Last updated: March 2026
This Privacy Policy explains how Zentachain GmbH collects, uses, stores, and protects your personal data when you use our online store at zentanode.com. We are committed to processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable German data protection law.
1. Data Controller
The controller responsible for data processing within the meaning of the GDPR is:
Zentachain GmbH
Berlin, Germany
Commercial Register: HRB 242677 B, Amtsgericht Charlottenburg
VAT ID: DE363535928
Email: legal@zentachain.io
Website: zentanode.com
2. Data We Collect
We collect and process the following categories of personal data when you use our online store:
2.1 Account Data (Google OAuth)
When you sign in with Google, we receive the following data from Google:
- Email address (primary Google account email)
- Display name (your Google profile name)
- Google user ID (internal identifier, not displayed)
We do not access your Google contacts, Google Drive, Gmail, calendar, photos, or any other Google service data. The OAuth scope is limited to basic profile information only. Authentication uses the secure PKCE (Proof Key for Code Exchange) flow. You can revoke access at any time in your Google Account Permissions.
2.2 Profile Data (User-Provided)
You may optionally provide: first name, last name, phone number (with country code), and delivery address (street, apartment/suite, city, postal code, country). Phone number and street address are encrypted with AES-256-GCM at the application level before storage. City, postal code, and country are stored unencrypted to enable shipping calculations. You can view, edit, or delete this data at any time in your account settings.
2.3 Ethereum Wallet Address
You may provide an Ethereum wallet address (ERC-20 compatible, starting with 0x) to participate in our rewards programme. This address is stored unencrypted as it must be verifiable on-chain. Once saved, the address is permanently locked via a database trigger and cannot be changed. If your account is compromised, contact security@zentachain.io.
2.4 Order and Payment Data (Stripe)
When you place an order, Stripe processes the following on our behalf:
- Credit/debit card number, expiry date, CVV — processed exclusively by Stripe, never sent to or stored on our servers
- Billing name and billing address — collected by Stripe during checkout
- Shipping name and shipping address — collected by Stripe during checkout, stored in our database for order fulfilment
- Payment amount and currency (EUR)
- Payment status (succeeded, failed, pending)
- Stripe Checkout Session ID (internal reference for payment verification)
We store: order items, quantities, total amount, shipping address, Stripe session ID, and order status. We do not store any card numbers, CVVs, or sensitive payment credentials. Stripe is PCI DSS Level 1 certified.
2.5 Cookies and Session Data
We use the following cookies:
Strictly necessary / functional cookies:
- sb-*-auth-token — Supabase authentication session cookie (encrypted JWT, strictly necessary, expires on logout or after session timeout)
- theme — Stores your light/dark mode preference (functional, no personal data)
- zentanode-cookie-consent — Stores your cookie consent choice ("accepted" or "declined"). Functional, no personal data. Persists in localStorage.
Analytics cookies (only if you accept via the consent banner):
- _ga — Google Analytics cookie used to distinguish unique users. Expires after 2 years.
- _ga_* — Google Analytics cookie used to maintain session state. Expires after 2 years.
Analytics cookies are only set if you accept cookies via the consent banner displayed at the bottom of the page. You can decline analytics cookies or revoke your consent at any time by clicking "Cookie Settings" in the footer. If you decline or revoke consent, no analytics cookies are set and no data is sent to Google Analytics. We do not use Facebook Pixel, advertising trackers, or any other third-party tracking tools. No user profiling or behavioural advertising takes place.
2.6 Data We Do NOT Collect
We do not collect: browsing history, device fingerprints, location data (GPS), biometric data, health data, political opinions, religious beliefs, or data about minors. Our store is intended for users aged 18 and over.
2.7 Business Account Data
If you register as a business customer, we additionally collect:
- Company name
- VAT identification number (USt-IdNr.)
- Company registration number (e.g. HRB)
- Billing address (encrypted with AES-256-GCM)
- Billing email address
This data is required for B2B invoicing and tax compliance under German commercial law (HGB) and EU VAT regulations.
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 GDPR:
- Consent (Art. 6(1)(a) GDPR) — Registration and login via Google OAuth, provision of optional profile data (phone number, delivery address), provision of your Ethereum wallet address, and use of analytics cookies (Google Analytics). You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Performance of a contract (Art. 6(1)(b) GDPR) — Processing of your order, payment handling, shipping, delivery, and customer account management. This data is necessary for us to fulfil our contractual obligations to you.
- Legal obligation (Art. 6(1)(c) GDPR) — Retention of order and payment records to comply with German tax law, in particular the retention requirements under Section 147 of the German Fiscal Code (Abgabenordnung, AO).
- Legitimate interest (Art. 6(1)(f) GDPR) — Fraud prevention, security of our systems, and ensuring the integrity of transactions. Our legitimate interest lies in protecting our business and our customers from fraudulent activity.
4. Third-Party Data Processors
We use the following third-party service providers who process personal data on our behalf or as independent controllers:
4.1 Stripe — Payment Processing
Company: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
Data processed: Card number, expiry, CVV, billing name, billing address, email, payment amount, IP address
Data we receive from Stripe: Payment status, session ID, shipping address (entered during checkout). We never receive card numbers.
Certifications: PCI DSS Level 1, SOC 2 Type II, EU-US Data Privacy Framework
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Privacy: stripe.com/privacy
4.2 Google — OAuth Login
Company: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data shared with us: Email address, display name, Google user ID
Data NOT accessed: Contacts, Drive, Gmail, Calendar, Photos, browsing history, location — none of these are requested or accessible
OAuth scope: openid, email, profile (minimal scope)
Auth flow: PKCE (Proof Key for Code Exchange) — secure, no tokens in URL
Legal basis: Art. 6(1)(a) GDPR (consent — you choose to sign in with Google)
Revoke access: myaccount.google.com/permissions
Privacy: policies.google.com/privacy
4.3 Supabase — Database & Authentication
Company: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992
Data stored: User accounts (email, auth metadata), profiles (encrypted), orders, product data
Security: Row Level Security (RLS) ensures users can only access their own data. Database hosted in EU (Frankfurt, AWS eu-central-1)
DPA: Data Processing Agreement per Art. 28 GDPR, with Standard Contractual Clauses (SCCs)
Privacy: supabase.com/privacy
4.4 Vercel — Website Hosting
Company: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Data processed: HTTP requests (IP address, user agent, URL), served via CDN edge network
Safeguards: EU-US Data Privacy Framework, Standard Contractual Clauses
Privacy: vercel.com/legal/privacy-policy
4.5 Google Analytics — Website Analytics
Company: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data processed: Page views, session duration, device type, browser, operating system, screen resolution, country/region. No personal data (names, emails, addresses) is collected.
IP anonymisation: Enabled. Your IP address is anonymised before processing by Google.
Cookies: _ga (2 years), _ga_* (2 years) — only set if you accept cookies via the consent banner
Consent: Analytics cookies are only loaded after you explicitly accept via our cookie consent banner. You can decline or revoke consent at any time via "Cookie Settings" in the footer.
Legal basis: Art. 6(1)(a) GDPR (consent)
Privacy: policies.google.com/privacy
4.6 Services We Do NOT Use
We do not use: Google Tag Manager, Facebook Pixel, Meta/Instagram trackers, TikTok Pixel, HotJar, Mixpanel, Segment, Amplitude, or any other tracking or advertising services. No data is shared with advertising networks. No retargeting or behavioural profiling takes place.
5. International Data Transfers
Some of our third-party processors are located outside the European Economic Area (EEA). Where personal data is transferred to countries outside the EEA, we ensure appropriate safeguards are in place, including the EU-US Data Privacy Framework (where the recipient is certified), Standard Contractual Clauses (SCCs) approved by the European Commission, and data processing agreements pursuant to Art. 28 GDPR. You may request a copy of the applicable safeguards by contacting us at legal@zentachain.io.
6. Cookies
Our online store uses strictly necessary and functional cookies, as well as optional analytics cookies that require your consent.
Strictly necessary cookies (Supabase authentication, theme preference) cannot be disabled as they are essential for the operation of the service. Without them, you would not be able to log in or use the store.
Analytics cookies (Google Analytics: _ga, _ga_*) are only set if you explicitly accept via the cookie consent banner. These cookies help us understand how visitors use our store so we can improve the experience. They expire after 2 years. IP anonymisation is enabled, and no personal data is collected.
You can decline analytics cookies or revoke your consent at any time by clicking "Cookie Settings" in the footer bar. We do not use advertising cookies, and no data is shared with advertising networks. No user profiling or behavioural advertising takes place.
7. Data Encryption
We take the protection of your personal data seriously. Your data is protected at multiple levels:
7.1 Data Encrypted by Us (AES-256-GCM)
The following data is encrypted by our servers using AES-256-GCM before it is stored in the database. Even if an attacker gained access to our database, this data would be unreadable without the encryption key:
The encryption key is derived using HKDF (HMAC-based Key Derivation Function) with SHA-256 and stored exclusively on the server. Each encrypted value includes a unique random initialisation vector (IV) and authentication tag to ensure both confidentiality and integrity. The key never leaves the server and is not accessible to the client or the database.
7.2 Data Encrypted by Third Parties
7.3 Data Not Encrypted at Rest — and Why
Some data is stored without additional application-level encryption. Here is why for each field:
7.4 Encryption in Transit
All data transmitted between your browser and our servers is protected by TLS 1.3 (Transport Layer Security). This means every request — whether you are logging in, saving your profile, or making a payment — is encrypted during transport. Our HSTS (HTTP Strict Transport Security) policy with a 2-year max-age ensures your browser always uses HTTPS.
8. Your Rights Under the GDPR
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at legal@zentachain.io.
- Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data and receive a copy.
- Right to rectification (Art. 16 GDPR) — You have the right to request the correction of inaccurate personal data and the completion of incomplete data. You can also update your profile data directly in your account settings.
- Right to erasure (Art. 17 GDPR) — You have the right to request the deletion of your personal data ("right to be forgotten"). You can delete your account at any time via Profile > Delete Account (see Section 10 below). Please note that certain data may be retained where required by law.
- Right to restriction of processing (Art. 18 GDPR) — You have the right to request the restriction of processing of your personal data under certain circumstances.
- Right to notification (Art. 19 GDPR) — You have the right to be notified about any rectification, erasure, or restriction of processing of your personal data.
- Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data where processing is based on legitimate interests (Art. 6(1)(f) GDPR).
- Right regarding automated decision-making (Art. 22 GDPR) — You have the right not to be subject to a decision based solely on automated processing, including profiling. We do not use automated decision-making or profiling.
- Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (see Section 12 below).
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account data — Retained until you delete your account.
- Profile data — Removed immediately upon account deletion.
- Order data — Retained for 10 years from the end of the calendar year in which the order was placed, in accordance with Section 147 of the German Fiscal Code (Abgabenordnung, AO).
- Payment records — Retained for 10 years in accordance with Section 147 AO.
- Ethereum wallet address — Removed upon account deletion, unless linked to pending reward distributions.
When your account is deleted, all personal profile data is permanently removed. Order records are anonymised by setting the user reference to NULL, but the order itself is retained to meet our legal obligations under German tax law.
10. Account Deletion
You can delete your account at any time by navigating to Profile > Delete Account. Upon deletion:
- Your profile data (name, phone number, delivery address, Ethereum wallet address) is permanently deleted.
- Your Supabase Auth account and all associated session data are removed.
- Your order records are anonymised (the user_id field is set to NULL) but retained to comply with the 10-year retention period required by German tax law (Section 147 AO).
- Google OAuth access can be additionally revoked in your Google account settings.
This process is irreversible. Once your account is deleted, we cannot recover your data.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include AES-256-GCM encryption of sensitive profile data, TLS encryption for all data in transit, secure server-side key management, access controls and authentication via Supabase, and regular security reviews of our systems. Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at support@zentachain.io.
12. Supervisory Authority
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Zentachain GmbH is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstrasse 219, 10969 Berlin, Germany
Website: www.datenschutz-berlin.de
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this Privacy Policy periodically. Continued use of our online store after changes constitutes your acceptance of the revised policy. For material changes, we may notify you via email or through a notice on our website.
14. Contact
For all data protection inquiries, requests to exercise your rights, or questions about this Privacy Policy, please contact us at:
Zentachain GmbH
Berlin, Germany
Email: legal@zentachain.io
General support: support@zentachain.io
We will respond to your inquiry within 30 days in accordance with Art. 12(3) GDPR.