GDPR Compliance
Introduction to GDPR Compliance
Cenario Limited (Hong Kong Reg. No. 77193979) is fully committed to protecting your privacy and ensuring compliance with applicable data protection laws. This page outlines how we comply with the EU General Data Protection Regulation (GDPR) and related regulations. We understand the sensitive nature of the personal data we collect – especially information about your mental health and wellness – and we handle all data lawfully, fairly, and transparently. Your trust is our priority: we only collect data necessary to serve you, we never sell or rent your personal data, and we implement strict security measures to safeguard your information. Please read below for details on what data we collect, why we collect it, how we use and protect it, and the rights you have. This GDPR Compliance page should be read alongside our broader Privacy Policy and Cookie Policy for a complete understanding of our practices.
Our Legal Basis for Processing Data
We will only process your personal data when we have a valid legal basis under GDPR. Depending on the context, one or more of the following bases apply:
- Consent: In many cases, we rely on your consent. For example, we obtain your explicit consent to process special categories of data (such as health-related quiz responses) and to send you marketing emails or newsletters. You have the right to withdraw consent at any time.
- Contractual Necessity: When you purchase our products or use our services, we process personal data to fulfill our contract with you. This includes processing payments, creating your custom supplement formula, and delivering your order. We cannot provide our services without this information.
- Legal Obligation: We may process personal data to comply with laws and regulations. For instance, we keep transaction records for accounting/tax purposes and may retain certain information to meet consumer protection or product safety obligations.
- Legitimate Interests: We may process data for our legitimate business interests, provided those interests are not overridden by your rights and interests. Examples include improving our products and website, preventing fraud, securing our IT systems, or sending marketing to existing customers about similar products (where permitted). When relying on legitimate interests, we carefully consider and balance any potential impact on your rights, and you have the right to object to such processing.
We will always identify the appropriate legal basis before processing your data and will inform you of that basis (for example, via consent forms or in our Privacy Policy). If our purpose for using your data changes, we will obtain your consent or ensure another legal ground applies before proceeding.
What Data We Collect and Why
We collect personal information from you only for specific, explicit purposes to serve you better. Here’s an overview of the types of data we gather and how we use them:
- Identity and Contact Information: This includes your name, email address, phone number, billing/shipping address, and account login details (if you create an account). We collect this information to identify you, communicate with you, process your orders, deliver products, and provide customer support.
- Order and Transaction Data: When you make a purchase, we collect information about the order, such as the products selected, custom formulation details, order date, and payment method. We use this data to fulfill your purchase (manufacture your custom supplements, process payment, arrange shipping) and maintain proper business records. Financial details like credit card numbers are handled securely by our payment processors (e.g. Stripe, Airwallex) and are not stored in full by Cenario.
- Health and Wellness Quiz Responses: If you take our mental health quiz or otherwise provide information about your symptoms, lifestyle, or wellness goals (e.g. anxiety levels, stress, sleep patterns, cognitive concerns), we collect this special category data to personalize your supplement recommendations. We use your responses to generate a tailored formula and advice that best fits your needs. We treat this sensitive data with extra care and only use it for personalization and research as described (see Special Category Data below for more details).
- Communication Data: This includes any information you send us via contact forms, emails, or chat inquiries. For example, if you reach out with a question about a product or request help, we will collect the details of your inquiry and our response. We use this to assist you, improve our customer service, and train our support team (we may also record calls or chats for quality assurance, but we will inform you if we do).
- Marketing and Preference Data: If you subscribe to our newsletter or promotional communications, we record your preferences (e.g. language, topics of interest) and engagement with our emails (such as open and click rates, handled via our email platform). This helps us send you relevant content and avoid overloading you with unwanted messages. You can opt out of marketing at any time. We also note your consent choices (for example, whether you agreed to receive emails or allowed cookies) to respect your privacy preferences.
- Website Usage and Device Data: When you visit our site, we automatically collect some data about your device and browsing actions via cookies and similar technologies. This may include your IP address, browser type, operating system, referring URLs, and information on how you navigate our pages or interact with elements on the site. We use this data to analyze site performance, troubleshoot issues, and improve user experience. For instance, understanding which pages are most popular or where users encounter errors helps us refine our content and design. (For more details, see Cookies and Tracking Technologies below and our Cookie Policy.)
- Aggregated and Anonymized Data: We may also derive insights from personal data by removing identifying details. For example, we might aggregate quiz results to see general trends (such as the percentage of users reporting high stress) or compile statistics on how many customers prefer a certain ingredient. This aggregated data does not identify you personally and is used to improve our products and services, develop new features, or contribute to mental wellness research.
We will not use your personal data for any purposes that are incompatible with the ones described above. If we ever need to process your data for a new purpose, we will update our policies and, if required, seek your consent.
Special Category Data
As a provider of customized mental health supplements, we collect information that relates to your health and wellness. Under the GDPR, data about health (including mental health) is considered “special category” personal data, which receives a higher level of protection. This means we take extra steps to ensure the confidentiality and security of any health-related information you share with us.

What we collect: The primary instance of special category data we handle is the information from your online quiz and any follow-up wellness questionnaires. This may include details about your mental health symptoms (for example, feelings of anxiety, stress levels, mood patterns, sleep quality, or cognitive concerns like memory issues), as well as lifestyle factors (such as exercise habits or diet) that you choose to share. In some cases, if you communicate health information to us (for example, mentioning a medical condition in a support email), that would also be treated as sensitive data.

How we use it: We use your health-related inputs only for specific, limited purposes. The primary purpose is to analyze your needs and create a personalized supplement formula or recommendation plan. Our AI-driven quiz logic and team of experts use your answers to determine which ingredients and dosages might benefit you. We may also use health data in a de-identified manner to improve our recommendation algorithms over time (for example, to see overall how effective certain recommendations are, or to conduct internal research on mental wellness trends). We do not use your sensitive data for any form of advertising targeting, nor do we disclose it to third parties for their own purposes without your explicit permission.

Consent and protection: We will always obtain your explicit consent before collecting or processing your special category data. This consent is typically obtained when you begin the quiz or provide any health information – we make it clear that by submitting the quiz (or similar assessment), you agree to us using that data to personalize your experience. You have the right to refuse or withdraw this consent; however, please understand that if you do, we may not be able to provide certain personalized services or product recommendations. All sensitive data is stored securely with heightened safeguards: for example, we may encrypt this data in our database and restrict access to only authorized personnel who require it to create your supplement plan or provide support. Our staff are trained in handling sensitive information confidentially. We also pseudonymize data where feasible (meaning we separate your identity from your health answers and use an ID code internally, so that the answers alone cannot be linked back to you) to reduce privacy risk.

No secondary use without consent: We will never use your health information for purposes like marketing medical products to you, or share your quiz answers with insurance companies, employers, or anyone else, unless you explicitly ask us to or we are required to by law (which is highly unlikely and would be done only with proper legal process). Your mental health data is kept strictly within Cenario and our core service providers as needed to serve you (see Third Party Processors for who might process it, such as our quiz platform or data storage provider, all under strict agreements).

In summary, we recognize the highly personal nature of the information you entrust to us about your mind and health. We handle it with the utmost care, ask your permission clearly, use it only for your benefit, and protect it to the highest standards. If you have any concerns about how your sensitive data is used, please contact us and we will be happy to explain or accommodate your requests.
How Consent Is Obtained and Documented
Consent is a cornerstone of our data practices. Whenever we rely on your consent to process personal data, we ensure that you are fully informed and that your consent is given freely and unambiguously. Here are the ways we obtain and manage consent in different situations:
- Explicit Opt-In Forms: For any optional data collection or communications, we use opt-in methods. For example, when you sign up for our newsletter or download a free e-book, you will see a checkbox (unchecked by default) asking for your consent to receive email updates. Similarly, before you start our mental health quiz, we present a consent notice (or include clear language in the introduction) explaining that you will be sharing sensitive information and asking you to proceed only if you agree to our use of that data to personalize your results. You must actively check the box or click “I agree” (or a similar affirmative action) to give consent; we do not use pre-ticked boxes or assume consent from silence/inactivity.
- Cookie Consent Banner: On your first visit to our site (and periodically thereafter), you will encounter a Cookie Consent banner. Through this tool, we ask for your consent to use non-essential cookies and tracking technologies. You have the option to accept all cookies, reject non-essential ones, or customize your preferences. We honor your choices: for instance, if you decline analytics or marketing cookies, those tools will remain inactive. (Essential cookies necessary for site function are used regardless, but they do not capture personal data for marketing.) Our Cookie Policy provides detailed information, and you can adjust your settings anytime via the banner or browser.
- Special Category Consent: As noted in Special Category Data, we ask for explicit consent to process any health-related data. This may be done through a statement at the start of a quiz or a separate pop-up/form where you confirm your agreement. We make sure the request is clear about what data we collect and why (e.g., “By proceeding, I consent to Cenario using my quiz answers, which include health information, to provide personalized supplement recommendations.”). Without this consent, the quiz can be exited and no data will be saved.
Documentation and record-keeping: We maintain records of when and how we obtained your consent. Our systems log the relevant details such as: the consent form or statement presented, the date/time it was agreed to, and the specific purposes covered. For example, if you subscribe to our newsletter, our email platform (Klaviyo) records the date of sign-up and the method (e.g., via website form) along with your IP address for verification. If you fill in the quiz, our database notes that you agreed to the privacy terms associated with it. Keeping these records allows us to demonstrate our GDPR compliance and helps us respond to any queries you may have about what you’ve consented to.

Withdrawal of consent: You have the right to withdraw your consent at any time. We strive to make this as easy as giving consent. For instance, every marketing email from us includes an “Unsubscribe” link at the bottom – clicking that will remove you from further mailings (or you can adjust your email preferences if you’d rather reduce frequency or change topics). If you want to withdraw consent given for processing your health data or any other specific consent, you can contact us (see How to Exercise Your Rights below). Once we receive your withdrawal request, we will stop the related processing promptly. There is no penalty or detriment to you for withdrawing consent; however, do note that if the consent was necessary to provide a service (for example, using your health data to create a supplement plan), then withdrawing may mean we cannot continue that service for you. We will inform you if that is the case and discuss possible solutions.

In summary, we ensure that consent is always informed (we tell you exactly what you’re agreeing to), voluntary (it’s your genuine choice), specific (tied to a particular purpose, not a blanket agreement), and documented. If you have any questions about any consent you’ve given or if you are unsure whether you have given consent for something, please let us know. We can provide evidence of your consent and, if desired, help you withdraw or modify it.
Your Data Rights Under GDPR
Under the GDPR, individuals (called “data subjects”) have a range of rights regarding their personal data. We honor all these rights and have processes in place to enable you to exercise them. In simple terms, you are in control of your personal information. Here are your key data protection rights:
- Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we use it. This is sometimes called a “Data Subject Access Request.” Upon verification of your identity, we will provide you with a summary or full copy of your data, and explain the purposes, categories of data, and any parties with whom we have shared it.
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if you notice we have the wrong spelling of your name or an outdated address, you can ask us to fix it, and we will do so promptly.
- Right to Erasure: Commonly known as the “right to be forgotten,” this allows you to request the deletion of your personal data. You can ask us to erase your data when it’s no longer necessary for the purpose it was collected, if you have withdrawn your consent (and no other legal basis for processing applies), or if you believe we have processed your data unlawfully. We will honor valid erasure requests and delete your data, except for information we are required to keep by law or compelling legitimate interests (we will inform you of any such retention).
- Right to Restrict Processing: You can ask us to limit the processing of your data in certain circumstances. This means we would store your data but not actively use it for anything. You might exercise this right if, for instance, you contest the accuracy of your data (while we verify it), or if you objected to processing and we are considering that objection. When processing is restricted, we will not use the data except to the extent allowed (e.g., to secure it or if needed for legal claims).
- Right to Data Portability: You have the right to receive your personal data that you provided to us, in a structured, commonly used, machine-readable format (for example, a CSV or JSON file). You can also request that we transmit this data directly to another controller (e.g., another service provider) where technically feasible. This right applies when the processing is based on your consent or a contract and is carried out by automated means. In practice, if you request it, we will compile the data you gave us (and any data we have about your usage that is in scope) into a portable file for you or your nominated recipient.
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on our legitimate interests or on public interest tasks. If you object, we must stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your rights or if the processing is needed for legal claims. Importantly, you have an absolute right to object to direct marketing. This means if you object to or opt out of marketing communications, we will immediately stop using your data for those purposes with no exceptions. (You can object to marketing by using the unsubscribe link in emails or contacting us directly.)
- Right to Withdraw Consent: If we are processing any of your data based on your consent, you have the right to withdraw that consent at any time (as discussed in the consent section above). Withdrawing consent will not affect the lawfulness of any processing we did before your withdrawal, but once withdrawn, we will cease the processing going forward. For example, you can withdraw consent for us to use your health data, or to email you newsletters, and we will comply.
- Rights in Relation to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on you, unless it is necessary for entering into or performing a contract, authorized by law, or based on your explicit consent. In simpler terms, for any high-impact decisions about you, you can request human intervention. As we will explain later, Cenario does use automated systems to personalize recommendations (profiling), but these do not make final decisions with legal or serious effects on you. You always have the ability to seek clarification or an alternative from a human expert. Nonetheless, this right ensures that if you ever felt a purely automated decision was unfair, you can challenge it and ask for a person to review the outcome.
These rights are designed to give you transparency and control over your personal data. They are not absolute in every case (there are some conditions or exceptions for certain rights under GDPR), but we will always do our best to honor your request and explain any limitations. For example, if you request deletion of data that we are legally required to keep (say, for financial reporting), we might not be able to delete that specific information, but we will inform you and isolate it from active use. Rest assured, exercising your rights is free of charge and we will not retaliate or refuse service just because you exercised your privacy rights. Our goal is to facilitate your requests in a seamless and timely manner.
How to Exercise Your Rights
Exercising your GDPR rights with Cenario is straightforward. We have a dedicated team to address privacy inquiries, and we will respond promptly to any legitimate request regarding your personal data. Here’s how you can exercise your rights or ask questions:

Contact us with your request: To make any request (access, correction, deletion, etc.), the best way is to reach out to us via the contact information provided in the Contact Information for Privacy Requests section below. You can send us an email specifying which right you wish to exercise and describing your request. For example, you might write, “I’d like to access my personal data,” or “Please delete my account and all associated data.” You can also use our online Contact & Help Center to submit a request, or send a written request by mail if you prefer (though email is usually faster).

Verification of identity: For your security, we may need to verify your identity before fulfilling certain requests, especially for access, deletion, or portability of data. This is to ensure that we do not disclose or erase someone’s data to the wrong person. Typically, if you contact us from the email address associated with your Cenario account or order, that is sufficient verification. If we need additional confirmation (for example, if someone else is emailing on your behalf or if the email doesn’t match our records), we will politely ask for more information to confirm identity. We might request details like a recent order number, or other information only you would know, or in rare cases a government ID (but we try to avoid that unless absolutely necessary). We will never ask for more information than needed, and any additional verification info you provide will only be used to verify your identity and will be deleted once the verification is complete.

Process and timeline: Once we receive your request, our privacy team logs it and begins processing. We aim to respond to all requests as quickly as possible. Under GDPR, we will provide a response or outcome no later than one month from receiving your request. In many cases, we’ll resolve it much sooner. If a request is complex or we have received many requests, GDPR allows us to extend this timeline by up to an additional two months, but if that happens, we will inform you within the first month and explain why more time is needed. (This is uncommon, but we mention it to be transparent.) Our response will typically be in writing, usually via email, unless you request another method. For access requests, we will provide your data in a secure electronic format (or paper if you specifically want that).

Fees: We handle reasonable requests free of charge. In the vast majority of cases, you will not have to pay anything to exercise your rights. However, GDPR does permit a company to charge a “reasonable fee” or refuse to act on requests that are manifestly unfounded or excessive (for example, repetitive requests with no reasonable basis). If we ever believe a request falls into that category, we would explain our reasoning to you. But our default approach is to help you with your request without any cost.

What you can expect: Depending on your request, here’s what will happen:
- If you requested access, we will compile the data we have about you and send it to you with explanations of our processing.
- If you requested correction, we will update our systems and confirm to you that the data has been rectified (or if we declined because it was already correct, we will inform you).
- For deletion requests, we will erase the data from our active systems (and let you know once done, or explain if any data was retained and why). We will also instruct our processors to delete your data as needed. Keep in mind deletion might include deactivating your account and removing personal identifiers; once done, you may lose access to prior personalization or order history (which is the intention of erasure).
- If you object to processing (for example, for marketing), we will stop that processing. If you object to something like analytics tracking, we will honor it via our cookie settings or internal suppression. For objections to legitimate interest uses, we will evaluate if we have any overriding necessity – if not, we’ll comply fully and confirm to you.
- If you withdraw consent, we will cease the activities that were based on consent. For instance, if you withdraw consent for health data processing, we will stop using your quiz information in any future algorithm or analysis, and if possible we will delete or anonymize that data (unless you want us to retain it for future reference).
- For data portability, we will send you your data in a commonly used format (like a CSV file with your quiz answers and profile info) or transfer it to a new provider if you have instructed us to (and if that provider can receive it directly).
Throughout this process, our team may reach out to you for clarifications to ensure we understand and fulfill your request correctly. We value your privacy and will do everything we can to make the exercise of your rights effective and hassle-free. If you have any questions before making a formal request (for example, you’re not sure which right applies to your situation), feel free to ask – we’re here to help and guide you. Finally, if you make a request and feel that we have not adequately addressed it, please let us know. We welcome follow-ups. And remember, you also have the right to contact a supervisory authority if you’re not satisfied (see Supervisory Authority and Complaints below), but we genuinely prefer to work it out directly and ensure you’re happy with the outcome.
Data Storage and Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal and business obligations. This section explains how long we typically keep different types of data. Our goal is to minimize storage duration while making sure we can serve you well and meet our legal requirements. When data is no longer needed, we either securely delete it or irreversibly anonymize it.

Active account data: If you create an account on our website or continue to use our services, we will keep your personal information for as long as your account is active or as long as is needed to provide you with your requested services. This ensures we can recognize you on return visits, maintain your quiz results and personal supplement formula, and provide continuity in our service. If you decide to close your account or you have been inactive for an extended period, we will either delete your data or archive it in a secure manner (after notifying you, when required). “Extended period” is generally 24 months of inactivity for many of our services, but we assess this periodically.

Orders and transaction records: We retain records of purchases and transactions for a period necessary to process the order and handle any post-purchase issues (like customer support, refunds, or replacements). Beyond that, we may need to keep certain order data for a longer duration to comply with financial reporting and tax laws. For example, businesses in Hong Kong must keep business records for seven years under the Inland Revenue Ordinance, and EU member states impose comparable multi-year retention periods for invoices and accounting records. Thus, while your online account might not show your order history after a certain time, internally we may archive basic transaction data (name, contact, date of purchase, amount, and product details) for the legally mandated period. This data will be kept secure and only used if needed for audits, tax filings, or legal compliance checks.

Health and quiz data: The information you provide in our mental health quiz or similar assessments is used to formulate your personalized supplement plan. We will retain your quiz responses and resulting recommendations for as long as you are actively engaged with our service. This allows us to refer back to your answers when formulating refills or adjusting your formula, and also to show you your progress or changes over time. If you have not interacted with us or ordered a product in a long time, we will review whether to continue holding this data. We recognize that health data is sensitive, so we generally will not keep it indefinitely if there is no ongoing need. If, for example, you take a quiz but never make a purchase and do not return to our site, we might delete your responses after a reasonable period (say, 1 year) to protect your privacy. On the other hand, if you’re a recurring customer, we’ll retain your history to serve you better unless you request deletion. Of course, if you ask us to delete your health data, we will do so (provided we do not need to keep it for legal reasons). We may keep anonymized aggregates derived from your data (which no longer identify you) for statistical analysis, and those do not have a fixed retention – but they contain no personal information anymore.

Communications and support inquiries: If you contact us via email or support channels, we may retain those communications for a certain period so that we have a record of what was discussed. This can help in providing you continuous support and is also useful if similar issues arise. Typically, routine customer service emails/tickets are kept for 1-2 years. This timeframe allows us to reference past issues if you reach out again, but we do not keep them longer than necessary. Where possible, we may delete or anonymize support data earlier if it’s not needed. If communications include sensitive data (for instance, you emailed us health information), those are treated securely and still subject to deletion upon request.

Marketing data: If you have consented to receive marketing communications, we will retain the minimal data needed for that (such as your name, email, and marketing preferences) until you opt out or unsubscribe. Once you unsubscribe, we will remove you from our mailing list promptly. We may keep a suppression list (email addresses of individuals who unsubscribed or opted out) to ensure we don’t accidentally send you emails in the future – this is a standard practice to uphold your opt-out. Such suppression data is kept solely to enforce your preferences.

Legal and backup retention: There may be scenarios where we retain data for longer than normal if required for legal reasons. For example, if we are handling a dispute or an investigation, we might need to preserve relevant data until it is resolved. Similarly, our IT systems may maintain encrypted backups for disaster recovery. These backups are usually overwritten periodically. We don’t actively use backup data except if needed for restoration, but it’s possible some data remains in backup storage for a few extra months even after deletion from live systems. We have procedures to ensure that if we need to restore from backup, any deleted records aren’t reintroduced or are re-deleted: we keep a record of completed erasures and apply it again after any restore.

End of retention and deletion process: When the retention period for any personal data expires, or when we receive a valid deletion request, we undertake a secure deletion process. We remove the data from our databases and request the same from any third-party processors who were handling that data on our behalf. Physical records (if any) are shredded or securely disposed of. In some cases, rather than outright deletion, we may anonymize the data – for instance, we might strip personal identifiers so the remaining data can no longer be linked to you. Anonymized data may be kept for analytics, but it cannot be used to identify or impact you. We periodically review the data we hold and erase or anonymize what’s no longer needed.

Our aim is not to hold your personal data indefinitely, but rather only for as long as it remains useful for the purposes specified and permissible by law. If you have specific questions about our retention practices or want to know if we still have certain information about you, feel free to contact us. We can provide you with our records of retention or, if appropriate, delete data sooner based on a justified request.
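Two mechanisms mentioned on this page, pseudonymizing quiz answers so that an internal ID code rather than your identity sits next to the health data (Special Category Data), and re-deleting erased records if a backup is restored (Legal and backup retention), are illustrated by the added example below. It is not Cenario's code and it does not describe Cenario's actual systems; it assumes two separately access-controlled tables (an identity table and a responses table, here plain in-memory dicts), a random 128-bit pseudonym as the only link between them, and a tombstone list of erased pseudonyms that a restore routine consults. The sample quiz entries are constructed for the example.

```python
"""Pseudonymised storage of health-quiz answers with erasure tombstones.

Added example for this page, not Cenario's code. Assumptions: the identity
and responses tables are separate stores with different access controls,
the pseudonym is the only link between them, and every erasure leaves a
tombstone that is replayed after a backup restore. Sample data is constructed.
"""
import copy
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Fields that must never be written next to the health answers.
IDENTIFYING_FIELDS = {"email", "name", "phone", "address"}


@dataclass
class PseudonymisedStore:
    # pseudonym -> contact details; only staff who build the formula may read this
    identities: dict = field(default_factory=dict)
    # pseudonym -> quiz answers; holds no direct identifiers
    responses: dict = field(default_factory=dict)
    # pseudonyms erased at the data subject's request; replayed after any restore
    tombstones: set = field(default_factory=set)

    def record_quiz(self, contact: dict, answers: dict) -> str:
        """Store answers under a random pseudonym; the link to the person lives only in identities."""
        leaked = IDENTIFYING_FIELDS & set(answers)
        if leaked:
            raise ValueError(f"identifiers must not be stored with answers: {sorted(leaked)}")
        pid = secrets.token_hex(16)  # 128-bit random id, not derived from the person
        self.identities[pid] = dict(contact)
        self.responses[pid] = dict(answers)
        return pid

    def reidentify(self, pid: str) -> Optional[dict]:
        """Only code with access to the identity table can turn a pseudonym back into a person."""
        return self.identities.get(pid)

    def erase(self, email: str) -> int:
        """Right to erasure: drop the identity link and the answers, remember the pseudonym."""
        pids = [p for p, c in self.identities.items() if c.get("email") == email]
        for p in pids:
            del self.identities[p]
            self.responses.pop(p, None)
            self.tombstones.add(p)
        return len(pids)

    def snapshot(self) -> dict:
        """Stand-in for taking a backup of both tables."""
        return copy.deepcopy({"identities": self.identities, "responses": self.responses})

    def restore(self, backup: dict) -> int:
        """Restore from a backup, skipping anything erased since it was taken. Returns rows skipped."""
        skipped = 0
        for table in ("identities", "responses"):
            for pid, row in backup[table].items():
                if pid in self.tombstones:
                    skipped += 1
                    continue
                getattr(self, table).setdefault(pid, row)
        return skipped

    def high_stress_share(self, threshold: int = 7) -> float:
        """Aggregate statistic computed from the responses table alone; never touches identities."""
        if not self.responses:
            return 0.0
        high = sum(1 for a in self.responses.values() if a.get("stress", 0) >= threshold)
        return high / len(self.responses)


if __name__ == "__main__":
    store = PseudonymisedStore()
    # constructed sample input
    a = store.record_quiz({"email": "a@example.com"}, {"stress": 8, "sleep": 3})
    b = store.record_quiz({"email": "b@example.com"}, {"stress": 4, "sleep": 6})
    backup = store.snapshot()
    print("share high stress:", store.high_stress_share())   # 0.5
    store.erase("a@example.com")
    print("rows skipped on restore:", store.restore(backup))  # 2: a's identity row and answers
    print("a still present:", a in store.identities or a in store.responses)  # False
```

The aggregate query reads only the responses table, so analytics code needs no access to identities, and the erasure path deletes the link before the answers, so a partially failed erasure leaves orphaned answers rather than a re-identifiable record.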
International Data Transfers
Cenario Limited is based in Hong Kong and we serve customers around the world, including in the European Union, United Kingdom, United States, Canada, and beyond. As a result, the personal data we collect from you may be transferred to, stored in, or processed in multiple countries, including countries outside the European Economic Area (EEA). We understand that GDPR imposes strict rules on such international data transfers, and we take steps to ensure that your information remains protected to the GDPR standard no matter where it is located.

Transfers outside the EEA: When we transfer personal data from the EU/EEA (or UK) to Hong Kong or any other country that the European Commission has not deemed to have “adequate” data protection laws, we rely on approved safeguards. The primary safeguard we use is the European Commission’s Standard Contractual Clauses (SCCs). These are legal contracts that bind the recipient of the data (e.g., Cenario or our service providers in third countries) to protect the data in line with EU privacy standards. In practice, this means if your data is moved to our servers or a partner in a country like the United States or Hong Kong, there are contractual commitments in place to handle your data securely, keep it confidential, and respect your rights, just as if it never left the EU.

Our commitment: Whenever your personal data is exported internationally, we assess the context of the transfer to ensure appropriate protection. This includes reviewing local laws (to the extent feasible) and implementing additional technical measures if needed. For example, for particularly sensitive data, we might employ encryption in transit and at rest, so that even if the data resides on a server overseas, it remains unreadable without the proper keys. We also limit which of our team members around the world can access EU personal data – access is given only as necessary and under duties of confidentiality.

Third-party international transfers: Many of our third-party processors (see the Third Party Processors section) are global companies that may process data in various data centers worldwide. We ensure each of these partners also adheres to GDPR transfer rules. If they are based in the US, we verify whether they participate in frameworks like the EU-U.S. Data Privacy Framework (if applicable) or ensure that SCCs are in place in our contract with them. For instance, our contracts with providers like Stripe, Meta (Facebook), Google, etc., include data protection addendums with SCCs or equivalent clauses for UK data. Some of these companies have their own approved binding corporate rules or certifications – regardless of the mechanism, we contractually require that your data receives a level of protection equivalent to that in the EU.

Hong Kong data protection: While Hong Kong has its own Personal Data (Privacy) Ordinance (which provides protections for personal data), it is not currently recognized by the EU as having “adequate” status. Therefore, we treat transfers to our Hong Kong headquarters with the same care as any other international transfer. By using SCCs and internal policies, we effectively extend GDPR-like protections to data handled in Hong Kong. We want you to have peace of mind that your data is as safe with us in Hong Kong as it would be in the EU.

Transparency and consent: We inform you that such international transfers occur (as we’re doing here). In situations where a specific transfer falls outside of the regular safeguards (for example, if we ever needed to transfer data to a new country or a new type of recipient without standard safeguards), we would seek your consent or apply another permitted derogation under GDPR Article 49 – but such cases are rare and would typically involve one-off user-driven scenarios. As a rule, we try to rely on structural protections (like SCCs) rather than individual consent for transfers, because we know it’s our responsibility to secure your data globally. If you would like more information about our international data transfer mechanisms, please contact us. We can provide copies of relevant contractual clauses (subject to commercial confidentiality) or answer any specific concerns you might have about where your data is handled. We continually monitor the legal landscape for international transfers (for example, changes after the Schrems II decision, new SCC updates, etc.) and will adapt our practices to remain compliant and protect your privacy.

In summary, the global nature of the internet means your data may cross borders, but our high standards of privacy travel with your data. No matter where your information is processed – be it Europe, Asia, North America, or elsewhere – we treat it with the same level of care and security, and in accordance with this GDPR compliance commitment.
Third Party Processors
To run our business efficiently and provide you with various features and services, Cenario utilizes a number of trusted third-party service providers. These entities process personal data on our behalf – meaning they are our “processors” under GDPR (or “service providers” under other laws). We only share data with third parties to the extent necessary for the purposes described in our Privacy Policy and this page, and never for their own marketing or unrelated uses. Each third party we work with is carefully vetted for security and privacy practices, and we have Data Processing Agreements in place to ensure they protect your data according to GDPR standards. Here are the key categories of third-party processors we use, and examples of each:
- Payment Processors: We use Stripe and Airwallex to handle payments on our website. When you make a purchase, your payment details (such as credit card number or bank information) are transmitted securely to these processors. They specialize in payment security and are PCI-DSS compliant. Stripe and Airwallex process your payment data to authorize and complete transactions, and then provide us with the outcome (success/failure) and necessary details like confirmation of payment. We do not store your full payment card information on our servers; that is handled by these payment gateways. These companies may be based outside the EU (Stripe is US-based with EU subsidiaries; Airwallex is based in Hong Kong/Australia with global operations), but our agreements with them include standard data protection clauses and they only use your data for payment processing and compliance (not for their own marketing).
- Analytics and Advertising Partners: To understand how users interact with our site and to reach out to customers who might benefit from our products, we rely on analytics and ad platforms. Specifically, we use Google services (such as Google Analytics) to collect website usage statistics (e.g., page visits, time on site, demographics if available), which help us improve site content and design. Google Analytics may set cookies and collect your IP address and browsing data; we have configured it to anonymize IPs for EU users and we respect your cookie consent preferences (Google Analytics only runs if you’ve consented to analytics cookies). We also use Meta Platforms (Facebook/Instagram) advertising tools (like the Facebook Pixel) to help with our marketing campaigns – for instance, to measure ad effectiveness or show you relevant Cenario ads on Facebook if you’ve visited our site. These advertising partners might set cookies or device identifiers for targeting ads (again, only with your consent where required). All data shared with Google or Meta is pseudonymized where possible (we don’t send them your name or contact info, just user IDs or pixel events). They act as our processors for analytics/ads; we have agreements that restrict their use of the data to providing services to us. You can opt out of these tracking technologies any time via our cookie settings or using browser signals (like Do Not Track or Global Privacy Control, which we endeavor to honor for California users).
- Email Marketing Platform: We use Klaviyo (an email marketing and automation platform) to manage our email communications. If you subscribe to our newsletter or opt in to receive promotional emails, your name and email address, and possibly certain preference data (like language or segments of interest), are stored in Klaviyo. This platform helps us design and send emails, and track basic engagement (such as open rates or link clicks) to gauge the effectiveness of our content. Klaviyo acts only on our instructions – for example, sending you the monthly newsletter or a special offer if you consented. They do not use your data for any purpose other than to facilitate our communications. Klaviyo is a US-based company, but they maintain rigorous security standards and we’ve put in place GDPR-compliant terms including SCCs for any EU data. You can unsubscribe from our emails at any time, and if you do, we will ensure Klaviyo no longer processes your data except to honor the suppression (opt-out).
- Website Hosting and IT Infrastructure: Our website (including the WooCommerce webshop) is hosted on secure servers provided by third-party hosting companies. While we won’t name the specific host here for security reasons, rest assured that our hosting provider is reputable and bound by confidentiality and data protection obligations. They may process data that flows through the site (including potentially storing personal data in databases or logs on the server). We ensure that hosting is done in a secure environment – for example, our servers might be located in data centers within the EU for EU user data, or if not, we apply transfer safeguards. Additionally, we use cloud infrastructure and storage for backups and file storage (for instance, services like Amazon Web Services or equivalent). Any such infrastructure providers are considered processors as well, and we encrypt or secure the data stored with them.
- Quiz and Survey Tools: Our personalized quiz is a key part of our service. We currently use Typeform (a third-party survey platform) to deliver the quiz to you in an interactive format. When you input answers into the quiz, Typeform securely collects those responses on our behalf. The data is then transmitted to us for analysis and formula creation. Typeform may temporarily hold the data (e.g., in their databases) but they do not use it for their own purposes. They are based in the EU (Spain) and are GDPR-compliant. We have ensured your quiz responses are treated confidentially and only accessible to Cenario. If in the future we use other survey or AI analysis tools, they will be held to the same standards.
- Business Operations Tools: We use certain software to run our internal operations that may incidentally include personal data. For example, ClickUp is a project management and task tracking tool that our team uses to coordinate work. If, say, we create a customer support ticket or an order fulfillment task in ClickUp, it might contain your order number or first name and request. This information is used internally to ensure we meet your needs (like following up on a custom request or tracking an issue resolution). ClickUp is a US-based company; we have a data processing agreement with them and they implement strong security. Similarly, Make.com (formerly Integromat) is an automation platform we use to connect different systems (for instance, automatically sending order details from our website to our fulfillment system, or adding an email to our mailing list after purchase if consented). Make.com processes data in a flow-through manner – it takes data from one approved system and sends it to another based on how we configure it. It might handle data such as your name, email address, and order information in transit. We ensure any such automation is secure (using encryption and secure API connections) and that Make.com cannot access the content of data beyond performing the task. They are based in the EU (Czech Republic) and comply with GDPR.
- Logistics and Delivery Partners: If we deliver physical products to you, we share necessary information with shipping carriers or fulfillment centers. This typically includes your name, delivery address, and possibly phone/email (for delivery updates). These third parties (e.g., postal services, courier companies, or warehouse fulfillment services) are also bound to use that data only for delivering your package and related logistics (like customs clearance if needed). We only partner with established delivery companies that have appropriate data protection measures. They will not use your contact information except to ensure you receive your order (for example, a courier might text you a delivery notice if you provided a phone number for that purpose).
In all cases, our third-party processors are not allowed to use your information for their own marketing or purposes outside of what we’ve contracted them for. We require all our processors to implement adequate security measures, maintain confidentiality, and notify us if there are any data incidents. We also ensure that if any processor is located outside of our operating country, appropriate data transfer mechanisms (like SCCs mentioned earlier) are in place. We keep an updated list of the key processors that handle personal data. If you ever want more detail about third parties that may have handled your specific data (for example, which courier delivered your product or which payment gateway processed your purchase), you can contact us and we’ll provide that information. By using Cenario’s services, you acknowledge that your personal data will be shared with these third parties for the purposes stated. We take responsibility for the protection of your data even when it’s processed by others on our behalf. If any processor fails in their duties, we will take it seriously, up to and including terminating our relationship with them. Your data privacy is a top consideration in every outside partnership we engage in.
Profiling and Automated Decision Making
Profiling means analyzing personal data to evaluate or predict certain things about an individual – and automated decision-making involves letting a machine make decisions about a person without human involvement. At Cenario, we do use automated processes, including a form of profiling, to enhance your experience. However, we want to clarify what we do, what we don’t do, and what it means for you:

Personalized quiz and recommendations: When you complete our mental health quiz, we use an AI-driven algorithm to analyze your responses. This algorithm (which was developed based on psychological research and expert input) will automatically suggest a custom blend of supplements tailored to the information you provided. In essence, this is a form of automated profiling – the system profiles your mental wellness status (e.g., levels of stress, sleep issues, etc.) and matches it with ingredients known to help those areas. The result might be a recommendation like: “We recommend Formula X with ingredients A, B, C at these dosages.” This process is largely automated for efficiency and consistency. However, no final binding decision is made without your involvement: the recommendation is offered to you, but it’s ultimately your choice whether to purchase that recommended product, choose a different product, or none at all. Our team oversees the logic of the quiz to ensure it’s reasonable and up-to-date, and we do not let the AI make uncontrolled decisions beyond the scope of suggesting products.

No legal or adverse decisions: We do not use automated decision-making to deny services or produce outcomes that have legal effects or similarly significant effects on you. For example, we don’t have any automated system that refuses you service, impacts your credit score, or anything of that nature. Every customer who wants to use Cenario is welcome – the quiz just guides you to a personalized solution; it doesn’t decide whether you can have one. We also don’t adjust pricing individually by automated means (everyone sees the same pricing structure aside from any promotions you choose to use). In short, the profiling we do is benevolent and intended to help you, not to exclude or negatively affect you.

Other profiling uses: Besides the quiz, we might use light profiling in our marketing or user experience. For instance, we might automatically categorize some customers as “interested in stress support” if their quiz or browsing indicates that, and then show them more content related to stress relief techniques. Or we might use purchase history to suggest other products (e.g., if you bought a sleep aid, our system might suggest reading material or another supplement for related wellness goals). These are meant to be helpful suggestions and personalizations. They are based on data (like your past actions) but any such profiling is again limited to recommendations. We do not make irreversible decisions based on these profiles.

Human oversight and your options: We believe automated tools can enhance efficiency and personalization, but we also believe in human oversight. Our team monitors the outcomes of our quiz logic and algorithms to ensure they remain accurate, fair, and unbiased. If at any point you have questions or concerns about a recommendation or an automated outcome, you have the right to obtain human intervention. For example, if you feel that the supplement plan our system suggested doesn’t fit your situation, you can contact us for a manual review. We might have one of our wellness experts or product formulators review your profile and suggest an adjustment or alternative. We encourage feedback – if something about an automated result doesn’t make sense to you, let us know and a human will be happy to clarify or reconsider it.

Right to object: You also have the right to object to profiling used for direct marketing. If you don’t want us to analyze or segment your data for tailored marketing, just opt out of marketing communications and we will cease any marketing-related profiling for you. As for the service profiling (like the quiz), if you prefer not to be subject to it, you can choose not to use the quiz; we can attempt to accommodate a manual process for you (though our service is built around the personalization algorithm, we’d do our best to help via consultation if needed).

Transparency: We aim to be transparent about our use of AI and automated systems. We do not have any “black box” AI making mysterious decisions about you beyond what we’ve described. The logic behind our quiz can be explained in plain terms (e.g., if you indicated trouble sleeping, the system prioritizes ingredients known to aid sleep like magnesium or valerian). If you are curious about how a particular recommendation was derived, we will happily explain which answers led to which suggestion. There’s no secret profiling beyond the scope of improving your mental health regimen.

In summary, yes, we use modern technology to profile preferences and automate recommendations in order to provide a highly personalized experience. But you are never just a number to us – we ensure humans remain in the loop for oversight, and you remain in control. No automated decision will ever be made that compromises your rights or interests without your explicit consent and without an opportunity for human review. And as always, you have the right to object to or opt out of any form of profiling that you’re not comfortable with.
Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to provide, optimize, and personalize your experience. Cookies are small text files stored on your device (computer, smartphone, etc.) when you visit websites. They serve a variety of functions on cenario.com, from keeping you logged in to remembering your quiz progress, analyzing site traffic, and marketing our products. Here’s an overview of how we handle cookies and tracking, and how you can manage your preferences.

Types of cookies we use:
- Essential Cookies: These are necessary for the website to function properly. Without them, core features of the site (like adding items to your cart or logging into your account) would not work. For example, when you place products in your shopping cart or proceed through checkout, an essential cookie is used to remember those items as you navigate the site. These cookies do not gather information about you for marketing or analysis; they’re purely functional. Because they are needed for the service you’ve requested, they are used by default when you use our site.
- Analytics Cookies: We use analytics cookies (such as those from Google Analytics) to collect information about how visitors use our site. This data is aggregated and helps us understand things like which pages are most popular, how users move through the site, and if they encounter errors. For instance, an analytics cookie might tell us that “X number of users visited the Quiz page and 80% completed it fully.” This information is valuable for improving site content and performance. Importantly, we have settings in place to anonymize IP addresses for these analytics, and we don’t attempt to identify you through analytics data. We ask for your consent to use analytics cookies when you first visit. If you decline, we will not load these cookies.
- Advertising and Social Media Cookies: These cookies are set by third parties (like Facebook/Instagram, Google Ads, etc.) and help us with marketing and advertising efforts. They can track your browsing behavior on our site (and potentially combine it with browsing on other sites if you’ve accepted those cookies elsewhere) to serve you targeted advertisements or measure the effectiveness of our ad campaigns. For example, if you visit our site and view a particular product, a Facebook cookie might note that, and later you might see a Cenario ad on Facebook related to that product. We only use these tracking cookies if you give consent via the cookie banner. If consent is given, you might also have separate options within those platforms (e.g., you can adjust ad preferences on Facebook or Google). If you do not consent, we will not load advertising cookies, meaning you’ll see general ads rather than ones tailored from your site usage.
- Preference Cookies: These remember your preferences and settings to provide a more personalized experience. For example, a preference cookie might remember the language or region you selected, so you don’t have to set it each time. It could also recall that you’ve already taken the quiz so we might greet you with your results rather than asking you to start over (provided you haven’t cleared your cookies). While not strictly essential, these cookies enhance convenience. We usually treat these similarly to essential cookies because they improve service, but you can control them via browser settings if you wish.
Cookie consent and control: When you first visit our site from the EU (or where required by law), you will see a cookie consent banner clearly explaining that we use cookies and asking for your preferences. You can choose to “Accept All,” “Reject All” (except essentials), or pick specific categories (if our banner offers granular control). Your selection will be remembered, typically via a cookie that stores your consent state. You can change your mind anytime – either by clicking a “Cookie Settings” link on our site (usually found in the footer or the banner if you revisit) or by clearing cookies in your browser, which will trigger the consent prompt again on your next visit. Additionally, most web browsers allow you to manage cookies (e.g., block third-party cookies, delete cookies when closing the browser, etc.) through their settings. We respect the choices you make both on our site’s banner and in your browser.

Other tracking technologies: In addition to cookies, we may use web beacons (pixel tags) in our emails or on our site. For example, when we send an email, it may contain a tiny invisible image that lets us know if you opened the email (only if your settings allow images to load). This helps us gauge engagement. On the website, similar pixels from our analytics or ad partners may be present – but they function similarly to cookies in needing your consent (they won’t fire if you’ve opted out of that category of tracking). We may also use local storage or session storage on your browser for certain functionalities (for instance, temporarily storing quiz inputs as you move from question to question). These are purely first-party and used to improve your experience.

Cookie Policy: For full details on every cookie and tracker in use, including their names, purposes, and lifespans, please refer to our Cookie Policy (if available) or the cookie table on our Privacy Policy. That resource will list specific cookies (e.g., _ga for Google Analytics, which lasts 14 months, etc.) so you know exactly what’s on your device from our site. We aim to keep that information up-to-date as we add or remove cookies.

Do Not Track and Global Privacy Control: We honor browser signals such as “Do Not Track” (DNT) and the Global Privacy Control (GPC) to the extent feasible. If our systems detect a GPC signal indicating that you do not want your data to be sold or shared (under CCPA terminology) or tracked, we will treat it as an opt-out of advertising cookies. Note: DNT is a legacy signal that not all sites honor uniformly, but GPC is emerging as a more standardized control for privacy preferences. We are monitoring developments and will adjust our technology to align with recognized standards.

In summary, cookies help us provide you with a functional and personalized experience, but we want to ensure you are in control. Nothing is hidden: we strive to be transparent about what we’re doing with cookies, and you won’t find surprise third-party tags collecting data without your knowledge on our site. We obtain your consent where needed, and you can change your preferences anytime. Using our site with cookies enabled implies you are okay with the practices described, but if you ever have questions or concerns about cookies or tracking on Cenario.com, please reach out to us. We will be happy to explain or assist in opting out as needed. (For more information, see our dedicated Cookie Policy and the cookie management tool on our website.)
Children’s Data
Protecting the privacy of children is extremely important to us. Our services and products are not directed to individuals under the age of 16, and we do not knowingly collect or solicit personal data from children. The nature of our business – providing mental health supplements and wellness content – is tailored to adults (and possibly older teenagers with parental guidance), but it is not meant for young children.

Age restrictions: If you are under 16 years old (or under the applicable minimum age in your country for providing consent to data processing), please do not use our website, take our quiz, make purchases, or provide us with any personal information. We do not intend for minors to be using our personalized supplement service without parental consent. During account sign-up or checkout, if we ever ask for age information and find that you are below the cutoff, we will not proceed with collecting your data or fulfilling the service. For users in the United States, our content is not intended for children under 13 in compliance with the Children’s Online Privacy Protection Act (COPPA). We similarly do not want to collect information from anyone under 13. For those in the EU, we adhere to the GDPR provisions that require parental consent for processing data of children under 16 (although some EU Member States set this age at 13–16; we choose to generally use 16 as a safe default, unless local law dictates otherwise).

No targeted marketing to children: We do not target our ads or marketing toward children. Our advertising audiences are set for adult demographics. We do not knowingly segment or analyze data of anyone under 16 for marketing or any other purpose.

If a child interacts with Cenario: In the event that we discover we have collected personal data from someone under the relevant age without proper consent, we will take immediate action to delete that information. For example, if a parent or guardian contacts us saying, “My 14-year-old entered their email and info on your site,” we will promptly remove the data from our systems. If the child made a purchase (which would be unusual, since payment methods typically require adult involvement), we would cancel and refund it, and still erase the account.

Guidance for parents/guardians: We encourage parents and legal guardians to be involved in their children’s online activities and to talk with their children about not sharing personal information on websites without permission. If you are a parent or guardian and have any concerns about your child’s personal data in relation to our services, please contact us. We will be transparent about any data we might hold and will work with you to address it.

Teenagers (16–17 years): While 16- and 17-year-olds are not “children” under GDPR definitions (since they can consent to data processing themselves), we recognize that privacy and suitable content are still considerations. Our products (dietary supplements) might have health guidance recommending usage for adults. If you are 16 or 17 and using our site, we assume you are doing so with a good understanding of the content. Nonetheless, if we become aware of a user in this age range who may not fully appreciate the implications, we might reach out or take steps to ensure they have guardian consent, especially when health-related information is involved. Generally, though, we treat users aged 16 and over as capable of consenting under GDPR and respect their rights as we would any adult user’s.

In summary, we aim to avoid collecting data from anyone under 16. If it happens inadvertently, we will rectify it by deletion. We urge our younger audience to seek guidance from parents or guardians before exploring sites like ours. And we remain at your disposal for any questions or concerns regarding children’s privacy.
Security Measures
Cenario takes the security of your personal data very seriously. We implement a variety of technical and organizational measures to ensure that your information is protected from unauthorized access, disclosure, alteration, or destruction. While no website or digital system can be 100% immune to threats, we follow industry best practices and continually improve our safeguards to minimize risks. Here are some of the key security measures we have in place:
- Encryption: Our website is secured with SSL/TLS encryption (you’ll notice the padlock and “https://” in the address bar). This means that any data you submit through the website (such as filling out the quiz, entering login credentials, or making a payment) is encrypted in transit between your browser and our servers. It protects against eavesdropping by third parties on the network. Additionally, whenever feasible, we encrypt personal data at rest in our databases and storage. For example, sensitive fields or identifiers might be encrypted or hashed in the database, so even if someone were to gain unauthorized access to the stored data, it would not be easily intelligible.
- Access Controls: We maintain strict internal controls over who at Cenario can access personal data. Employee and contractor access to user data is granted on a need-to-know basis. For instance, our customer support team can view your account details and order history to assist you, but they might not have access to more sensitive information like your full payment details (which we don’t store) or your quiz answers unless necessary for support. Our formulators might see quiz results tied to an order ID to prepare your custom supplement, but they do not necessarily see your identity unless needed for service. We use role-based access management and unique user accounts for staff, with strong authentication (such as two-factor authentication) to prevent unauthorized login. Administrative access to servers and databases is tightly controlled and logged – only authorized IT personnel have that level of access.
- Secure Infrastructure: We host our applications and data on secure servers with reputable providers. Our servers are behind firewalls that help protect against external attacks. We regularly update and patch our systems to guard against vulnerabilities. All development and testing of our website and AI logic is done in secure environments; we avoid using real personal data in testing whenever possible (using dummy data instead) to reduce risk. We also segregate environments (for example, the production database with real user data is separate and more tightly controlled than a development database).
- Monitoring and Threat Detection: We employ security monitoring tools that alert us to unusual activities or potential intrusions. For example, we have systems that detect repeated failed login attempts (which could indicate a brute-force attack) and automatically take countermeasures like temporary blocking. We monitor network traffic for suspicious patterns and use anti-malware/anti-virus solutions on our servers to detect and prevent malicious code. In the event of any security alert, our IT and security team can respond quickly, 24/7, to investigate and mitigate any issue.
- Data Minimization and Pseudonymization: As a principle, we try to collect only the data we need (as discussed earlier), which inherently reduces risk – less data means less to protect. For sensitive data like health info, we often pseudonymize it in our internal processes. That means we separate your personal identifiers (name, email) from your quiz responses by using unique codes. So, an analyst improving our AI might work with quiz data labeled by user codes, not by actual names. If those results need to be re-linked to a user for service, only specific authorized systems can do the re-linking. This way, even if there were a partial data exposure, it’s less likely to directly identify individuals.
- Employee Training and Policies: We invest in training our team about data privacy and security. All team members and contractors with access to personal data must sign confidentiality agreements and are instructed on GDPR obligations and our internal privacy policies. We conduct regular training sessions on topics like phishing awareness (so our staff can spot and avoid malicious emails), proper data handling procedures, and how to respond in a potential security incident. We maintain clear policies that, for instance, forbid staff from downloading personal data to unsecured devices or sharing user info via unauthorized channels. Our culture emphasizes that protecting user data is everyone’s responsibility.
- Vendor Security Assessments: When we work with third-party processors (as listed earlier), we don’t take their security for granted. We review their security measures, and only choose partners who demonstrate strong protective measures. We include clauses in our contracts requiring them to maintain certain security standards and to notify us immediately in case of any breach on their side.
- Backups and Recovery: We perform regular backups of critical data to ensure that, in the event of a hardware failure or other incident, we can recover information. These backups are encrypted and stored in secure locations. We periodically test our backup restoration process to verify that we can reliably restore data if needed. This is part of our business continuity and disaster recovery planning.
- Physical Security: Although we operate in the digital realm, any physical infrastructure (like data centers hosting our servers) has robust security as well. Our data center partners have 24/7 security personnel, surveillance cameras, controlled entry, etc. On our company side, any physical documents (rare, but e.g., if you mailed us something with personal info) are kept secure and shredded when no longer needed.
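The failed-login detection described under Monitoring and Threat Detection above can be illustrated with the following added example. It is not Cenario's own code (this page shows none); the log line format, the addresses, the threshold of five failures per minute and the fifteen-minute block are all assumptions made for the example. The monitor keeps a sliding window of failures per source address, blocks the source once the threshold is crossed, and raises an alert record that a security team could act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of authentication log lines (hypothetical format and
# documentation-range addresses; not real traffic).
SAMPLE_LOG = """\
2025-07-01T10:00:01Z auth result=fail user=alice src=203.0.113.10
2025-07-01T10:00:05Z auth result=fail user=alice src=203.0.113.10
2025-07-01T10:00:09Z auth result=ok   user=carol src=198.51.100.7
2025-07-01T10:00:12Z auth result=fail user=alice src=203.0.113.10
2025-07-01T10:00:15Z auth result=fail user=bob   src=203.0.113.10
2025-07-01T10:00:20Z auth result=fail user=alice src=203.0.113.10
2025-07-01T10:00:25Z auth result=fail user=alice src=203.0.113.10
2025-07-01T10:00:30Z auth result=ok   user=alice src=203.0.113.10
2025-07-01T10:20:00Z auth result=fail user=dave  src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


class FailedLoginMonitor:
    """Sliding-window failure counter per source with temporary blocking."""

    def __init__(self, threshold: int = 5,
                 window: timedelta = timedelta(seconds=60),
                 block_for: timedelta = timedelta(minutes=15)) -> None:
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._failures: Dict[str, deque] = defaultdict(deque)
        self._blocked_until: Dict[str, datetime] = {}
        self.alerts: List[dict] = []

    def handle(self, event: dict) -> str:
        """Return the decision for one event: allow, fail, block or blocked."""
        src, ts = event["src"], event["ts"]
        until = self._blocked_until.get(src)
        # A blocked source is refused even if it now presents valid credentials.
        if until is not None and ts < until:
            return "blocked"
        if event["result"] != "fail":
            return "allow"
        q = self._failures[src]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[src] = ts + self.block_for
            q.clear()
            self.alerts.append({"src": src, "at": ts, "failures": self.threshold,
                                "until": ts + self.block_for})
            return "block"
        return "fail"


def run_monitor(log_text: str, **policy) -> Tuple[List[tuple], List[dict]]:
    """Feed log lines through the monitor; return (decisions, alerts)."""
    mon = FailedLoginMonitor(**policy)
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        decisions.append((ev["src"], ev["user"], mon.handle(ev)))
    return decisions, mon.alerts


if __name__ == "__main__":
    decisions, alerts = run_monitor(SAMPLE_LOG)
    for d in decisions:
        print(d)
    for a in alerts:
        print("ALERT", a)
```

Counting per source address rather than per account is what catches the spread attempt on a second account from the same source (the attempt against bob counts toward the same window), and clearing the window on block means the source starts fresh once the block expires.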
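The pseudonymization arrangement described under Data Minimization and Pseudonymization above (identifiers separated from quiz responses by a unique code, with re-linking limited to authorized systems) can be illustrated with the following added example. It is not Cenario's code; the field names, the roles, the sample submissions and the vault component are all constructed for the example. The code is derived with a keyed HMAC rather than a plain hash, because e-mail addresses are low-entropy and an unkeyed hash could be reversed by hashing a list of known addresses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample: raw quiz submissions as an intake service might receive
# them (hypothetical people and answers, not real user data).
RAW_SUBMISSIONS = [
    {"email": "alice@example.org", "answers": {"sleep": 2, "mood": 4}},
    {"email": "bob@example.org", "answers": {"sleep": 5, "mood": 1}},
    {"email": "Alice@Example.org", "answers": {"sleep": 3, "mood": 3}},
]

# Fields that directly identify a person and must not reach analytics data.
IDENTIFIER_FIELDS = {"email"}


class IdentityVault:
    """The only component that can map a pseudonym back to a person.

    The HMAC key lives here and nowhere else; analytics code never sees it.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._code_to_email: Dict[str, str] = {}

    def pseudonym(self, email: str) -> str:
        # Normalise so that case variants of one address map to one code.
        normalized = email.strip().lower()
        code = hmac.new(self._key, normalized.encode("utf-8"),
                        hashlib.sha256).hexdigest()[:16]
        self._code_to_email[code] = normalized
        return code

    def relink(self, code: str, caller_role: str) -> str:
        # Only the fulfilment path may re-identify; an analyst is refused.
        if caller_role != "fulfilment":
            raise PermissionError(f"role {caller_role!r} may not re-identify users")
        return self._code_to_email[code]


def build_analytics_view(vault: IdentityVault, submissions: List[dict]) -> List[dict]:
    """Strip direct identifiers and label each record with the pseudonym instead."""
    view = []
    for sub in submissions:
        record = {k: v for k, v in sub.items() if k not in IDENTIFIER_FIELDS}
        record["user_code"] = vault.pseudonym(sub["email"])
        view.append(record)
    return view


def leaked_identifiers(view: List[dict]) -> set:
    """Return any direct identifier field that survived in the analytics dataset."""
    return {k for rec in view for k in rec if k in IDENTIFIER_FIELDS}


def can_relink(vault: IdentityVault, code: str, role: str) -> bool:
    """True if the given role is permitted to re-identify the pseudonym."""
    try:
        vault.relink(code, role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = IdentityVault(secrets.token_bytes(32))
    view = build_analytics_view(vault, RAW_SUBMISSIONS)
    for rec in view:
        print(rec)
    print("leaked identifiers:", leaked_identifiers(view))
    print("analyst may relink:", can_relink(vault, view[0]["user_code"], "analyst"))
    print("fulfilment relinked:", vault.relink(view[0]["user_code"], "fulfilment"))
```

An analyst holding only the analytics view (and not the vault's key or mapping) cannot recover an e-mail address from a code, which is the property the text relies on when it says a partial exposure is less likely to identify individuals; the mapping itself is the sensitive asset and belongs under the strictest access controls described above.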
Despite all these measures, it’s important to remain vigilant. We also recommend that you take steps to protect your own data when using our services, such as keeping your account password confidential and using a strong, unique password. If you ever suspect that your account or data might be compromised (for example, if you notice unusual activity), please alert us immediately so we can investigate and help secure your account. In summary, we employ a multi-layered security approach – from technical defenses to human procedures – to guard your personal data. We treat your data as we would want our own data to be treated. We also regularly review and update our security practices to adapt to new threats and technologies. Your peace of mind is important to us; when you share information with Cenario, you can trust that we are doing everything reasonably possible to keep it safe and secure.
Data Breach Notification Procedures
In the unlikely event of a data breach – meaning a security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data – Cenario has a detailed procedure in place to respond quickly and effectively. Our goal is to contain and mitigate the breach, minimize any harm to affected individuals, and fulfill all legal obligations for notification. Here’s what would happen if we were to experience a significant data breach involving your personal data:
1. Immediate Response and Containment: The moment a potential breach is detected (through our monitoring systems or a report from an employee, user, or partner), our incident response team is activated. This team includes our security experts and management. Their first step is to contain the breach – for example, isolating compromised systems, revoking any unauthorized access, and patching whatever vulnerability was exploited. We work to stop any further data leakage or unauthorized activity as quickly as possible. Concurrently, we start an investigation to understand the scope of the incident: what happened, which systems or data sets are affected, who might be responsible, and what personal data (if any) has been compromised.
2. Assessment of Risk: We will assess the likely risk to your rights and freedoms as a result of the breach. Not all breaches require user notification – GDPR sets a threshold: if a breach is unlikely to result in a risk to individuals, we might not need to notify you (though we would still document it internally and fix it). However, if there is any chance that the breach could result in harm – such as financial loss, identity theft, confidentiality breaches, or other significant impacts – then it’s considered a “high risk” and we will notify both regulators and affected individuals. We err on the side of caution: our default mindset is to be transparent if there’s any meaningful risk. For example, if a breach involved your contact information and health quiz data being accessed, we’d consider that quite sensitive and would likely inform you given the sensitivity of health information. If, on the other hand, a breach was immediately contained and affected only encrypted data or pseudonymized data with no way to link to individuals, we might conclude there’s minimal risk.
3. Notification of Supervisory Authority: Under GDPR, if a personal data breach is likely to result in a risk to individuals, we must notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of the breach (when feasible). Since Cenario is based outside the EU, we may notify the supervisory authority in the EU member state where our designated representative is located (if we have one), or otherwise the authority of a member state where affected users reside. (If many countries’ citizens are affected, we might notify multiple authorities or the one we think is most appropriate – we’d seek guidance if needed). The notification to the authority will include details of the breach, such as what data is involved, how many individuals are affected (approximate), the consequences we anticipate, and what measures we’ve taken or plan to take to address it. We also keep the authority updated as we learn more. In Hong Kong, we also have obligations under the PDPO and would inform the Privacy Commissioner if required by local guidelines when a breach involves personal data.
4. Notification of Individuals: If a breach is likely to result in a high risk to you (for example, sensitive data exposure, or something that could seriously impact you), we will inform you without undue delay. This typically means that as soon as we have accurate information and the necessary contact details ready, we will send out notifications. We won’t unnecessarily wait up to 72 hours if we believe you should know sooner. Our notification will be in clear, plain language, describing the nature of the breach, the data concerned (e.g., “It included your name, email, and possibly the answers you provided in the mental health quiz”), and the likely consequences (e.g., “there is a risk of phishing emails because your email was exposed” or “there is a risk to confidentiality of your health-related info”). We will also tell you what steps we are taking to address the breach (like what we have done to secure our systems and prevent a recurrence) and any steps we recommend you take to protect yourself. For instance, we might suggest changing your password if credentials were involved, or being vigilant for suspicious communications. We will provide contact details so you can reach our team for more information or assistance. Notification may be done via email (to your registered email address), via in-app or website notice (if appropriate), or even via public announcement if individual communication is too difficult (though that’s usually a last resort). We will choose the method likely to reach you fastest and most securely.
5. Follow-up and Remediation: After containment and initial notifications, we continue to investigate the breach thoroughly to understand exactly how it happened and what data was affected. We document everything – this helps us improve and also provides a record for authorities. We take remediation steps such as: resetting systems, enhancing security controls, retraining staff if needed, and possibly offering support to affected users. For example, if the breach was large and involved sensitive info, we might offer free credit monitoring to those affected (commonly done in cases of identity theft risk) – whatever is appropriate to help mitigate any damage. Our goal is to restore trust and make sure something similar doesn’t happen again. We will update you if further important details emerge or if we have additional advice as our investigation concludes.
6. No Delay Policy: GDPR says we should not delay notifying individuals if the risk is high. The only reason we might ever delay individual notice is if law enforcement asks us to (e.g., if notifying users immediately would hinder an ongoing investigation into a cybercriminal, authorities can request a short delay). If that scenario happens, we would inform you as soon as that reason no longer exists.
We hope to never have to send a breach notification. Our proactive security measures are aimed at preventing incidents entirely. However, we want you to know that if something does go wrong, we will be honest and proactive about it. Your safety and trust come first. Transparency is key in these situations – we won’t hide a breach or downplay it. We will follow the law to the letter and likely even go beyond minimum requirements to ensure you’re informed and protected. In summary, we have an incident response plan that aligns with GDPR and other applicable laws: it’s about acting fast, communicating clearly, and fixing the issue. If you ever have concerns or suspect any security issues (for example, if you think your account might have been compromised), please notify us immediately through the contact channels provided. We will treat it with utmost priority.
Supervisory Authority and Complaints
We want to resolve any privacy concerns or issues you might have directly and efficiently. However, it’s important for you to know that under GDPR and other privacy laws, you have the right to seek help or lodge a complaint with a regulatory authority if you believe your data has been mishandled or your rights infringed. We fully acknowledge and respect this right.
Contact us first (optional but recommended): We encourage you to reach out to us with any complaints or questions about how we handle your personal data. Our dedicated privacy team will do everything possible to address your concerns swiftly and thoroughly. Often, misunderstandings can be cleared up or issues resolved through a direct conversation. We value feedback, and even if you’re unhappy about something, it gives us a chance to make it right. Please see Contact Information for Privacy Requests below for how to get in touch. We will treat any complaint with seriousness and confidentiality.
Right to lodge a complaint with a Supervisory Authority: If you are in the European Union, you have the right to lodge a complaint with any EU Data Protection Supervisory Authority, particularly in the country of your habitual residence, place of work, or place of the alleged infringement. For example, if you live in Germany, you can complain to the data protection authority in Germany; if you’re in France, to the CNIL in France; and so on. You are not required to complain to the Hong Kong authorities – GDPR gives you the choice to go to your local authority or the one you feel is appropriate. The supervisory authority will then decide how to handle your complaint, possibly coordinating with others.
- If we have an EU representative or lead authority (since we’re based outside the EU), we would mention them here. As of now, you can approach any authority and they will reach out to us. We will cooperate fully with any inquiry or investigation they undertake.
- For reference, you can find a list of EU national data protection authorities and their contact details on the European Data Protection Board’s website. The process usually involves you submitting details of your concern, and the authority will investigate or mediate.
United Kingdom: If you are in the UK, you can lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s supervisory authority for data protection. The ICO’s website (ico.org.uk) provides information on how to make a complaint online or via mail/phone. Again, you can raise your issue with us or directly with the ICO. We note that UK data protection law (UK GDPR and Data Protection Act 2018) mirrors the EU’s in many respects, and we uphold those standards as well.
Other jurisdictions: If you reside outside the EU/UK, you may have similar rights with your local authorities:
- In Hong Kong, the relevant authority is the Office of the Privacy Commissioner for Personal Data (PCPD). Individuals in Hong Kong can contact the PCPD to file a complaint if needed.
- In Singapore, the Personal Data Protection Commission (PDPC) handles complaints under PDPA.
- In Australia, the Office of the Australian Information Commissioner (OAIC) would be the body to approach regarding the Privacy Act.
- In Canada, the Office of the Privacy Commissioner of Canada (OPC) oversees PIPEDA (though Canada isn’t explicitly in our list, we do have customers in Canada).
- For California residents, while your mechanism is slightly different (via the California Attorney General or the CPPA for CCPA issues), we address that in the International Compliance Notes.
The key message is: you have the right to seek help from regulators, and you will not be penalized or discriminated against for doing so.
No waiver of rights: Nothing in our terms or policies will ever strip you of your right to complain to a regulator. Even if you have agreed to arbitration or any other dispute resolution with us (for example, via our Terms & Conditions), you can still bring issues to data protection authorities as per your statutory rights.
Cooperation: If a supervisory authority contacts us regarding a complaint, we will cooperate promptly and fully. We view regulators as partners in ensuring data protection. Our approach is to be transparent and provide whatever information is needed to resolve any matter.
Updates on complaints: If you do lodge a complaint (with us or an authority), we’ll keep you informed of progress. We aim to acknowledge any direct complaint within a short time (e.g., within a week or sooner) and provide a substantive response typically within one month. If it’s something complex that takes longer, we’ll let you know.
We hope it never reaches the stage where you feel a need to contact an authority. But we want you to feel empowered: your data, your rights. We stand by that principle. Our sincere request is, give us a chance to address your concern first – there might be a simple fix or explanation. However, ultimately the choice is yours, and we will respect it. For your convenience, here are a couple of examples of authorities’ contacts (just a few key ones):
- Germany: Die Bundesbeauftragte für den Datenschutz (different for each state, e.g., Bavarian DPA).
- France: CNIL – 3 Place de Fontenoy, 75007 Paris, +33 1 53 73 22 22.
- Ireland: Data Protection Commission – Canal House, Station Road, Portarlington, Co. Laois, +353 57 8684800.
- UK: ICO – Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, +44 303 123 1113.
(We will provide more specific representative information here if we appoint an EU or UK representative as required by GDPR Article 27 for entities outside the EU. In absence of that info here, it means we will accept queries directly.) Remember, using our services does not mean you waive any rights. On the contrary, we strive to uphold all your rights. If something’s not right – you have the voice, and authorities are there to back you up. We fully support fair oversight in the realm of privacy.
Contact Information for Privacy Requests
Your questions, requests, and feedback about privacy are always welcome. We are here to help you exercise your rights or address any concerns related to your personal data. Below is how you can reach us regarding privacy matters:
- Email: The most convenient way to contact us is via email. Please send your inquiries or requests to privacy@cenario.com. If you prefer, you may also email support@cenario.com (just include “Privacy” in the subject line to ensure it’s routed correctly). Using email allows us to document your request and respond in writing for your records. We monitor these inboxes closely and aim to reply as soon as possible, typically within a few business days or sooner for urgent matters. When emailing, please provide your name and the email associated with your Cenario account or interactions, and clearly state your request (for example, “I’d like to access my data” or “I have a question about how my data is used”). Do not include sensitive information like passwords in your email. Once we receive your email, we will confirm receipt and guide you through any verification steps if needed.
- Postal Mail: You can also reach us by traditional mail. Our mailing address for privacy or data protection inquiries is:
  Cenario Limited
  Room 409, Beverley Commercial Centre
  87–105 Chatham Road South, Tsim Sha Tsui
  Kowloon, Hong Kong SAR
  Please direct the letter to “Privacy Team” or “Data Protection Officer” (if applicable) at the above address. If you are sending a formal notice or legal correspondence, this address is suitable for that purpose as well. Kindly note that postal inquiries may take longer for us to receive and respond to (especially internationally), so for time-sensitive requests (like exercise of rights with a 30-day timeline), email or our web contact form is recommended. However, we will treat mailed requests with the same diligence once received. If you send us a letter, please include a way to contact you (email or postal address, phone if you prefer) and as much detail as possible about your request. We will respond via your preferred contact method.
- Contact & Help Center: On our website, you may find a Contact & Help Center page (or a support form). You can submit inquiries there as well. Simply select the topic closest to your issue (if privacy is an option, choose that, or otherwise general inquiry) and provide your question or request. Those submissions are routed to our support team, who will involve the privacy team as needed. If you use this channel to exercise a data right, please mention it explicitly (e.g., “GDPR Data Access Request”) so we can prioritize and handle it appropriately. The Help Center might also contain FAQs that address common privacy questions.
- Telephone: We currently handle privacy requests in writing to ensure clarity and proper record-keeping. We have found that written requests reduce misunderstandings. Therefore, we generally do not list a dedicated privacy phone line, and we kindly ask you to use the above methods. If speaking by phone is necessary (for example, to clarify a complex request), we can arrange a call after the initial written contact. Our customer support phone (if listed on our site) is primarily for product inquiries and orders, and while they can take a message regarding a privacy matter, they will likely refer you to submit via email or escalate it internally. So email or mail is the best route to reach the actual privacy team.
Contact person: If you have a very specific question that you feel needs to be directed to an individual, you can address it to our Data Protection Officer (DPO), in case we have appointed one, or just to the Privacy Team. Currently, our privacy compliance is handled by a team rather than a single named DPO (as we are not legally required to have a DPO in all cases). In any case, rest assured that any communication marked “Attn: Privacy” will reach the correct personnel with expertise in data protection.
What to expect: When you contact us, we will acknowledge your request as soon as possible (usually within a few days maximum). For rights exercises (like access or deletion), we will log the date of your request as the start of the timeline and guide you through any identification verification if needed. We will then process your request and respond within the timeframe discussed earlier (typically within one month for formal GDPR rights requests). Our response will usually be in writing (email or letter) for documentation purposes, unless you request another method. If your inquiry is a general question, we’ll strive to answer it fully. If it’s a complaint or concern, we’ll investigate and come back with a resolution or explanation. We approach every privacy request with care and attention, recognizing that behind every request is a person trusting us with their information.
Language: You can write to us in English (preferred for fastest response as our privacy team primarily operates in English). If you write in another language, we will do our best to translate and respond accordingly, but it might add some delay. For EU users, we will try to accommodate major European languages for communication whenever possible.
Alternate contacts (representatives): If we appoint an EU and/or UK representative under GDPR Article 27, their contact details will be provided here as an additional channel, especially for regulatory contacts. At the moment, you should contact us directly as above.
Finally, here’s a recap of our primary privacy contact:
Email: privacy@cenario.com
Mail: Cenario Limited – Privacy Team, Room 409, Beverley Commercial Centre, 87–105 Chatham Road South, Tsim Sha Tsui, Hong Kong.
We are here to help and we appreciate you reaching out for any privacy-related matter.
Last Updated Date and Policy Changes
This GDPR Compliance page is a living document. We may update it from time to time to reflect changes in our data practices or to ensure it remains aligned with the latest legal requirements and best practices. We are transparent about these changes and will not significantly alter how we handle your personal data without informing you.
Last Updated: July 1, 2025.
(This is the effective date of the current version of this page. Any changes made after this date are not reflected here unless we update the date.)
When we make updates to this page or our Privacy Policy, we will change the “Last Updated” date accordingly. If the changes are substantial, we may also provide additional notice to you of the update. For example, we might post a prominent notice on our website’s homepage or send you an email notification summarizing the key changes, especially if you are a registered user or subscriber. Minor adjustments (like clarifications or typographical corrections) may not be individually notified, but will still be captured by the updated date.
What constitutes a significant change? Changes that might affect you significantly include, for instance: adding new categories of personal data we collect, changing how or why we use data in a way that you wouldn’t expect, changing our contact information or the identity of the data controller, or updates to reflect new rights or legal requirements. If we were ever to engage in new processing that requires your consent, we would obtain that separately, but we would also update our documentation here.
We encourage you to review this GDPR Compliance page (and our Privacy Policy and Cookie Policy) periodically to stay informed about how we are protecting your data. Your continued use of our website and services after any changes signifies your acceptance of the updated terms, to the extent permitted by law. If we update this page, we may archive prior versions and make them available upon request for transparency. If you have any questions or concerns about any change, you are welcome to contact us (see Contact Information for Privacy Requests). Our team will be happy to explain the changes or how they might impact you. In summary, we pledge to keep you informed about our privacy commitments. We won’t surprise you with hidden changes. And if something big changes, you’ll hear from us.
Thank you for reading and staying informed about your rights and our obligations.
International Compliance Notes (UK GDPR, CCPA/CPRA, PDPA, Privacy Act 1988)
Privacy laws around the world share common principles, but they also have unique requirements. Cenario is committed to complying not only with the EU GDPR, but also with other relevant data protection laws in the regions where we operate or have customers. Below, we provide notes on how we address key international regulations: the UK GDPR, California’s CCPA/CPRA, Singapore’s PDPA, and Australia’s Privacy Act 1988. We consider these in addition to our core GDPR approach, ensuring that we meet or exceed the obligations in each jurisdiction.
United Kingdom (UK GDPR)
After Brexit, the UK implemented its own version of GDPR, often referred to as the UK GDPR, coupled with the Data Protection Act 2018. In practice, UK GDPR is very similar to the EU GDPR – it guarantees the same rights to individuals and imposes similar obligations on organizations.
Our approach: If you are a user in the United Kingdom, rest assured that everything we’ve outlined in this GDPR Compliance page applies equally to your data. We treat UK residents’ data with the same high standard of care, lawfulness, and transparency. References to GDPR in this policy should be read to include the UK GDPR for UK users. For example, your rights to access, correction, deletion, etc., are equally available under UK law, and you may contact the UK’s ICO as your supervisory authority (as mentioned earlier) if needed. We acknowledge that, as a company outside the UK, we may be required to appoint a UK representative under UK GDPR Article 27 if we are processing UK personal data on a large scale. Should we designate such a representative, we will include their contact information in our privacy documentation and on our website so UK individuals and the ICO can reach them. Regardless, you can always reach us directly, and we will respond to UK data subject requests in accordance with UK law.
Data Transfers: The UK currently deems EEA countries adequate and also honors the EU’s adequacy decisions and SCCs structure (with slight legal tweaks). Since we already facilitate EU transfers with SCCs, those mechanisms also cover transfers from the UK to Hong Kong or other countries. If needed, we use the UK’s International Data Transfer Agreement (IDTA) or addendums as appropriate for UK-specific transfers with third parties. In short, from a user perspective, there’s no difference – your data will not be treated any differently whether you’re in London or Paris. We ensure compliance with UK GDPR just as we do with EU GDPR.
California, USA (CCPA/CPRA)
California has enacted strong privacy laws for its residents – the California Consumer Privacy Act (CCPA) of 2018, amended by the California Privacy Rights Act (CPRA) which took effect in 2023. Together, these laws give Californians rights regarding their personal information and impose obligations on businesses on how they collect, use, and share that information.
Scope: CCPA/CPRA applies to certain businesses that meet thresholds (like revenue or data volumes) and that collect personal info of California residents. Even if we might not meet those thresholds yet, we strive to honor the spirit of these laws for our California customers.
Rights for California residents: If you are a California resident, you have the following rights (in addition to the GDPR-style rights we already honor):
- Right to Know: You can request that we disclose the categories of personal information we have collected about you, the categories of sources of that info, the business or commercial purpose for collecting (or selling/sharing) it, the categories of third parties with whom we share it, and specific pieces of personal information we hold about you. Essentially, transparency on what we have and with whom it’s shared. (Much of this is covered throughout our privacy disclosures, but you can also ask for a more personalized report).
- Right to Delete: Similar to GDPR’s right to erasure, you can request deletion of personal information we collected from you (with some exceptions; e.g., we may retain data needed to complete a transaction, for legal compliance, or other CCPA-exempt purposes). We will delete and direct our service providers to delete your info unless an exemption applies.
- Right to Correct: Under CPRA, you have the right to request that we correct inaccurate personal information we hold about you. We will take into account the nature of the info and purpose of processing and work to correct it if it’s indeed inaccurate.
- Right to Opt-Out of Sale or Sharing: CCPA defines “sale” broadly as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal info to another business or third party for monetary or other valuable consideration. “Sharing” (added by CPRA) refers to providing personal info for cross-context behavioral advertising (targeted ads). Cenario does not sell your personal information for money. We also do not share your personal information for third parties’ own advertising purposes. The only case that might be considered “sharing” under CPRA is the use of analytics/advertising cookies (like Facebook Pixel or Google Analytics) which could be deemed as sharing data for behavioral advertising. We have implemented a mechanism to respect opt-out of such sharing – effectively, our cookie consent tool serves as a “Do Not Sell or Share My Personal Information” opt-out. If you are a California resident and want to ensure your data isn’t shared for advertising, simply decline marketing cookies on our site or use the Global Privacy Control (GPC) signal in your browser which we honor (as stated in the Cookies section). You can also contact us to manually record an opt-out of sale/sharing, and we will ensure no such data transfers occur for your data.
- Right to Limit Use of Sensitive Personal Information: CPRA introduces this right if a business uses or discloses sensitive personal info beyond what’s “necessary” for providing goods or services. Sensitive info in California’s context includes things like precise geolocation, health information, etc. We do collect health-related info (quiz responses). However, we only use this sensitive info to provide you the service (personalized supplements), which is considered a necessary use. We do not use it for secondary purposes like targeted advertising. So in essence, we are already limiting our use of sensitive info to the core service. If you still have concerns, you can of course request deletion or withdraw consent for us to use that info, which we will honor.
- Right of Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights. This means, for example, we won’t deny you services, charge you a different price, or provide a lesser quality of service just because you opted out of data sharing or asked for your data to be deleted (except if the deletion means we can’t provide a certain service, but that’s a logical consequence rather than a punishment).
How to exercise California rights: You can use the contact methods in this policy (email or mail) to submit requests under CCPA/CPRA. You can also use any “Your Privacy Choices” link that may be on our website footer. We will need to verify your identity for access/deletion/correction requests (just like for GDPR). If an authorized agent is making the request on your behalf, we may require proof of authorization and still verify your identity with you directly.
Metrics and disclosures: We don’t currently post metrics about CCPA requests (like number of requests received, complied with, denied, etc.), as we are not at the scale requiring that, but we keep track internally. Also, in our main Privacy Policy, we provide a summary of the categories of personal info we collect, the sources, purposes, and disclosures in a format aligning with CCPA requirements (for those who prefer that format). We ensure that California residents are provided with all required information at collection (for instance, a notice at the point of quiz or checkout informing what data is collected and why, as per CCPA’s notice requirement).
In summary, we handle California personal information in compliance with CCPA/CPRA. Even though much of it overlaps with GDPR, we make sure to account for the differences (like the definition of “sale” and the specific rights enumerated). If you’re a California customer, you have the peace of mind that you essentially have two layers of strong privacy protection: European-level and California-level, and we uphold both.
Singapore (PDPA)
Singapore’s Personal Data Protection Act (PDPA) governs the collection, use, and disclosure of personal data by private organizations. It emphasizes consent, purpose limitation, and reasonableness, and provides individuals with certain rights like access and correction.
Consent and Purpose: PDPA generally requires consent for the collection, use, or disclosure of personal data, unless an exception applies. In our operations, we align with this by seeking your consent for various activities (as described in our consent section). For instance, by participating in our quiz or providing your data, you consent to us using it for the specified purposes (personalized recommendations, etc.). We do not use your data for purposes beyond what we have informed you of, in accordance with the Purpose Limitation Obligation under PDPA. If we ever need to use your data for a new purpose, we will seek fresh consent unless an exception (like it being clearly in your interest, or necessary for legal reasons) applies.
Access and Correction: Singaporean customers have the right to request access to their personal data that we have and to know how we have used or disclosed it in the past year. They also can request corrections of their data to ensure it is accurate and complete. We will handle such requests similarly to GDPR access/correction requests – within a reasonable time and at a reasonable cost (PDPA allows charging a minimal fee for access to cover costs; to date we have not charged any fees for such requests). If you’re in Singapore, you can use the contact methods to request access or correction. We’ll verify your identity and respond typically within 30 days. If we cannot provide certain data (maybe due to legal exceptions), we will inform you with the reason (PDPA has some exceptions like data that’s part of an investigation, or opinion data not subject to access, etc.).
Withdrawal of Consent: PDPA gives individuals the right to withdraw consent, with reasonable notice, for the continued use or retention of their data. We fully respect that – as explained, you can withdraw consent and we will cease the activities and inform you if it means we can’t provide certain services.
Care of Personal Data: We comply with PDPA’s provisions on protection (making reasonable security arrangements to prevent unauthorized access, etc. – which we’ve detailed in Security Measures), as well as retention limitation (we don’t keep data longer than needed, as detailed in Data Retention). PDPA also has requirements for transfer of data outside Singapore – essentially ensuring comparable standards overseas. Our safeguards like SCCs and strict contracts ensure that if Singapore data is transferred to Hong Kong or elsewhere, it remains protected in line with PDPA expectations.
Data Breach Notification: As of the 2021 amendments, PDPA requires notification to the PDPC and affected individuals if a data breach results in (or is likely to result in) significant harm, or if a certain volume of data is affected. Our breach procedures already cover notifying users and relevant authorities. If we had Singaporean users affected in a qualifying breach, we would notify the PDPC within the required timeline (which is similar to GDPR’s 72 hours in practice) and notify individuals as required by PDPA.
Do Not Call (DNC) Provisions: PDPA has specific rules if we were making marketing calls or texts to Singapore numbers. Currently, we mainly use email and online channels for marketing. If we ever use phone or SMS for marketing in Singapore, we would scrupulously comply with DNC rules (checking numbers against the DNC registry, obtaining clear consent if necessary, etc.). As of now, we don’t engage in telemarketing to Singapore consumers.
We also note that Hong Kong (our base) and Singapore have some similar strong privacy expectations, culturally and legally. We strive to meet the higher of any standards, so Singapore users should feel that our service is PDPA-compliant and likely even more stringent by virtue of our GDPR practices. If you’re in Singapore and have any PDPA-specific query or need to contact our Data Protection Officer (if one is designated for PDPA), you can reach out via the contact info. We will assist in accordance with PDPA.
Australia (Privacy Act 1988)
Australia’s Privacy Act 1988 (including the Australian Privacy Principles – APPs) regulates how organizations handle personal information. While Cenario is not an Australian company, if we have customers in Australia or we target that market, we aim to adhere to the APPs to ensure Australian users’ data is respected. Australian Privacy Principles compliance: Here’s how we map to key APP requirements:
- APP 1 – Open and transparent management: We maintain a clearly expressed and up-to-date privacy policy (of which this page is a part) describing how we manage personal information. The information here and in our full Privacy Policy aligns with APP 1 by outlining what personal data we collect, how we use/disclose it, etc. We are committed to transparency for Australian users just as for others.
- APP 2 – Anonymity: Australian individuals have the option of not identifying themselves or using a pseudonym when dealing with a company, except when impractical. For Cenario’s services (custom supplements), it may be impractical to be completely anonymous because we need an address to ship products, and health info to personalize them. However, we do allow a level of pseudonymity where possible – e.g., you might browse our site without giving a name, or take the quiz without immediately identifying yourself (until purchase). If someone wanted to consult us without giving their name initially, we’d try to accommodate that, but eventually, to transact, some data is needed. We do not mandate more identification than necessary.
- APP 3 & 5 – Collection and Notification: We only collect personal info that is reasonably necessary for our functions (which we’ve detailed under the data minimization principle) and we usually collect directly from the individual. We also take steps to notify individuals about the collection and how we’ll use it at the time of collection (much of which is done via this policy and just-in-time notices on forms). If any data is collected from a third party (uncommon; for example, if a friend gifts a product to you and gives us your address), we would take reasonable steps to inform you.
- APP 6 – Use and disclosure: We use and disclose personal info only for the purposes for which it was collected (primary purposes), for related purposes you’d reasonably expect, or as otherwise permitted by law (similar to our Purpose Limitation principle under GDPR). For instance, using order info to fulfill the order and then for record-keeping is expected; using health data for personalization is expected; we wouldn’t, say, sell that info to an insurance company – that would violate this principle (and our own values). If we ever needed to use data for a new purpose, we’d seek consent (as APP 6 permits with consent).
- APP 7 – Direct marketing: We will not use or share sensitive personal information for direct marketing without consent. For non-sensitive info, if we ever used it for direct marketing, we provide opt-outs. Practically, we obtain consent for marketing communications (as described earlier) for all users, and any marketing email you get has an unsubscribe link. We also respect requests (like an email to support) to not receive marketing. We do not disclose personal info to third parties for their direct marketing unless you have consented (and we currently do not do so at all). This aligns with APP 7’s requirements.
- APP 8 – Cross-border disclosure: If we transfer personal info about an Australian individual overseas, we have to ensure the recipient will handle it under standards comparable to the APPs, or otherwise we remain accountable. As described in International Transfers, we implement safeguards like SCCs which, while an EU concept, also mean those recipients are contractually bound to strong privacy standards. For Australian data, we essentially take responsibility that our processors abroad (e.g., in the US or HK) protect the data. There’s no formal adequacy list in Australia like the EU’s; the onus is on us. We treat Australian user data with the same protection as EU data, and by doing so we exceed Australian requirements in most cases. We consider that compliant with APP 8, as we would be accountable if a foreign recipient mishandled Australian data (we don’t just say “not our problem” – it is our problem).
- APP 10 & 11 – Data quality and security: We take reasonable steps to ensure personal info is accurate, up-to-date, and complete (e.g., giving you the ability to correct info, as described). And we protect personal info from misuse, interference, loss, and unauthorized access/modification/disclosure – our Security Measures section details our approach, aligning with APP 11.
- APP 12 & 13 – Access and correction: Similar to GDPR and PDPA, Australians can request access to their personal info and correction of it. We will respond within a reasonable time (and typically free of charge). The process would be similar to what we described for others: verify identity, then provide the data or make the correction. If we ever refused access (the Privacy Act has some exceptions, like if giving access would unreasonably impact others’ privacy or is frivolous/vexatious, etc.), we would explain the reason and the mechanisms to complain. But refusal is rare and we default to granting access. For corrections, if we disagree that something needs correction, we’ll at least note the request or allow you to add a statement, as APP 13 provides.
Sensitive information: Australia considers health information as “sensitive information,” which requires consent to collect. We indeed ask for (explicit) consent for collecting and using the quiz health data, satisfying that requirement.
Complaints in Australia: If you’re in Australia and have a privacy concern, you can contact us (as in the complaints section) or the OAIC. We will cooperate with any OAIC inquiries. We are also aware of the notifiable data breaches rules in Australia (which set criteria similar to GDPR’s for reporting significant breaches to the OAIC and individuals). Our breach plan accounts for that too.
No Overseas Spam: While not part of the Privacy Act itself, we are also mindful of the Spam Act when sending emails to Australia – we ensure we have consent and include an unsubscribe option in all marketing emails (which is consistent globally for us).
In summary, we strive to meet the Australian Privacy Principles: being transparent, using data properly, securing it, and giving individuals control. If you are an Australian user and need any specific reassurance or have questions about your data under Australian law, please reach out – we’re happy to clarify how we meet our obligations to you.
Closing note: Cenario operates with a global mindset on privacy – we aim to comply with the strictest laws (like GDPR) and in doing so, we often exceed local requirements. The international notes above demonstrate our commitment in key regions. As privacy laws evolve (new ones are popping up in many U.S. states, for example), we keep updating our practices. Our promise to you, no matter where you live, is that we value your privacy and handle your data lawfully and respectfully. Thank you for reading our GDPR Compliance page. If you have any further questions about our privacy practices, please don’t hesitate to contact us. Your peace of mind is part of our mission in supporting your mental health and wellness journey.