Privacy Policy Overview
ZILU
Privacy Policy
Effective date: April 1, 2025
Last updated: April 2, 2025
📋 This Privacy Policy explains how Valhalla Lab ('we', 'us', 'our') collects,
uses, and protects your personal data when you use the ZILU mobile application.
By using ZILU, you agree to the practices described in this document.
1. Who We Are
ZILU is operated by Valhalla Lab, a company registered in France.
Company
Valhalla Lab
Address
50 Avenue des Champs-Élysées, 75008 Paris, France
Contact
privacy@ziluapp.com
App
ZILU — available on the Apple App Store
2. Data We Collect
We collect only the data necessary to operate ZILU's core features. We do not sell your data to third parties.
2.1 Account Data
When you create a ZILU account, we collect:
• Email address (used for authentication and communications)
• Username and profile picture (optional, chosen by you)
• Age (to verify you are 13 years of age or older)
• Device identifiers (for push notification delivery)
2.2 Photos and Videos
ZILU's core feature requires you to submit live proof of completed challenges. To do this, the app accesses your device camera in real time. We collect:
• Photos and short videos captured through the in-app camera (live capture only — we do not access your photo library)
• Timestamp and basic device metadata automatically attached to each submission
• AI verification result (verified / rejected) associated with each photo
Photos are used solely to verify your challenge completion. They are stored securely on our servers and may be displayed in your profile feed and the public Explore feed within the app. You may delete your submissions at any time through your profile settings.
2.3 Apple Health & HealthKit Data
With your explicit permission, ZILU integrates with Apple HealthKit to automatically verify step-count and fitness challenges. We may read:
• Step count
• Calories burned (active energy)
• Workout data (type, duration)
Important: ZILU does not write any data to Apple Health. HealthKit data is used only to verify challenge completion within the app. It is never shared with advertisers, third parties, or used for purposes beyond in-app verification. You can revoke HealthKit access at any time in your iPhone Settings → Privacy & Security → Health.
2.4 Usage and Analytics Data
We automatically collect certain technical data to operate and improve the app:
• App usage events (challenges viewed, submissions made, leaderboard interactions)
• Crash reports and error logs
• Device type, operating system version, and app version
• Session duration and feature engagement metrics
2.5 Data We Do NOT Collect
• We do not collect precise GPS location
• We do not access your photo library or camera roll
• We do not collect payment card details (payments handled by Apple's in-app purchase system and RevenueCat)
• We do not track you across third-party apps or websites
3. How We Use Your Data
We use the data we collect for the following purposes:
• To create and manage your account
• To verify challenge submissions using AI
• To display your profile, rank, and submissions to other users within the app
• To operate the leaderboard, duels, and leagues features
• To send push notifications related to your activity (challenges, rank changes, streaks)
• To administer weekly prize pools and process payouts
• To detect and prevent cheating, fraud, and abuse
• To improve app performance, fix bugs, and develop new features
• To comply with legal obligations
We do not use your data for targeted advertising. ZILU is an ad-free product.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for processing your personal data is:
• Contract performance — processing necessary to provide the ZILU service you signed up for (account data, photo submissions, HealthKit data for challenge verification)
• Legitimate interests — analytics and crash reporting to maintain and improve the app, fraud prevention and anti-cheat measures
• Consent — HealthKit data access (you grant this explicitly via Apple's permission prompt; you may withdraw at any time)
• Legal obligation — where required by applicable law
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following trusted service providers, strictly as needed to operate ZILU:
PROVIDER
PURPOSE
DATA SHARED
AWS (Amazon Web Services)
Secure cloud storage for photos and app data
Photos, account data, app logs
Apple / RevenueCat
Subscription management and in-app purchases
Purchase tokens (no card details)
OpenAI / AI provider
AI verification of photo submissions
Challenge name, photo (anonymized)
Stripe
Prize payout processing for weekly winners
Name, email, payout amount
OneSignal or FCM
Push notification delivery
Device token, notification content
Analytics provider (e.g. Mixpanel)
App usage analytics and crash reporting
Anonymized usage events
All third-party providers are contractually bound to process your data only for the purposes described above and in accordance with applicable privacy law.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
• Account data — retained for the duration of your account. Deleted within 30 days of account deletion request.
• Photos and videos — retained for 90 days after submission, then automatically deleted. You may delete individual submissions at any time.
• HealthKit data — not stored on our servers. Accessed in real time for challenge verification only.
• Analytics data — retained in anonymized form for up to 24 months.
• Prize payout records — retained for 7 years as required by French accounting law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
• Right of access — request a copy of the data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your account and associated data
• Right to restriction — request that we limit processing of your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw HealthKit permission at any time via iPhone Settings
To exercise any of these rights, contact us at privacy@ziluapp.com. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority (CNIL) at www.cnil.fr.
8. Data Security
We take the security of your data seriously. Our measures include:
• All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher
• Photos are stored in encrypted form on AWS S3 with restricted access controls
• Access to production databases is limited to authorized personnel only
• We conduct regular security reviews and vulnerability assessments
• In the event of a data breach that affects your rights, we will notify you and the relevant authority within 72 hours as required by GDPR
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Children's Privacy
ZILU is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@ziluapp.com and we will delete it promptly.
Users between the ages of 13 and 17 may use ZILU only with verifiable parental consent, in accordance with applicable law.
10. International Data Transfers
Valhalla Lab is based in France (European Union). Your data may be processed by our service providers in countries outside the EEA, including the United States (AWS, OpenAI, Stripe). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Push Notifications
ZILU sends push notifications to keep you engaged with challenges, rank updates, and streak reminders. You can manage notification preferences at any time in:
• ZILU app → Profile → Settings → Notifications
• iPhone Settings → Notifications → ZILU
Disabling notifications will not affect your ability to use the app, but may impact your awareness of time-sensitive challenge windows.
12. Apple HealthKit — Special Notice
ZILU requests access to Apple HealthKit data solely to verify fitness-related challenges (steps, workouts, calories). In compliance with Apple's HealthKit guidelines:
• We do not use HealthKit data for advertising or marketing
• We do not share HealthKit data with third parties for any purpose other than challenge verification
• We do not sell HealthKit data
• HealthKit data is not used to build profiles for advertising
• We access HealthKit data only when you submit a fitness challenge that requires it
You can revoke HealthKit access at any time: iPhone Settings → Privacy & Security → Health → ZILU.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
• Notify you via a push notification or in-app banner
• Update the "Last updated" date at the top of this document
• For significant changes, request your renewed consent where legally required
We encourage you to review this Policy periodically. Continued use of ZILU after changes are posted constitutes your acceptance of the updated Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
📧 Email: privacy@ziluapp.com
🌐 Website: www.ziluapp.com
📮 Mail: Valhalla Lab — 50 Avenue des Champs-Élysées, 75008 Paris, France
We aim to respond to all privacy inquiries within 30 days.
© 2026 Valhalla Lab. All rights reserved. | ZILU Privacy Policy — April 1, 2025
Valhalla Lab — 50 Avenue des Champs-Élysées, 75008 Paris | Page
ZILU