Privacy Policy
Last Updated: February 25, 2026
Zemio Labs Ltd ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Ohh ("App"), a product of Zemio Labs Ltd, including our website (ohh.world) and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must not use the Service.
Zemio Labs Ltd is registered in England and Wales. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, and other applicable data protection laws including the California Consumer Privacy Act (CCPA) for users in California.
1. Data Controller
Zemio Labs Ltd is the data controller responsible for your personal data processed through Ohh.
Contact Details:
Product: Ohh
Company: Zemio Labs Ltd
Email: support@ohh.world
Website: https://ohh.world
2. Information We Collect
2.1 Information You Provide
Account Information:
- Display name
- Username/handle (your unique ohh code)
- Profile information you choose to provide
- Avatar/profile picture (if uploaded)
User Content:
- Responses to conversation cards (Sparks and Circles)
- Messages and answers sent through the Service
- Content shared with connections
Communications:
- Messages you send to us via email or in-app support
- Feedback, surveys, or suggestions you voluntarily provide
2.2 Information Collected Automatically
Device Information:
- Device identifier (for authentication)
- Device type and model
- Operating system version
- App version
- Language and locale settings
Usage Information:
- Features used and actions taken
- Time and date of access
- Session duration
- In-app navigation patterns
- Crash logs and performance diagnostics
Transaction Information:
- Subscription status and plan type
- Purchase history (processed via Apple App Store)
- Anonymous transaction identifiers via RevenueCat
2.3 Information We Do NOT Collect
- We do not collect your email address or phone number (unless you contact support)
- We do not access your device contacts or address book
- We do not collect precise geolocation data
- We do not use facial recognition or biometric data
- We do not sell, rent, or trade your personal data to third parties for marketing purposes
- We do not collect financial information directly (all payments handled by Apple)
3. How We Use Your Information
3.1 To Provide and Maintain the Service
- Create and manage your account
- Enable connections with other users via ohh codes
- Process and deliver conversation cards, Sparks, and Circles
- Manage subscriptions and premium features via RevenueCat
- Deliver push notifications you have opted into
- Provide customer support and respond to your requests
3.2 To Improve the Service
- Analyze aggregated, anonymized usage patterns to enhance features
- Debug and fix technical issues using crash reports and diagnostics
- Develop new features, decks, and services
- Surface relevant conversation cards through smart card algorithms
- Optimize app performance and user experience
3.3 To Ensure Safety and Security
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service and community standards
- Protect users from harmful content, behavior, or security threats
- Monitor for policy violations including harassment and prohibited content
- Investigate and address reported violations at our sole discretion
3.4 To Protect Our Legal Interests
- Comply with applicable laws, regulations, and legal processes
- Establish, exercise, or defend legal claims
- Protect the rights, property, and safety of Zemio Labs Ltd, its users, and the public
- Enforce our contractual agreements
3.5 How We Do NOT Use Your Information
- We do not use your conversation responses to train machine learning or AI models
- We do not sell your personal data to advertisers or data brokers
- We do not use your data to build advertising profiles
- We do not share your conversation content with anyone outside your chosen connections
4. Legal Basis for Processing (UK/EU GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract |
| Account management | Performance of contract |
| Customer support | Performance of contract |
| Subscription management | Performance of contract |
| Safety and security | Legitimate interests |
| Service improvement and analytics | Legitimate interests |
| Fraud prevention | Legitimate interests |
| Protecting legal interests | Legitimate interests |
| Marketing (if opted in) | Consent |
| Legal compliance | Legal obligation |
Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
5. Data Sharing and Disclosure
5.1 With Other Users
- Your display name and ohh code are visible to your connections
- Responses you share in Sparks are visible only to the intended recipient
- Responses you share in Circles are visible only to Circle members after all members have answered
- Profile information you choose to make visible
You are solely responsible for the content you share with other users through the Service. We are not liable for how other users may use, share, or disclose content you have shared with them.
5.2 With Service Providers
We share data only with trusted service providers who are contractually bound to protect your information and process it only on our instructions:
| Provider | Purpose | Data Shared |
|---|---|---|
| RevenueCat | Subscription management | Anonymous user ID, purchase data |
| Expo / Apple Push | Push notifications | Device tokens |
| Cloud hosting (encrypted) | Data storage and processing | All app data (encrypted at rest and in transit) |
5.3 We Do NOT Share Data With
- Advertisers or advertising networks
- Data brokers or data aggregators
- Social media platforms for advertising purposes
- Any third parties for their own marketing purposes
5.4 For Legal Reasons
We may disclose your information if required to do so by law, in response to valid legal process (such as a court order, subpoena, or government investigation), or to protect the rights, property, or safety of Zemio Labs Ltd, Ohh, our users, or the public. We reserve the right to disclose information we believe is necessary or appropriate to enforce our Terms of Service, respond to claims that any content violates the rights of third parties, or protect the personal safety of users or the public.
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of the assets of Zemio Labs Ltd, your personal data may be transferred as part of that transaction. In such circumstances, we will use reasonable efforts to notify you via in-app notification before your data is transferred and becomes subject to a different privacy policy. Your continued use of the Service following such transfer constitutes your acceptance of any new privacy terms.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| User content (card responses) | Until account deletion + 30 days |
| Usage analytics | 24 months (anonymized and aggregated) |
| Customer support records | 3 years from last interaction |
| Payment and transaction records | As required by law (typically 7 years) |
| Security and fraud logs | 3 years |
After the retention period, data is permanently deleted or irreversibly anonymized. We may retain certain data for longer periods if required by law, to resolve disputes, or to enforce our agreements.
7. International Data Transfers
Your data may be processed on servers located outside the United Kingdom and European Economic Area. When we transfer data internationally, we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Secretary of State or European Commission
- Transfers to countries with adequate data protection (adequacy decisions)
- Appropriate technical and organizational measures to protect your data during transfer
By using the Service, you acknowledge and consent to the transfer of your data to jurisdictions outside your country of residence, which may have different data protection rules.
8. Your Rights
8.1 UK/EU GDPR Rights
Under the UK and EU GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data where there is no compelling reason for its continued processing
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests where your particular circumstances justify it
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing
These rights are not absolute and may be subject to exemptions under applicable law. We may refuse to comply with a request if we have a lawful basis to do so, including where the request is manifestly unfounded, excessive, or where compliance would adversely affect the rights and freedoms of others.
8.2 California Residents (CCPA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of your personal information (note: we do not sell personal information)
- Non-discrimination for exercising your privacy rights
8.3 Exercising Your Rights
To exercise any of your rights, please contact us using the methods below. All requests are handled directly by Zemio Labs Ltd.
- Use the in-app settings (Account → Privacy)
- Email us at support@ohh.world
We will respond within 30 days (or sooner where required by law). We may ask you to verify your identity before processing your request to protect your data from unauthorized access. If we cannot verify your identity, we reserve the right to decline the request.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Strict role-based access to personal data with audit logging
- Device Authentication: Secure device-based authentication, no passwords stored
- Infrastructure: Hosted on SOC 2 compliant cloud providers with redundancy
- Monitoring: Continuous security monitoring and anomaly detection
- Incident Response: Documented data breach response procedures including notification within 72 hours as required by UK GDPR
While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee absolute security. You acknowledge that you provide your personal data at your own risk. Zemio Labs Ltd shall not be liable for any unauthorized access to or alteration of your data except where such access results from our gross negligence or willful misconduct.
10. Children's Privacy
The Service is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under the age of 16.
If we learn that we have collected personal data from a child under 16, we will promptly delete that information and terminate the associated account. If you believe a minor is using the Service, please contact us at support@ohh.world.
11. Third-Party Links and Services
The Service may contain links to third-party websites or services not operated by Zemio Labs Ltd. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We are not liable for any loss or damage arising from your interaction with third-party services. We encourage you to review the privacy policy of every site you visit.
12. Cookies and Tracking Technologies
Our website (ohh.world) may use essential cookies for basic site functionality. The mobile App does not use browser cookies, but may use local storage and device identifiers for authentication and functionality purposes. We do not use cookies or similar technologies for advertising or cross-site tracking.
13. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time at our sole discretion. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an in-app notification for material changes
Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, your sole remedy is to discontinue use of the Service and delete your account.
14. Limitation of Liability
To the maximum extent permitted by applicable law, Zemio Labs Ltd shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to any data processing activities described in this Privacy Policy, including but not limited to unauthorized access to or alteration of your data by third parties, data loss, or service interruptions.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us directly:
Ohh, a product of Zemio Labs Ltd
Email: support@ohh.world
Website: https://ohh.world
All privacy-related inquiries and requests are handled directly by Zemio Labs Ltd. We are committed to resolving any concerns you may have regarding our data practices.