zuzu.codes ("we", "us", "our") is operated by Harshit Krishna Choudhary, a sole proprietorship based in Bhagalpur, Bihar, India. As a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act), we are committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information.
Information We Collect
- Account information — email address when you sign up (via magic link, no passwords stored)
- Learning data — progress, code submissions, quiz responses, streak activity
- Payment metadata — transaction IDs and plan details via PayPal (we do not store credit card or PayPal account details)
- Device information — browser type, operating system, and screen size (collected automatically)
- Usage analytics — page views, feature usage, and interaction patterns (via PostHog)
Legal Basis for Processing
GDPR / UK GDPR
| Purpose | Legal basis |
|---|---|
| Account creation & authentication | Contract performance |
| Learning progress & streaks | Contract performance |
| Payment processing | Contract performance |
| Transactional emails (magic links, receipts) | Contract performance |
| Product analytics & improvement | Legitimate interest |
| Abuse prevention | Legitimate interest |
You may object to processing based on legitimate interest at any time by contacting us.
India DPDP Act 2023
We process your personal data based on your consent provided at the time of account creation. You may withdraw consent at any time by deleting your account (Settings → Delete Account) or by emailing us.
How We Use Your Data
- To provide and operate the learning platform
- To track your progress, streaks, and XP
- To process subscriptions and payments
- To send transactional emails (magic links, receipts)
- To improve the platform based on aggregated, anonymized usage patterns
- To detect and prevent abuse of the code execution service
We do not send marketing emails unless you explicitly opt in. All transactional emails comply with CAN-SPAM requirements and include an unsubscribe mechanism where applicable.
Third-Party Services
We use the following third-party services to operate zuzu.codes:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Authentication & database | Email, user ID, learning data | US (AWS) |
| PayPal | Payment processing | Email, transaction details | US |
| PostHog | Product analytics | Anonymized usage events | US |
| Vercel | Frontend hosting & CDN | IP address, request logs | Global (US origin) |
| Railway | API & executor hosting | Request logs, code submissions (sandboxed) | US |
| Cloudflare | DNS & DDoS protection | IP address, request metadata | Global |
| Resend | Transactional email delivery | Email address, email content | US |
We do not sell, rent, or trade your personal data to third parties.
International Data Transfers
Your data is processed and stored in the United States through our service providers. For users in the EU/EEA, UK, and India, these transfers rely on:
- Standard Contractual Clauses (SCCs) adopted by our service providers
- Adequacy decisions where applicable
- Your consent at the time of account creation
By using zuzu.codes, you consent to your data being transferred to and processed in the United States.
Cookies
- Authentication cookie — session token to keep you signed in (essential, strictly necessary)
- Analytics cookie — PostHog anonymous identifier for usage analytics (functional)
We do not use advertising, tracking, or third-party marketing cookies. EU/UK users: essential cookies do not require consent under ePrivacy/PECR. The analytics cookie is anonymized; you may block it via your browser settings or an ad-blocker.
Data Retention
- Your data is retained as long as your account is active
- Upon account deletion, your profile and submission data are permanently removed within 30 days
- Anonymized, aggregated analytics data may be retained indefinitely
- Payment records are retained as required by Indian tax law (minimum 7 years)
Your Rights
All Users
- Access your personal data (available in Settings)
- Delete your account and all associated data (Settings → Delete Account)
- Export your data upon request by emailing us
India (DPDP Act 2023)
- Right to access information about your personal data being processed
- Right to correction & erasure — correct inaccuracies or delete your data
- Right to grievance redressal — file a complaint with our Grievance Officer
- Right to nominate — nominate another person to exercise your rights in case of death or incapacity
EU/EEA Users (GDPR)
In addition to the above, you have the right to:
- Rectification — correct inaccurate personal data
- Restriction — restrict processing of your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
- Lodge a complaint with your local Data Protection Authority
California Users (CCPA/CPRA)
- Right to know what personal data we collect and how it is used
- Right to delete your personal data
- Right to opt out of the sale of personal data — we do not sell your personal data
- Non-discrimination — we will not discriminate against you for exercising your rights
UK Users (UK GDPR)
You have the same rights as EU users listed above. You may lodge a complaint with the Information Commissioner's Office (ICO).
To exercise any of these rights, email hello@zuzu.codes. We respond within 30 days.
Artificial Intelligence & Your Data
zuzu.codes may incorporate AI-powered features to enhance learning. Regarding your data and AI:
- No training on user data — Your code submissions, quiz responses, and learning data are not used to train or fine-tune AI/LLM models unless you explicitly opt in
- Third-party AI providers — If AI features use third-party models (e.g., OpenAI, Anthropic), only the minimum necessary data is sent, and we ensure providers do not retain or train on your data per their enterprise data processing agreements
- AI-generated content — Any AI-generated content on the platform is clearly labeled per EU AI Act transparency requirements
- Opt-out — You may opt out of AI-powered features where available without affecting core platform functionality
This section will be updated as AI features are introduced.
Do Not Sell My Personal Information
We do not sell your personal information. We do not share personal data with third parties for their own marketing purposes.
Data Security
- All connections are encrypted via TLS
- Database enforces Row Level Security (RLS) — users can only access their own data
- Data is encrypted at rest in Supabase's managed PostgreSQL
- Code execution runs in isolated sandboxed containers
- DNS and edge traffic are protected by Cloudflare
Children's Privacy
We do not knowingly collect personal data from children under 13 (or under 16 in the EU/EEA). If you believe a child has created an account, please contact us and we will promptly delete it.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the platform at least 14 days before they take effect.
Grievance Officer
In accordance with the DPDP Act 2023, IT Act 2000, and Consumer Protection Act 2019:
- Name: Harshit Krishna Choudhary
- Email: harshit.krishna.choudhary@gmail.com
- Phone: +91 9123489436
- Address: Nawab Colony Road, Tilka Manjhi, Bhagalpur, Bihar, India — 812001
Grievances are acknowledged within 24 hours and resolved within 30 days.
Contact
For operational queries about this policy, email hello@zuzu.codes.