Privacy Policy

Effective May 16, 2026

This Privacy Policy describes how Zondra handles information when you use the Zondra mobile application and our website at zondra.app.

Zondra is a product of Frequency Domain Technologies LLC, a Florida limited liability company ("Zondra," "we," "us," or "our").

01What this policy covers

This policy applies to two things:

• The Zondra mobile application for iOS (the "App"), available on the United States App Store.
• The Website at zondra.app (the "Website"), where this policy and our Terms of Use are hosted and where you may optionally support development by leaving a tip.

Throughout this policy, where a clause applies only to the App or only to the Website, we say so. Where no scope is given, the clause applies to both.

Zondra is a private journal for cannabis. It helps you log products you try, sessions you have, and how those sessions land for you. It is not a medical service, a treatment tool, or a source of health advice. Always consult a qualified healthcare professional for medical decisions.

02What we don't do

Before describing what we do, here is what we don't:

• We do not operate any servers that store your data. There is no backend.
• We do not have user accounts or any way to identify you across sessions.
• We do not collect, sell, share, or rent your personal information.
• We do not use analytics, telemetry, advertising SDKs, crash reporting, or third party tracking inside the App.
• We do not show ads.
• We do not have access to your journal entries, photos, notes, symptoms, ratings, or any other content you create in the App.
• We do not profile you, build behavioral models on you, or transmit your data to anyone.

Everything you log in the App stays on your device. The only times information leaves your device are when you explicitly initiate it: by tapping a dispensary link to fetch a Certificate of Analysis, by exporting your data as a CSV file, or by visiting our Website.

03Information you store on your device when you use the App

When you use the App, you create journal data. This data is stored locally on your device, in a private database inside the App's sandboxed storage area. We have no copy, no access, and no ability to retrieve it.

The categories of information you may store include:

Products. Information about cannabis products you have tried, such as strain name, brand, product category, type, batch number, weight, cannabinoid concentrations (THC and CBD percentages and milligrams, total cannabinoids, total terpenes), terpene profiles, dispensary, expiration date, the URL you fetched a Certificate of Analysis from (if applicable), and free text notes.

Sessions. Records of consumption, including the linked product, method (such as flower, vape, edible, concentrate), amount (optional), context, the intentions or outcomes you were hoping for (we call these "intent chips," for example "Pain relief" or "Sleep"), free text notes about your experience, the timestamp, and your overall rating.

Follow ups. Check ins you log after a session, including the linked session, symptoms or effects you noticed (we call these "outcome chips," for example "Eased pain" or "Felt calm"), free text notes, your rating, and the timestamp.

Insights. When you view the Insights tab, the App analyzes the data above to surface patterns (such as which products you use most, which terpenes correlate with which outcomes, or how your usage frequency has changed over time). These analyses are computed on your device each time you open the Insights tab and are not stored separately. They never leave your device.

Preferences. Small settings stored in your device's secure storage (the iOS Keychain): your acceptance of our Terms of Use and Privacy Policy along with timestamps and version numbers, and a one time flag indicating whether you have seen certain in app explainers.

All of this stays on your device. None of it is uploaded to us, because we do not operate any servers that could receive it.

04Encryption and protection of your data

Your data is protected on your device by two layers.

Layer 1: Application level encryption

Specific text fields that are the most identifying and the most clinically sensitive are encrypted on your device before being saved. These include:

• Strain name, brand, batch number, dispensary
• Notes (on products, sessions, and follow ups)
• Intent chips and outcome chips (the symptom and effect tags you tap when logging sessions and follow ups)

These fields are encrypted using AES with a 256 bit key. The key is generated once on your device when you first use the App. It is stored in your device's iOS Keychain with the strictest local accessibility setting available. The key never leaves your device, is never sent to us, is never uploaded to iCloud, and is not included in any device backup.

Other database fields (such as cannabinoid concentrations, terpene percentages, ratings, methods of consumption, timestamps, and dates) are not encrypted at the application layer. They rely on Layer 2.

Layer 2: iOS Data Protection

All data in the App's database is stored in the App's sandboxed storage area and is protected by iOS Data Protection. iOS Data Protection encrypts files at rest when your device is locked, but only if you have set a passcode on your device. If your device has no passcode, this layer provides no meaningful protection. We strongly recommend setting a device passcode.

Backup exclusion

The App's journal database is explicitly excluded from iCloud and iTunes backups. This is structural to our privacy posture: your data stays on your device. If you replace your phone, restore it from a backup, or move to a new device, your journal does not transfer to the new device. We made this trade off intentionally so that your information remains where you created it.

If your encryption key becomes inaccessible

In rare edge cases (such as a device migration or a corrupted Keychain state), the App may be unable to decrypt your stored data. When this happens, the App shows a recovery screen with two options: "Wipe and Start Over" (which deletes your local data and resets the App) or "Contact Support." We have no copy of your data and cannot recover it. This is by design.

05Network use by the App

The App makes a limited set of network requests, all of which you initiate. Here is the full list:

Dispensary Certificate of Analysis (COA) fetches. When you scan a barcode, QR code, or batch number that points to a dispensary's lab report, the App contacts that dispensary's public website to download the lab report PDF. The dispensaries the App currently supports include Trulieve, Curaleaf, Sunburn, Jungle Boys, and MÜV. This list may change over time. When you tap to fetch a COA, your device communicates with that dispensary's web server. The dispensary's web server, like any web server, may receive standard request information such as your IP address, the time of the request, and your User Agent string. We do not see, collect, or receive any of this information. The dispensary handles your request under its own privacy policy.

External links to dispensary pages and educational sources. When you tap a dispensary product page link or an external citation in the Discover tab, the App opens that link in a secure in app web view (Safari View Controller). That web view is the destination website's environment, governed by its own privacy policy and protected by Apple's standard browser sandbox. We have no access to it.

That is the entire network surface of the App. The App does not phone home. There are no analytics calls, no telemetry, no crash reports, no advertising network calls, no over the air update servers, and no model download servers. The on device text recognition model used by Smart Scan is bundled with the App and never reaches the network.

06Permissions the App requests

Camera. Requested when you use Smart Scan or scan a QR code or barcode. The camera feed is processed entirely on your device through on device optical character recognition and barcode scanning. Images from the camera are not saved to your device, are not transmitted to us, and are not transmitted to any third party. You can revoke camera access at any time in iOS Settings.

Photo library. Requested if you choose to scan an existing image from your photo library instead of using the camera. The selected image is read, processed locally for text recognition, and then discarded. The image is not copied, saved, or persisted by the App. You can revoke photo library access at any time in iOS Settings.

The App does not request location, microphone, contacts, calendars, reminders, motion, health data, push notifications, or any other system permission.

07The Website at zondra.app

The Website at zondra.app is a static informational site. It exists to host this Privacy Policy and our Terms of Use, to describe what Zondra is, and to allow you to optionally support development by leaving a tip.

Hosting. The Website is hosted on Netlify, a third party static site hosting provider. When you visit the Website, your browser communicates with Netlify's servers. Netlify maintains standard web server logs that include your IP address, User Agent, the page you requested, and a timestamp. We do not have direct access to those logs in any usable form. Netlify's privacy practices are described at netlify.com/privacy.

Cookies. The Website does not set cookies.

Analytics. The Website does not use Google Analytics, Plausible, Fathom, Mixpanel, or any other analytics service. We have no way to see how you use the Website.

Embedded content. The Website does not embed third party scripts, advertising pixels, tracking widgets, or social media share buttons that load remote code.

08Tips and donations

You may optionally support development by leaving a voluntary tip. Tips are processed by Ko-fi, a third party donation processor, on a Ko-fi page linked from our Website.

When you visit the Ko-fi page and complete a tip transaction:

• Ko-fi (and Ko-fi's underlying payment processors, such as Stripe or PayPal) handle your payment information. We never see your credit card number, debit card number, bank account details, or full billing address.
• Ko-fi may receive your name, the amount you tipped, the message you left (if any), and your email address (if you provide one).
• We receive from Ko-fi only the information necessary to acknowledge your tip: typically a display name (which may be a pseudonym you choose), the amount, and the message if you left one.
• If you leave a message visible on the public Ko-fi page, it is visible to anyone who visits that page. That is your choice.

Ko-fi's privacy practices are described at ko-fi.com/privacy. Tipping is entirely optional and is not required to use Zondra.

09What Zondra is not

To be explicit about our limits:

Zondra is not a medical service. Nothing in the App or on the Website is medical advice, a diagnosis, a treatment plan, or a prescription. The App does not evaluate, treat, diagnose, or prevent any condition. Always consult a qualified healthcare professional for medical decisions.

Zondra is not a HIPAA covered entity. We are not a healthcare provider, health plan, or healthcare clearinghouse. We do not perform any function of a business associate as defined under HIPAA. If your interactions would otherwise be subject to HIPAA, FISMA, GLBA, or other industry specific regulations, you should not use the App to store information you would otherwise protect under those frameworks.

Zondra is not a substitute for professional advice of any kind, including medical, legal, financial, or other professional advice.

You are responsible for complying with the laws that apply to you, including laws related to cannabis, privacy, and age. The App may not be legal for all users in all jurisdictions, and we do not warrant that your use of the App is lawful where you live. By using the App, you confirm that you are at least 21 years of age.

10Your rights regarding your information

Depending on where you live, you may have rights regarding personal information about you. These rights are typically granted by state privacy laws in the United States or by similar laws in other jurisdictions.

Common rights include the right to access, correct, delete, port, or restrict processing of personal information; the right to opt out of sale or sharing for cross context behavioral advertising; the right to limit use of sensitive personal information; and the right to non discrimination for exercising these rights.

For data stored on your device, the App gives you direct control through its own interface. You can view, edit, archive, or permanently delete any product, session, or follow up entry. You can also choose "Delete All Data" in the Profile tab to wipe your entire local database, your encryption key, and your saved preferences. Because your data lives only on your device, you can exercise most rights directly through the App without involving us.

If you have a privacy rights request, such as a question about what data we hold (we hold none) or a request to delete data on our servers (we have no servers), you can contact us at feedback@zondra.app. We will respond to verifiable requests within the timeframe required by applicable law.

Global Privacy Control. The App does not engage in cross context behavioral advertising, profiling, sale, or sharing of personal information, so there is nothing for the Global Privacy Control signal to opt you out of. The Website does not use scripts that would respond differently to a Global Privacy Control signal because it has no tracking to suppress.

11Washington Consumer Health Data Notice

This section is provided in good faith and applies to Washington residents and any user whose data would otherwise fall under the Washington My Health My Data Act (RCW 19.373).

We believe Zondra is not a "regulated entity" under WA MHMDA. A regulated entity, under that statute, is one that, alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling consumer health data. We do not collect consumer health data because we operate no backend. Your symptom logs, outcome chips, intent chips, ratings, and free text notes are processed entirely by you on your device, and we have no access to any of them.

Voluntary commitment. Even though we believe we are not a regulated entity, we voluntarily honor the spirit of WA MHMDA in our design:

• We do not collect, sell, share, lease, rent, or trade consumer health data.
• We do not use geofencing at any radius around healthcare facilities, including cannabis dispensaries, because we do not use any location services at all.
• We do not authenticate Washington residents differently than any other user. The App is identical for everyone.
• Sensitive health adjacent data you create in the App (intent chips, outcome chips, and free text notes) is encrypted on your device alongside your strain, brand, batch, and dispensary information. Other fields you create (such as numeric ratings, timestamps, terpene profiles, and cannabinoid concentrations) are not encrypted at the application layer; they rely on iOS Data Protection, as described in Section 4.

Washington residents may contact us at feedback@zondra.app with questions about our handling of consumer health data.

12California users

If you are a California resident, this notice is provided under California Civil Code Section 1789.3.

Zondra is provided by Frequency Domain Technologies LLC. The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Boulevard, Suite N 112, Sacramento, California 95834, or by telephone at (800) 952-5210.

13Children

The App is not directed to children. You must be at least 21 years of age to use the App, and the App's age gate requires you to affirm this before first use. We do not knowingly collect personal information from anyone under 21.

If you are a parent or guardian and believe your child has used the App, please contact us at feedback@zondra.app. Because all data is stored on the child's device and not on our servers, the parental remedy is typically to access the device and use the App's "Delete All Data" function in the Profile tab, or to uninstall the App.

14Retention and deletion

Data stored on your device. Your journal data remains on your device until you delete it through the App, uninstall the App, or wipe your device. Because we have no copy of your data, we have nothing to retain on our side.

The App provides two deletion paths:

• Archive (soft delete). Products and sessions you archive are hidden from normal views but remain on your device. You can restore them later from the archive. Archived data does not appear in the Insights tab or in any aggregated view.
• Permanent deletion (hard delete). From the Profile tab, you can choose "Delete All Data" to permanently delete every journal record, your encryption key, and your saved preferences. This is irreversible. Because your data has never been on any server, we cannot recover it once you have wiped it.

Caches on your device. When you fetch a dispensary Certificate of Analysis PDF, the file is stored in your device's cache directory. iOS evicts items from this cache automatically when device storage runs low. The App does not actively delete these cached PDFs. The cache directory is not included in any device backup, and you can manually clear all caches by uninstalling the App.

CSV exports. When you tap "Export to CSV" in the Profile tab, the App writes a plaintext CSV file containing your products (the export currently does not include sessions, follow ups, intent chips, or outcome chips) and hands the file to the iOS share sheet. From there, you decide where the file goes (Files, AirDrop, email, and so on). The temporary file is stored in your device's cache directory and is not included in any device backup. CSV exports are unencrypted by design, so that the file is readable in any spreadsheet program. Treat exported files as you would any sensitive document.

15International data transfers

Zondra is offered in the United States and is intended for users in the United States. The App is available only through the United States App Store, and the Website is intended for a United States audience.

The App. Because all journal data stays on your device, no international transfer of journal data occurs.

The Website. Netlify (our Website host) operates a global content delivery network. When you visit zondra.app, you are served from a Netlify edge node geographically close to you. Netlify processes only standard web server log information; we do not transmit personally identifiable information to or from the Website.

If you are accessing Zondra from outside the United States, the App is not intended for you, and we do not represent that the App complies with the laws of jurisdictions outside the United States.

16Third party services we rely on

The App and Website rely on the following third parties:

• Apple Inc. provides the iOS platform, the App Store, and the iOS Keychain that protects your encryption key. Apple's privacy policy is at apple.com/legal/privacy.
• Netlify, Inc. hosts the Website at zondra.app. Netlify's privacy policy is at netlify.com/privacy.
• Ko-fi (Ko-fi Labs Ltd) processes voluntary tips when you choose to support development. Ko-fi's privacy policy is at ko-fi.com/privacy.
• Dispensary websites (Trulieve, Curaleaf, Sunburn, Jungle Boys, MÜV, and any others added over time) provide Certificate of Analysis PDFs that the App fetches when you scan a product. Each dispensary has its own privacy policy; please consult the dispensary directly for details.

We have no business relationships with these parties beyond the consumer terms of the products and services we use. None of them receive your journal entries, your notes, your symptoms, or any other content you create in the App.

17Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do:

• We will update the "Effective" date at the top of this document.
• If the changes are material (for example, adding a new data collection practice, or changing how data is used), we will prompt you in the App to review and accept the updated policy before continued use.
• The current Privacy Policy is always available at zondra.app/privacy.

Continued use of the App after a material change indicates your acceptance of the updated policy.

18Contact

For privacy questions, requests regarding your information, or any complaints, contact us at:

Frequency Domain Technologies LLC
Orange County, Florida
Email: feedback@zondra.app
Website: zondra.app

We aim to respond to privacy related inquiries within 30 days, or sooner where required by applicable law.

Version 1.0 · Last updated May 16, 2026