Zarf

Legal

Privacy Policy

Effective July 6, 2026

This policy explains what Zarf collects, why we collect it, who can see it, and how to remove it. It applies to everyone who uses Zarf on iOS.

What Zarf is

Zarf is a private photo-sharing app for small groups of friends. Each week a group answers the same three prompts; the photos are sealed until reveal day, then opened together. There is no public feed, no algorithm, no advertising.

What we collect

To sign you in:

Because you use the app:

As a side effect of how the internet works:

We do not collect: your real legal name, your location, your contacts, your browsing activity outside Zarf, or any advertising identifiers. We do not use third-party analytics or trackers.

How we use your data

We use your data only to make Zarf work — to authenticate you, identify you to your friends, store and serve your photos within your group, and provide customer support if you contact us.

We do not sell, rent, license, or share your data with anyone for advertising, marketing, or analytics purposes.

Who can see your photos

This is the most important section in this policy.

Zarf has two visibility states for every photo:

Before reveal day, a photo you upload is visible only to you. Other group members cannot see it. This is enforced at the database level through row-level security policies — even if a member knew where to look, our system would refuse to return your photo to them until the month opens.

After reveal day, photos become visible to other members of that same group. They never become visible to anyone outside that group, to Zarf staff (we don't view group content), or to any third party.

We do not view, scan, train AI models on, or otherwise inspect your photos. They live in your private group and nowhere else.

Where your data is stored

Zarf uses Supabase, which stores data on Amazon Web Services infrastructure in the United States. Photos are stored in encrypted object storage; access is gated by per-group security rules described above.

Authentication credentials (Apple identity tokens, email OTP codes) are handled by Supabase's authentication service. We never see or store your Apple password.

How long we keep your data

We keep your data while your account is active. When you delete your account (Profile → Delete account), we immediately:

Photos that other group members uploaded to shared weeks remain part of those members' group archives — they are their data, not yours, and removing them would erase the group's shared history. The lines and reactions you left on other people's photos are anonymized (your name is removed and shows as "a friend") rather than deleted, so we don't tear holes in other members' archives; you can also choose to remove your own lines and reactions from a group when you leave it.

Backups may retain deleted data for up to 30 days, after which they are permanently overwritten.

Your rights

You can, at any time:

If you are in the EU, UK, or California, the rights above are part of GDPR, UK GDPR, and CCPA respectively. Same rights, same process.

Children

Zarf is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, email us and we will delete the account.

International transfers

If you use Zarf from outside the United States, your data may be transferred to and processed in the United States by Supabase and Amazon Web Services. By using Zarf, you consent to this transfer.

Changes to this policy

If we make a material change to this policy, we will update the Effective Date at the top and surface the update in the app the next time you open it. Continuing to use Zarf after a change means you accept the updated policy.

Contact

For privacy questions, deletion requests, or anything else:

Email: mertaslan16@gmail.com

We respond to all messages within 7 business days.