Zumbido

Request a Demo

Privacy Policy

Effective Date: January 1, 2026
Last Updated: January 1, 2026

1. Introduction

This Privacy Policy (“Policy”) explains how Zumbido Limited (“Zumbido,” “We,” “Us,” or “Our”), a corporation incorporated under the laws of Ontario, Canada, with registered office at 1857 Parkside Drive, Pickering, Ontario, Canada – ON L1V 3N9, collects, uses, processes, discloses, stores, and protects Your personal information when You access or use Our websites, applications, and SaaS services (collectively, “Services”).

By registering, accessing, or using Our Services, You (“You,” “Your,” “Data Principal,” or “Data Subject”) acknowledge that You have read, understood, and consent to the collection, processing, and use of Your personal data as described in this Policy.

This Policy complies with:

  • India’s Digital Personal Data Protection Act (DPDPA) 2023
  • European Union General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA), Canada

2. Definitions

Personal Data / Personal Information means any information relating to an identified or identifiable natural person, including but not limited to name, email address, phone number, postal address, IP address, device identifiers, financial information, and behavioral data.

Data Fiduciary / Data Controller means Zumbido Limited, which determines the purpose and means of processing personal data.

Data Principal / Data Subject means the individual (You) to whom the personal data relates.

Data Processor means any person or entity that processes personal data on behalf of the Data Fiduciary.

Processing means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

Consent means a clear affirmative action signifying Your freely given, specific, informed, and unambiguous agreement to the processing of Your personal data.

Sensitive Personal Data includes financial information, health data, biometric data, passwords, sexual orientation, religious or political beliefs, and any data deemed sensitive under applicable law.

3. Data Controller and Contact Information

Data Fiduciary / Data Controller:
Zumbido Limited
125, Village Green Square, Scarborough, Toronto, Ontario M1S 0G3 Canada
Email: connect@zumbido.ca

Data Protection Officer (DPO):
Email: dpo@zumbido.ca

4. Applicability and Scope

This Policy applies to:

  • Personal data processed in digital form or digitized afterward
  • Individuals located in India, the European Economic Area (EEA), California (USA), Canada, and all other jurisdictions where We offer Services
  • Data collected through Our websites, mobile applications, SaaS platforms, marketing communications, customer support interactions, and business partnerships

5. Personal Data We Collect

We collect the following categories of personal data:

5.1 Information You Provide Directly

  • Account Registration Data: Name, email address, phone number, company name, business address, job title, PAN (India), GST number, tax identification number
  • Payment Information: Bank account details, billing address, transaction history, payment method information
  • Customer Support Data: Support tickets, chat transcripts, feedback, complaint records
  • Business Information: Customer lists, supplier data, inventory records, order details, supply chain data (when You use Our ERP/supply chain services)

5.2 Information Collected Automatically

  • Technical Data: IP address, browser type and version, device type, operating system, time zone, location data, cookies, pixel tags, log files
  • Usage Data: Pages visited, features used, session duration, clickstream data, referral source, search queries
  • Performance Data: System performance metrics, error logs, API usage statistics

5.3 Information from Third Parties

  • Data from payment processors, identity verification services, marketing partners, resellers, and publicly available sources

6. Purpose of Processing and Legal Basis

We process Your personal data for the following purposes, based on the legal grounds specified:

Purpose Legal Basis (GDPR) Legal Basis (DPDPA)
Account registration and service delivery Contract performance Consent
Payment processing and invoicing Contract performance Consent
Customer support and query resolution Legitimate interest Consent
Product improvement and analytics Legitimate interest Consent
Marketing and promotional communications Consent Consent
Legal and regulatory compliance Legal obligation Legal obligation
Fraud prevention and security Legitimate interest Legitimate interest
Business intelligence and reporting Legitimate interest Consent

Under DPDPA, We obtain Your informed consent before processing personal data for almost all purposes. Consent is obtained through a clear affirmative action (e.g., clicking “I Agree,” checking a consent box, signing a registration form).

7. How We Use Your Personal Data

We use Your personal data to:

  • Provide, maintain, and improve Our Services
  • Process transactions, subscriptions, and payments
  • Communicate with You regarding Your account, orders, and service updates
  • Provide customer support and respond to inquiries
  • Send marketing communications (with Your consent)
  • Conduct business analytics, market research, and product development
  • Ensure platform security and prevent fraud
  • Comply with legal obligations, including tax reporting, audit requirements, and regulatory compliance
  • Enforce Our Terms of Service and other agreements

8. Data Sharing and Disclosure

We do not sell Your personal data. We may share Your data with the following categories of recipients:

8.1 Service Providers and Data Processors

  • Cloud hosting providers (AWS, Microsoft Azure, Google Cloud)
  • Payment processors (Stripe, PayPal, Razorpay)
  • Email and communication platforms (SendGrid, Twilio)
  • Analytics providers (Google Analytics)
  • Customer support tools (Zendesk, Freshdesk)

All third-party processors are bound by data processing agreements ensuring GDPR and DPDPA compliance.

8.2 Business Partners

  • Resellers, Master Resellers, and distribution partners (as necessary for service delivery and commission processing)
  • ERP and supply chain integration partners

8.3 Legal and Regulatory Authorities

  • Government agencies, tax authorities, law enforcement, courts, and regulators (when required by law or to protect Our rights)

8.4 Business Transfers

  • In the event of a merger, acquisition, asset sale, or bankruptcy, Your data may be transferred to the successor entity (You will be notified in advance)

9. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries outside India, the EEA, or Your country of residence, including Canada (where Our headquarters are located).

9.1 GDPR Safeguards for International Transfers

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • We ensure adequate safeguards under GDPR Article 46

9.2 DPDPA Safeguards for International Transfers

  • We comply with DPDPA requirements for cross-border data transfers as notified by the Indian government

10. Data Retention

We retain Your personal data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law.

Data Category Retention Period
Account and registration data Duration of account + 6 years (for tax/audit compliance)
Payment and transaction records 7 years (per Indian Income Tax Act and Canadian tax law)
Customer support records 3 years after case closure
Marketing data Until consent is withdrawn + 1 year
Technical and usage logs 1 year

After the retention period, We will securely delete or anonymize Your data.

For Significant Data Fiduciaries (if applicable): If We qualify as a Significant Data Fiduciary under DPDPA, We will erase Your personal data within the mandated timeframes and notify You at least 48 hours in advance.

11. Your Data Principal / Data Subject Rights

11.1 Rights Under DPDPA (India)

You have the following rights under India’s DPDPA:

  1. Right to Access – Obtain a summary of personal data We process and information about processing activities
  2. Right to Correction – Request correction of inaccurate, incomplete, or outdated personal data
  3. Right to Erasure – Request deletion of Your personal data (subject to legal retention obligations)
  4. Right to Withdraw Consent – Withdraw consent at any time (withdrawal does not affect prior lawful processing)
  5. Right to Nominate – Nominate another individual to exercise Your rights in case of death or incapacity
  6. Right to Grievance Redressal – File a complaint with Our Grievance Officer or the Data Protection Board of India

11.2 Rights Under GDPR (EEA)

If You are in the EEA, You also have:

  1. Right to Data Portability – Receive Your data in a structured, machine-readable format
  2. Right to Object – Object to processing based on legitimate interests or for direct marketing
  3. Right to Restrict Processing – Request restriction of processing in certain circumstances
  4. Right to Lodge a Complaint – File a complaint with Your local data protection authority

11.3 Rights Under CCPA (California)

If You are a California resident:

  1. Right to Know – Request disclosure of categories and specific pieces of personal information collected
  2. Right to Delete – Request deletion of personal information
  3. Right to Opt-Out of Sale – We do not sell personal data, so this right does not apply
  4. Right to Non-Discrimination – You will not be discriminated against for exercising Your rights

11.4 How to Exercise Your Rights

To exercise any of the above rights, contact Us at:

Email: connect@zumbido.ca
We will respond to Your request within:

  • 7 days (acknowledgment)
  • 30 days (final response under GDPR)
  • As soon as reasonably practicable (under DPDPA)

12. Data Security

We implement reasonable technical and organizational security safeguards to protect Your personal data from unauthorized access, loss, misuse, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Multi-factor authentication (MFA) for administrative access
  • Regular security audits and vulnerability assessments
  • Access controls and role-based permissions
  • Logging, monitoring, and intrusion detection systems
  • Secure backup and disaster recovery procedures

However, no system is 100% secure. While We use commercially reasonable efforts to protect Your data, We cannot guarantee absolute security.

13. Data Breach Notification

13.1 Under DPDPA (India)

In the event of a personal data breach, We will:

  • Notify the Data Protection Board of India immediately, including the nature, extent, timing, location, and likely impact of the breach
  • Provide a follow-up report within 72 hours with mitigation measures, a copy of the notice to affected individuals, and findings regarding the cause
  • Notify affected Data Principals without undue delay

13.2 Under GDPR (EEA)

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and notify affected individuals if the breach poses a high risk to their rights and freedoms.

14. Consent and Notice Requirements

14.1 Informed Consent (DPDPA)

Before processing Your personal data, We provide You with a clear and specific notice containing:

  • The personal data to be processed
  • The purpose of processing
  • How You can exercise Your data principal rights
  • How to make a complaint to the Data Protection Board of India

Your consent is obtained through a clear affirmative action (e.g., clicking “I Agree,” checking a box, or signing a form). Consent is limited to what is necessary for the specified purpose.

14.2 Retroactive Consent

If You provided consent before the DPDPA came into effect, We will provide You with an updated privacy notice as soon as reasonably practicable. You may continue to use Our Services until You withdraw consent.

14.3 Withdrawal of Consent

You may withdraw Your consent at any time by contacting privacy@zumbido.ca. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

15. Cookies and Tracking Technologies

We use cookies, pixel tags, web beacons, and similar technologies to:

  • Recognize Your device and preferences
  • Analyze website traffic and usage patterns
  • Deliver personalized content and advertisements
  • Improve Our Services

You can control cookies through Your browser settings. Disabling cookies may limit certain features of Our Services.

For detailed information, please refer to Our Cookie Policy [link].

16. Children’s Privacy

Our Services are not directed to children under 18 years of age. We do not knowingly collect personal data from children. If We become aware that We have collected data from a child without verified parental consent, We will promptly delete such data.

If You are a parent or guardian and believe Your child has provided Us with personal data, contact connect@zumbido.ca immediately.

17. Marketing Communications

With Your consent, We may send You promotional emails, newsletters, and offers. You may opt out at any time by:

  • Clicking the “Unsubscribe” link in any marketing email
  • Contacting connect@zumbido.ca
  • Updating Your communication preferences in Your account settings

Opting out of marketing communications does not affect transactional or service-related communications (e.g., order confirmations, security alerts).

18. Grievance Redressal Mechanism

18.1 Grievance Officer (India – DPDPA Compliance)

Name: Kamlesh Kumar
Email: connect@zumbido.ca
Grievances will be acknowledged within 7 days and resolved within 30 days.

18.2 Data Protection Authorities

India: Data Protection Board of India (www.dpb.gov.in)
EU/EEA: Your local supervisory authority (list available at https://edpb.europa.eu)
California: California Attorney General (oag.ca.gov)
Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

19. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in Our practices, legal requirements, or business operations. We will notify You of material changes by:

  • Posting the updated Policy on Our website with a revised “Last Updated” date
  • Sending an email notification (if You have provided Your email address)
  • Displaying a prominent notice on Our platform

Your continued use of Our Services after the effective date of the updated Policy constitutes Your acceptance of the changes.

20. Governing Law and Jurisdiction

This Privacy Policy is governed by:

  • Indian law (including DPDPA 2023, IT Act 2000, and applicable regulations) for Data Principals located in India
  • GDPR for Data Subjects in the EEA
  • CCPA for California residents
  • PIPEDA for Canadian residents
  • Ontario law and the laws of Canada for all other matters

Disputes shall be resolved in accordance with the dispute resolution provisions in Our Terms of Service.

21. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or Our data practices, please contact:

Zumbido Limited
125, Village Green Square, Scarborough, Toronto, Ontario M1S 0G3 Canada
Email: connect@zumbido.ca
DPO: dpo@zumbido.ca

22. Acknowledgment

By using Our Services, You acknowledge that You have read, understood, and agree to be bound by this Privacy Policy. If You do not agree, please discontinue use of Our Services immediately.

Document Control

Document Title Zumbido Privacy Policy
Version 1.0 (DPDPA + GDPR Compliant)
Effective Date January 1, 2026
Last Updated January 1, 2026
Prepared By Zumbido Legal & Compliance Team
Review Frequency Annually or as required by law
Jurisdiction India, EU/EEA, California, Canada