RareInfowayRareInfowayBack to Home

ZamZam App

by Rare Infoway Private Limited

Privacy Policy

Last updated: 22 April 2026·Android: com.zamzam·iOS: com.zamzam

Jurisdiction: Republic of Zambia — Data Protection Act, 2021 (Act 3 of 2021)

Our Apps

This Privacy Policy applies to the ZamZam app. Rare Infoway also publishes the following mobile applications:

ZamZam

Digital platform for Zambia

Google PlayApp Store

VChat

Messaging & communication

Google PlayApp Store

1. Who We Are

Rare Infoway Private Limited ("we", "us", "our") is the data controller for the ZamZam mobile application (the "App").

Privacy & data rights contactdhairy@rareinfoway.com
Postal address105 NARAYAN NAGAR, SATYSAI ROAD, Raiya, Rajkot, Rajkot-360005, Gujarat
This policyhttps://rareinfoway.com
DPA 2021 registrationRare Infoway Private Limited — confirm registration with counsel

Under the Data Protection Act, 2021, we maintain accountability measures required by section 50 and register with the Office of the Data Protection Commissioner where required.

2. What ZamZam Is

ZamZam is a multi-role digital platform for Zambia connecting students, teachers, mentors, employees, entrepreneurs, HR professionals, and government users. It provides:

  • Accounts and profiles — registration, login, role-based dashboards, portfolio, resume builder, skills, education and experience records, certificates.
  • Marketplace — listing, browsing, searching, and negotiating the sale or exchange of goods and services.
  • Messaging — one-to-one and group text chat, voice messages, image and document sharing, and GIF exchange (via GIPHY).
  • Video sessions — live audio/video calls and screen sharing powered by Jitsi Meet.
  • Jobs and internships — job postings, applications, tracking, saved jobs, and internship listings.
  • Mentorship — mentor discovery, requests, sessions, and guidance.
  • Learning and courses — course listings, enrolment, course content, and certificates of completion.
  • AI guidance chatbot — conversational AI assistant powered by Google Gemini, available to all roles.
  • Push notifications — call alerts, message notifications, and platform updates via Firebase Cloud Messaging.
  • Startups and funding — startup discovery and funding-tracking features for entrepreneurs.
  • Workspace tools — resume builder, skills tracker, session management, and My Courses.

3. Lawful Bases for Processing

We process personal data only where a lawful condition under section 13 of the Act is met:

Consent (ss. 13(a) & 15)

Optional profile fields, optional location attachment, analytics, AI conversation improvement

Contract / pre-contract (s. 13(b)(i))

Account creation, marketplace, messaging, video calls, job applications, course enrolment

Legal obligation (s. 13(b)(ii))

Court orders, regulatory requests, tax records

Vital interests (s. 13(b)(iii))

Safety emergencies

Legitimate interests (s. 13(b)(v))

Fraud prevention, platform security, abuse detection, diagnostic logging

Children: Section 17 of the Act requires verifiable parental/guardian consent before we process data of a child or vulnerable person. Contact dhairy@rareinfoway.com if you believe a child's data was collected without appropriate authority.

4. What We Collect and Why

4.1 Account and Identity

  • Username, email address, hashed password, phone number (optional), country (optional).
  • Profile photo, biography, role (student / teacher / mentor / entrepreneur / employee / government / HR / administrator).
  • Education history, work experience, skills, organisation affiliation (optional).
  • Session tokens stored locally on your device via AsyncStorage to maintain login state.

Lawful basis: contract (s. 13(b)(i)); consent for optional fields.

4.2 Portfolio and Professional Documents

  • Portfolio items, descriptions, and attached files.
  • Uploaded or AI-assisted CV / resume content.
  • Certificates generated or uploaded inside the App.

Lawful basis: contract (s. 13(b)(i)); consent for AI-assisted document generation.

4.3 Marketplace

  • Listing content: title, description, price, category, subcategory, condition, negotiability, ownership details, images.
  • Optional location text you type, or — if you tap the location button — device GPS coordinates (not continuously tracked).
  • Offer amounts, negotiation messages, saved-item records.

Lawful basis: contract (s. 13(b)(i)); consent (s. 13(a)) for precise location.

4.4 Messaging and Media

  • Message text, timestamps, delivery/read metadata, conversation identifiers, group membership.
  • Attachments: images, voice notes (audio recordings), documents.
  • GIF selections via GIPHY integration.
  • Microphone: requested solely for recording voice messages and Jitsi call audio. Not continuously monitored.
  • Camera: requested solely for capturing photos for chat or marketplace listings. No silent capture.

Lawful basis: contract (s. 13(b)(i)); legitimate interests for platform security (s. 13(b)(v)).

4.5 Video Sessions (Jitsi)

  • Audio and video streams, screen-share content — processed through Jitsi Meet infrastructure.
  • Short-lived JWT access tokens issued by our backend.
  • Call metadata: initiator, recipient(s), duration, call type, outcome.

Lawful basis: contract (s. 13(b)(i)); consent implied by joining.

4.6 Push Notifications (Firebase Cloud Messaging)

  • FCM device registration token registered on our servers.
  • Notification payloads: call type, routing identifiers, message preview (configurable).
  • iOS notification permissions as granted through the OS system dialogue.

Lawful basis: contract (s. 13(b)(i)); device/OS consent mechanism.

4.7 Jobs, Internships, and Applications

  • Job seeker: job preferences, uploaded or App-generated CV/resume, application submissions, tracking status.
  • Employer / HR / Mentor: job postings, internship postings, applicant-management data.

Lawful basis: contract (s. 13(b)(i)).

4.8 Learning and Courses

  • Course enrolment records, progress, completion certificates.
  • Teacher-uploaded course content: titles, descriptions, category, materials.

Lawful basis: contract (s. 13(b)(i)).

4.9 AI Guidance Chatbot (Google Gemini)

  • Text messages you send to the chatbot, conversation history retained on our servers.
  • Your messages are sent to Google Gemini via our backend. Google processes message text to generate responses.
  • We do not use chatbot conversations to build advertising profiles.

Lawful basis: contract (s. 13(b)(i)) for core access; consent for optional AI features.

4.10 Behavioural Analytics (Amplitude)

  • App events: screens viewed, features used, button taps, session duration — sent to Amplitude.
  • Amplitude may process a device identifier and session data. No payment or health data is included.
  • You may opt out via in-app Settings > Privacy or by contacting dhairy@rareinfoway.com.

Lawful basis: consent (s. 13(a)) where required; legitimate interests (s. 13(b)(v)).

4.11 Device and Technical Data

  • Device model, OS version, app version, network type, IP address, crash logs, and performance diagnostics.
  • Used for security, reliability, fraud prevention, and debugging.

Lawful basis: legitimate interests (s. 13(b)(v)); legal obligation where applicable (s. 13(b)(ii)).

5. Android & iOS Permissions

READ/WRITE_EXTERNAL_STORAGE, READ_MEDIA_*

Selecting images, videos, and audio files from your device for chat or marketplace listings

RECORD_AUDIO, MODIFY_AUDIO_SETTINGS

Recording voice messages in chat; audio during Jitsi video calls

CAMERA (Android + iOS)

Capturing photos for chat attachments or marketplace listings

INTERNET

All network communication with our servers and third-party services

POST_NOTIFICATIONS

Displaying message and call push notifications

USE_FULL_SCREEN_INTENT

Displaying incoming call screens over the lock screen

WAKE_LOCK

Keeping audio alive during Jitsi calls to prevent dropped calls

RECEIVE_BOOT_COMPLETED

Re-registering FCM token after device restart

iOS Microphone (NSMicrophoneUsageDescription)

Voice messages and call audio

iOS Camera (NSCameraUsageDescription)

Photo capture for chat and listings

We request permissions only when the relevant feature is first used. On Android 13+ we use granular READ_MEDIA_* permissions rather than broad storage access.

6. Sharing, Processors & Third-Party Services

6.1 Our Processors

Application hosting (AWS Africa af-south-1)

Core backend

Cape Town, South Africa. Cross-border transfers subject to Part X safeguards.

Amazon S3 (or equivalent)

Media storage

Images, audio, documents; accessed via short-lived presigned URLs

Google Firebase / FCM

Push notifications

Device token and notification payloads

Jitsi Meet

Video and audio calls

Session audio/video processed by Jitsi infrastructure

Google Gemini API

AI chatbot responses

Message text sent to Google for generative AI response

Amplitude

Product analytics

App usage events and session data

GIPHY

GIF search in chat

Search queries and GIF selection identifiers

6.2 User-to-User Sharing

  • Your public profile (name, photo, role, bio, skills) is visible to other registered users where configured as public.
  • Marketplace listings are visible to all App users.
  • Chat messages are shared only with the intended recipient(s) or group members.

6.3 Cross-Border Transfers (Part X)

Our processing involves transfers outside Zambia (including Google FCM, Google Gemini, AWS, Jitsi, Amplitude, and GIPHY). We implement safeguards under section 71, including contractual mechanisms where available. Primary application and database servers are hosted on AWS Africa (af-south-1, Cape Town, South Africa).

7. Data Retention

We retain personal data only as long as necessary, consistent with section 12(1)(e) and the minimum one-year rule in section 51(1) of the Act.

Account data

Retained while account is active, plus a period after deletion for legal obligations

Chat messages & media

Retained while account is active; in-app deletion available where provided

Marketplace listings

Retained until deleted by you or removed by us; residual metadata for fraud/legal purposes

Job applications

Retained as required for recruitment compliance under Zambian employment law

Analytics events

Per Amplitude data retention settings and our configuration

Server & security logs

Limited retention period for security and incident response

8. Security

  • TLS/HTTPS for all data in transit.
  • Password hashing (no plaintext storage).
  • Short-lived JWT tokens for video session access.
  • Short-lived presigned URLs for media file access.
  • Access controls and role-based permissions on backend systems.
  • Incident response procedures.

Data breaches: We will comply with section 49 of the Act — notify the Data Protection Commissioner within 24 hours where required, and notify affected users as soon as practicable.

9. Your Rights

Subject to the Act (including section 67 derogations), you have:

Access and confirmation of processing

Section 58

Rectification of inaccurate or incomplete data

Section 59

Erasure in specified circumstances

Section 60

Object to processing (including direct marketing)

Section 61

Restriction of processing

Section 63

Data portability

Section 65

Information at point of data collection

Section 64

Not to be subject to solely automated significant decisions

Section 62

Compensation for contravention of the Act

Section 72

To exercise any right, contact dhairy@rareinfoway.com. We will verify your identity before acting and respond within a reasonable period.

Complaints: Lodge with the Data Protection Commissioner under section 68. Appeals lie to the High Court within 30 days (section 69).

10. Direct Marketing

We will not send direct marketing without a lawful basis and, where required, your consent. Every marketing communication will include an unsubscribe mechanism as required by section 61 of the Act.

11. Changes to This Policy

We will publish updates at https://rareinfoway.com and update the "Last updated" date. For material changes, we may seek fresh consent or take other steps required by Zambian law.

12. Regulator

Office of the Data Protection Commissioner — oversight, registration, complaints, and guidelines under the Data Protection Act, 2021.

Public portal: https://www.dataprotection.gov.zm/

13. Contact

Privacy & data rights

dhairy@rareinfoway.com

Post

105 NARAYAN NAGAR, SATYSAI ROAD, Raiya, Rajkot, Rajkot-360005, Gujarat

This document is a practical privacy notice aligned with the Data Protection Act, 2021 (Act 3 of 2021) of Zambia. It is not legal advice. Statutory text prevails.
RareInfoway© 2026 Rare Infoway Private Limited
Terms & ConditionsHome