This GDPR Policy explains how Zenvy Beauty processes personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It complements our Privacy Policy, which contains the full detail of what we collect and why.
Who is the data controller?
Zenvy Beauty is the data controller for personal data collected through zenvy-beauty.com, our customer-care email, and any in-person events we run. To exercise any of the rights below, email privacy@zenvy-beauty.com.
Lawful bases we rely on
We process personal data under the following lawful bases:
- Contract — to fulfil orders, process payments, and ship products you've bought.
- Consent — for marketing email, the AI Hair Analyser photo upload, and non-essential cookies. You can withdraw at any time.
- Legitimate interests — for fraud prevention, basic analytics, and product improvement, balanced against your rights.
- Legal obligation — for tax records, accounting, and compliance with HMRC and consumer-protection law.
Your rights under UK GDPR
You have the right to:
- Access a copy of the personal data we hold about you (Subject Access Request)
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten") where there's no overriding lawful basis to keep it
- Restrict how we process your data while a dispute is resolved
- Object to processing based on legitimate interests, including direct marketing
- Receive your data in a structured, machine-readable format (data portability)
- Withdraw consent for any processing where consent is the lawful basis
How to exercise a right
Email privacy@zenvy-beauty.com with your request. We'll respond within one calendar month. We may ask for ID to verify the request before disclosing personal data.
Data we transfer outside the UK
Some of our processors are based outside the UK. Where this happens we rely on adequacy decisions, Standard Contractual Clauses, or the UK International Data Transfer Agreement to ensure your data is protected to UK GDPR standards. The main international transfers are:
- Shopify Inc. (Canada/USA) — store hosting, order processing
- Anthropic PBC (USA) — Claude vision API for the AI Hair Analyser
- Cloudflare Inc. (USA) — CDN, security, the Worker that proxies the analyser
- Stripe / Shopify Payments / Klarna — payment processors
Data retention
- Customer order data: 7 years (HMRC requirement).
- Marketing consent: until you unsubscribe.
- AI Hair Analyser photos: not stored — discarded immediately after the analysis returns.
- Curl-type result tags: retained as long as you remain a customer or subscriber.
Complaints
If you believe we've handled your data incorrectly, raise it with us first at privacy@zenvy-beauty.com. If you're not satisfied, you have the right to complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.