# ZevGuard Privacy Policy

Effective date: May 3, 2026

Status: publication draft for review. Do not publish until the publisher identity, provider list, retention periods and applicable legal requirements are verified.

## 1. Controller and contact

ZevGuard is an Android security app providing antivirus/security checks, app reputation, Web Shield, Scam/Fraud Shield, Install Guard, Behavior Monitor and related features.

Controller/publisher: TODO_ADD_LEGAL_PUBLISHER_NAME

Address/country: TODO_ADD_PUBLISHER_DETAILS

Privacy and support email: zevqunofficial@gmail.com

## 2. Data we may process

We process data needed to provide security, accounts, payments, support and security engine improvement.

- Account data: email, account UID, sign-in provider and session status.
- Device data: device model, Android version, permission status, security posture and protection settings.
- App security data: package name or package hash, app name if available, version, installer, signer certificate SHA-256, local reputation, risk score, confidence and technical evidence.
- Web Shield data: normalized domain, SHA-256 URL hash, redirect chain when needed, verdict and reasons.
- Scan data: scan sessions, results, threat events, app/signer/domain/url reputation, false positive reports and trusted package/signer choices.
- Subscription data: plan, entitlement status, product ID, base plan and purchase token sent to the backend only for verification with the payment provider.
- AI data: user prompts, replies and minimum technical context needed to provide security assistance.
- Support data: email, bug description and attachments voluntarily sent by the user.

## 3. Why we use data

We use data to:

- run local scans and show clear verdicts;
- detect app, permission, network, URL, domain and device configuration risks;
- reduce false positives through reputation and feedback;
- sync reputation snapshots and threat-intelligence updates;
- manage login, registration, account recovery and sessions;
- verify subscriptions, Family/Business plans, extra seats and donations;
- send security notifications when enabled;
- provide Vyra AI replies and short AI-generated notifications;
- handle support requests and bug reports.

## 4. Optional cloud reputation learning

Cloud reputation learning is optional and must remain opt-in. If disabled, ZevGuard does not upload scan signals for global learning.

When enabled, ZevGuard should upload only minimized signals such as package hash, signer SHA-256, normalized domain, SHA-256 URL hash, local verdict, confidence, risk score, false positive correction, trusted package/signer feedback, engine version and timestamp.

We do not upload the full installed-app list in plain text unless necessary. We do not upload full URLs when a hash or canonical form is enough. We do not sell personal data.

## 5. Android permissions

Some features require sensitive Android permissions or access, such as VPN, notifications, usage access, accessibility, contacts or security settings. ZevGuard must explain why the permission is needed. If a permission is denied, some protections may be unavailable or limited.

## 6. AI and automated results

Vyra AI can help explain risks and actions. Replies may be incomplete, inaccurate or wrong. Automated verdicts and suggestions are not a guarantee and do not replace professional assistance.

## 7. Sharing with providers

ZevGuard may use technical providers:

- Google/Firebase for authentication, backend, notifications or cloud features;
- Google Play Billing for purchases, subscriptions and plan management;
- Cloudflare or another ZevGuard backend for threat intelligence and reputation;
- OpenRouter or another AI provider if configured;
- email providers for support and account recovery.

TODO: replace this list with final providers, processing countries, roles and privacy links.

## 8. Retention

Data is kept only for as long as needed for the purposes described above.

Initial proposal to confirm:

- account data: while the account is active or as needed for technical/legal obligations;
- account recovery codes: short-lived and deleted after use/expiry;
- local scan data: on device until the user keeps the app or deletes it;
- aggregated cloud reputation: up to 24 months unless reconfirmed or needed for security;
- bug reports/support: up to 24 months unless the request remains open;
- billing data: according to provider, tax and accounting requirements.

## 9. User rights

Users may request access, correction, deletion, restriction or portability where applicable law provides those rights.

Privacy and deletion requests: zevqunofficial@gmail.com.

Account deletion page: ACCOUNT_DELETION_EN.md.

## 10. Security

ZevGuard uses technical measures to protect data and tokens, including Android Keystore/encrypted storage where applicable, HTTPS and integrity checks. No system is 100% secure.

## 11. Children

ZevGuard is not intended for children without parent/guardian consent or supervision. TODO: define age threshold by distribution countries.

## 12. Changes

This policy may change. The updated version should be available in the app and store listing.