Your Privacy and Security

Zults handles some of the most personal information there is — your sexual-health results. We treat it that way. This page explains, in plain language, what we collect, why, where it lives, who can ever see it, and the protections around it. No jargon, no hidden clauses.

Our two promises: When you delete something, it's really deleted. And nothing about your health is ever shared without your explicit say-so.

What we collect and why we collect

We only collect what we genuinely need to run Zults:

Your account — email, a hashed password, your username, and (if you add one) a profile photo.
Your health results — STI test results, test dates, test types, and the testing provider, used solely to create your Rezults card.
Identity verification — your ID document and a selfie, used once to confirm it's really you, then deleted by our verification partner.
Messages — your chats with other users.
A few technical basics — device push token, app version, and IP address, kept briefly for security and reliability.

We do not collect your precise location, your contacts, your browsing history, or any financial data. Payments are handled entirely by Apple, Google and our billing provider — we never see your card details.

Health data gets the highest protection

Your STI results are "special category" data under GDPR. We process them only with your explicit consent, only to build and display your Rezults card, and never for advertising, profiling, or any secondary purpose. We never infer anything about your behaviour or relationships from how you use Zults.

How we protect your data

Encrypted in transit. All traffic uses modern TLS (1.2+), with HSTS and forced HTTPS — so data is protected as it travels between your device and us.
Encrypted at rest. Data is stored with AES-256 encryption, and your sensitive Rezults card gets an additional layer of field-level AES-256 encryption. If that protection can't be applied, the system refuses to proceed (it "fails closed").
Strong authentication. Passwords are hashed with bcrypt; sessions use rotating tokens you can revoke by logging out.
Tight access controls & monitoring. Access is restricted, logged in an append-only audit trail, and continuously monitored. Those logs never contain your health information.
Built to recognised standards. Our security program is designed around SOC 2 and GDPR principles.

How identity verification is handled

To earn a verified badge, you verify your identity once. Your ID and selfie are sent over encrypted connections to our specialist verification partner, checked automatically, and deleted after verification. Your verified name is only ever used on your Rezults card — and you can choose to hide it when you share. Your ID and selfie are never shown on your profile and never shared.

You're in control

You decide who sees your results. Sharing only ever happens because you chose it.
Revoke any time. Disable a share link, stop sharing with someone, or remove a result — instantly.
Delete means delete. When you delete a result, a chat, or your whole account, we permanently remove it from our systems — no hidden "soft delete," no quiet retention.

Where your data lives

Your core database (identity, results, sharing state) is hosted in the EU (Ireland). Some processing — app infrastructure, image storage, face-matching, and real-time chat — runs in the United States under EU Standard Contractual Clauses, with field-level encryption protecting your sensitive data wherever it sits.

Transform your dating with Zults. No more awkward conversations. Stay in control. Stay informed. Stay healthy!

Powered by eWellness Limited since 2019