Privacy Policy

This Privacy Policy (“Policy”) describes how Zora Technologies LLC(“Zora,” “we,” “our,” or “us”) collects, uses, shares, and protects information about you when you use the Zora mobile application, visit zoraworld.com (the “Site”), or otherwise interact with our on-demand mobile car-wash service (collectively, the “Service”).

Zora is a California limited liability company headquartered at 33476 Alvarado Niles Rd Ste 7, Union City, CA 94587. We operate from the United States and currently provide the Service to customers in designated U.S. service areas.

By using the Service, you agree to the practices described in this Policy.

This Policy applies to information we collect:

• Through the Zora mobile application on iOS and Android
• On zoraworld.com and any subdomains
• In communications between you and Zora (email, in-app messaging, phone)
• From third-party services we use to provide the Service (such as Stripe for payments and Apple for sign-in)

It does not apply to third-party websites or applications you may reach through links from the Service. Their privacy practices are governed by their own policies.

By creating an account, booking a service, joining our waitlist, or otherwise using the Service, you accept this Policy. If you do not agree, do not use the Service.

3.1 Information You Provide Directly

Account information: When you create an account, we collect your email address and, if you choose, your phone number. We store a hashed (not readable) version of your password via our authentication provider. If you sign in with Apple, we receive a unique identifier from Apple and, only if you choose to share it, your name and email (which may be a private relay address).

Profile information: Your display name and contact preferences.

Saved addresses:Street address, latitude/longitude, and label (e.g., “Home,” “Work”) for locations where you want service.

Vehicle information: Make, model, year, color, license plate, and optionally VIN. If you provide a license plate, we may send it to a third-party plate-recognition service (see Section 5) to look up the corresponding make and model.

Booking information: Service date and time, service type, special instructions, parking-location details, and any notes you provide.

Payment information: When you save a payment method, the actual card data is collected and stored by Stripe, our payment processor. We never see or store your full card number or CVV. We receive only a token, the card brand, and the last four digits.

Communications: Messages you send to support@zoraworld.com, contact@zoraworld.com, or through any in-app contact mechanism.

3.2 Information Collected Automatically

Device information: Device type, operating system version, app version, language settings, time zone, and IP address.

Location information:With your permission, the Zora mobile app accesses your device’s location to (a) pre-fill your address during booking, (b) confirm you are within our service zones, and (c) for technicians, navigate to job sites. We request foreground location access only — we do not track your location in the background. You can revoke location permission at any time in your device settings.

Usage information: Screens viewed, features used, booking flow events, and performance data needed to operate the app. We currently do not use third-party analytics or telemetry SDKs.

Authentication logs: Sign-in timestamps and IP addresses (managed by our auth provider for security purposes).

3.3 Information from Third Parties

Apple Sign-In: If you sign in with Apple, Apple provides us with a unique identifier and, if you allow it, your name and email (which may be a private relay address).

Google Sign-In:If you sign in with Google, Google provides us with a unique identifier, your name, your email address, and (if available) your Google profile picture. Google’s use of your information when you authenticate is governed by the Google Privacy Policy.

Plate Recognizer: When you submit a license plate, the plate text is sent to Plate Recognizer to identify the corresponding vehicle make/model. We do not share your name, account, or location with Plate Recognizer.

NHTSA Vehicle API: A public U.S. government API used to decode VINs into vehicle specifications. No personal data is shared.

We use the information described above to:

• Create and maintain your account
• Schedule, dispatch, and complete car-wash services you book
• Route technicians to your address
• Process payments, refunds, and disputes through Stripe
• Generate before/after photos of the service (see Section 6)
• Communicate with you about your booking, account, or support requests
• Send service-related notifications (booking confirmations, ETA, completion)
• Show promotional content within the app and on our social media channels
• Send promotional or marketing emails only if you opt in— you can opt out at any time
• Operate, secure, debug, and improve the Service
• Detect and prevent fraud, abuse, and unauthorized access
• Comply with legal obligations and enforce our Terms of Service

We do not sell your personal information. We do not share your personal information with third parties for their own marketing.

5.1 Service Providers

We share information with companies that help us operate the Service. Each is bound by contractual confidentiality obligations and may use the information only to provide services to Zora.

• Supabase, Inc.— database, authentication, file storage. Receives all account and booking data.
• Stripe, Inc.— payment processing. Receives payment method, billing details, and charge amounts.
• Apple Inc.— Apple Sign-In authentication tokens.
• Google LLC (Sign-In)— Google Sign-In authentication tokens. Receives the authentication request and returns your unique identifier, name, email, and profile picture (if shared).
• Google LLC (Maps)— address geocoding and map display. Receives address text and approximate coordinates.
• Plate Recognizer— license plate to vehicle decoding. Receives license plate text only.
• Vercel, Inc.— marketing website hosting. Receives page-view data and IP addresses.
• Expo / EAS— mobile app build and over-the-air updates. Receives app version metadata.
• GoDaddy / Microsoft 365— email delivery. Receives email address and message content.

5.2 Zora Technicians

Zora technicians use company-issued devices. When a technician is assigned to your booking, the technician’s app shows:

• Your name (or display name)
• Service address and lat/long
• Vehicle make, model, color, and license plate
• Scheduled time window and service type
• Any special instructions you provided
• Your phone number, used only to contact you about the active booking (for example, if the technician has arrived but cannot reach you at the service location or needs to confirm parking access)

Technicians do not see your email address or payment information. Technicians are instructed to use your phone number only for service-related contact during an active booking and are prohibited from contacting you for any other purpose.

5.3 Legal and Safety Disclosures

We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, subpoena, court order, or other legal process, (b) respond to lawful requests from public authorities (including for national security or law enforcement), (c) protect the rights, property, or safety of Zora, our customers, technicians, or the public, or (d) investigate and prevent fraud or unauthorized activity.

5.4 Business Transfers

If Zora is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share information for any other purpose with your explicit consent.

To document service quality, Zora technicians take before-and-after photos of your vehicle during each wash. These photos may incidentally capture your license plate, your driveway or parking spot, and other vehicles or property near your vehicle.

We use these photos to:

• Provide you proof of completed work (visible in your booking history)
• Resolve disputes about service quality
• Train our technicians and improve service standards
• Address any insurance, damage, or liability claims

Photos are stored in our cloud storage provider (Supabase Storage) with access restricted via signed URLs and role-based access controls to you, the assigned technician, and Zora staff who need access for the purposes above. Photos are retained for two (2) years unless a longer retention is required for legal or dispute resolution.

You may request deletion of photos from a completed booking by emailing privacy@zoraworld.com, subject to our right to retain photos needed for legal, accounting, or dispute-resolution purposes.

The Zora mobile app requests foreground location access only. We use location to (a) pre-fill your address during booking, (b) confirm you are within a serviceable zone, and (c) for technicians, navigate to and verify arrival at job sites.

We do not collect background location data, track you over time, or share your live location with anyone other than the assigned technician during an active booking.

You can revoke location permission at any time in your device’s Settings. If you do, you can still use the Service by typing your address manually.

The Zora marketing site (zoraworld.com) uses cookies and similar technologies for remembering your theme preference, session management, and security. We do not currently use third-party analytics or advertising cookies. The mobile app uses local device storage for session tokens and offline functionality.

Do Not Track. Because there is no industry standard for honoring DNT signals, the Site does not currently respond to them.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights:

• Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to access specific pieces of personal information we have about you.
• Right to delete personal information we have collected from you (subject to exceptions for legal, security, or dispute-resolution purposes).
• Right to correct inaccurate personal information.
• Right to opt out of “sale” or “sharing” of your personal information. Zora does not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information— Zora does not use sensitive personal information except as necessary to provide the Service.
• Right to non-discrimination for exercising these rights.

Categories of personal information collected in the past 12 months

• Identifiers: name, email, phone, IP address, device ID
• Customer records: saved addresses, vehicle info, payment method token
• Commercial information: booking history, transaction history
• Internet/network activity: app usage, page views
• Geolocation: approximate and (with permission) precise location
• Audio/visual: before/after vehicle photos
• Inferences: service preferences

We have not sold or shared personal information for cross-context behavioral advertising in the past 12 months.

Submitting a request

Email privacy@zoraworld.com with “California Privacy Request” in the subject. We will verify your identity by confirming the email on file and respond within 45 days as required by law. You may also use an authorized agent (with written permission).

Shine the Light (Cal. Civ. Code § 1798.83)

California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. Zora does not share personal information with third parties for their own direct marketing.

The Service is not directed to children under 13 years of age, and our sign-up process includes an age confirmation. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it promptly. If you believe a child under 13 has provided information to us, contact privacy@zoraworld.com.

We retain personal information for as long as your account is active and for as long as needed to provide the Service. After account deletion or prolonged inactivity:

• Account profile (email, name, phone): deleted within 30 days of account deletion request
• Saved addresses: deleted with account
• Booking history: retained for 7 years (tax and dispute purposes)
• Payment records (via Stripe): retained per Stripe and IRS requirements
• Photos: 2 years
• Marketing email list: until you unsubscribe
• Authentication logs: 90 days

Aggregated or de-identified data may be retained indefinitely.

You may delete your account at any time by:

1. Opening the Zora mobile app → Settings → Account → Delete Account, or
2. Emailing privacy@zoraworld.com with “Account Deletion Request” from the email associated with your account.

After verification, we will delete your account within 30 days, except for information we are required to retain for legal, tax, accounting, or dispute-resolution purposes.

We use industry-standard measures to protect your information, including TLS/HTTPS encryption for all data in transit, encryption at rest for our database and file storage, role-based access controls (Supabase Row-Level Security), tokenization of payment data via Stripe (we never store full card numbers), and regular security audits of our codebase.

No system is 100% secure. We cannot guarantee absolute security and cannot be held liable for unauthorized access despite our reasonable safeguards.

If we become aware of a data breach affecting your information, we will notify you and applicable regulators as required by law (including California Civil Code § 1798.82).

The Service is offered only to users located in the United States. Our service providers store information primarily in the United States.

If you access the Service from outside the U.S., you consent to your information being transferred to and processed in the United States, which may have data-protection laws that differ from those of your home country.

Apple Sign-In

If you use Apple Sign-In, Apple may provide you with a private relay email address (...@privaterelay.appleid.com). Emails we send to that address are routed to your real email through Apple. If you later disable email relay or revoke the connection, we may lose the ability to contact you.

You can revoke Zora’s access to your Apple ID at any time via Settings → Apple ID → Sign in with Apple → Zora.

Google Sign-In

If you use Google Sign-In, Google provides us with a unique identifier, your name, your email address, and (if available) your Google profile picture. We use this information solely to create and authenticate your Zora account. Google’s handling of your information during sign-in is governed by the Google Privacy Policy.

You can revoke Zora’s access to your Google Account at any time by visiting myaccount.google.com/permissions and removing Zora from your connected apps. Revoking access does not delete your Zora account — to delete your account, see Section 12.

We may send marketing emails (such as service updates, promotions, or newsletters) only to users who opt in. We also share promotional content through in-app placements and Zora’s social media channels; viewing those does not require opting in.

You can unsubscribe from marketing emails at any time using the link in any marketing email or by emailing privacy@zoraworld.com. Unsubscribing does not affect transactional emails (booking confirmations, receipts, security alerts).

We comply with the CAN-SPAM Act.

We may update this Policy from time to time. When we make changes, we will update the “Last Updated” date at the top. If changes are material, we will provide additional notice — by email to registered users, by in-app notification, or by a prominent notice on zoraworld.com — at least 30 days before the changes take effect.

We encourage you to review this Policy periodically.

For questions, concerns, or requests regarding this Policy or your personal information:

For California residents: privacy@zoraworld.com (subject: “California Privacy Request”)

For account deletion: privacy@zoraworld.com (subject: “Account Deletion Request”)