Privacy Policy
Zimzam lets friends set the ringtone that plays on each other's phones, with permission. This policy explains what personal information the Zimzam app collects, why we collect it, how it is used and shared, and the choices and rights you have. Please read it carefully.
This policy is provided for transparency and to help you understand our data practices. It is not legal advice.
1. Who we are
Zimzam is a mobile application for Android (package com.friendringtone.app) that lets you
and your friends choose the ringtone that plays on each other's phones when you call, based on
permissions you each grant. In this policy, "Zimzam", "we", "us" and "our" refer to the operator of
the Zimzam app, operated by its developer as an independent sole proprietorship. You can contact us
at any time at support@automations.art. A postal contact
address is available on request.
2. Information we collect
We collect only the information we need to run the service. It falls into the following groups.
Account & profile
You sign in with Google Sign-In, handled through Firebase Authentication (a Google service). When you do, Google provides us with, and we store:
- your email address;
- your Google display name;
- your profile photo / avatar URL;
- your Google account user identifier (a stable ID used to recognise your account).
You may also set a chosen display name inside Zimzam that other users see instead of, or in addition to, your Google name.
Contacts (only to find friends)
If you grant the contacts permission, Zimzam reads your device contacts solely to find which of
your contacts already use Zimzam, so you can connect with them. To do this, the app takes the
phone numbers of your contacts, normalises them to standard
E.164 international format (for example +14155550123), and sends them to our
server, which checks them against existing Zimzam users and returns the matches. Only the phone numbers
needed for this matching are processed. We do not use your contacts for advertising, we do
not sell them, and we do not build advertising profiles from them. You
can use core parts of Zimzam without granting contacts access, and you can revoke the permission at any
time in Android settings.
Contact phone numbers and email addresses are hashed (SHA-256) on your device before they are
sent; we store only the hashes to find matches, never the raw numbers.
Content you upload (ringtones)
Zimzam lets you upload MP3 audio files (up to about 5 MB each) to use as ringtones. These audio files, and the ringtone assignments you create for your friends, are stored in Google Cloud Storage (GCS) so they can be delivered to the assigned friend's device.
Notifications token
- a Firebase Cloud Messaging (FCM) registration token — an identifier for your device that lets us deliver ringtone-change notifications and trigger playback.
Diagnostics, performance & analytics (Firebase / Google)
Zimzam uses several Google (Firebase) services that collect diagnostic and usage information to keep the app reliable and to understand how it is used. These are on by default:
- Firebase Crashlytics — collects crash and error reports, including device model, operating-system version, stack traces and the app's state at the time of a crash. Crash reporting is enabled by default.
- Firebase Analytics — collects app-usage and event analytics about how you interact with Zimzam, which may include an advertising / app-instance identifier.
- Firebase Performance Monitoring — collects performance data such as app-startup time, screen rendering and network-request timing.
We do not intentionally collect special categories of data (such as health, precise location, or payment-card numbers) through the app.
3. How we use information
We use the information above to:
- Provide the service — create and maintain your account and profile;
- Find friends — match your contacts to existing Zimzam users so you can connect;
- Deliver and play ringtones — store your uploaded audio and deliver the correct ringtone to a friend's device, then trigger playback when you call;
- Send notifications — let you know when a friend changes your ringtone or requests permission;
- Keep Zimzam secure — detect, prevent and investigate abuse, fraud and technical problems;
- Improve reliability and quality — use crash reports, performance data and usage analytics (via Firebase Crashlytics, Performance Monitoring and Analytics) to diagnose problems and understand how the app is used;
- Provide support — respond to your questions and requests.
We do not use your personal information for third-party advertising, and we do not sell it.
4. Legal basis for processing
Where data-protection law (such as the EU/UK GDPR) applies, we rely on the following legal bases, depending on the activity:
- Performance of a contract — to provide the Zimzam service you asked for (account, ringtone delivery, notifications);
- Consent — for permission-gated features such as reading your contacts and sending push notifications, which you can withdraw at any time in your device settings;
- Legitimate interests — to keep the service secure and working, in a way that is balanced against your rights.
5. Sharing & service providers
We do not sell your personal information. We share it only in these limited ways:
- With other Zimzam users, by your action — when you connect with a friend or assign them a ringtone, they can see the information needed for that interaction (for example your display name and avatar, and the ringtone you set).
-
Service providers (processors) — our backend and all personal data run on
Google Cloud Platform, using Cloud Run (the API), Compute
Engine (a PostgreSQL database) and Google Cloud Storage (your uploaded
ringtones), in the us-central1 region (United States). We also use
Firebase (Google) for authentication, push messaging (FCM), crash reporting
(Crashlytics), analytics and performance monitoring. These providers process data on our behalf under
their own terms and security controls. This marketing website
(
zimzam.automations.art) is served from a separate static web host and does not process your personal data. Our sub-processors are all Google: Firebase (Authentication, Cloud Messaging, Crashlytics, Analytics and Performance Monitoring) and Google Cloud Platform (Cloud Run, Compute Engine, Cloud Storage, Secret Manager and Cloud Logging), hosted primarily in the United States (us-central1). - Legal, safety and business transfers — we may disclose information if required by law, legal process or a valid government request, or to protect the rights, safety and security of our users, the public or Zimzam; and, if Zimzam is ever involved in a merger, acquisition or asset sale, information may be transferred as part of that transaction, subject to this policy.
6. Data retention
We keep your personal information for as long as your account is active and for as long as we need it to provide the service. Approximate periods:
- Account, profile, ringtones, friend relationships and contact-match data — kept while your account exists and deleted when you delete your account (see Delete your account). When you request deletion, your account and data are permanently deleted within 30 days.
- FCM token — kept while it is valid for your device and removed when it expires, when you sign out, or when your account is deleted.
- Crash, analytics and performance data (Firebase Crashlytics, Analytics and Performance Monitoring) — retained by these Google services for their standard periods: crash and performance data for approximately 90 days, and analytics data for up to 14 months, subject to the retention window configured in Firebase.
- Diagnostic and security logs — operational diagnostic logs are kept for about 30 days; security and abuse-prevention logs are kept for up to 90 days.
We may retain limited information longer where we are legally required to, or to resolve disputes and enforce our agreements. In particular, transaction and purchase records (for credit purchases and in-app payments) are kept in anonymised form — no longer linked to your profile — for as long as needed for tax, accounting and audit purposes.
7. Security
We take reasonable measures to protect your information. Data is encrypted in transit using HTTPS/TLS, stored on Google Cloud infrastructure, and access is restricted to what is needed to operate the service. Data is encrypted at rest with Google-managed keys on Google Cloud, and access is limited to authorised service accounts. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
8. Your rights & choices
Depending on where you live, you may have the right to access, correct, export, restrict or delete your personal information, and to object to certain processing. You can:
- view and update your profile and display name in the app;
- grant or revoke the contacts and notifications permissions in Android settings at any time;
- delete your account and associated data at any time.
To delete your account and data, follow the steps on our dedicated page:
You can also email support@automations.art to exercise any of these rights. We aim to respond within 30 days, and may first ask you to confirm your identity so we don't act on a request from someone who isn't you.
9. Android permissions we request
Zimzam requests only the permissions it needs, and only when a feature requires them:
You can review and change these permissions at any time in your device's app settings.
10. Children
Zimzam is not directed to children under 13 — or the older minimum age of digital consent where your country requires it, such as 16 in parts of the EU — and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.
11. International data transfers
Zimzam is built on Google Cloud Platform and Firebase, and your information is processed and stored on Google's infrastructure in the us-central1 region (United States). If you access Zimzam from another country, your information will be transferred to and processed in the United States, which may have different data-protection laws from your own. Where required, we rely on appropriate safeguards for such transfers — including, where applicable, the European Commission's Standard Contractual Clauses offered by our infrastructure providers, Google Cloud and Firebase.
12. Changes to this policy
We may update this policy from time to time. When we do, we will change the "Last updated" date above and, for significant changes, provide a more prominent notice — for example, an in-app message or a notice on this page. Your continued use of Zimzam after an update means you accept the revised policy.
13. Contact us
If you have questions about this policy or your personal information, contact us at support@automations.art. If a postal or data-protection contact address is required for your market, we will provide one on request.
This document explains, in plain language, how Zimzam handles your data. It is written for transparency and is not a substitute for legal advice.