Privacy Policy
This policy explains what personal data ZenSport collects, why we collect it, how long we keep it and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
ZenSport is a trading name of ZenSport Limited, a UK-registered retailer based at Innovation Way, Stoke-on-Trent ST6 4BF. We are the data controller for the personal data we collect through this website. You can reach our data protection contact at ZenSport@proton.me or by post at the address above.
2. What data we collect
We collect only what we need to fulfil orders, manage fan-club memberships and improve the site. The categories below describe what may end up in our systems and why.
Information you give us directly
- Account details: name, email address, optional date of birth (only used to flag age-restricted merch).
- Order details: billing and delivery address, telephone, items purchased, gift-message text.
- Payment data: processed by our payment partners (Stripe and PayPal). We never see or store your full card number.
- Fan-club submissions: chant suggestions, photos, voluntary written contributions you choose to share.
- Customer-care messages: emails, live-chat transcripts, returns requests.
Information we collect automatically
- IP address, device type, browser version and operating system, used for fraud screening and accessibility tuning.
- Approximate location derived from your IP address (country and region only, not street-level).
- Page-visit logs, referral source, on-site search terms, basket events.
- Cookies and similar technologies as detailed in our Cookies Policy.
3. Why we use it (lawful bases)
We process personal data on the following lawful bases under Article 6 UK GDPR:
- Contract (Art. 6(1)(b)): to take payment, ship orders, manage refunds and operate fan-club memberships you have signed up to.
- Legal obligation (Art. 6(1)(c)): to keep accounting records (six years under the Companies Act), respond to tax authorities and comply with consumer-protection law.
- Legitimate interests (Art. 6(1)(f)): to defend the site against fraud, monitor performance, send service emails and analyse anonymised traffic.
- Consent (Art. 6(1)(a)): for marketing emails, optional analytics cookies and fan-club photo features. You can withdraw consent at any time without affecting prior processing.
4. Who we share it with
We share data only with carefully chosen processors who help us operate the service. Each is bound by a written agreement that meets UK GDPR requirements.
- Payment providers — Stripe Payments UK Ltd, PayPal (Europe) S.à r.l.
- Couriers — Royal Mail, DPD UK, Evri (depending on the delivery method you pick).
- Email and notification — Postmark (transactional), Mailerlite (newsletter, only if you opt in).
- Cloud infrastructure — Hetzner (data centres in Germany) and Cloudflare for caching and DDoS protection.
- Customer-care tools — internal CRM hosted in the UK.
We do not sell your personal data to anyone, ever. We may share information when legally required (court order, regulator request) and would inform you unless legally prevented from doing so.
5. International transfers
Most of our processing happens in the UK and EEA. Where data leaves the UK, we rely on either an adequacy decision or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, with supplementary measures (encryption in transit, restricted access) as guidance from the Information Commissioner's Office (ICO) requires.
6. How long we keep it
- Order records: 6 years from the order date for accounting and warranty.
- Account data: kept while your account is active and through 24 months of inactivity, then deleted.
- Fan-club submissions: until you remove them or close your membership.
- Marketing consent: 36 months since last engagement, refreshed at re-confirmation.
- Server logs: 90 days, then deleted or aggregated.
7. Your rights
You have the right under UK GDPR to:
- Be informed about how we handle your data (this policy).
- Access a copy of the personal data we hold.
- Request rectification of inaccurate data.
- Request erasure ("right to be forgotten") where applicable.
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the ICO at ico.org.uk if you believe we have acted unlawfully.
To exercise any right, email ZenSport@proton.me. We respond within 30 calendar days.
8. Children
Our services are not directed at children under 16. If you are under 16, please do not create an account. We delete data we discover belongs to a child unless a parent or guardian has provided documented consent.
9. Security
We use TLS 1.3 across the entire site, role-based access control on internal systems, hardware-backed key storage for production secrets and quarterly third-party penetration tests. No system is infallible — if a breach materially affects your rights, we will notify you and the ICO within 72 hours.
10. Changes to this policy
We may update this policy. The version date sits at the top of the page. Material changes are emailed to active customers in advance.
11. Contact
Questions, concerns or rights requests: ZenSport@proton.me · +44 1782 643 905 · ZenSport Limited, Innovation Way, Stoke-on-Trent ST6 4BF, United Kingdom.