Privacy Policy
Last updated: 1 July 2025
Cenario Limited (Registration No. 77193979) (“Cenario”, “we”, “us” or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website (www.cenario.com) or purchase our mental health supplement products, and how we comply with applicable privacy laws including the EU/UK GDPR, the California CCPA, Singapore’s PDPA, and Australia’s Privacy Act 1988, among others. It also describes your rights and choices regarding your personal data. We have structured this Policy with clear sections for ease of reading and integration into our site’s design.
By using our website or services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please discontinue use of our services. For any questions or privacy-related requests, you can contact us at support@cenario.com.
1. Information We Collect
We collect various types of personal and sensitive information from you through our WordPress/WooCommerce website and related services. This includes:
- Information You Provide to Us: When you engage with our site (such as making a purchase, filling out forms, or taking a wellness quiz), you may provide certain personal details, including:
- Contact Details: Your name, email address, telephone number, billing and shipping address, and other contact information.
- Account Information: If you create an account, we collect login credentials (username, password) and any profile information you choose to provide.
- Order and Transaction Data: Information about the products you order or purchase from us, such as items purchased, order date, and payment method. Payment details (like credit card numbers or bank information) are collected via our payment processors (e.g. Stripe, Airwallex) and we do not store your full card numbers on our servers. (We may retain non-sensitive payment identifiers like transaction IDs or last 4 digits for record-keeping).
- Health and Wellness Information: If you voluntarily complete our online quizzes or surveys about your mental or physical health (for example, questions about symptoms of anxiety, depression, insomnia, stress levels, lifestyle habits), we collect your responses. This may include sensitive health data, such as information about your mood, sleep patterns, or other well-being indicators. We treat this as sensitive personal data and will only collect and use it with your explicit consent given the special nature of this information (see Section 2 below on Usage and Legal Basis).
- Communications: Any communications you send us, such as emails, customer support inquiries, or live chat messages. This can include feedback, questions, or other details you choose to share. We may also keep records of correspondence and any information provided during customer service interactions.
- Marketing Preferences and Survey Data: Your preferences in receiving marketing from us (e.g. whether you subscribed to our newsletter) and information you provide in any surveys or feedback forms. For instance, if you join our mailing list or participate in promotions, we collect the details you submit (with your consent).
- Information from Third-Party Sources: We may receive information about you from third parties in some situations, and combine it with data we have. For example:
- Social Media or Login Services: If you choose to register or log in via third-party platforms (such as signing in with Google or Facebook), we may receive personal data such as your profile name, email, or other details from those services, as allowed by your privacy settings on that platform.
- Marketing Partners: We might obtain leads or contact information from authorized partners or referrals, or receive information from advertising networks if you interacted with our ads.
- Public Sources: We could also use publicly available information (e.g. public social media profiles) to verify or supplement our records, where lawful.
- Information Collected Automatically: When you visit our site or interact with our emails, we and our service providers automatically collect certain data about your device and usage of the site. This data helps us improve our services and ensure the site functions properly. It includes:
- Technical Data: Your device’s IP address, browser type and version, operating system, device identifiers, language preferences, and general location (such as city or region) inferred from your IP. We also log timestamps of your visits and pages viewed.
- Usage Data: Information about how you navigate and use our website, such as the pages or products you view, the amount of time spent on pages, links clicked, the page that referred you to our site, and similar browsing behavior. If you receive our marketing emails, we may record if you open them or click on links.
- Cookies and Similar Technologies: We use cookies, pixels, and other tracking technologies to collect some of the above data. Cookies are small text files stored on your browser that allow us to recognize your browser and capture and remember certain information. For example, cookies help run the shopping cart and remember your site preferences. Some cookies are also used for analytics and advertising (see Section 4 on Cookies and Tracking Technologies). We will obtain your consent for non-essential cookies where required by law. You can find more details in our separate Cookie Policy (see Section 4 below).
Note: Personal data, as used in this Policy, generally means any information that can identify you as an individual or that relates to an identifiable individual. Anonymous data (which cannot identify you) is not considered personal data and we may use it for any purpose.
2. How We Use Your Personal Data (Purposes and Legal Bases)
We process your personal information for the following purposes, and rely on a lawful basis for processing each type of personal data as required under GDPR and other laws. The ways we use data include:
- To Provide Our Products and Services: We use your information to process orders, fulfill and deliver your purchases, and provide you with the products or services you have requested. This includes managing payments (through secure third-party processors) and communicating with you about your orders or account. Legal basis: This is generally necessary for the performance of a contract with you (e.g. our Terms of Sale) or to take pre-contract steps at your request.
- Customer Support and Communication: We will use contact details and communications to respond to your inquiries, provide customer support, handle returns or complaints, or notify you of important service updates (such as changes to this Policy or security alerts). Legal basis: Performance of contract for service-related messages, and/or our legitimate interests in ensuring customer satisfaction and addressing your queries.
- Personalized Recommendations and Wellness Assessment: The health and wellness information you provide (for example, your quiz responses about symptoms or lifestyle) is used to generate personalized product recommendations or supplement plans tailored to your needs. We may analyze your answers to suggest which of our products might be most beneficial for you. Legal basis: Your explicit consent (for processing special category health data under GDPR) at the time you take the quiz or provide that information. We will explain the intended use and obtain your consent before you submit such sensitive data. In contexts where health data consent is not mandated (e.g. outside GDPR jurisdiction), we still treat your health-related responses as sensitive and process them only to serve you (which may also be considered implied consent or necessary for providing a service you requested under laws like PDPA). You are not required to provide health information – it is voluntary and only used to enhance your experience.
- Improving and Customizing Our Services: We analyze personal data (including aggregated health data, usage data, and feedback) to understand our customers’ needs, improve our products, develop new supplements or features, and enhance your website experience. For example, we may track how users navigate our site to optimize design, or review quiz responses in aggregate to identify trends for product development. We also use cookies and analytics tools to personalize content and remember your preferences (e.g. retaining your shopping cart or showing products you may be interested in). Legal basis: Our legitimate interests in operating, optimizing, and improving our business and user experience. We always consider your rights and ensure our interests do not override your privacy. In cases where analytics or personalization cookies are not strictly necessary, we will obtain your consent as required by law (see Section 4).
- Marketing and Promotional Communications: With your permission, we use your contact information (such as email or phone number) to send you newsletters, product updates, special offers, and promotional content about Cenario’s products that we think may interest you. For example, if you sign up to our mailing list or request a free guide, we will send you marketing emails via our provider (e.g. Klaviyo). Legal basis: Consent (opt-in) – we will only send you marketing emails or texts if you have subscribed or explicitly agreed to receive them. Where applicable law allows “soft opt-in” (for example, sending marketing to existing customers about similar products), we will still honor any opt-out request. You can withdraw your consent at any time (see Section 6 and Section 9 on how to opt out). We may also rely on legitimate interests for certain limited direct marketing to customers, but will always provide an easy opt-out. We do not use sensitive health data for marketing without your explicit consent.
- Advertising and Retargeting: We partner with third-party advertising networks (like Google and Meta/Facebook) to show you relevant ads for our products on other websites or social media platforms. For example, we use the Meta Pixel on our site to help deliver ads to you or similar audiences on Facebook/Instagram. These partners may use cookies or similar identifiers to collect information about your website usage and interactions with our ads, in order to tailor advertisements you see on their platforms. Legal basis: Our legitimate interests in promoting our business, but your consent where required. In jurisdictions (like the EU/UK) that require opt-in for advertising cookies, we will obtain consent via the cookie banner before deploying these trackers. You can also opt out of targeted advertising as described in Section 6. Please note that the use of some advertising tools might be considered a “sale” or “share” of personal information under certain U.S. state laws, since we may receive analytics or marketing insights in return (see Section 8 and 13 for your rights to opt out).
- Analytics and Aggregated Research: We use data (mostly in aggregate or de-identified form) to conduct analytics on website performance and product efficacy. For instance, we may look at aggregated quiz results or customer demographics to research general wellness trends or measure how our supplements are used. We may create anonymous, aggregated datasets (stripping out personal identifiers) to improve our algorithms or share statistical insights (but not personal details) in marketing materials. Legal basis: Legitimate interests in understanding and improving our products and the health of our customer community. Where required by law, we will obtain consent for using certain analytics cookies or processing data for analytics beyond the original purpose.
- Fraud Prevention and Security: We process personal data to protect our website, business, and customers from fraud, misuse, or security threats. This includes using certain data to verify accounts and transactions, detect suspicious activity (like multiple failed login attempts or fraudulent payments), and ensure the integrity of our platform. We also may use automated tools to screen for security issues (for example, using Google reCAPTCHA on forms to distinguish bots from human users). Legal basis: Legitimate interests in maintaining security and preventing fraud or legal obligation in some cases (such as complying with anti-fraud laws).
- Compliance with Legal Obligations: We will use and retain personal information as needed to comply with our legal and regulatory obligations. This includes using data for:
- Accounting and Tax: Keeping transaction records as required by tax law or financial regulations.
- Regulatory Reporting: If required, providing information to authorities (for example, fulfilling product recall duties or responding to government inquiries).
- Consumer Rights Compliance: Meeting obligations under privacy laws (like honoring opt-out signals or data access requests).
- Legal Process: Where necessary, we may process data to respond to subpoenas, court orders, or other legal processes, or to establish or defend legal claims.
Legal basis: Legal obligation – processing is necessary for compliance with laws to which we are subject, and in some cases legitimate interests (such as cooperating with law enforcement or enforcing our terms, which also helps protect the rights and safety of us and others).
- Other Purposes with Your Consent: If we ever need to process your personal data for a purpose materially different from the original reason we collected it, we will explain the purpose to you and, if required, request your consent. For example, if we ever wish to use your health information in a new research project or share your contact with a partner for their own marketing, we would only do so with your prior consent (unless another legal basis applies).
We will clearly indicate where providing personal data is optional. However, if you decline to provide information that is necessary for us to perform a requested service or contract (such as essential contact or payment information for an order), we may not be able to fulfill that service.
3. Marketing Communications and Consent
We take your privacy preferences seriously, especially when it comes to marketing. Here’s how we handle marketing communications:
- Opt-In Required: We will only send you promotional emails, newsletters or SMS messages if you have opted in to receive them. For example, by ticking a checkbox to subscribe or by explicitly requesting our newsletter, you give us consent to send you marketing content. We use a reputable email service (such as Klaviyo) to manage our mailing list. We may also use a “double opt-in” process for email subscriptions: this means after you sign up, we might send a follow-up email asking you to confirm your subscription to ensure it was you who subscribed. This extra step helps us verify consent and protect against unsolicited sign-ups.
- Content of Marketing: Our marketing communications will include tips for mental wellness, information about new products or promotions, special offers, and other updates related to our supplements and services. We aim to tailor the content to be relevant – for instance, if you took a quiz indicating interest in sleep improvement, we may send offers related to sleep support.
- Right to Unsubscribe: You can opt out of marketing messages at any time. Every marketing email we send will contain an “unsubscribe” link at the bottom; clicking that will stop further emails. You may also withdraw your consent by contacting us at support@cenario.com with a request to remove you from our marketing list, or by adjusting your account preferences if you have an online account. Once you opt out, we will cease sending you promotional messages. (Please note it may take a few days to process your opt-out across all systems, but we strive to do so promptly.) There is no fee or penalty for unsubscribing, and we will honor your choice without disadvantaging you.
- Transactional and Service Emails: Even if you opt out of marketing communications, we may still send you non-promotional emails as needed for our services. For example, we will email you regarding your orders, shipping updates, account changes, password resets, or other important service or legal notices. These are not marketing messages but essential service communications, which you cannot opt out of as long as you use our services (except by discontinuing service).
- Third-Party Marketing: We will not sell or share your contact information with third-party companies for their own direct marketing uses without your explicit consent. If we ever run a joint promotion with a partner and you need to consent to have them contact you, we will present you with that choice clearly. Otherwise, any marketing about Cenario will come directly from us or from service providers sending on our behalf (like our email platform), and you can always opt out through us.
- Do Not Call and Do Not E-mail: We comply with applicable “Do Not Call” laws and anti-spam laws. If you are in a jurisdiction with a Do Not Call registry or similar (such as Singapore or Australia), we will not contact you via phone or SMS if you have registered your number on the applicable Do Not Call list, except as permitted by law or if you have given consent. Our emails will always include our identity and contact info, and will abide by CAN-SPAM Act and other anti-spam regulations.
Your consent for marketing is separate from any consent you give for our other data practices. Declining or withdrawing marketing consent will not affect your ability to use our core services. We will also maintain records of your marketing consent (when and how you subscribed) for compliance purposes, and we may ask you to renew consent periodically as laws require.
4. Cookies and Tracking Technologies
As mentioned, we use cookies and similar tracking technologies on our website to provide and improve our services. This section explains these technologies and how you can manage them.
- What Cookies Are: Cookies are small data files placed on your browser or device when you visit a website. They allow the site to recognize your device and store certain information about your preferences or past actions. Other tracking technologies include pixels (small image files embedded in pages or emails) and local storage. We also use JavaScript and device identifiers to collect information about your interactions.
- Types of Cookies We Use:
- Essential Cookies: These are necessary for our site to function properly. For example, when you add items to your cart or proceed to checkout, session cookies keep track of your cart items. They also help with security and basic functionality. Without these cookies, our website and e-commerce features would not work correctly, so they are always active.
- Preferences Cookies: These remember your choices and settings to enhance your experience (for instance, your preferred language or region).
- Analytics Cookies: We use these to collect information about how visitors use our site – which pages are visited, how long, and which links are clicked. This helps us improve the website’s design, functionality, and content. (See “Analytics Tools” below for specifics).
- Advertising Cookies: These cookies gather data about your browsing habits and interests in order to show you relevant ads on other sites or social media. They can track when you visit our site and may combine that info with other data to target ads (see “Advertising Tools” below).
- Functional and Performance Cookies: These support additional features (like playing videos or chat widgets) and help us measure performance of our site and campaigns (for example, measuring open rates on emails via a pixel).
- Analytics Tools: We use third-party analytics services that set cookies or use similar technologies:
- Google Analytics: This tool from Google helps us understand website traffic and usage. Google Analytics uses cookies to collect data such as your IP address (anonymized where possible), pages visited, time on site, and referring sites. We have enabled features like IP anonymization so that Google truncates IP addresses for EU users, reducing identifiability. Google Analytics provides reports that help us gauge the effectiveness of our pages and marketing. Google may process data on servers in the United States, so we have taken measures (like standard contractual clauses or reliance on adequacy frameworks) to safeguard such transfers. You can opt out of Google Analytics by using the official browser opt-out plugin or by adjusting your cookie preferences (see “Managing Cookies” below). For more details, see Google’s own Privacy Policy.
- Hotjar: We use Hotjar, a user experience analytics tool, to understand how users interact with our site through heatmaps, session replays, and surveys. Hotjar may record things like where you click or scroll on our pages, which helps us identify usability issues. Hotjar’s tracking code uses cookies and other technology to collect device information (like IP, which is stored in anonymized form, device type, browser) and user behavior data. Hotjar does not collect any payment details or passwords, and we configure it to avoid capturing any sensitive fields. All usage data is aggregated and helps us improve site design. You can opt out of Hotjar’s tracking by using their Do Not Track header solution or visiting Hotjar’s opt-out page.
- Other Analytics: We may use additional analytics or A/B testing tools from time to time to improve our service (for example, Google Optimize or similar). Any such tool will be listed in our Cookie Policy and will only be used in compliance with applicable laws.
- Advertising and Social Media Tools: We also utilize cookies and pixels for advertising purposes:
- Meta (Facebook) Pixel: We have installed Meta’s Pixel on our site. This is a small snippet of code that tracks certain actions (such as when you view a product or make a purchase) and reports them to Facebook. This helps us retarget ads to you on Facebook/Instagram and measure ad campaign effectiveness. For example, if you visited our site and viewed a particular supplement, we may later show you an ad for that product or similar on Facebook. The Pixel may collect information such as your Facebook User ID (if you are logged in), device information, and the specific pages you visited on our site. Meta may consider this a “data share” and use the data per their privacy policy. We do not see your personal Facebook data; we only receive aggregate ad performance reports. Legal note: Because Pixel involves sharing your device identifiers and browsing info with Meta, some privacy laws (like CCPA/CPRA) may treat it as a “sale”/“sharing” of personal info (see Section 8). We will only use Pixel for users who have consented to advertising cookies where required, and you can opt out anytime (see below).
- Google Ads & Analytics Advertising Features: We may use Google Ads cookies to serve you ads on other websites (via Google’s advertising network) based on your past visits to our site (a practice called remarketing). We might also use Google Analytics Advertising Features (like demographic and interest reporting, or integrated services that require Google advertising cookies). These cookies and identifiers help show you tailored ads and provide us with insights about ad performance. You can opt out through Google’s Ad Settings or via our cookie preferences.
- Email Tracking Pixels: In our marketing emails, we may include a tiny image (pixel) to tell us if you open the email or click on links. This helps us understand engagement with our content. You can disable this type of tracking by not downloading images in the email (most email clients do that by default) or unsubscribing if you prefer not to be tracked at all.
- Other Third-Party Cookies: Our site might include features from third parties (like a YouTube video embed, or a social media “share” button) that set cookies. For example, if we embed a YouTube video, YouTube may set cookies to track video views.
- Consent and Managing Cookies: On your first visit to our site (and periodically thereafter), you will see a cookie notice or banner. We currently use this to inform you that we use cookies and, in jurisdictions where it’s required, to obtain your consent for non-essential cookies (like analytics and advertising cookies). We are in the process of implementing a more detailed cookie consent manager to allow you to customize your preferences (e.g. accept only certain categories of cookies). In the meantime, you can manage cookies as follows:
- Browser Settings: Most web browsers allow you to refuse or delete cookies. You can set your browser to block all cookies or to alert you when cookies are being sent. Check your browser’s help section for instructions. Keep in mind, if you disable all cookies, some parts of our site (like the shopping cart or account login) may not function properly.
- Opt-Out Mechanisms: For specific opt-outs: use the Google Analytics opt-out extension as noted, use Hotjar’s opt-out, or adjust your ad preferences on platforms (Google Ad Settings, Facebook Ad Preferences, etc.). You can also utilize browser privacy features or extensions to block trackers.
- Do Not Track Signals: Our site honors Global Privacy Control (GPC) or “Do Not Track” signals for California residents and others where required. If our site detects a GPC signal from your browser, we will treat it as a valid opt-out of cookies that constitute a “sale”/“share” under CCPA/CPRA. Note that essential cookies will still function.
- Cookie Policy: For more detailed information about the specific cookies and tracking technologies we use, their purposes, and their lifespans, please refer to our Cookie Policy (linked in our website footer). That policy is incorporated by reference into this Privacy Policy. It also explains how you can change your cookie settings at any time.
By using our site without disabling cookies via your browser or other tools, you consent to our use of cookies and trackers as described. However, you always have the ability to adjust your cookie preferences as explained above. We do not currently use an automated cookie preference center, but you can control cookies manually, and we will update our practices continuously to comply with evolving cookie consent requirements.
5. Sharing Your Personal Data with Third Parties
We do not sell your personal information to third parties for money. However, we do share your data with certain trusted third parties who help us run our business (service providers) or in other circumstances described below. Whenever we share data, we ensure we have a legal basis to do so and that appropriate safeguards are in place to protect your information. Here are the categories of third parties with whom we share data and why:
- Service Providers (Processors): These are third-party companies that perform services on our behalf and need access to personal data to do so. We contractually bind them to protect your information and use it only for our specified purposes. Key service providers include:
- Website Hosting and IT Infrastructure: Our website is hosted on servers provided by Kinsta (a managed WordPress hosting provider). The data you provide (site usage, form submissions, etc.) is stored on Kinsta’s servers. Kinsta in turn uses Google Cloud data centers, and we have chosen servers in regions that best serve our users. Kinsta may process basic technical data for uptime monitoring and backup. We’ve signed a Data Processing Agreement with Kinsta to ensure your data is handled securely.
- Payment Processors: When you make a purchase, your payment details are handled by third-party payment processors such as Stripe and Airwallex. These companies will receive your payment information (like credit card number or PayPal details) directly to process transactions. We do not see or store your full credit card information; that is handled securely by the payment processor. These processors may store your payment data (e.g. card tokens) for easier future payments and to comply with their legal obligations. Each has its own privacy policy which governs use of your payment data. We share only necessary information with them (like charge amount, order ID, and your contact/shipping info for verification).
- Email Service & Marketing Platform: We use Klaviyo (an email marketing service) to send our newsletters and promotional emails. If you subscribe to our mailing list or if we need to send order confirmations, your name and email address (and potentially engagement info like open/click rates) will be stored on Klaviyo’s platform. Klaviyo acts as a data processor, handling our mailing campaigns and analytics.
- Shipping and Logistics Partners: To deliver your orders, we share necessary details with shipping carriers or fulfillment partners (e.g. USPS, FedEx, DHL, or local postal services, and any third-party warehouse or fulfillment center we use). This typically includes your name, shipping address, phone number (for delivery updates), and package contents/value (for customs if applicable). They use this data solely for delivery and comply with privacy and security standards.
- Customer Support and CRM Tools: We may use third-party platforms for customer relationship management (CRM) and support ticketing (for example, a tool like Zendesk or HubSpot) to track communications. If you contact us for support, your contact info and issue details may be logged in such a system for follow-up. All such providers are bound to keep data confidential.
- Business Operations Tools: We also use cloud software to run our business internally. For example, ClickUp (project management) or Make.com (workflow automation) might process snippets of personal data indirectly, when they help us automate tasks like syncing order info between systems or reminding our team of customer requests. Similarly, standard office tools (Google Workspace/Microsoft 365) may handle personal data if, say, we email you or store a document with your order. These providers are reputable companies that implement strong security. We limit the personal data shared through these tools to the minimum needed for operational purposes.
- Analytics and Advertising Partners: As described in Section 4, we use third-party analytics and advertising services that involve sharing certain data:
- Google: Apart from being a processor for analytics (Google Analytics), Google may receive data when we use Google Ads/remarketing. We share identifiers and site visit info to allow Google to show our ads on other sites. We have configured Google Analytics to avoid collecting direct identifiers wherever possible. Google acts as our service provider in analytics, but for ads, Google may act as a separate controller of the data it receives. We have appropriate agreements in place (including Standard Contractual Clauses for EU data transfer as needed).
- Meta/Facebook: When we use the Meta Pixel, some of your browsing info on our site (and hashed identifiers if applicable) are shared with Meta Platforms, which uses it to help us target ads and measure results. Meta may combine this with your user profile if you have one. We do not receive personal data like your Facebook account details; we receive aggregated ad reports. Meta may consider itself an independent data controller for the data it collects via Pixel. We ensure that we obtain consent for this data sharing where required, and you can opt out as noted. Under California law, this kind of sharing for cross-context behavioral advertising may be considered a “share” of personal info; we provide opt-out options for California residents (see Section 8).
- Hotjar: Hotjar collects data on our behalf as a processor to provide heatmaps and analytics. They do not share your data with anyone and we control the data they store for us.
- Other Ad Partners: If we participate in any other advertising networks or use social media “audience” tools (for example, uploading a list of customer emails to a platform to create a custom audience), we will only do so in compliance with law and with appropriate safeguards (e.g. hashing of data). We will disclose such practices in our Cookie Policy or at the point of data collection and obtain consent if required.
- Third-Party Platforms You Access Through Us: If our site links to third-party sites or you interact with embedded content (e.g. a YouTube video, or a social media login), those third parties receive data directly from your browser. For example, when you click “Share” to post our content on Facebook, that action may share information with Facebook. Those third parties operate under their own privacy policies, and we do not control their data handling. We encourage you to review the privacy notices of any third-party services you access.
- Affiliates and Corporate Transactions: Currently, Cenario Limited operates as a single company. If in the future we have affiliates or subsidiaries, we may share your information within our corporate family on a need-to-know basis (for example, if we establish a branch in the EU to serve European customers, that branch might access necessary customer data). Additionally, if Cenario undergoes a business transaction such as a merger, acquisition by another company, or sale of all or part of its assets, your personal data may be transferred to the successor entity as part of the transaction. If such a transfer occurs, the use of your personal data will remain subject to this Privacy Policy’s protections (unless you are notified of changes). We will notify you (for example, via email or a notice on our site) of any change in ownership or new uses of your personal information, if you have provided us an email to contact.
- Legal and Safety Disclosures: We may disclose personal information to third parties (such as courts, law enforcement, regulators, or legal counsel) when required or allowed by law, or when we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation or respond to lawful requests (e.g. subpoenas, court orders, or government demands).
- Enforce our terms and conditions or other agreements, and investigate potential violations.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect our rights, property, and safety, or that of our users, customers, or others. For example, we might share information with law enforcement to report suspected illegal activity or threats.
- Such disclosures will be made only in accordance with applicable laws. Whenever feasible and legally permissible, we will inform you if we need to provide your data to third parties as part of the legal process.
- With Your Consent: Aside from the above, we will only share your personal data with third parties when you have given us explicit consent to do so. For example, if you agree to let us share your testimonial with your name on our website, or if you opt in to a program where we collaborate with another company to provide a service. In such cases, we will explain what data will be shared, with whom, and why, so you can make an informed decision.
No “Sale” of Personal Data for Monetary Consideration: We do not exchange your personal information with third parties for money. We also do not disclose your personal information to data brokers or unrelated parties for their independent marketing. The only sharing we do is as described above – mostly with service providers or for our own advertising/analytics needs. However, as noted, some data sharing (particularly with advertising networks) might be classified as a “sale” or “sharing” under broad definitions in laws like the CCPA/CPRA, because we get some benefit (like ad services) from the exchange. We address how you can opt out of such sharing in Section 8.
All third parties who process personal data on our behalf must agree to protect data per our requirements. We choose reputable providers with strong security practices. If you have questions about specific third parties that may have access to your data, you can contact us for more information. We strive to be transparent about the companies that help us deliver our services.
6. International Data Transfers and Safeguards
Cenario Limited is based in Hong Kong, and our website is accessible to customers around the world. Because we serve an international customer base, your personal data may be transferred to or accessed by entities outside your home country. In particular:
- Servers and Infrastructure Locations: The data we collect may be stored and processed in multiple countries, primarily Hong Kong, the United States, the European Union (EU), or other locations where our service providers maintain facilities. For example, our hosting provider (Kinsta) might store data on a server in the US or EU (depending on the server location we select), and many of our third-party providers (Stripe, Google, Klaviyo, Meta, etc.) are headquartered in the United States. This means your personal information could be transferred to, or accessed from, a jurisdiction that is different from your own, and which may not provide the same level of data protection as the laws in your country.
- Our Safeguards for Cross-Border Transfers: Whenever we transfer personal data across international borders, we take steps to protect it:
- If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we will ensure that your data is transferred in compliance with GDPR/UK GDPR requirements. This may involve:
- Transferring data only to countries that the European Commission (or UK government) has formally deemed to have an “adequate” level of data protection; or
- Implementing standard contractual clauses (SCCs) or other approved transfer mechanisms with the data importer, to contractually require that your data receives a level of protection equivalent to EU standards.
- In limited cases, relying on your explicit consent for the transfer or other exceptions allowed under Article 49 GDPR (for instance, if a transfer is necessary to fulfill a contract with you).
- For transfers from Australia, we comply with the Privacy Act 1988’s cross-border disclosure requirements. This means either the foreign recipient is subject to a law or scheme substantially similar to the Australian Privacy Principles, or we contractually require them to protect the data to the same standard, or we obtain your consent.
- For transfers from Singapore (PDPA) or other countries with data export restrictions, we similarly ensure that the overseas recipients are bound to provide a standard of protection comparable to the local law’s requirements, typically via contractual agreements.
- We also evaluate on a case-by-case basis any additional measures needed (such as encryption in transit and at rest, access controls, etc.) to secure data being transferred internationally.
- Third-Party International Transfers: Many of our service providers are multinational companies (e.g., Google, Meta, Stripe). We carefully select providers that have robust privacy and security programs. For example, Stripe and Google participate in frameworks and use SCCs for data transfer. When we engage a service provider, we review their data protection commitments and ensure they meet legal requirements for international data handling. In our contracts with them, we include data protection clauses as needed (for instance, the SCCs or equivalent).
- Your Acknowledgment: By interacting with our website or buying our products, you acknowledge that your personal data may be transferred to and processed in countries other than your own. We will handle your data in accordance with this Privacy Policy no matter where it is processed, and will take appropriate protective measures as described. If you prefer not to have your data transferred internationally, please refrain from using our services (unfortunately, it is not practical for us to provide our services without moving data across borders, given the global nature of internet and cloud services).
- Data Privacy Framework (DPF): Note: At this time, Cenario has not self-certified under the new EU-U.S. or UK-U.S. Data Privacy Framework. However, we continue to monitor developments in cross-border data transfer mechanisms. We primarily rely on the safeguards mentioned above (like SCCs) for EU->US data flows. If in the future we choose to participate in any official framework (such as the DPF) to facilitate data transfers, we will update this Policy accordingly.
- Requests for Information by Authorities: In rare cases, personal data stored abroad may be subject to lawful requests by foreign courts or law enforcement. If a government or law enforcement authority (outside your country) requests access to personal data, we will carefully verify the request’s lawfulness. We only disclose data if required by applicable law or an enforceable order (see also Section 5 on legal disclosures). We will push back on unlawful or overly broad requests and, whenever possible, notify you of such requests unless legally prohibited.
If you have questions about our international data practices, or if you need more information about specific transfer safeguards (for example, if you want to see a copy of the standard contractual clauses we use), you can contact us at support@cenario.com. We will be happy to provide additional details as permitted by confidentiality obligations.
7. Your Rights Regarding Personal Data
You have important rights regarding the personal data we hold about you. These rights may vary depending on the laws that apply to you (for example, GDPR grants extensive rights to EU individuals, CCPA grants specific rights to California residents, etc.), but we strive to honor all legitimate requests from any user, regardless of jurisdiction, to the extent feasible. Below, we outline key privacy rights and how you can exercise them:
- Right to Access: You have the right to request a copy of the personal data we hold about you. This includes information on how we use it, who we share it with, and details of the data itself. We will provide this in a commonly used format (and, if you are an EU/UK resident invoking GDPR, in a structured, machine-readable format). For example, you can ask: “What personal information do you have about me?” and we will supply, subject to verification and some exemptions, the data we have (such as account info, order history, etc.).
- Right to Rectification (Correction): If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, you can ask us to correct a misspelled name or update an out-of-date email address. Many changes (like updating your contact info) can be done by you directly through your account settings as well.
- Right to Deletion: You can request that we delete your personal data under certain circumstances. This is sometimes called the “right to be forgotten” under GDPR. We will honor deletion requests to the extent we are permitted by law. For example, if you withdraw consent or believe our processing is unlawful, you can ask that your data be erased. Do note that we may retain some information if required for legal obligations or legitimate business purposes (see Data Retention section below). If you have an account, you may also have the option to delete your account from within your account settings, which will remove most personal data. If you simply unsubscribe from marketing, we may retain your email in a suppression list to ensure we respect your opt-out (but we’ll inform you of that if so).
- Right to Restrict Processing: You have the right to request that we limit or “pause” the processing of your data in certain cases. For example, if you contest the accuracy of data or have objected to processing (see below), you can ask us to restrict processing until the issue is resolved. While restricted, we will still store your data but not use it for the contested purpose.
- Right to Object to Processing: You have the right to object to our processing of your personal data when we base it on legitimate interests or when we are performing profiling (automated processing) based on our legitimate interests. If you object, we will review whether our legitimate grounds override your rights and freedoms. You also have an absolute right to object to your data being used for direct marketing purposes – meaning, you can tell us to stop using your data to send you marketing or for targeted advertising, and we will comply. (See Section 3 and Section 5 regarding how to opt out of marketing and targeted ads).
- Right to Data Portability: For data you provided to us and that we process by automated means on the basis of consent or contract, you have the right to receive that data in a portable format and/or have us transmit it to another service provider (when technically feasible). In other words, you can ask for a digital file of the personal data you gave us (for example, your account information and purchase history) to move to another service.
- Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing we carried out prior to withdrawal, but it means we will stop the specific processing that was based on consent. For example, you can withdraw consent for marketing emails (as described earlier), or withdraw consent for us to use your health questionnaire responses. Once withdrawn, we will cease the processing and, if no other legal basis applies, delete or anonymize the data in question. Important: If you withdraw consent for certain essential uses (like use of health info to make product recommendations), we may not be able to continue providing that particular service to you – but general use of our site would remain unaffected.
- California Privacy Rights (CCPA/CPRA): If you are a California resident, you have some additional rights under the California Consumer Privacy Act (as amended by CPRA):
- Right to Know: You can request that we disclose the specific pieces of personal information we have collected about you, as well as the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom we share it, and if we sold or shared any personal info (we note that we do not sell data for money, and we only “share” for targeted advertising as explained).
- Right to Delete: As mentioned above, you can request deletion of your personal information, with similar exceptions (e.g., we may keep data required for legal purposes).
- Right to Correct: You can request correction of inaccurate personal information (new under CPRA).
- Right to Opt Out of Sale/Sharing: You have the right to direct us not to sell your personal info to third parties, or to stop sharing it for cross-context behavioral advertising. As explained, we don’t sell data in exchange for money. The “sharing” we do is for targeted ads. You can exercise this right by using the “Do Not Sell or Share My Personal Information” link on our website (if available) or by contacting us (see below). We also recognize Global Privacy Control signals for opting out of sales/sharing, as noted in Section 4.
- Right to Limit Use of Sensitive Personal Information: If we collect “sensitive personal information” (as defined by CPRA, e.g. precise geolocation, health info, etc.) about you for reasons other than providing you our services, you can ask us to limit its use/disclosure. In our case, any sensitive data (like health quiz responses) is used only to provide you services (recommendations) and with consent, so this likely doesn’t apply. We do not use or disclose sensitive data for inferring characteristics or for any purpose other than what you provided it for.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. This means we won’t deny you goods or services, charge you different prices, or provide a different quality of service because you exercised your rights. (However, note that if you ask us to delete data that is necessary for providing a service, we may not be able to continue providing that service – e.g., deleting your account data will mean you can no longer log in, but that’s a consequence of deletion, not discrimination).
- Authorized Agent: You can designate an authorized agent to make requests on your behalf under CCPA. If you do so, we will take steps to verify that the person is authorized to act for you, for example by requiring a written permission from you or proof of power of attorney, and we may still ask you or the agent for information to verify your identity.
- Singapore PDPA Rights: If you are in Singapore, under the PDPA you have the right to request access to your personal data that we have and information about how we have used or disclosed it in the past year. You also have the right to request correction of your personal data if it is inaccurate. We will provide access and make corrections except in limited circumstances where we are exempted from doing so (for example, if it would threaten someone’s safety or involve someone else’s personal data). You also have the right to withdraw consent at any time (as noted above). We will also upon request provide information about how your personal data has been handled, to the extent required by PDPA’s Access and Correction obligations.
- Australian Privacy Rights: Under Australia’s Privacy Act, you similarly have the right to access the personal information we hold about you and to request corrections. We will respond to access or correction requests within a reasonable time. If we refuse access (for example, if it unreasonably impacts others’ privacy or is frivolous), we will provide a written explanation. If you request a correction and we refuse for some reason, you can request that we take reasonable steps to attach a statement to your personal information noting your correction request. Australia does not currently provide a right to deletion in all cases, but we will honor deletion requests as described above when possible.
- Other Jurisdictions: If you reside in other regions (e.g., Canada, UK, etc.), you likely have rights similar to those listed above. For instance, UK law mirrors the GDPR rights, Canadian individuals under PIPEDA have rights to access and correction, etc. We intend to respect all such rights to the extent we are able.
How to Exercise Your Rights: To exercise any of these rights, please contact us at support@cenario.com with your request. Please include your name and the email address associated with your interactions with us (and, if applicable, your account) and clearly state which right you wish to exercise (e.g., “I want to access my data” or “Please delete my account and data”). For California opt-out of sale/sharing, you may also use the “Do Not Sell/Share” link on our site homepage if available, or simply email us with “CCPA Opt-Out” in the subject line.
We will need to verify your identity before fulfilling certain requests. This is to protect your privacy – we wouldn’t want to give your data to an imposter. Verification might involve checking that the request comes from the email we have on file for you, or asking you to provide two or three pieces of information that we can match to our records. For sensitive requests (like accessing data or deleting), we may employ stricter verification (for instance, a signed declaration or, if applicable, government ID – though we’ll avoid this unless absolutely necessary).
We will respond to your request as soon as we can, generally within one month for GDPR requests, and within 45 days for CCPA requests (with the possibility of a 45-day extension which we would inform you about). If we need more time or cannot comply with your request (due to a legal exemption), we will inform you of the reason and any options you have (for example, if we must retain certain data for legal reasons, we will tell you that).
Exercising these rights is free of charge in most cases. If a request is manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on it, but we will explain our decision if that happens.
We will not retaliate or discriminate against anyone for exercising their privacy rights. Our service offerings and prices will remain the same regardless of whether you exercise rights (aside from any differences that result from your data preferences themselves – e.g., if you opt out of email, you won’t receive email-only discount offers, but that’s just a consequence of your choice).
If you have any questions about your rights or how to exercise them, you can always reach out to us at support@cenario.com for guidance.
8. Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements. This means retention periods will vary depending on the type of data and the reasons we have it. Below is a general outline of how long we keep different categories of data:
- Account Information: If you create an account on our site, we will keep your account data for as long as your account is active. You can choose to delete your account, in which case we will remove or anonymize personal data associated with your profile (except for data we must keep for legal reasons, as noted below). If your account is inactive for an extended period, we may contact you to ask if you want to maintain it; if not, we may delete or anonymize the account data.
- Purchase and Transaction Data: We retain records of your purchases, transactions, and communications related to purchases for a period necessary to provide services and as required by law. Typically, we keep order information (including personal data in invoices, receipts, shipping records) for at least 7 years to comply with tax and accounting laws (for example, to have evidence in case of audits, and because certain jurisdictions mandate retention of financial records for 5-7 years). Even if you request deletion of your data, we may retain invoice data as needed for legal compliance but will restrict it to that purpose only.
- Health & Quiz Data: Information you provide in quizzes or assessments, being sensitive, will not be kept longer than needed to serve its purpose. If you do not create an account or make a purchase after taking a quiz, we will generally delete or anonymize your quiz responses after a reasonable period (for example, within 12 months) once we have aggregated the data for research. If you do create an account or purchase based on quiz results, your quiz data might be stored with your customer profile to inform future recommendations. You can request its deletion at any time. We will also periodically review and purge sensitive health data that is no longer actively used or needed. Any health-related information that we keep for analytical purposes will be de-identified, so it’s no longer linked to you personally.
- Marketing Data: If you have subscribed to our newsletter or promotional emails, we will retain your contact details for marketing until you unsubscribe or withdraw consent. Upon unsubscribing, we will promptly remove you from the active mailing list. We may retain a minimal record of your email address on a suppression list thereafter, to ensure we honor your opt-out (as permitted by law), or as a record of when you gave/withdrew consent. If you have not engaged with our marketing emails for a long time, we may also remove your contact from our list as part of regular list cleaning.
- Communications and Support: Correspondence you send us (emails, chat logs, support tickets) is retained for as long as necessary to address your inquiry and maintain a history of your communications. We may retain customer service communications for up to 2-3 years after resolution (to train our team, handle any follow-up issues, or demonstrate how we dealt with inquiries). If you exercise privacy rights or give consents, we will keep records of those communications/consents as required by law (often 5 years or more, under GDPR accountability principle).
- Website Logs and Analytics: Our web server logs and security logs (which may include IP addresses) are generally kept for a short period, typically a few months, unless used for incident investigation. Aggregated analytics data (which does not directly identify individuals) may be kept longer for trend analysis, without identifiable components.
- Legal and Compliance Retention: We may hold on to certain data for longer if necessary to comply with legal obligations or defend our interests. For example:
- Information relevant to a legal dispute or claim may be retained for as long as the dispute is ongoing and for the statute of limitations period thereafter.
- Data needed to enforce our agreements or to ensure platform security might be kept as long as needed for those purposes.
- If a law or regulation prescribes a certain retention period (like certain health and safety records, or electronic transaction logs), we will keep the data for at least that minimum duration.
After the applicable retention period ends, or if we no longer have a legitimate reason to keep your data, we will either securely delete it or anonymize it (so it can no longer be associated with you). For example, we might anonymize order data by removing personal identifiers but keep sales figures for statistical purposes. Backup systems and archived data will eventually cycle out as well – we maintain a schedule to ensure old data is removed from backups in a reasonable timeframe.
Please note: Due to technical reasons, complete erasure of data might not be immediate from all systems (for instance, data may remain in routine backups for a short period). However, we have processes to ensure that once the retention period expires or a deletion request is honored, the data is no longer accessible or used in our active systems, and is overwritten or purged from backups in due course.
If you have any specific questions about how long we keep a particular type of information, feel free to contact us. We aim to be transparent and not keep personal data indefinitely “just in case” – only as long as it is truly necessary.
9. Children’s Privacy
Our products and services are not directed to children, nor do we knowingly collect personal data from individuals under the age of 16 (or under the relevant minimum age in your jurisdiction) without appropriate consent. The supplements we sell are intended for purchase and use by adults. You must be old enough to form a valid contract in your country (in many places, that’s 18 years old) to make purchases on our site. If you are under the age of 16, please do not provide any personal information on this website.
We do not knowingly allow minors to create accounts or submit personal health information. In the event that we learn we have inadvertently collected personal data from a child under 16 (for example, a child submitted a contact form with their information), we will take prompt steps to delete that information from our records unless we are legally obligated to retain it. If deletion is not immediately feasible for technical reasons, we will ensure the data is not used for any purpose until it can be removed.
If you are a parent or guardian and believe that your child under 16 (or under 13, in the case of U.S. COPPA law) has provided personal information to us without your consent, please contact us at support@cenario.com. We will investigate and, if applicable, work with you to remove the data and address any concerns. We may ask for proof of your relationship to the child before taking action, to ensure we do not delete or disclose a minor’s data to someone falsely claiming to be a parent.
Note: In some jurisdictions, the age threshold for requiring parental consent is 13, in others 14, 15, or 16. We have chosen 16 as a general policy to err on the side of caution for GDPR (which sets it at 16 by default). For U.S. compliance (COPPA), we treat anyone under 13 as a child. Essentially, we aim not to collect data from anyone under the higher of 13 years or the age defined by local law. If a minor aged 13-17 uses our services (for example, a 17-year-old might lawfully buy a supplement in some places), we expect that they do so with parental knowledge and consent, but our site does not verify age beyond perhaps asking for it in certain contexts. We reserve the right to cancel orders or delete accounts if we suspect they were placed by minors.
10. Data Security and Breach Notification
We employ a variety of technical, administrative, and physical security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:
- Encryption: Our website is secured with HTTPS encryption (TLS). This means that information you send via forms (like payment details or login credentials) is encrypted in transit between your browser and our servers. We also encrypt sensitive data at rest where appropriate. For instance, passwords are stored hashed (not in plain text) and payment info is handled by PCI-compliant providers (as noted, we don’t store card numbers ourselves).
- Access Controls: We restrict access to personal data to authorized personnel and service providers who need it to perform their job duties. Our staff are trained on the importance of confidentiality. Administrative access to systems containing personal data is limited and protected with strong authentication (such as multi-factor authentication) wherever possible.
- Firewalls and Monitoring: Our servers are protected by firewalls, and we employ threat detection and monitoring tools to guard against malicious activity. We keep our software, website platform, and plugins up to date to patch vulnerabilities. Suspicious logins or actions may trigger alerts.
- Data Minimization: We strive to collect only the data that we need. By limiting the personal information in our systems, we reduce the risk exposure. For example, as explained, we never see full credit card numbers, and we purge sensitive data when it’s no longer necessary.
- Testing and Audits: We periodically review our security practices and may conduct security audits or penetration testing through qualified experts to identify and address potential weaknesses.
- Organizational Measures: We have internal policies and incident response plans for data security. Our team knows to report any suspected issues promptly. We also choose reputable third-party providers with demonstrated security standards and review their security certifications (like ISO 27001, SOC 2, or similar where applicable).
While we do our best to safeguard your data, please be aware that no security measures are infallible. The transmission of information via the internet is not completely secure, and we cannot guarantee the absolute security of data, especially data transmitted to our site. However, once we receive your data, we follow strict procedures and security features to try to prevent unauthorized access.
Data Breach Notification: In the unlikely event of a data breach that compromises your personal information, we will act swiftly in accordance with applicable laws. Our procedures include:
- Investigating the scope and impact of the breach.
- Notifying the relevant data protection authorities when required. For example, under GDPR, if a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the supervisory authority (in the EU, this would be within 72 hours of becoming aware of the breach). Under Australia’s Notifiable Data Breaches scheme, we would notify the OAIC and affected individuals if the breach is likely to result in serious harm. Similar obligations exist under Singapore’s PDPA (which requires notification to the PDPC and affected individuals for significant harm breaches).
- Notifying Affected Individuals: If the breach is likely to result in a high risk of harm or adverse consequences to you, we will notify you without undue delay, except in cases where law enforcement requests a delay or if we have taken measures that eliminate the risk. We will contact you via email or other direct communication, providing information about what happened, what data was involved (to the best of our knowledge), and recommendations for your protection (like resetting passwords, if applicable).
- Taking steps to contain and remediate the breach, such as closing off unauthorized access, expiring credentials, restoring data from backups, etc., and reviewing our security practices to prevent similar incidents in the future.
We maintain a breach response plan and log all security incidents, even small ones, to ensure continuous improvement of our security posture.
Your role: You also play an important role in keeping your data secure. We encourage you to use a strong, unique password for your account on our site and to keep it confidential. Do not share your login credentials with others. If you suspect any unauthorized access to your account or a vulnerability on our site, please notify us immediately at support@cenario.com. We also advise being cautious with suspicious emails or links – we will never ask you for your password via email, and any official communications will come from our verified domain.
11. Consent Documentation and User Controls
We believe in giving you control over your personal data and maintaining clear records of your choices. Here’s how we document consent and what tools we provide for you to manage your privacy preferences:
- Consent Documentation: Whenever we rely on consent as the legal basis for processing your personal data, we make sure to record when and how you gave that consent. For example:
- If you subscribe to our newsletter, our email system logs the date and time of your opt-in (and, if using double opt-in, the time you confirm). It also records the source of the consent (e.g., signup form on our website).
- If you fill out a health quiz that includes a consent checkbox (e.g., “I agree to let Cenario use this information to recommend products”), we log that you ticked the box at the time of submission. Our databases attach a timestamp to such submissions.
- If we ever present you with a consent request (say, for using cookies or for processing sensitive info), our systems will note your selection (consent given or withheld) and we retain that info, often in a consent management log.
- We maintain these records to demonstrate compliance with laws like GDPR which require proof of consent, and to ensure we honor the consent you’ve given. For instance, if you later question when you signed up for marketing, we can reference our records to provide that information.
- Withdrawal of Consent: As noted, you can withdraw consent at any time, and we will update our records accordingly. We keep track of withdrawn consents so that we do not accidentally contact you or include you in processing that you opted out of. For example, if you unsubscribe from emails, our mailing list reflects an “unsubscribed” status with the date of removal. If you withdraw consent for processing of health data, we will mark that in your profile and exclude your data from any further processing, and initiate deletion of that data if applicable.
- Preference Center (User Controls): We are working on implementing a user-friendly Privacy Preference Center on our website, where you will be able to view and adjust certain settings. Until that is live, you currently have the following controls:
- Account Settings: If you have created an account on our site, you can log in and access a dashboard where some of your personal information can be reviewed and edited. For example, you can update your contact info, change your password, or view past orders. We plan to add more privacy controls here in the future, such as the ability to download your data or delete your account without needing to contact support.
- Email Preferences: Every promotional email from us contains an unsubscribe link, as mentioned. Additionally, if we send different categories of emails (newsletters, product updates, etc.), the unsubscribe page or email preference center (if available) might allow you to opt out of some and not others. (For instance, you might opt out of general newsletters but still want to receive back-in-stock notifications – we will offer such granular choices when possible).
- Cookie Settings: As described in Section 4, you can manage cookies via browser settings. Once our cookie management tool is implemented, you will be able to click a “Cookie Settings” link on our site to adjust which categories of cookies you accept (e.g., toggling analytics or advertising cookies on/off). We will honor your choices and store that preference (likely via a cookie) so that the site remembers your settings. You can change your mind any time by revisiting the settings.
- Opt-Out of Targeted Ads: We have provided methods in Section 4 and Section 7 (Right to Opt Out of Sale/Sharing) for you to opt out of targeted advertising. This includes contacting us or using an on-site “Do Not Sell or Share” link. Additionally, tools like the DAA’s WebChoices or YourAdChoices and the NAI’s opt-out page let you opt out of many third-party ad cookies at once. Using browser extensions for privacy can also give you fine-grained control over trackers.
- Do Not Track Signals: As mentioned, if you enable Global Privacy Control (GPC) or Do Not Track in your browser, we treat that as an opt-out of third-party tracking cookies for California and wherever applicable. We encourage you to utilize such signals if you want a broad, browser-level control.
- Profile and AI Recommendations: If at any point we offer a more interactive profile (for example, saving your quiz results to continuously update recommendations), we will also offer controls to edit or reset that profile. You would be able to clear your quiz answers or update them, thereby changing the recommendations. We want you to have control over the personal inputs that our AI/algorithm uses for suggestions.
- Verification and Authentication: To protect your privacy, certain controls require verification. For instance, accessing account settings requires you to log in with your password. Requesting data or deletion via email requires identity verification as noted. These measures ensure that only you (or an authorized agent) can change sensitive preferences or get access to your data.
- Continuous Updates: We keep our privacy management practices under review. As new user control tools or consent frameworks emerge (for example, new browser features, or updated industry standards for consent), we will adopt those that enhance user choice and transparency. Our goal is to make it as easy for you to manage your data preferences as it was for you to originally provide the data.
In summary, you are in the driver’s seat. We provide you the information and tools needed to make informed decisions about your personal data. If anything is unclear or if you feel you don’t have sufficient control over your data in a certain aspect, please let us know. We welcome feedback and will try to accommodate reasonable requests to strengthen user control.
12. Automated Decision-Making and AI Use
We want to be transparent about how we use technology, including any artificial intelligence (AI) or automated systems, in processing your data. Currently, Cenario uses AI in a limited way to help us formulate our product recommendation logic (particularly for our health quiz), but we do not use AI to make any decisions that produce legal or similarly significant effects on you without human involvement.
- AI-Generated Quiz Logic: We have employed AI tools and data analysis to design the questionnaire and the underlying algorithm that suggests products based on your quiz answers. In other words, AI was used during the development phase to determine, for example, that certain symptoms or answers correlate with recommending a particular supplement. This helps ensure our recommendations are as personalized and evidence-based as possible. However, this process is essentially a form of data-driven decision support for us as a company, not an automated decision made on the fly about you individually. The logic is applied uniformly to users who provide similar answers.
- How Recommendations Work: When you complete the quiz, the responses you provide are input into our recommendation system. The system might classify your answers into certain categories or scores (e.g., level of stress, difficulty sleeping, etc.) and then match those to products in our catalog that are formulated to address those issues. This could be considered a form of automated profiling – we are using your data to assess aspects of your health and preferences in order to present relevant products. However, the final decision on what to purchase (if anything) is entirely up to you. The recommendations are suggestions for your consideration, not binding outcomes.
Additionally, our team periodically reviews the recommendations for quality and may fine-tune them. We do not solely rely on the algorithm without oversight. For instance, if the quiz logic were ever to produce an obviously unsuitable recommendation, our team would adjust the rules or intervene as needed.
- No Automated Decision with Legal Effect: We do not have any automated process that denies you a service, changes your legal rights, or significantly affects you without a possibility of human review. For example, we do not use algorithms to decide pricing on an individual basis, or to refuse service to someone. Any decision that could have a substantial impact on an individual (like a suspected fraud hold on an order) involves human verification and is done under clear policies.
- Transparency and Your Rights: Under laws like the GDPR, you have rights related to automated decision-making and profiling. Specifically, if a fully automated decision (with no human involved) that has legal or similarly significant effects were made, you’d have the right to be informed and to request human intervention or challenge the decision. In our case, we do not engage in such processing as of now. The profiling we do for marketing (like segmenting customers into groups for email targeting) or recommendation is done in the service of providing a more personalized experience, and you always have the option to not use the personalized features. For instance, you can ignore a product recommendation or choose to get a manual consultation if we offer it.
If you have concerns about the quiz’s recommendation or believe it has mis-characterized you, you are welcome to reach out to us. We can review your results with you and even provide a human-curated suggestion if needed.
- AI in Other Contexts: Aside from the quiz logic, we might use AI tools internally for things like analyzing feedback or optimizing inventory (e.g., predicting demand). These uses don’t directly affect individual profiles, but help us be more efficient. Any content generation (like AI-written wellness tips) is reviewed by our staff to ensure accuracy and appropriateness.
- No Selling of Personal Data to AI Companies: We want to clarify that we do not provide your personal data to any AI or machine learning companies for them to build their models. If we use AI services (like an AI-powered analytics or email subject line generator), we ensure that personal data is either not used or is protected (for example, using such tools on anonymized data or under agreements that prohibit the AI provider from using our data for their own purposes).
In summary, AI is a tool we use to improve our services, but it is not in charge – we are. There is always a layer of human oversight or final decision-making in matters that impact you. We include this section to be open about our practices and to assure you that we do not engage in unchecked automated profiling that could negatively affect you. If you have any questions about how our recommendation algorithm works or any other automated processes, feel free to contact us and we will provide as much information as we can.
13. Third-Party Links and Features
Our website may contain links to third-party websites or include features from other platforms (such as a social media widget or embedded videos). This Privacy Policy does not cover those external sites or services, and we are not responsible for the privacy practices of any website that we do not operate.
- If you follow a link from our site to another website (for example, an article about mental health on a partner’s blog, or a social media page), any data you provide to that other site is governed by their privacy policy, not ours. We encourage you to review the privacy policies of every site you visit.
- Similarly, if we integrate a third-party service on our site – for instance, using Google Maps to show a store location, or allowing you to log in via Google/Facebook, or showcasing customer reviews through a third-party plugin – those services may collect data directly from you (such as your IP address or cookies) in line with their own privacy policies. We ensure that we have agreements or that the use of those plugins is compliant (for example, we might load such features only after you click to activate them, to avoid unwanted data sharing).
We do not control the data collection of these third parties, so use those features at your discretion. If you have questions about what information is being collected by a third-party feature on our site, you can contact us or refer to the third party’s official policy (e.g., Google’s privacy policy for Google Maps, Facebook’s policy for their plugins, etc.).
14. Changes to This Privacy Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will notify users in an appropriate manner:
- Posting the Updated Policy: We will post the revised Privacy Policy on this page with a new “Effective Date” at the top. The latest version will always be available on our website for you to review.
- Advance Notice for Material Changes: If we propose any material changes to how we collect, use, or share your personal data, we will provide prominent notice. For significant changes, we might notify you via email (if you have provided one) or by placing a notice on our homepage. For example, if we were to start collecting new types of personal data or using data for new purposes not originally disclosed, we would inform you and, if required, obtain your consent.
- Reviewing Changes: We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you continue to use our services after a Privacy Policy update, it will signify your acceptance of the changes to the extent permitted by law. (In certain cases, especially if required by law, we might explicitly request your consent to new processing activities.)
- Archived Versions: For transparency, we may keep prior versions of this Privacy Policy accessible or provide a summary of changes upon request, so you can see how our practices have evolved.
If you disagree with any changes to the Privacy Policy, you should stop using our services and can request us to delete your personal data if applicable. We will not make any retrospective changes that reduce your privacy rights without your consent.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:
Cenario Limited (Hong Kong)
Email: support@cenario.com
This dedicated support email is the best way to reach our privacy team. We will strive to respond promptly to any inquiries.
For formal communications or if you prefer postal mail, you may write to our Hong Kong office address (please email us to obtain the most current mailing address for privacy inquiries, as our physical office location might change).
Data Protection Officer (DPO)/Representative: Given our size and processing activities, we may not be legally required to appoint a formal DPO under GDPR or PDPO. However, we do have personnel responsible for privacy compliance. If you address your email to “Privacy Officer” or similar, it will be directed appropriately. If we later designate an EU or UK representative (as Article 27 GDPR might require for our Hong Kong company targeting the EU), we will update this section with their contact details as well.
Complaints: We are committed to resolving any privacy concerns directly and efficiently. If you are not satisfied with our response to a privacy issue, you also have the right to lodge a complaint with a supervisory authority or regulator in your jurisdiction. For example:
- In the EU, you can contact the Data Protection Authority in your country of residence.
- In the UK, you can reach out to the Information Commissioner’s Office (ICO).
- In Singapore, you can contact the Personal Data Protection Commission (PDPC).
- In Australia, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
- In California, you can contact the California Privacy Protection Agency or the state Attorney General’s office.
We would appreciate the chance to address your concerns before you approach a regulator, so please consider contacting us first, and we will do our utmost to help.
Thank you for reading our Privacy Policy. We value your trust and are dedicated to safeguarding your personal information while providing you with quality mental wellness products and services.