Zendure Privacy Policy

Privacy Policy for zendure.com

Table of Contents

1. Controller

2. Data Protection Officer

3. Contact

4. Purposes and Legal Bases of Processing

5. Categories of Personal Data

6. Rights of Data Subjects

7. Right to Lodge a Complaint

8. Retention Periods 8.1 Server Log Files 8.2 Analytics and Tracking Services 8.3 Customer Accounts and Contract Data 8.4 Email Marketing 8.5 Affiliate and Marketing Data

9. Data Security

10. Disclosure of Personal Data

11. Cookies and Consent Management 11.1 Technically Necessary Cookies 11.2 Cookies Requiring Consent 11.3 Consent Management Tool 11.4 Withdrawal of Consent 11.5 Documentation of Consent

12. Server Log Files

13. Google Analytics 4

14. Google Tag Manager

15. Google Consent Mode v2

16. Google Signals

17. Google reCAPTCHA

18. Microsoft Clarity

19. Marketing and Remarketing Services (Google Ads, Meta Pixel)

20. Google Ads Enhanced Conversions

21. Google Fonts

22. Meta Conversions API

23. Push Notifications (UpPush)

24. Email Marketing

25. ActiveCampaign

26. Affiliate Marketing (Awin)

27. Affiliate Marketing (ShareASale)

28. Affiliate Marketing (WEBGAINS)

29. Affiliate Marketing (Tradedoubler)

30. Cloud Hosting (Amazon Web Services – AWS)

31. E-Commerce Platform (Shopify)

32. Cloudflare (Content Delivery Network and Security)

33. Order Processing

34. Embedded Videos (YouTube)

35. YouTube Analytics

36. Review and Rating Tools (Trustpilot, judge.me)

37. Surveys and Feedback

38. Payment Service Providers 38.1 PayPal 38.2 Google Pay 38.3 Shop Pay 38.4 Credit Card Payments (Visa, Mastercard) 38.5 Bancontact 38.6 Klarna 38.7 Transfers to Third Countries (applicable to all providers)

39. Automated Decision-Making

40. External Links

41. Changes to this Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is: Zendure DE GmbH, Rheinallee 1, 40549 Düsseldorf, Germany Represented by the Managing Director: Mr Yanan Deng Telephone: +4921179518954 E-Mail: de@zendure.com

Further information is available in our legal notice: https://www.zendure.de/pages/impressum

2. Data Protection Officer

The appointed Data Protection Officer is: Rechtsanwalt Dr. Jörg Brettschneider Alter Wall 32, 20457 Hamburg, Germany Telephone: (+49) 40 33 46 64 190 E-Mail: office1@brettschneider.law

If you have any questions or concerns about data protection, you may contact our Data Protection Officer at any time.

Important Notice – Customer Service & Product Enquiries

For all customer service enquiries and product-related questions, please contact us exclusively through the following official channels:

Email: support@zendure.com

Phone: +49-800-627-3067

Support Portal: https://support.zendure.com/portal/de/home 

Postal Address: Rheinallee 1, 40549 Düsseldorf Germany

*(This address is not a return address, please do not send goods back to this address)

Please note that enquiries submitted through any other channels including via the data protectin officer CANNOT be processed and will not receive a response.

3. Contact

If you contact us by email, contact form or any other means, the personal data you provide (e.g. name, email address, content of the request) will be processed solely for the purpose of handling and responding to your enquiry. The legal basis is Art. 6(1)(b) GDPR (contract or pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in effective communication).

4. Purposes and Legal Bases of Processing

If you use our website for purely informational purposes, i.e. without registering or otherwise providing us with information, we process the personal data transmitted by your browser to our server. This processing is technically necessary to display our website and to ensure stability and security. We process personal data in particular for the following purposes: - to provide the features and services of our website that you use, - to ensure the technical stability, security and functionality of the website, - to design our online offering in a user-friendly and needs-based manner and to continuously improve it, - to comply with legal obligations, and - to analyse and optimise our services.

Depending on the specific purpose, processing is carried out on the basis of Art. 6(1)(a), (b), (c) or (f) GDPR.

5. Categories of Personal Data

Depending on how you use our website and services, we process in particular the following categories of personal data: - Contact data, - Usage and interaction data, - Technical data (e.g. IP address, browser data), - Contract and payment data.

6. Rights of Data Subjects

You have the right to access, rectification, erasure, restriction of processing, data portability and to object to processing (Arts. 15–21 GDPR). Where we process data on the basis of Art. 6(1)(f) GDPR, you may object to such processing at any time on grounds relating to your particular situation. Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

7. Right to Lodge a Complaint

You have the right to lodge a complaint with a competent data protection supervisory authority. The competent authority is, inter alia: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany E-Mail: poststelle@ldi.nrw.de Website: https://www.ldi.nrw.de/

8. Retention Periods

Unless a more specific retention period is stated in this Privacy Policy, we store personal data only for as long as is necessary to achieve the respective processing purpose. Certain personal data (e.g. IP address, browser information) are technically required to display the website correctly. Beyond this, we retain personal data only to the extent that statutory retention obligations apply (e.g. commercial or tax-law retention periods of up to 10 years). Once the respective processing purpose ceases or retention periods expire, the data are deleted.

8.1 Server Log Files

Server log files are stored for a maximum period of 14 days and then automatically deleted, unless further storage is required for security-related investigations.

8.2 Analytics and Tracking Services

Personal data processed for analytics and marketing purposes (e.g. Google Analytics 4, Microsoft Clarity) are stored for a maximum period of 14 months, unless a shorter retention period is configured technically.

8.3 Customer Accounts and Contract Data

Personal data processed in connection with customer accounts and orders are stored for the duration of the contractual relationship and thereafter in accordance with statutory retention obligations (in particular commercial and tax-law retention periods of up to 10 years).

8.4 Email Marketing

Personal data processed for the sending of newsletters are stored until you withdraw your consent. Following withdrawal, your email address will be added to a suppression list to ensure that no further marketing emails are sent.

8.5 Affiliate and Marketing Data

Tracking and marketing data collected on the basis of consent are stored until consent is withdrawn or until the respective cookie expires.

9. Data Security

We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to ensure a level of protection appropriate to the risk (in particular encryption [HTTPS/TLS], access restrictions, data minimisation, regular security reviews).

10. Disclosure of Personal Data

Personal data are only disclosed to third parties where this is permitted by law or necessary for the performance of a contract (e.g. to processors, payment service providers, IT service providers).

11. Cookies and Consent Management

Cookies are small text files stored on your device. They support the user-friendly, effective and secure provision of our website.

11.1 Technically Necessary Cookies

Technically necessary cookies are required to ensure the basic functions and security of the website. Legal basis: Art. 6(1)(f) GDPR, § 25(2) No. 2 TDDDG.

11.2 Cookies Requiring Consent

Cookies and similar technologies that are not technically necessary are only used with your explicit consent. Legal basis: Art. 6(1)(a) GDPR, § 25(1) TDDDG.

11.3 Consent Management Tool

To manage your consents, we use a consent management tool provided by Händlerbund e. V., which acts as a processor within the meaning of Art. 28 GDPR.

11.4 Withdrawal of Consent

You may grant or withdraw your consent at any time with effect for the future via the integrated consent management tool. The lawfulness of processing carried out prior to withdrawal remains unaffected.

11.5 Documentation of Consent

We document and store consents granted by users (including consent status, timestamp, truncated IP address, browser/device information) in order to fulfil our obligation to demonstrate consent under Art. 7(1) GDPR. Consent data are stored for a maximum of three years, unless statutory retention obligations require longer storage.

Note: The retention periods of individual cookies and services are set out in the consent management tool.

12. Server Log Files

When you visit our website, the hosting provider automatically collects server log files (e.g. IP address, date and time of access, browser type, operating system). Processing is carried out to ensure the functionality, stability and security of our website, for error analysis, and for the detection and prevention of misuse or attack scenarios. Legal basis: Art. 6(1)(f) GDPR.

13. Google Analytics 4

We use Google Analytics 4 (Google Ireland Limited) to analyse the use of our website and to obtain aggregated information about user behaviour in order to improve technical performance, functionality and usability. Personal data processed include in particular: IP address (in anonymised form), device, browser and usage data, interaction data (e.g. page views, clicks, session duration). IP anonymisation is activated by default. Processing takes place exclusively on the basis of your prior consent (Art. 6(1)(a) GDPR). Google acts as a processor (Art. 28 GDPR). Personal data may be transferred to third countries, in particular the USA; the requirements of Arts. 44 et seq. GDPR are complied with (e.g. EU Standard Contractual Clauses or adequacy decision).

14. Google Tag Manager

We use Google Tag Manager (Google Ireland Limited) to manage and deploy website tags. The tool itself does not create user profiles, perform analyses or store personal data for its own purposes; the IP address may be technically transmitted to enable connection and ensure proper tag delivery. The Tag Manager only loads services requiring consent after consent has been granted. Legal bases: Art. 6(1)(f) GDPR (technical integration) and Art. 6(1)(a) GDPR (for integrated services). A data processing agreement with Google is in place.

15. Google Consent Mode v2

Consent Mode v2 controls the behaviour of Google services (e.g. Analytics, Ads, Tag Manager) based on the consent status you set via our consent management tool. Data processed include in particular consent signals, technical information (e.g. IP address, browser/device data) and interaction/usage data. Processing for consent-requiring purposes takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR). A data processing agreement is in place; any transfers to third countries are carried out in compliance with Arts. 44 et seq. GDPR.

16. Google Signals

We use Google Signals to enable cross-device analytics and to obtain aggregated insights across devices (for users who are signed into their Google account and have activated personalised advertising). Data processed include in particular anonymised IP addresses, cookie IDs/advertising IDs, device, browser and usage data, and cross-device interaction data. Used only with consent (Art. 6(1)(a) GDPR). Depending on the configuration, joint controllership within the meaning of Art. 26 GDPR may apply; you may exercise your rights against either controller. Transfers to third countries are possible (Arts. 44 et seq. GDPR).

17. Google reCAPTCHA

We use Google reCAPTCHA to protect our website and online forms against abusive, automated access (spam/bots). Data processed include in particular IP address, device and browser information, interaction behaviour, and referrer URL. reCAPTCHA is only activated after your consent (Art. 6(1)(a) GDPR). A data processing agreement is in place; transfers to third countries are possible (Arts. 44 et seq. GDPR).

18. Microsoft Clarity

We use Microsoft Clarity (Microsoft Corporation) to analyse user interaction with our website via heatmaps and session recordings in order to identify usability issues. Data processed include in particular IP address (anonymised/truncated), device, browser and usage data, and interaction data (e.g. mouse movements, scrolling, clicks). Form inputs and sensitive data are masked or excluded from recording. Used only with consent (Art. 6(1)(a) GDPR). A data processing agreement is in place; transfers to third countries are possible (Arts. 44 et seq. GDPR).

19. Marketing and Remarketing Services (Google Ads, Meta Pixel)

We use marketing and remarketing services to measure the effectiveness of our advertising campaigns and to display interest-based advertising. Data processed include in particular IP address, cookie IDs/advertising IDs, device, browser and usage data, pages visited and interaction data. Used exclusively on the basis of your consent (Art. 6(1)(a) GDPR). Depending on the service and configuration, joint controllership (Art. 26 GDPR) may apply; you may exercise your rights against either controller. Transfers to third countries are possible (Arts. 44 et seq. GDPR).

20. Google Ads Enhanced Conversions

We use Google Ads Enhanced Conversions to improve conversion measurement accuracy. Certain user-provided data (e.g. email address, telephone number, name, and where applicable postal address) may be hashed using secure cryptographic hash functions before transmission. Hashing does not constitute anonymisation; Google uses the hashed data solely to match conversions with Google accounts and ad interactions. Used only with consent (Art. 6(1)(a) GDPR). Depending on configuration, joint controllership may apply; Google also acts as a processor. Transfers to third countries are possible (Arts. 44 et seq. GDPR).

21. Google Fonts

The fonts are hosted locally on our servers. When the website is accessed, no connection to Google’s servers is established; consequently, no personal data (in particular no IP address) are transmitted to Google in this context. Legal basis: legitimate interest in a consistent and appealing presentation of our online offering (Art. 6(1)(f) GDPR).

22. Meta Conversions API

We use the Meta Conversions API to transmit information about user interactions with our website directly from our server to Meta. Data processed include in particular IP address, user agent/device information, event data (e.g. page views, cart events, purchases), timestamps/referrer URLs, and where applicable hashed identifiers (e.g. email address, telephone number). Used only with consent (Art. 6(1)(a) GDPR). Depending on configuration, joint controllership may apply. Transfers to third countries are possible (Arts. 44 et seq. GDPR).

23. Push Notifications (UpPush)

We use UpPush to send browser- or device-based push notifications (e.g. updates, product information, service notifications). Data processed include in particular device/browser information, a unique push token/device identifier, IP address, and delivery/interaction information. Used only with consent (Art. 6(1)(a) GDPR). Consent may be withdrawn at any time via browser/device settings or the consent management tool. A data processing agreement is in place; transfers to third countries are possible (Arts. 44 et seq. GDPR).

24. Email Marketing

We send newsletters and other marketing emails to users who have subscribed. Data processed include in particular name/email address, subscription/consent information, interaction data (e.g. opens, clicks), and where applicable segmentation and preference data. Processing takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR); subscription is carried out via a double opt-in procedure. You may withdraw your consent at any time via the unsubscribe link in any email or by contacting us directly; following withdrawal, your address will be added to a suppression list to prevent further sending. Note: You may object to the receipt of direct marketing at any time.

25. ActiveCampaign

We use ActiveCampaign for marketing automation and CRM (management/automation of email campaigns, customer communication, analysis of interactions). Data processed include in particular name/email address, contact/customer data, subscription/consent information, interaction data (e.g. opens/clicks), website/event data, and segmentation/profile information. Processing takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR). ActiveCampaign acts as a processor; transfers to third countries are possible (Arts. 44 et seq. GDPR). No automated decision-making with legal or similarly significant effects takes place (see Section 39).

26.–29. Affiliate Marketing (Awin, ShareASale, WEBGAINS, Tradedoubler)

We use affiliate networks to manage affiliate partnerships and track performance. Data processed include in particular IP address, device/browser/usage data, tracking IDs/partner IDs, and information about clicks, referrals and conversions. Used exclusively with consent (Art. 6(1)(a) GDPR). The networks generally process personal data for their own purposes as independent controllers (in particular tracking, attribution, commission calculation, fraud prevention, network optimisation). We may be jointly responsible for the initial collection and transmission of event data. Transfers to third countries are possible (Arts. 44 et seq. GDPR). Note: The providers listed are only relevant to the extent they are actually used.

30. Cloud Hosting (Amazon Web Services – AWS)

Our website and IT systems are hosted on servers provided by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, in data centres within the European Union. AWS processes personal data on our behalf as a processor (Art. 28 GDPR) for the purposes of website hosting, data storage, system availability and IT security. Data processed may include IP addresses, usage and customer data, and system logs. Transfers to third countries may take place on the basis of Arts. 44 et seq. GDPR.

31. E-Commerce Platform (Shopify)

Our website and online shop are operated via Shopify (technical infrastructure including hosting components, order processing, checkout functionality and security). Data processed include in particular contact/identification data, order/payment information, usage/interaction data, and technical data (e.g. IP address, browser/device information). Legal bases: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in the secure, efficient and reliable operation of our online shop). Shopify generally acts as a processor; in certain cases (e.g. fraud prevention, legal obligations) as an independent controller. Transfers to Canada and the USA may take place on the basis of Arts. 44 et seq. GDPR.

32. Cloudflare (Content Delivery Network and Security)

We use Cloudflare (CDN/security service) to protect our website against attacks (e.g. DDoS), improve loading times and ensure stability and performance. Data processed include in particular IP address, device/browser/usage data, access times/pages accessed, and security-relevant data (e.g. firewall logs). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in availability, integrity and security). Cloudflare acts as a processor; transfers to third countries are possible (Arts. 44 et seq. GDPR).

Note on the allocation of roles: - Shopify: shop/checkout functions, - AWS: hosting/IT infrastructure, - Cloudflare: protection and optimised delivery at network level.

33. Order Processing

We have entered into data processing agreements in accordance with Art. 28 GDPR with all service providers that process personal data on our behalf. Transfers to third countries are carried out in compliance with Arts. 44 et seq. GDPR (e.g. EU Standard Contractual Clauses or adequacy decision) and, where necessary, with additional safeguards; access by authorities in third countries cannot be entirely excluded.

34. Embedded Videos (YouTube)

We embed videos from YouTube (where available in “extended data protection mode”). Personal data (e.g. IP address and technical information) are only transmitted to Google when you actively play the video. Embedding takes place exclusively on the basis of your consent (Art. 6(1)(a) GDPR).

35. YouTube Analytics

We operate YouTube channels and use YouTube Analytics (statistical evaluations of views, reach, interaction rates, audience development). Data processed include in particular IP address, device/browser/usage data, interaction data, and aggregated demographic/interest-based information. Use may be subject to consent (Art. 6(1)(a) GDPR). Depending on configuration, joint controllership (Art. 26 GDPR) may apply; transfers to third countries are possible (Arts. 44 et seq. GDPR).

36. Review and Rating Tools (Trustpilot, judge.me)

We use external platforms to display customer reviews. Processing may include names, review content and, where applicable, order information. The legal basis is, depending on the circumstances, Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest).

37. Surveys and Feedback

We use services such as SurveyMonkey and Google Forms to conduct surveys and collect feedback. Where you participate, we process voluntarily provided data (e.g. name, email address, responses) for the purposes of evaluating results, improving our services, and where applicable responding to enquiries. Participation is voluntary; mandatory fields are indicated. Data processed include in particular contact data, content of responses/form submissions, and technical data (e.g. IP address, browser/device information). Legal basis: consent (Art. 6(1)(a) GDPR); where there is a contractual context, Art. 6(1)(b) GDPR. The providers act as processors; transfers to third countries are possible (Arts. 44 et seq. GDPR).

38. Payment Service Providers

We use external payment service providers; payment processing is carried out directly by them. Data processed include in particular name, billing address, payment data, IP address and transaction information. Legal basis: Art. 6(1)(b) GDPR.

38.1 PayPal

Processing as independent controller; data include identification, contact, payment, transaction and IP data as well as fraud prevention data; identity and credit checks may be carried out.

38.2 Google Pay

Processing as independent controller; payments via payment methods stored in the Google account; payment data are processed by Google and the relevant payment networks.

38.3 Shop Pay

Processing as independent controller; accelerated checkout using stored payment/shipping data; processing for the purposes of payment processing and fraud prevention.

38.4 Credit Card Payments (Visa, Mastercard)

Processing via the card network and the acquiring bank; card organisations and payment processors act as independent controllers. We do not store full card numbers or security codes.

38.5 Bancontact

Processing as independent controller; data processing for the purpose of executing the payment transaction and fraud prevention.

38.6 Klarna

Processing as independent controller; may carry out identity and credit checks (scoring) for risk assessment; processing for the purposes of payment processing, fraud prevention and risk management.

38.7 Transfers to Third Countries (applicable to all providers)

Personal data may be transferred to third countries, in particular the USA, on the basis of EU Standard Contractual Clauses or an adequacy decision in accordance with Arts. 44 et seq. GDPR.

39. Automated Decision-Making

We do not carry out automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. Certain service providers (e.g. payment services such as Klarna) may carry out automated credit checks in their own responsibility.

40. External Links

Our website may contain links to external websites. We accept no responsibility for their content or data protection practices.

41. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy to reflect changes in legal, technical or organisational requirements.

Last updated: 25 March 2026