Zado ← Home

Privacy Policy

Effective: June 15, 2026 · Last updated: June 15, 2026

1. Who we are

Zado is a mobile messaging app with real-time translation and live call captions, operated by Sefa Tanış ("Zado", "we", "us"). This policy explains what data Zado processes, why, and the choices you have. Questions: support@zadomessenger.com.

2. Information we collect

2.1 Information you provide

Phone number — in E.164 format, verified by SMS one-time code (via Twilio). Used as your account identifier.
Profile — display name, username, and (optionally) a profile photo and short "about" text.
Messages & content — text, photos, videos, documents, voice messages, and shared locations you send. Group names and membership.
Location — only when you choose to share a location in a chat or use location-based features. Zado does not track your location in the background.
Friends & contacts you add in-app — the social connections you create inside Zado (we do not upload your phone's address book).

2.2 Information collected automatically

Device & session info — device model, OS version, app version, and linked-device sessions (for multi-device and security).
Push tokens — Firebase Cloud Messaging (Android) and Apple Push / VoIP tokens (iOS), to deliver messages and calls.
Presence — online status and last-seen time (you can hide this in settings).
Diagnostics — crash reports and basic performance/analytics data (Firebase Crashlytics, Performance, Analytics).

3. How we use your information

To provide core messaging, calling, groups, friends, presence, and media delivery.
To verify your phone number and secure your account (rate limiting, abuse prevention).
To power optional features you turn on — translation, live captions, voice-message transcription.
To send notifications about messages and calls.
To diagnose crashes and improve reliability.
To comply with legal obligations.

4. Service providers we share data with

Zado uses the following processors strictly to provide the features you use. They process data on our behalf and are not permitted to use it for their own purposes.

Provider	Purpose	Data involved
Google Firebase	Authentication, database, storage, push, crash/analytics	Account, messages in transit, tokens, diagnostics
Twilio	SMS one-time-code verification	Phone number
Agora	Voice & video calls	Real-time audio/video streams
Google Cloud Speech-to-Text	Live call captions (speech recognition)	Call audio (only while captions are on)
OpenAI	Message translation, transcription	Message text / audio you choose to translate or transcribe
ElevenLabs, Cartesia	Voice-message text-to-speech	Text/voice for the voice features you use

We may also disclose information to comply with the law, enforce our terms, or in connection with a merger or acquisition (with notice where required). We do not sell your personal information.

About translation & live captions. These are optional features that are on by default but can be turned off at any time. When active, the relevant message text or call audio is sent to the translation/speech providers above to produce the translation or caption. If you turn them off, that content is not sent for those purposes.

5. Encryption & security

In transit: all traffic is encrypted with HTTPS/TLS.
Cloud backups: when you back up your chats to the cloud, the backup is stored on our storage provider (Google Firebase Storage), encrypted at rest by the provider, and access-controlled so that only your authenticated account can retrieve it. Cloud backups are not end-to-end encrypted.
Server access: protected by strict database security rules; sign-in is rate-limited to prevent abuse.

Zado does not currently use end-to-end encryption. Messages are encrypted in transit and are deleted from our servers after delivery (see retention below); message translation and live captions, when enabled, are processed by the providers listed in section 4.

6. Data retention

Messages: deleted from our servers after delivery; they then live only on your devices.
One-time codes: valid ~10 minutes, then deleted.
Profile & account data: kept until you delete your account.
Push tokens: kept until you sign out or the token is invalidated.
Crash logs: ~90 days. Analytics: up to 14 months.

7. Your rights & choices

Access & correction of your profile data, in-app or by request.
Account deletion — delete your account and associated data from within the app (Settings) or by contacting us.
Presence — hide your online/last-seen status.
Notifications — control or disable push notifications.
Translation/captions — turn these features off at any time.
Block & report — block users and report abuse.

8. Children

Zado is not intended for children under 13 (or the minimum digital-consent age in your country, which is 16 in some regions). We do not knowingly collect data from children below that age.

9. International transfers

Your data may be processed on servers outside your country (for example, Google Cloud infrastructure in the United States and other regions). Where required, we rely on appropriate safeguards for these transfers.

10. No advertising & no tracking

Zado does not show ads, does not use advertising identifiers, and does not use cross-app tracking.

11. Regional rights (GDPR / KVKK / CCPA)

EEA/UK (GDPR) & Türkiye (KVKK): we process your data to perform our contract with you (providing the service), on the basis of your consent for optional features, and for our legitimate interests (security, reliability). You may access, correct, delete, or port your data, and lodge a complaint with your local authority.

California (CCPA): you may request to know, delete, or correct your personal information, and we do not sell it. Exercise these rights at support@zadomessenger.com.

12. Changes

We may update this policy. Material changes will be announced in the app or by other means. Continued use after an update constitutes acceptance.

13. Contact

Privacy questions or requests: support@zadomessenger.com.