Privacy Policy
This Privacy Policy explains how ZUZU collects, uses, shares, and protects information across the ZUZU Shopping, ZUZU Merchant, and ZUZU Driver mobile apps and related backend services (together, the “Service”).
Last updated: 4 June 2026.
1. Who we are
ZUZU is a marketplace and delivery platform operating in Iraq and the Kurdistan Region of Iraq. In this policy “ZUZU”, “we”, “us” and “our” refer to the operators of the Service. You can reach us at support@zuzu.app for any privacy question or request.
2. What information we collect
Account & identity
- Phone number — used to identify your account and deliver a one-time password (OTP).
- Password — stored only as a salted hash by Firebase Authentication.
- A synthetic email of the form phone_<digits>@zuzu.app, generated internally so we can use Firebase Authentication’s email/password backend. This email is not used to contact you.
- Display name and phone-verified status.
- Push-notification token (FCM) — so we can alert you about order updates.
Profile
- Optional avatar image (uploaded to Cloudflare R2 storage).
- Loyalty balance (ZUZU coins): current balance, total earned, total spent, and per-transaction history.
Delivery addresses
- Label (Home, Office, etc.), street, city, province, optional landmark.
- A GPS coordinate (latitude / longitude) for the pinned location.
- Optional address-specific phone number that overrides your account phone for that delivery.
Orders
- Items ordered, quantities, store IDs, line totals.
- Order totals, delivery fee, applied coupon, coins redeemed.
- Payment method (cash on delivery only at this time).
- Order status history (the timestamps of each step: placed, confirmed, picked up, delivered, etc.).
- Optional note you write to the store.
- Refund requests and their decisions.
Device access (with your permission)
- Location — used only while the app is open, to drop a pin for your delivery address. We do not track your background location.
- Camera — used to scan QR stickers on packages (Merchant and Driver apps), and to capture banner images (admin features only in the Customer app).
- Photo library — used to choose a banner image in the Customer app’s admin section.
- Notifications — used to send order updates as push messages.
Server logs
Our Cloud Functions emit operational logs (e.g. when an OTP is requested, when a notification is sent, when an order is consolidated). These logs include user IDs and order IDs but no payment-card data because we don’t process cards. Logs are auto-deleted after Firebase’s default retention (typically 30 days).
3. How we use information
- To authenticate you (phone + OTP, phone + password).
- To show stores and products, place orders, and route deliveries.
- To let the store you’re ordering from prepare your items, and to let the delivery driver bring them to your address.
- To award and redeem ZUZU coins.
- To send you order-status push notifications and (rarely) in-app announcements.
- To investigate problems, prevent fraud and abuse, and improve the Service.
- To comply with legal obligations (tax records, court orders, etc.).
4. Information shared between users
When you place an order, certain information is shared with the parties needed to fulfil it:
| Shared with | What they see |
|---|---|
| The store(s) you ordered from | Your name, your phone number, the items they sell, the delivery address, your note, and the order’s status history. |
| The driver who picks up from each store | The store’s portion of your order, your name, your phone, and the delivery address. |
| The driver doing the final delivery | Your name, your phone, and the delivery address (no item details). |
| ZUZU operations / warehouse staff | Full order details, including the above, for operational and customer-support purposes. |
5. Third-party services we use
- Google Firebase (Authentication, Firestore, Cloud Functions, Cloud Messaging, Storage) — primary backend. Hosted in Google’s US/EU regions. See the Firebase privacy practices.
- Cloudflare R2 — object storage for images uploaded to ZUZU (product photos, store banners, category icons).
- OTPIQ (Iraq) — delivers SMS, WhatsApp, and Telegram one-time passwords during sign-in. We share only the phone number and the OTP code with OTPIQ.
- Google Maps — opened via deep link from the Driver app for turn-by-turn directions. ZUZU does not directly forward user data to Google in this flow; the device’s operating system handles the handoff.
- Apple Push Notification service — delivers iOS push notifications.
6. Payments
All orders are paid in cash on delivery. ZUZU does not process card data, and no card numbers are ever transmitted or stored. Future support for digital payments will be disclosed in an updated version of this policy.
7. How long we keep your information
- Account data — kept until you ask us to delete your account.
- Order data — kept indefinitely for tax, accounting, and dispute-resolution purposes, even after you delete your account. We anonymise it (remove your name and phone) on deletion so it can remain in our books without identifying you.
- Logs — auto-expire per Firebase’s default retention.
8. Your rights
You may at any time:
- Request a copy of the personal information we hold about you.
- Ask us to correct inaccurate information.
- Ask us to delete your account and the personal information attached to it (subject to the order-history exception in section 7).
- Withdraw any consent you previously gave for optional features (e.g. push notifications) — toggle them off in your device settings.
Email support@zuzu.app and we will respond within 30 days. We may ask you to confirm the phone number on file before acting on a request, to protect your account.
9. Children
ZUZU is not directed at children under 13 and we do not knowingly collect their information. If you believe a child has signed up, please contact us and we will delete the account.
10. Security
All traffic between the apps and our backend uses TLS 1.2 or higher. Passwords are stored as salted hashes by Firebase Authentication; ZUZU operators never see your plaintext password. Access to Firestore is governed by server-side security rules that limit each role (customer, store owner, driver, admin) to the documents they are entitled to read or write.
11. International transfers
Some of our service providers (notably Google Firebase) store data in the United States and the European Union. By using ZUZU you consent to this transfer. We rely on each provider’s standard contractual safeguards.
12. Changes to this policy
We may update this Privacy Policy as the Service evolves. When we do, we will update the “Last updated” date at the top and, for material changes, surface a notice inside the app the next time you open it.
13. Governing law
This Privacy Policy is governed by the laws of the Kurdistan Region of Iraq and the Republic of Iraq. Disputes will be handled by the competent courts of those jurisdictions.
14. Contact
ZUZU
Email: support@zuzu.app
Support
Need help with ZUZU? Below are answers to the most common questions, plus how to reach our team if you need a human.
About ZUZU
ZUZU is a single marketplace served by three apps:
- ZUZU Shopping — for customers ordering from local stores.
- ZUZU Merchant — for store owners managing their orders.
- ZUZU Driver — for delivery drivers picking up and delivering orders.
Frequently asked questions
How do I sign in?
Tap “Sign in” on the welcome screen, enter your phone number, and you’ll receive a one-time password (OTP) via WhatsApp or SMS. Enter the code, choose a password, and you’re in.
How do I place an order?
- Open the home tab and browse stores or search for a product.
- Tap a product, then Add to cart. Repeat across as many stores as you like.
- Tap the cart icon, then Checkout.
- Choose your delivery address (or add a new one and drop a map pin).
- Tap Place order — you’ll see it appear in your Orders tab right away.
How does cash-on-delivery work?
When your driver hands you the package, you pay them in cash for the order total shown in the app. We do not process cards at this time, so make sure you have enough Iraqi dinars ready before delivery arrives.
I ordered from two stores — will the driver come twice?
No. Each store prepares its part of your order independently, and our drivers carry each part to our warehouse. Once every store’s items have arrived, we consolidate them into one package and dispatch a single delivery driver to your address.
Can I cancel my order?
Yes — but only while the order is still Pending, i.e. before any store has accepted it. Open the order from the Orders tab and tap the “Cancel order” button. Once any store accepts, the order is committed and we cannot cancel from the app.
How do ZUZU coins work?
You earn coins on every completed order (the amount is shown on the checkout screen). At any future checkout you can redeem coins to lower the total. Each coin is worth a fixed amount in Iraqi dinars (configured by ZUZU) and the conversion is shown on the checkout screen before you commit.
How do refunds work?
Open the affected order in the Orders tab, tap Request refund, and explain what went wrong. The store will review your request and approve or deny it. If approved, the refunded amount is credited back to your ZUZU coin balance (or paid in cash by the store, depending on the case).
How do I delete my account?
Email us at support@zuzu.app from the phone number / email on the account, asking us to delete it. We will confirm and complete the deletion within 30 days. (We retain anonymised order history for tax purposes — see section 7 of the Privacy Policy.)
I’m a store owner / driver. How do I sign up?
Store and driver accounts are provisioned by the ZUZU operations team. Email support@zuzu.app with your business name, location, and phone number and we will get back to you.
Contact us
Email · support@zuzu.app
We aim to respond within 48 hours. Please include the phone number on your account and (if relevant) the order ID so we can help faster.