1. Introduction and Data Controller

ZOO HOLDINGS LTD ("we," "our," or "us") operates the PollyWise service, a market research platform that conducts quick polls via WhatsApp Business API and Telegram Bot with instant cryptocurrency rewards. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Data Controller: ZOO HOLDINGS LTD, a company incorporated in England and Wales, is the data controller for your personal information under UK GDPR. Our Data Protection Officer can be contacted at info@pollywise.com.

We are committed to protecting your privacy and ensuring transparency about our data practices. This policy complies with UK GDPR, EU GDPR (for EU users), and other applicable data protection laws.

2. Information We Collect

Personal Information You Provide

• Contact Information: Phone number (WhatsApp), Telegram user ID and username
• Demographics: Age, gender, and country (required for poll matching and legal compliance)
• Survey Responses: Your answers to poll questions and market research surveys
• Payment Information: Crypto wallet addresses (for example, USDC, ETH, or other supported digital assets) in order to facilitate rewards or payments
• Communication Data: Messages sent through WhatsApp Business API or Telegram Bot
• Profile Updates: Any changes you make to your demographic information

Automatically Collected Information

• Usage Data: Response times, completion rates, interaction patterns, and session data
• Technical Data: Message timestamps, delivery status, and platform information
• Service Data: Account status, preferences, service history, and payout records
• Rate Limiting Data: Message frequency and timing for abuse prevention
• Error Logs: System errors and debugging information (anonymized where possible)

Information We Do NOT Collect

• Your other WhatsApp or Telegram conversations
• Your contact lists or address books
• Location data or GPS coordinates
• Device identifiers beyond what's necessary for service delivery
• Biometric data or sensitive personal characteristics

3. Legal Basis for Processing (GDPR Compliance)

Under UK GDPR and EU GDPR, we process your personal data based on the following legal bases:

Consent (Article 6(1)(a))

• Sending poll invitations and marketing communications
• Processing survey responses for market research
• Storing and reusing crypto wallet addresses for payments

Contract (Article 6(1)(b))

• Providing our polling and rewards service
• Processing payments and managing your account
• Delivering customer support

Legitimate Interest (Article 6(1)(f))

• Fraud prevention and security monitoring
• Service improvement and analytics
• Rate limiting and abuse prevention

Legal Obligation (Article 6(1)(c))

• Tax reporting and financial compliance
• Anti-money laundering requirements
• Regulatory reporting obligations

4. How We Use Your Information

We use your information for the following purposes:

Service Delivery

• Matching you with relevant polls based on demographics
• Delivering survey questions via WhatsApp or Telegram
• Processing and storing your survey responses
• Managing your account and preferences

Payment Processing

• Sending crypto rewards to your digital wallet
• Storing and reusing crypto wallet addresses for convenience
• Processing payment confirmations and receipts
• Maintaining payout records for tax compliance

Communication and Support

• Responding to your inquiries and support requests
• Sending service updates and important notifications
• Providing onboarding and user guidance
• Processing opt-out and data deletion requests

Analytics and Improvement

• Analyzing usage patterns to improve our service
• Generating aggregated, anonymized market insights
• Monitoring system performance and reliability
• Detecting and preventing fraud or abuse

5. WhatsApp and Telegram Integration

WhatsApp Business API

Our service operates through WhatsApp Business API. Important points:

• We receive messages you send to our WhatsApp Business number
• We send poll questions and reward notifications through WhatsApp
• WhatsApp's own privacy policy applies to your use of WhatsApp
• We do not access your other WhatsApp conversations or contacts
• Messages are encrypted in transit using WhatsApp's encryption

Telegram Bot (@pollywise_bot)

Our Telegram bot provides the following functionality:

• Receives messages you send to @pollywise_bot
• Provides native contact sharing for phone number collection
• Sends poll questions and reward notifications through Telegram
• Enables crypto wallet address reuse for seamless payments
• Telegram's own privacy policy applies to your use of Telegram
• We do not access your other Telegram conversations or contacts
• Admin reset functionality available for testing purposes

Platform Security

Both platforms provide security features:

• End-to-end encryption for message transmission
• Webhook signature verification for message authenticity
• Rate limiting to prevent spam and abuse
• IP address validation for security
• You can stop receiving messages by sending "STOP" at any time

6. Information Sharing and Disclosure

We do not sell your personal information. We may share information only in these limited circumstances:

Aggregated and Anonymized Data

We may share aggregated, non-personally identifiable data with research clients for market insights. This data cannot be used to identify individual users and is processed to ensure anonymity.

Service Providers (Data Processors)

We may share data with trusted service providers who help us operate our service under strict data processing agreements:

• Meta (WhatsApp Business API): For messaging delivery and communication
• Telegram: For bot messaging and communication
• Supabase: For secure database hosting and data storage
• Vercel: For application hosting and serverless functions
• Base Network: For USDC payment processing
• Analytics Services: For service improvement (anonymized data only)

Legal Requirements

We may disclose information if required by law, court order, or to protect our rights, safety, and the safety of our users. We will notify you of such disclosures unless prohibited by law.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice and ensure the same privacy protections apply.

7. Your Rights Under GDPR

Under UK GDPR and EU GDPR, you have the following rights:

Right to Access (Article 15)

You can request a copy of your personal data we hold about you. This includes survey responses, demographic information, and payment records. We will provide this within 30 days of your request.

Right to Rectification (Article 16)

You can update your demographic information by messaging "PROFILE" to our WhatsApp number or Telegram bot, or by contacting info@pollywise.com.

Right to Erasure (Article 17)

You can request deletion of your account and personal data by:

• Contacting info@pollywise.com
• Sending "STOP" followed by "DELETE" to our service
• Requesting account deletion through our support team

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data while we resolve any disputes about accuracy or processing.

Right to Data Portability (Article 20)

You can request your data in a machine-readable format (JSON/CSV) to transfer to another service.

Right to Object (Article 21)

You can object to processing based on legitimate interests. Send "STOP" to opt out of polls and messages.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that significantly affects you. Poll matching is based on simple demographic criteria you provide.

Right to Withdraw Consent

You can withdraw consent at any time by sending "STOP" or contacting us. This will not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), which is our lead supervisory authority. If you are located in the EU/EEA, you may also complain to your local data protection authority.

8. Data Security and Protection

We implement comprehensive security measures to protect your information:

Technical Safeguards

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access and multi-factor authentication
• Database Security: Row-level security and encrypted database connections
• Network Security: Webhook signature verification and IP validation
• Rate Limiting: Protection against spam and abuse (50 messages/minute max)

Organizational Safeguards

• Regular security audits and penetration testing
• Employee training on data protection and privacy
• Data processing agreements with all service providers
• Incident response procedures and breach notification protocols
• Privacy by design principles in system development

Data Minimization

• We collect only data necessary for service provision
• Automatic deletion of inactive accounts after 2 years
• Anonymization of data used for analytics
• Regular data purging and cleanup processes

9. Data Retention and Deletion

We retain your information only as long as necessary for the purposes outlined in this policy:

Active Users

• Account Data: Retained while your account is active
• Survey Responses: Retained for service delivery and research purposes
• Payment Records: Retained for 7 years for tax compliance

Inactive Users

• Account Data: Deleted after 2 years of inactivity
• Personal Identifiers: Deleted after 2 years of inactivity
• Aggregated Data: May be retained longer for research (anonymized)

Legal Obligations

• Tax Records: Retained for 7 years as required by UK law
• Fraud Prevention: Retained as necessary for legal compliance
• Regulatory Requirements: Retained per applicable regulations

User-Requested Deletion

We delete inactive accounts after 2 years. Survey response data is retained for as long as necessary to fulfil research and analysis purposes, or until you request its deletion. You may request deletion of your personal data at any time, and we will comply unless we are legally required to retain it.

10. International Data Transfers

Data Storage and Hosting

We store your personal data with Supabase, whose servers are located in Ireland (EEA). Transfers of data between the UK and the EEA are permitted under the UK Government's adequacy regulations, which recognise the EU/EEA as providing an adequate level of protection.

International Data Transfers

If we transfer your data outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), to ensure your personal data remains protected.

Transfer Mechanisms

• UK Adequacy Decisions: Transfers to EEA countries under UK adequacy regulations
• UK IDTA: UK International Data Transfer Agreement for third-country transfers
• UK Addendum to SCCs: UK-approved addendum to Standard Contractual Clauses
• Data Processing Agreements: Binding agreements with all service providers
• Technical Safeguards: Encryption and security measures for all transfers

11. Children's Privacy

Our service has specific provisions for different age groups:

Under 16 Years

Our service is not intended for users under 16. We do not knowingly collect personal information from users under 16. If you believe we have collected information from a user under 16, please contact us immediately at info@pollywise.com.

Ages 16-17

Users between 16-17 may use the service, but parental consent may be required in some jurisdictions under GDPR. We recommend parental awareness for users in this age group.

Ages 18-100

Adult users between 18-100 years old may use the service without additional restrictions. Users over 100 years old are not eligible for our service.

12. Cookies and Tracking

Our messaging-based service operates primarily without cookies. However:

• Website Cookies: Our website may use essential cookies for functionality
• No Tracking: We do not use advertising or tracking cookies
• Analytics: Anonymous usage analytics may be collected on our website
• Bot Sessions: Temporary session data for bot functionality only

You can control cookies through your browser settings. Disabling cookies will not affect the core messaging service functionality.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

• Authority Notification: We will notify the ICO within 72 hours
• User Notification: We will notify affected users without undue delay
• Breach Details: We will provide clear information about the breach and our response
• Remedial Actions: We will take immediate steps to contain and remedy the breach
• Prevention: We will implement additional safeguards to prevent future breaches

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will:

• Notify Users: Send notifications through our service for material changes
• Website Updates: Post the updated policy on our website
• Advance Notice: Provide at least 30 days' notice for significant changes
• Consent: Obtain fresh consent for material changes to processing purposes

The "Last updated" date at the top of this policy indicates when it was last revised.

15. Contact Us and Data Protection Officer

If you have any questions about this Privacy Policy, want to exercise your rights, or have concerns about our privacy practices, please contact us:

16. Regulatory Compliance Summary

This Privacy Policy ensures compliance with:

• UK GDPR: Data Protection Act 2018 and UK General Data Protection Regulation
• EU GDPR: General Data Protection Regulation (for EU users)
• PECR: Privacy and Electronic Communications Regulations
• DPA 2018: Data Protection Act 2018
• ICO Guidelines: Information Commissioner's Office guidance and codes of practice
• Financial Regulations: Relevant cryptocurrency and payment processing regulations