal, tax, accounting, security, dispute resolution, and regulatory requirements.

6. Sharing and subprocessors

With Vendors: we share Order details needed to prepare, fulfill, update, or discuss an Order. This may include Customer name, delivery location, Order notes, allergies, dietary preferences, and contact details where necessary.

With payment providers: we share information required to process payments, refunds, wallet transactions, payouts, fraud checks, and financial records. Subprocessors may include Paystack and Stripe.

With infrastructure and support vendors: we use providers for hosting, notifications, analytics, crash reporting, customer support, communications, and security operations. Subprocessors may include cloud hosting providers, Firebase (push notifications and app infrastructure), Sentry (crash reporting), and analytics tools.

For legal and safety reasons: we may disclose information when required by Applicable Law, to enforce our terms, protect rights and safety, investigate fraud or abuse, or respond to valid legal requests.

Business transfers: if we merge, acquire, reorganize, finance, or sell part of our business, relevant information may be transferred subject to appropriate safeguards.

7. Chef and vendor data

Shared Customer Personal Data provided to Vendors typically includes Order fulfillment information such as Customer name, delivery address, contact details, Order notes, allergies, and dietary preferences.

Vendor verification data collected by Zula typically includes Ghana Card images, food safety / health compliance certificates, business registration documents, compliance declaration timestamps and versions, payout details, and related business profile information.

Zula uses Vendor verification data to assess onboarding readiness, assign verification status, enable payouts, support investigations, and protect Platform users.

Authorized Zula administrators may access verification documents for review, approval, suspension, or compliance actions. Access is restricted and logged where reasonably practicable.

8. Vendor data obligations

Vendors must handle Customer Personal Data in accordance with the Vendor Agreement and Applicable Data Protection Laws.

Vendors must use Customer Personal Data only for Order fulfillment and related lawful purposes, must not use Platform data for unrelated targeted marketing or re-identification, and must notify Zula within forty-eight (48) hours where feasible of a breach involving Customer Personal Data received through the Platform.

See the Vendor Agreement for full Vendor data handling requirements.

9. International transfers

Personal Data may be processed in Ghana, Nigeria, the European Economic Area, the United States, or other countries where we or our subprocessors operate.

Where Personal Data is transferred internationally, we implement appropriate safeguards required by Applicable Data Protection Laws, such as contractual protections, adequacy decisions where available, or other lawful transfer mechanisms.

10. Data retention

Account and profile data: retained while the account is active and for a reasonable period thereafter for support, dispute, and legal purposes.

Order and payment records: retained as needed for financial reporting, tax, fraud prevention, refunds, and dispute resolution, which may be longer than account data.

Vendor verification documents: retained while the Vendor remains active and for a reasonable period thereafter for compliance, investigations, and legal obligations.

Logs, diagnostics, and security records: retained for limited periods appropriate to security monitoring and system integrity.

Some information may remain in backups for a limited period after deletion. We may retain data longer where required or reasonably necessary under Applicable Law.

11. Security

We use administrative, technical, and organizational safeguards designed to protect Personal Data, including access controls, encrypted transport where appropriate, monitoring, and restricted administrative access.

No system can be guaranteed completely secure. You are responsible for protecting your login credentials, using accurate account information, and notifying us if you suspect unauthorized access.

12. Your rights and choices

You may update account details, saved addresses, payment preferences, and profile information in the Platform where those controls are available.

You may request access, correction, deletion, restriction, export, or account closure by contacting [email protected]. We may need to verify your identity before completing a request.

Depending on your location, you may have additional rights under Applicable Data Protection Laws, including data portability, objection to Processing, and withdrawal of consent where Processing is consent-based.

We aim to respond to verified Data Subject requests within thirty (30) days, subject to extension where permitted by Applicable Data Protection Laws.

Some requests may be limited where we must retain information for security, legal, financial, dispute, fraud-prevention, or operational reasons.

13. Personal data breach notification

We maintain procedures designed to detect, assess, and respond to personal data breaches.

Where required by Applicable Data Protection Laws, we will notify affected Data Subjects and relevant authorities of a personal data breach without undue delay and within timeframes required by Applicable Law.

Vendors who receive Customer Personal Data through the Platform must notify Zula without undue delay and, where feasible, within forty-eight (48) hours if they become aware of a breach involving such data.

14. Children and minors

The Platform is not intended for individuals who do not meet the minimum age required to form a binding agreement under Applicable Law.

If we learn that Personal Data was provided by a child without appropriate consent, we will take reasonable steps to delete it.

15. Changes and contact

We may update this Privacy Policy as our services, legal requirements, or business practices change. When changes are material, we will provide notice through the website, app, email, or another appropriate channel.

For privacy questions or requests, contact [email protected], use the support channel in the app, or submit the website contact form with enough detail for us to identify your account and respond effectively.