Privacy Policy — ZUD Passenger

Zud Technology is the company that owns and operates the ZUD Passenger app and the Zud platform. Zud Technology is the data controller responsible for personal data processed through the App.

For the purpose of this policy, our contact details are:

This policy applies to the ZUD Passenger app on Android and iOS, and to any features within it, including:

• Booking, taking, and paying for rides offered through the Zud network of drivers;
• Real-time trip tracking and route navigation;
• The School Bus Parent feature, which lets parents register children and follow school bus pickups; and
• Customer support, communications, and account management.

It does not cover services provided by independent third parties (for example, the payment processor or Google Maps), each of which has its own privacy policy. Where we use such services we explain what they do and link to their policies in Section 7.

We collect only the information we need to provide the App and the trips you book through it. We group it into three categories: information you provide directly, information generated by your use of the App, and information collected automatically by the App and its components.

3.1 Information you give us

• Phone number — required to create your account; we send a one-time password (OTP) by SMS to verify it.
• First name and last name — required so drivers know whom to pick up and so receipts can be issued.
• Email address — optional; used to send receipts or account communications if you provide it.
• Home address — optional; saved so you can quickly select it as a pickup or drop-off point.
• Profile photo — optional; helps drivers identify you. You can choose an image from your photo library or take a new one with the camera.
• Payment details — if you choose to pay by card, you enter the cardholder name, card number, expiry date, and CVV when adding the card. These card details are transmitted to and processed by our payment processor; Zud does not store full card numbers or CVVs on our servers.
• School Bus child profile— if you use the School Bus Parent feature, you may add your child’s name, age, salutation, designated bus stop, and an optional avatar photo.
• Communications — messages you send to our support team, ratings, and feedback you submit about a trip.

3.2 Information generated by using the Services

• Trip data — origin, destination, route taken, time, distance, fare, payment method, and the driver assigned to the trip.
• Precise device location (Android ACCESS_FINE_LOCATION, iOS “While Using” location) — collected only while you are actively using the App for a trip, in order to match you with nearby drivers, calculate routes, show real-time progress on the map, and produce an accurate fare and receipt.
• Approximate device location (Android ACCESS_COARSE_LOCATION) — used for the same purposes when precise location is unavailable.
• Push notification token — an identifier issued by Apple or Google so we can send you trip-related notifications (driver arrival, trip status, school bus updates).

3.3 Information collected automatically

• Device and technical information — device model, operating system and version, app version, language, time zone, and device-level identifiers used by Firebase and the operating system.
• Crash and diagnostic data — if enabled, anonymous crash reports and performance metrics that help us find and fix bugs.
• Install / uninstall and session events — basic events such as opening the app or completing a trip, used in aggregate to understand reliability.

We do not intentionally collect special categories of data such as health data, biometric data, religious beliefs, or political opinions.

The table below maps each category of personal data to the specific purposes we use it for.

We do not sell your personal data and we do not use it to display third-party advertising inside the App.

Where data protection law (such as the EU GDPR or other comparable frameworks) requires us to identify a legal basis, we rely on the following:

• Performance of a contract — we need to process certain data (phone number, name, location during a trip, trip history, payment information) to provide the ride-hailing service you requested through the App.
• Consent — for optional information such as your profile photo, email, home address, and child profile; for sending push notifications; and for using your precise location while the App is in use. You can withdraw consent at any time by deleting that information from your profile or by changing the relevant permission in your device settings.
• Legitimate interests — for keeping the App secure, preventing fraud, debugging, and improving the Service, where this is balanced against your privacy.
• Legal obligation — where we are required to retain certain trip or financial records, or to respond to lawful requests from competent authorities in Tajikistan or other relevant jurisdictions.

We share personal data only when it is needed to operate the Service, when you direct us to, or when we are required to do so by law. The main recipients are:

• Drivers matched with your trip. While a trip is being matched and during the trip itself, the driver assigned to you sees your first name, your phone number (so they can call or message you about the trip), your pickup and drop-off points, and your live location on the map. After the trip ends, this access is removed.
• You see the driver.During an active trip you see the driver’s first name, the vehicle details, and the driver’s real-time location on the map, so you can find each other and follow progress.
• Payment processor. When you pay by card, your card details are shared directly with our payment processor, Alif Bank, which is responsible for securely storing and processing the card information through its acquiring platform. You can read Alif Bank’s privacy practices on their website: alif.tj.
• Service providers acting on our behalf. We use a small number of trusted vendors that help us run the App, including Firebase by Google for authentication and push notifications, and Google Maps Platform for maps and routing. These vendors only receive the data they need and are bound by their own privacy and security obligations. See Section 7 for the full list.
• Legal and safety reasons. We may disclose personal data to courts, regulators, or law-enforcement authorities where we are legally required to do so, to enforce our terms, to investigate fraud or abuse, or to protect the rights, safety, or property of users, drivers, the public, or Zud Technology.
• Business transfers. If Zud Technology is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the new entity, subject to the same protections described in this policy.

The App relies on the following third-party services. Each provider has its own privacy policy that explains how it handles data it receives.

On Android and iOS the App asks for the following permissions. You can grant or revoke any of them at any time in your device’s system settings.

• Location (precise + approximate) — required during an active trip so drivers can find you, the App can show real-time tracking, and we can calculate the correct fare. We do not collect background location after a trip is over.
• Internet — required for the App to communicate with our servers and with Google Maps. This is a normal Android permission that does not need explicit user approval.
• Photo library and camera— only used when you tap to add or change a profile photo, or a child’s avatar in the School Bus feature. The App uses the system Photo Picker where available, so it does not need broad access to your photo library.
• Push notifications — used to send you trip-related and school-bus-related updates. You can disable these in your device settings.

We keep personal data only as long as we need it for the purposes set out in this policy and as required by law.

• Account information (phone number, name, optional profile fields) — while your account is active.
• Trip history — for as long as your account is active and for a reasonable period afterwards (typically up to several years) to comply with tax, accounting, and dispute-resolution obligations.
• Payment metadata (transaction reference, amount, time) — retained for the period required by applicable financial-records law. Full card numbers and CVVs are not stored by Zud.
• Location data tied to a specific trip — retained as part of the trip record. Live location ceases to be collected when the trip ends.
• Crash and diagnostic data — retained for a limited period sufficient to investigate the issue, then aggregated or deleted.
• School Bus child profiles — retained while the parent maintains the profile and uses the feature; deleted when the parent removes the profile or closes the account.

When you delete your account, we delete or anonymise data we no longer need, except where the law requires us to keep it longer (for example, financial or fraud-prevention records).

We use a combination of technical and organisational measures to protect your data, including:

• Encryption of data in transit using HTTPS / TLS between the App, our servers, and our service providers.
• Restricted access to backend systems, granted on a need-to-know basis to authorised personnel.
• Authentication, audit logging, and monitoring of administrative access.
• Use of established providers (Firebase, Google Maps, AWS) that maintain industry-standard security practices.
• Regular software updates and dependency monitoring to address known vulnerabilities.

No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If we ever become aware of a data breach that affects you, we will notify you and the relevant authorities as required by law.

Zud Technology operates primarily in Tajikistan, but some of our service providers (such as Firebase by Google, Google Maps Platform, and AWS) process data in data centres located in other countries, including in the European Union and the United States. This means your personal data may be transferred to, stored in, or processed in countries with data-protection laws different from those in Tajikistan.

Where such transfers happen, we rely on the safeguards offered by those providers, including their own contractual commitments and, where applicable, standard contractual clauses or comparable legal mechanisms. By using the App, you understand that your data may be processed in those locations.

Depending on the laws that apply to you, you may have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct information that is inaccurate or incomplete. You can edit most of your profile fields directly inside the App.
• Deletion — ask us to delete your account and associated personal data. See Section 13 for how to do this.
• Portability — request a copy of certain personal data in a machine-readable format.
• Objection / restriction — object to or restrict certain processing where the law allows.
• Withdraw consent — where we rely on consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Opt out of marketing — we currently do not send marketing emails or SMS as a routine matter, but if we ever do, every message will include an opt-out link or instruction.
• Complaint to a supervisory authority — if you believe we have not handled your data properly, you may complain to the data-protection authority in your country.

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity, for example by confirming your phone number, before we act on a request. We will respond within the time required by applicable law (in most cases, within 30 days).

You can delete your account and associated personal data in either of the following ways:

1. Open the App, go to Profile → Account → Delete account and follow the on-screen confirmation, where this option is available; or
2. Send an email from the address linked to your account (or quoting the phone number used for sign-up) to [email protected] with the subject “Delete my account”.

Once we verify your request, we will delete your account and remove or anonymise the personal data linked to it, except for information we are legally required to retain (for example, financial records, fraud-prevention logs, or trip records that law-enforcement authorities have asked us to keep). Records we are required to retain are kept securely and used only for those legal purposes.

ZUD Passenger is intended for adults (in most jurisdictions, persons aged 18 or over, or who have reached the age at which they can enter into a contract). The App is not directed at children under 13, and we do not knowingly create accounts for children under that age.

The School Bus Parentfeature is offered to parents and legal guardians, not to children. The account holder is the parent. When a parent uses this feature, they may add limited information about their own child — the child’s name, age, salutation, designated bus stop, and an optional avatar photo — so that the parent can be notified about the school bus.

The parent is responsible for the information they enter about a child and for telling Zud if any of that information becomes inaccurate or should be removed. A parent can remove a child profile at any time inside the App. If you believe we have collected personal data about a child without proper authorisation, please contact us at [email protected] and we will take appropriate action.

ZUD Passenger is a mobile app and does not use traditional browser cookies. The App uses on-device storage and identifiers strictly to keep you signed in, remember your preferences, and operate features such as push notifications and crash reporting. Some of our third-party SDKs (such as Firebase) may use device identifiers as described in their own privacy policies; see Section 7.

If you visit our website at https://zud.app, that site may use a small number of essential cookies for basic functionality. If we ever use analytics or marketing cookies on the website, we will display a separate cookie notice and ask for your consent where required.

We may update this policy from time to time, for example to reflect changes in the App, in our service providers, or in the law. The version published at https://zud.app/tg/privacy-policy is always the current one, and the “Last updated” date at the top tells you when it last changed.

For significant changes, we will give you reasonable notice before they take effect — for example, by an in-app message or by sending you a notification. Your continued use of the App after the changes take effect means that you accept the updated policy.

If you have questions about this policy, want to exercise any of your rights, or wish to raise a privacy concern, please contact us:

We aim to respond to every privacy enquiry as quickly as possible and within the period required by applicable law.