Privacy Policy

General

This privacy policy ("Privacy Policy") describes how Active Rehabilitation Distribution Company ApS ("us", "our", "we", "Zoof") collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

This Privacy Policy applies to all personal data we process through our website, webshop, and related services.

Active Rehabilitation Distribution Company ApS is the Data Controller for your personal information. We are committed to protecting your privacy and ensuring transparent handling of your personal data in compliance with GDPR requirements.

Data Controller Information

Active Rehabilitation Distribution Company ApS
Indiakaj 20
2100 Copenhagen, Denmark
CVR: DK30606280
Email: customerservice@zoof.com
Data Protection Officer: privacy@zoof.com

Legal Basis for Processing Personal Data (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b)): Processing necessary for order fulfillment, delivery, and customer service
Legitimate Interest (Article 6(1)(f)): Website analytics, security, fraud prevention, and business development
Consent (Article 6(1)(a)): Marketing communications and non-essential cookies
Legal Obligation (Article 6(1)(c)): Tax records, accounting requirements, and regulatory compliance

Personal Data We Collect

Information You Provide Directly

Account Information: Name, email address, phone number, billing/shipping address
Purchase Information: Product selections, payment details (processed securely), order history
Communication Data: Customer service inquiries, feedback, review submissions
Marketing Preferences: Newsletter subscriptions and communication preferences

Information Collected Automatically

Technical Data: IP address, browser type, device information, operating system
Usage Data: Pages visited, time spent, click patterns, referral sources
Location Data: General geographic location (country/city level) based on IP address
Cookie Data: Website preferences, session information, analytics data

Purposes of Processing

Order Processing: Fulfilling purchases, delivery coordination, payment processing
Customer Service: Responding to inquiries, providing support, handling returns
Website Improvement: Analytics, user experience optimization, technical maintenance
Marketing: Sending promotional emails (with consent), personalized recommendations
Legal Compliance: Tax obligations, consumer protection laws, regulatory requirements
Fraud Prevention: Security monitoring, suspicious activity detection

Google Analytics and Tag Manager

We use Google Analytics and Google Tag Manager to better understand how visitors interact with our website and to improve our services. These tools collect information such as:

Pages you visit and time spent on each page
How you arrived at our website (search engines, direct links, etc.)
Your general location (country/city level)
Device and browser information
User interactions with our website elements

This information is processed by Google Analytics (Google Inc.), which is established in the USA. Google has implemented appropriate safeguards for international data transfers under applicable data protection regulations.

You can opt-out of Google Analytics by installing the Google Analytics opt-out browser add-on available at: https://tools.google.com/dlpage/gaoptout

International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure adequate protection through:

Adequacy Decisions: Transfers to countries with adequate data protection levels as determined by the European Commission
Standard Contractual Clauses: EU-approved contractual protections for data transfers
Binding Corporate Rules: Internal data protection rules approved by supervisory authorities
Certification Mechanisms: Industry-standard certifications and codes of conduct

Specific Third-Party Processors

Google Analytics (Google LLC, USA): Website analytics - protected by Google's Data Processing Terms and compliance with EU-US Data Privacy Framework
Payment Processors: Secure payment processing with PCI DSS compliance
Email Services: Marketing communications with appropriate data protection agreements
Hosting Services: Website hosting with EU-based or adequately protected servers

Data Retention Periods

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Account Data: Until account deletion or 2 years after last activity
Purchase Records: 7 years for accounting and tax compliance (legal requirement)
Marketing Data: Until consent withdrawal or 2 years after last engagement
Website Analytics: 26 months (Google Analytics default retention)
Customer Service: 3 years for quality assurance and legal protection
Legal Claims: Until resolution of any legal matters or statute of limitations

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data. We will respond to valid requests within one month:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to your personal data along with information about:

The purposes of processing
Categories of personal data concerned
Recipients or categories of recipients
Retention period or criteria for determining the period
Your other GDPR rights
Source of data if not collected directly from you

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed, including by providing a supplementary statement.

Right to Erasure/Right to be Forgotten (Article 17)

You have the right to have your personal data erased when:

Personal data is no longer necessary for the original purposes
You withdraw consent and there's no other legal ground for processing
You object to processing and there are no overriding legitimate grounds
Personal data has been unlawfully processed
Erasure is required for compliance with legal obligations

Note: This right may be limited when data retention is required for legal compliance, such as accounting records (7 years) or warranty obligations (2 years).

Right to Restrict Processing (Article 18)

You have the right to restrict processing when:

You contest the accuracy of personal data (during verification)
Processing is unlawful but you prefer restriction over erasure
We no longer need the data but you need it for legal claims
You have objected to processing (pending verification of legitimate grounds)

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when:

Processing is based on consent or contract
Processing is carried out by automated means

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will stop processing immediately. For other objections, we will assess whether we have compelling legitimate grounds to continue processing.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you. Currently, we do not engage in automated decision-making that would trigger this right.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@zoof.com or customerservice@zoof.com
Subject Line: "GDPR Rights Request - [Type of Request]"
Required Information: Please provide sufficient information to verify your identity and specify your request clearly

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement. For Denmark, this is:

Datatilsynet (Danish Data Protection Agency)
Website: www.datatilsynet.dk
Phone: +45 33 19 32 00

For UK residents, you can contact:

Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113

Data Security Measures

We implement appropriate technical and organizational measures to ensure the security of your personal data in compliance with GDPR Article 32:

Technical Measures

Encryption: Data transmission and storage encryption using industry-standard protocols
Access Controls: Role-based access limitations and multi-factor authentication
Network Security: Firewalls, intrusion detection, and secure hosting infrastructure
Regular Updates: Security patches and software updates for all systems
Backup Systems: Secure, encrypted data backups with tested recovery procedures

Organizational Measures

Staff Training: Regular data protection training for all employees
Access Policies: Strict need-to-know access policies and regular access reviews
Incident Response: Data breach response procedures and notification systems
Vendor Management: Due diligence and contractual safeguards for third-party processors
Regular Audits: Internal and external security assessments

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
Notify affected individuals without undue delay if the breach poses a high risk
Document all breaches, including facts, effects, and remedial actions taken

Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

Automated Decision-Making and Profiling

We do not currently engage in automated decision-making or profiling that would produce legal effects or significantly affect individuals. Any future implementation of such systems will be disclosed in updates to this privacy policy with appropriate safeguards and user rights.

Contact Information

Active Rehabilitation Distribution Company ApS is the Data Controller for all personal data collected through our website and services.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Active Rehabilitation Distribution Company ApS
Indiakaj 20
2100 Copenhagen, Denmark
CVR: DK30606280

General Inquiries:
Email: customerservice@zoof.com
Website: www.zoof.com

Data Protection Inquiries:
Email: privacy@zoof.com
Subject Line: "Privacy Policy Inquiry" or "GDPR Rights Request"

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make changes, we will:

Update the "Last updated" date at the bottom of this policy
Notify you of material changes via email or prominent website notice
For significant changes affecting your rights, obtain consent where required by law
Maintain previous versions for reference upon request

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Governing Law and Jurisdiction

This Privacy Policy is governed by Danish law and EU regulations, including GDPR. Any disputes related to this policy or our data processing practices will be subject to the jurisdiction of Danish courts, while respecting your right to lodge complaints with supervisory authorities.

Last updated: June 30, 2025
Version: 2.0 (GDPR Compliant)