Legal
ZALA Privacy Policy
Effective Date: July 8, 2026
This Privacy Policy (the “Policy”) explains how GDiz LLC (“ZALA,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the ZALA platform — including the websites at zala.net and related domains, the shared ZALA mobile applications, co-branded and white-label applications powered by ZALA, giving features, and related software and services (collectively, the “Service”).
This Policy should be read together with the ZALA Terms of Use (for individual users) and the ZALA Terms of Service (for subscribing organizations), available at zala.net/legal. If you do not agree with this Policy, do not use the Service.
1. Our Two Roles: Service Provider and Controller
ZALA is a multi-tenant platform used by churches, ministries, and other organizations (“Organizations”) to engage their communities. Because of this, we handle personal information in two distinct roles:
1.1 ZALA as a service provider / processor (Member Data). When you use the Service as a member, visitor, donor, volunteer, or attendee of an Organization, the personal information collected within that Organization’s community — such as your contact record, profile, posts, prayer requests, group memberships, event registrations, attendance, messages, and giving history (“Member Data”) — is controlled by your Organization. ZALA processes Member Data on the Organization’s behalf and under its instructions, solely to provide the Service. Your Organization decides who in its community can see what, how it communicates with you, and how it uses your information; its own privacy practices also apply. If you want to access, correct, or delete Member Data, or have questions about how your Organization uses it, contact your Organization first. We will support Organizations in responding to such requests and will refer requests we receive directly to the relevant Organization where appropriate.
1.2 ZALA as a controller (our own data). ZALA is the controller of personal information we collect for our own purposes, including: account and billing information for Organization administrators; information about visitors to zala.net; support communications; marketing data; and technical, security, and product-usage data we use to operate, secure, and improve the Service.
2. Information We Collect
2.1 Information you provide directly.
- Account and profile information: name, email address, phone number, profile photo, and organization affiliation. ZALA uses passwordless sign-in, so we do not collect or store passwords; we process one-time passcodes and/or passkey credentials to authenticate you.
- Content you create: posts, comments, reactions, prayer requests, testimonies, messages, media uploads, event registrations and responses, and group activity.
- Giving and transaction details: donation amounts, designations (funds/campaigns), dates, and receipts. Payment card and bank details are collected and processed directly by our payment processor (currently Stripe, Inc.) — ZALA does not store full card numbers or bank credentials.
- Organization administrator information: business contact details, billing information, tax-exemption documentation, and payment-onboarding information collected by our payment processor (which may include identity-verification and beneficial-ownership information required by law).
- Support and communications: information you provide when you contact support, complete forms, or respond to surveys.
2.2 Information collected automatically. When you use the Service, we and our service providers automatically collect technical and usage information: IP address, device identifiers, device type and operating system, app version, browser type, language, referring/exit pages, dates and times of access, crash logs, and interactions with features. We use cookies, SDKs (software development kits), and similar technologies for authentication, preferences, security, performance measurement, and product analytics (see Section 7).
2.3 Information from Organizations and other sources. Organizations may add or import information about you into the Service (for example, contact records from a previous system, attendance, or group assignments) — this is Member Data controlled by the Organization (Section 1.1). We may also receive information from authentication providers, payment processors (transaction confirmations and fraud signals), app stores, and security and analytics vendors.
2.4 Location information. We may derive general (city-level) location from your IP address for security, regional settings, and analytics. Precise device location is collected only if you affirmatively enable it for a specific feature, and you can disable it in your device settings at any time.
2.5 Sensitive information, including religious information. By its nature, use of the Service may reveal or include information about religious affiliation or beliefs — for example, membership in a church community, prayer requests, small-group participation, baptism interest, or pastoral-care notes. We treat this as sensitive personal information: we process it only to provide the Service requested by you and your Organization, to secure the Service, and to comply with law. We do not use sensitive information for advertising, do not sell it, and do not disclose it except as described in this Policy. Visibility of content like prayer requests is determined by the settings you and your Organization choose — review visibility options before posting.
3. How We Use Information
We use personal information to:
- Provide, operate, administer, and maintain the Service and your accounts;
- Authenticate users (including delivering one-time passcodes), secure accounts, and prevent fraud and abuse;
- Process donations and other transactions you initiate, and deliver receipts;
- Deliver notifications, reminders, and messages configured by you or your Organization;
- Provide features such as feeds, groups, events, livestreams, and — where enabled — AI-assisted features like transcription, captions, and translation;
- Provide customer support and respond to questions, requests, and feedback;
- Understand how the Service is used, and improve, develop, and test the Service and new features;
- Communicate with Organization administrators and, where permitted, prospective customers about products, updates, and offers (with opt-out at any time);
- Enforce our terms, protect the safety of users (including minors), and comply with legal obligations.
We may aggregate or de-identify personal information so it no longer reasonably identifies anyone, and use that information for any lawful purpose. Where required by law, we maintain de-identified data as de-identified and do not attempt to re-identify it.
4. How We Disclose Information
We do not sell personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only as follows:
4.1 To your Organization. Member Data is, by design, available to your Organization and its authorized staff according to its roles, permissions, and location-access settings — including your contact details, activity, and, if you donate, donor information needed to record and receipt your gift (name, contact information, amount, designation, and date).
4.2 To other users. Content you post is visible to other users according to the visibility settings of the post, group, or feature — organization-wide, group-only, staff-only, or public, as applicable. Information shared in community areas may be read, collected, or reshared by others; post accordingly.
4.3 To service providers. We use vetted third parties to run the Service, under agreements that restrict their use of personal information and require appropriate safeguards. Categories include: cloud hosting and infrastructure; content delivery and media storage/streaming; payment processing; communications delivery (email, SMS, push notifications); product analytics and crash reporting; customer support tooling; AI processing for features such as transcription, captioning, and translation; security, fraud-prevention, and abuse-detection (including child-safety scanning of uploaded media); and professional advisors.
4.4 Payment processing. Payments are processed by Stripe, Inc. (and, in some regions, other processors we may add). Payment data you provide at checkout is collected by the processor under its own privacy policy and terms. Your Organization is the recipient/merchant of record for donations.
4.5 Legal, safety, and compliance. We may disclose information where we believe in good faith it is necessary to: comply with law, legal process, or government requests; enforce our agreements; detect, prevent, or address fraud, security, or technical issues; protect the rights, property, or safety of ZALA, our users, minors, or the public; or meet anti-money-laundering, sanctions, and reporting obligations. We report apparent child sexual abuse material to the National Center for Missing & Exploited Children (NCMEC) as required by law.
4.6 Business transfers. If ZALA or GDiz LLC is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this Policy’s commitments; we will provide notice and, where required by law, choices.
5. Communications: Email, SMS, and Push
We send transactional and account communications (such as sign-in passcodes, receipts, and security notices) as part of the Service. Marketing emails are sent only where permitted and always include an unsubscribe mechanism, honored in accordance with applicable law (including the CAN-SPAM Act). SMS messages are sent only where permitted by law and, where required, only with prior express consent obtained by us or your Organization; reply STOP to opt out of SMS at any time (message and data rates may apply). Push notifications can be managed in your device or in-app settings. Organizations are responsible for the messages they send to their communities through the Service and for obtaining any consents required for those messages.
6. Cookies and Analytics
We and our providers use cookies, SDKs, pixels, and similar technologies to keep you signed in, remember preferences, secure the Service, measure performance, and understand feature usage. We use product analytics (including session-level usage analytics) to understand how the Service is used and improve it; analytics identifiers are pseudonymous where feasible. You can control cookies through browser settings; disabling them may affect functionality. Because we do not sell personal information or engage in cross-context behavioral advertising, there is generally no sale/sharing activity to opt out of; where we receive a legally recognized opt-out preference signal such as Global Privacy Control (GPC), we will process it consistent with applicable law.
7. Security
We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect personal information — including encryption in transit, access controls, tenant isolation between Organizations, permission- and location-scoped staff access, and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Protect access to your email inbox, phone number, and devices, since passwordless sign-in relies on them. If a breach affecting personal information occurs, we will notify affected Organizations and/or individuals and regulators as required by applicable law.
8. Retention
We retain personal information for as long as reasonably necessary to provide the Service and maintain accounts; to comply with legal, tax, accounting, payment-network, and reporting obligations; to resolve disputes and enforce agreements; and to protect the security and integrity of the Service. Member Data is retained according to the subscribing Organization’s instructions and subscription status: following termination of an Organization’s subscription, its tenant data is made available for export for thirty (30) days and then deleted or de-identified within a commercially reasonable period, except for residual copies in routine backups (which expire on schedule) and records we must keep by law. De-identified or aggregated data may be retained longer.
9. Children and Minors
9.1 Children under 13 (COPPA). The Service is a general-audience service and is not directed to children under 13. Children under 13 may not create their own accounts, and we do not knowingly collect personal information directly from children under 13. Organizations and parents/guardians may create or administer child-associated profiles (for example, for children’s ministry rosters or check-in); in those cases, the parent/guardian and the Organization are responsible for the profile, and we process the information as a service provider to the Organization. Where we have actual knowledge that we are collecting personal information directly from a child under 13, we will obtain verifiable parental consent as required by the Children’s Online Privacy Protection Act (COPPA) or delete the information. We do not use children’s personal information for advertising and do not disclose it to third parties for marketing.
9.2 Parents and guardians. Parents or guardians may review, correct, or request deletion of their child’s information, or revoke consent, by contacting their Organization (for Member Data) or us at hello@zala.net; we will respond promptly and delete information collected without proper consent.
9.3 California minors. California residents under 18 who are registered users may request removal of content they publicly posted by contacting hello@zala.net. Removal may not be complete or comprehensive (for example, where content was reshared by others or must be retained by law).
10. Your Privacy Rights (U.S. State Laws)
Depending on where you live (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws), you may have rights to: know/access the personal information we hold about you and obtain a copy; correct inaccuracies; delete your personal information; data portability; opt out of sale, sharing for targeted advertising, or certain profiling (we do not engage in these activities, but you may still submit a request); limit the use of sensitive personal information to what is necessary to provide the Service; and non-discrimination for exercising your rights.
How to exercise your rights. For Member Data, contact your Organization (Section 1.1); we will assist it in fulfilling your request. For information ZALA controls, email hello@zala.net. We will verify your identity (for example, against your account email and recent activity) before acting, and will respond within the timeframes required by applicable law (generally 45 days, with permitted extensions). You may use an authorized agent, subject to verification, and you may submit requests on behalf of your minor child. If we deny a request and your state provides an appeal right, you may appeal by emailing hello@zala.net with the subject line “Privacy Request Appeal”; we will respond within the legally required period.
California-specific disclosures. In the preceding 12 months, we have collected these categories of personal information (as defined by the CCPA (California Consumer Privacy Act)): identifiers (name, email, phone, IP address, device and online identifiers); customer records (billing and giving history, processed by our payment processor); protected classifications (religion, only as inherent in your voluntary use of a faith-based service); commercial information (donation records and feature engagement); internet/network activity (usage and log data); geolocation (general location from IP; precise only if you enable it); audio/visual information (profile photos and media you post); professional information (role within an Organization, where provided); inferences (to provide and personalize the Service); and sensitive personal information (information revealing religious beliefs, such as prayer requests or group participation, where you choose to share it). Sources and purposes are described in Sections 2–3; disclosures are described in Section 4. We do not sell personal information and do not share it for cross-context behavioral advertising, including personal information of minors under 16. We use sensitive personal information only for purposes permitted under California law. We do not offer financial incentives in exchange for personal information. We do not track users across third-party websites for targeted advertising and therefore do not respond to Do Not Track signals; we honor GPC signals as described in Section 6.
Nevada. We do not sell covered information as defined under Nevada law. Nevada residents may contact hello@zala.net with questions.
11. Users Outside the United States
The Service is operated from the United States, and the initial market for the Service is the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the United States (and in other locations where our infrastructure or service providers operate), where privacy laws may differ from those in your jurisdiction. Where the Service is offered to Organizations in other regions, ZALA will implement transfer and localization measures required by applicable law, and region-specific terms may be provided in the applicable Data Processing Addendum. If you do not consent to processing in the United States, do not use the Service.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we will post the revised Policy and update the “Effective Date”. For material changes, we will provide additional notice (through the Service or by email) at least 30 days before the change takes effect where feasible and required by law. Please review this Policy periodically.
13. Contact Us
GDiz LLC 440 N Barranca Ave #4348, Covina, CA 91723, United States Email: hello@zala.net Web: zala.net
If you have questions, concerns, or complaints about this Policy or our privacy practices, contact us at hello@zala.net; we will review and address privacy-related concerns in good faith and in accordance with applicable law.
