Privacy policy

This Privacy Policy explains how Zenyu Ltd ("Luvaur," "we," "us," or "our") collects, uses, shares, and protects personal data when you visit luvaur.com (the "Site"), place an order, create an account, interact with our customer service, or engage with our marketing. Zenyu Ltd is the data controller responsible for your personal data.

  • Company: Zenyu Ltd
  • Company number: 16840342
  • Registered office: 182-184 High Street North, Office 15597, London E6 2JA, United Kingdom
  • Email: help@luvaur.com We are committed to processing your personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. What Personal Data We Collect

We collect the following categories of personal data: 1.1 Data you give us directly

  • Contact and identity data: name, email address, phone number, billing and shipping address
  • Account data: login credentials, preferences, wishlists (only if you create an account)
  • Order data: products purchased, order history, order value
  • Communications data: messages you send us via email, live chat (Shopify Inbox), or contact forms
  • Marketing preferences: whether you have opted in to receive marketing emails
  • Quiz data: answers you provide in our on-site quiz, including symptom-related responses and preferences
  • User-generated content: reviews, testimonials, photographs, or social media posts you submit 1.2 Data collected automatically when you use the Site
  • Device and browser data: IP address, browser type, operating system, device identifiers, screen size
  • Usage data: pages visited, time on site, referring URL, links clicked, search terms used
  • Cookie and tracking data: see our Cookie Policy for the full list of cookies and tracking technologies used
  • Location data: approximate location derived from IP address (country/region level, not precise location) 1.3 Data we receive from third parties
  • Payment data: transaction status, partial card details (last 4 digits), and fraud signals from our payment processors. We do not store full payment card details.
  • Analytics and advertising data: aggregated performance data from Meta and Google related to our advertising
  • Fulfilment data: shipping status and tracking information from our carriers

2. How We Use Your Personal Data (Legal Bases)

Under GDPR, we must have a lawful basis for every use of your data. Here is how we use it and why:

Processing and delivering your order Data used: contact, order, payment, shipping data Legal basis: Contract — necessary to fulfil our agreement with you

Providing customer service and handling complaints Data used: contact, order, communications data Legal basis: Contract and legitimate interests (responding to customer enquiries)

Managing your account (if you create one) Data used: account data, order history Legal basis: Contract

Detecting and preventing fraud Data used: device, transaction, behavioural data Legal basis: Legitimate interests (protecting our business and customers from fraud)

Complying with legal obligations (tax, accounting, consumer law) Data used: order, transaction, identity data Legal basis: Legal obligation

Analysing and improving the Site Data used: usage, device, cookie data Legal basis: Legitimate interests and, where required, consent

Sending you transactional emails (order confirmations, shipping updates) Data used: contact, order data Legal basis: Contract

Sending you marketing emails Data used: contact, preference data Legal basis: Consent — opt-in only

Running and measuring advertising on Meta and Google Data used: cookie, usage, email (hashed) data Legal basis: Consent

Using your reviews and user-generated content in our marketing Data used: user-generated content Legal basis: Consent (granted under our Terms of Service)

You have the right to withdraw consent at any time. Withdrawing consent does not affect processing that has already taken place.

3. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (pixels, web beacons, local storage) to make the Site work, analyse usage, and deliver relevant advertising. When you first visit the Site, our Shopify Customer Privacy banner appears, allowing you to:

  • Accept all cookies
  • Reject all non-essential cookies
  • Customise your preferences by category You can change your preferences at any time by clicking the cookie preferences link in the footer of the Site. The main categories of cookies we use are:
  • Essential cookies — required for the Site to function (e.g., checkout, account login). These cannot be disabled.
  • Analytics cookies — help us understand how visitors use the Site (Shopify analytics).
  • Advertising and marketing cookies — used by Meta Pixel and Google Ads to measure the effectiveness of our ads and show you relevant products. These only load if you consent. For the full list and details, please see our Cookie Policy.

4. Sharing Your Personal Data

We share personal data only with the parties listed below, and only as necessary for the purposes described. 4.1 Service providers (data processors acting on our behalf)

  • Shopify Inc. — e-commerce platform hosting the Site, processing orders, storing customer data, sending transactional and marketing emails via Shopify Email, and providing live chat via Shopify Inbox
  • Shopify Payments (operated by Stripe Payments Europe) — primary payment processor
  • PaymentCloud and other integrated third-party payment providers — alternative payment methods at checkout
  • 4PX, Yun Express, and regional delivery carriers (PostNL, Bpost, PostNord) — order fulfilment and delivery
  • Our fulfilment partners (EU-based 3PLs and international manufacturing partners) — processing and dispatching orders
  • Third-party email marketing platforms — if we add a dedicated email marketing provider in future, we will update this Policy and name the provider
  • Accounting and bookkeeping providers — tax filing and financial record-keeping 4.2 Marketing and advertising partners
  • Meta Platforms Ireland Ltd (Facebook, Instagram) — we use Meta Pixel and Conversions API to measure advertising performance. We also upload hashed customer email addresses to Meta Ads Manager to build Custom Audiences and Lookalike Audiences. This only happens where you have consented to advertising cookies and marketing communications.
  • Google Ireland Ltd (Google Ads) — we use Google Ads tracking to measure advertising performance. We may also upload hashed customer email addresses to Google Customer Match for retargeting. This only happens where you have consented to advertising cookies and marketing communications. 4.3 Quiz and funnel tools We use a third-party quiz platform to host our on-site quiz. The platform collects your responses and may associate them with your email if you choose to share it at the end of the quiz. Responses are used to personalise product recommendations and follow-up communications (where you have opted in). 4.4 Legal and regulatory disclosures We may disclose personal data where required by law, including to tax authorities (HMRC and relevant EU tax authorities), regulators, law enforcement, or in response to a valid legal request. We may also disclose data to enforce our Terms of Service or protect our rights, property, or safety. 4.5 Business transfers If Zenyu Ltd is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred to the acquiring party. We will notify affected customers and ensure continued protection of their data under GDPR. We do not sell your personal data to third parties.

5. International Data Transfers

Some of our service providers and partners are located outside the European Economic Area (EEA), including:

  • United Kingdom — where Zenyu Ltd is established (UK has an EU adequacy decision, meaning transfers are considered safe)
  • United States — where Shopify, Meta, Google, and certain payment processors operate infrastructure
  • China — where some of our fulfilment partners operate Where we transfer personal data outside the EEA, we rely on one of the following safeguards:
  • Adequacy decisions issued by the European Commission (e.g., UK)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework for applicable US-based recipients You can request a copy of the specific safeguards applied to any particular transfer by emailing help@luvaur.com.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

  • Order and transaction data: 7 years from the date of the order (required by UK and EU tax law)
  • Account data: retained while your account is active, and for 2 years after account closure (for fraud prevention and legal defence)
  • Marketing data: retained until you unsubscribe or withdraw consent, then deleted within 30 days
  • Customer service emails and chat logs: retained for 2 years from the last interaction
  • Quiz responses: retained for 2 years, unless you create an account or opt in to marketing (in which case retention follows those rules)
  • Website analytics data: retained in aggregated, non-identifiable form for up to 2 years
  • Cookie data: retention varies by cookie — see our Cookie Policy After the applicable retention period expires, data is either deleted or fully anonymised.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements
  • Right to restrict processing — limit how we use your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format, or have it transferred to another controller
  • Right to object — object to processing based on legitimate interests, and to object to direct marketing at any time
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior lawful processing
  • Right not to be subject to automated decision-making — we do not make decisions about you based solely on automated processing that produces legal or significant effects How to exercise your rights: email help@luvaur.com with your request. We will respond within one month (extendable to three months for complex requests, with notification). We may ask you to verify your identity before acting on a request, to protect your data from unauthorised access. No fee is charged for reasonable requests. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

8. EU Representative (Article 27 GDPR)

As Zenyu Ltd is established in the United Kingdom, which is outside the European Economic Area, we are in the process of appointing an EU Representative in accordance with Article 27 of the GDPR. Once appointed, their contact details will be published here. In the meantime, EU data subjects may contact us directly at help@luvaur.com regarding any GDPR-related matter.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. You can contact:

  • Netherlands — Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl)
  • Belgium — Gegevensbeschermingsautoriteit / Autorité de protection des données
  • Sweden — Integritetsskyddsmyndigheten (IMY) (https://www.imy.se)
  • United Kingdom — Information Commissioner's Office (ICO) (https://ico.org.uk) We would appreciate the opportunity to address your concerns before you contact a supervisory authority — please email us at help@luvaur.com first.

10. Security

We take the security of your personal data seriously. Measures we have in place include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of payment data in accordance with PCI-DSS
  • Access controls limiting who within our organisation can view your data
  • Use of reputable, security-certified service providers (Shopify is PCI-DSS Level 1 certified)
  • Regular security reviews and updates No system is perfectly secure. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, as required by GDPR.

11. Children's Data

Our Site and products are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at help@luvaur.com and we will delete it.

12. Automated Decision-Making and Profiling

We use limited automated processing to:

  • Personalise product recommendations based on quiz responses and browsing behaviour
  • Display relevant advertising on Meta and Google platforms based on aggregated audience data These activities do not produce legal effects or significantly affect you. You can object to profiling for marketing purposes at any time by withdrawing marketing consent or adjusting your cookie preferences.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, new services, or legal requirements. The "last updated" date at the top of this page reflects the most recent changes. If we make material changes, we will notify you by email (where you have provided one) or through a prominent notice on the Site before the changes take effect.

14. Contact

For any questions about this Privacy Policy or how we handle your personal data: Email: help@luvaur.com Response time: Within 2 business days (for general enquiries) or 1 month (for formal GDPR requests) Postal address: Zenyu Ltd, 182-184 High Street North, Office 15597, London E6 2JA, United Kingdom