GDPR — Your Data Rights

Last updated: 2026-06-15 · Applies to users in the EEA, UK, and Switzerland

Zenbrox is committed to protecting and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection (nFADP). This page describes your rights under these laws, how to exercise them, and how we handle your personal data.

1. Data Controller

For the purposes of the GDPR, the data controller responsible for your personal data is:

  • Organisation: Zenbrox
  • Website: zenbrox.com
  • Contact: Use our Contact page for all data-related requests.

We do not have a statutory obligation to appoint a Data Protection Officer (DPO) at this time, but all data-related enquiries are handled with priority. We will respond to verified data subject requests within one month of receipt, the period set by Article 12(3) GDPR (see section 11 for the extension that may apply to complex requests).

2. Legal Bases for Processing

We process your personal data only where we have a lawful basis to do so. The lawful bases we rely on are:

2.1 Contract Performance (Article 6(1)(b) GDPR)

When you register an account or purchase a Pro subscription, processing your email address and account data is necessary to perform the contract between us. Without this processing, we cannot create your account, authenticate you, or deliver the services you have paid for.

2.2 Legitimate Interests (Article 6(1)(f) GDPR)

We process certain data on the basis of our legitimate interests, which include:

  • Operating and securing the website — preventing fraud, abuse, and unauthorised access;
  • Improving the Service — analysing how users interact with features to identify bugs and improve the product;
  • Communicating with users about their accounts, technical issues, and service updates;
  • Storing session data (focus durations, session counts) to provide the dashboard and progress tracking features you have requested.

We have conducted a Legitimate Interests Assessment (LIA) for each of these processing activities and have concluded that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests — see section 4.6 below.

2.3 Consent (Article 6(1)(a) GDPR)

We rely on your consent for:

  • Analytics cookies — Google Analytics is only activated if you accept analytics cookies via the cookie banner;
  • Personalised advertising cookies — Google AdSense personalised advertising is only activated where you have provided explicit consent (EEA/UK/Switzerland users).

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. To withdraw consent, use the "Reset cookie preference" button on the Cookie Policy page.

2.4 Legal Obligation (Article 6(1)(c) GDPR)

We may be required to process your data to comply with legal obligations, for example retaining payment records for tax and accounting purposes (typically 7 years under the tax and accounting law that applies to us).

3. Categories of Personal Data We Process

  Category            | Examples                                                   | Purpose                                      | Legal basis
  --------------------|------------------------------------------------------------|----------------------------------------------|----------------------------------------
  Identity data       | Email address, username                                    | Account creation and authentication          | Contract performance
  Authentication data | Hashed password, session tokens                            | Secure login, session management             | Contract performance, legitimate interests
  Usage data          | Focus session durations, modes, dates                      | Dashboard, progress tracking                 | Contract performance, legitimate interests
  Payment data        | Subscription status, payment confirmation (via Stripe)     | Subscription management, revenue records     | Contract performance, legal obligation
  Analytics data      | Anonymised page views, session counts (via Google Analytics) | Product improvement                        | Consent
  Advertising data    | Cookie-based interest profiles (via Google AdSense)        | Personalised advertising                     | Consent (EEA/UK/CH)
  Communication data  | Contact form messages, support emails                      | Responding to enquiries                      | Legitimate interests, consent

4. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data. These rights are not absolute and may be subject to conditions and exceptions under applicable law.

4.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you, along with information about how we process it, including the purposes of processing, the categories of data, the recipients with whom it is shared, and the retention period. We will provide this information free of charge within one month of receiving a verified request.

How to exercise: Contact us via the Contact page with the subject "Data Access Request" and verify your identity.

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected or incomplete data completed. You can update your email address directly from your account settings. For other corrections, contact us.

How to exercise: Update via account settings, or contact us directly for data we hold that you cannot access through the interface.

4.3 Right to Erasure — "Right to Be Forgotten" (Article 17)

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for the purposes for which it was collected;
  • You withdraw consent and there is no other legal basis for processing;
  • You object to processing and there are no overriding legitimate grounds;
  • The data has been unlawfully processed;
  • The data must be erased to comply with a legal obligation.

Deleting your account erases your email address, hashed password, session history, and any notes or content you have submitted. Account data (email address and password hash) is held for a further 30 days solely as a buffer against accidental deletion (see section 6) and is then permanently removed. Some data (e.g. payment records required by law) may be retained for the legally required period even after account deletion.

How to exercise: Contact us via the Contact page with "Account Deletion Request" in the subject line.

4.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your data — meaning we may store it but not use it — where:

  • You contest the accuracy of the data (pending verification);
  • Processing is unlawful but you prefer restriction over erasure;
  • We no longer need the data but you require it for legal claims;
  • You have objected to processing pending verification of our legitimate grounds.

How to exercise: Contact us with a description of the processing you wish restricted.

4.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit that data to another controller. This applies to data you have actively provided — your account data and session history.

How to exercise: Contact us with "Data Portability Request" in the subject line.

4.6 Right to Object (Article 21)

You have the right to object at any time to processing of your personal data where the legal basis is legitimate interests or a task carried out in the public interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is for the establishment, exercise, or defence of legal claims.

You have an absolute right to object to processing for direct marketing purposes. We do not currently send marketing emails, but if we introduce this in future, you will have the right to opt out at any time.

How to exercise: Contact us with "Data Processing Objection" in the subject line.

4.7 Rights in Relation to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects concerning you. Zenbrox does not currently make any automated decisions that produce legal or similarly significant effects. If we introduce such processing in future, we will update this page and provide appropriate safeguards.

4.8 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. To withdraw consent for analytics or advertising cookies, use the Cookie Policy page.

5. International Data Transfers

Some of our third-party service providers are located outside the EEA. Where we transfer personal data to countries that do not provide an equivalent level of data protection to the EEA, we ensure appropriate safeguards are in place:

  • Stripe (USA): Transfers covered by Standard Contractual Clauses (SCCs) and Stripe's participation in the EU-US Data Privacy Framework;
  • Google (USA — Analytics, AdSense): Transfers covered by SCCs and Google's participation in the EU-US Data Privacy Framework;
  • Formspree (USA): Transfers covered by Standard Contractual Clauses.

You may request a copy of the safeguards in place for any specific transfer by contacting us.

6. Data Retention

  Data type                            | Retention period                   | Reason
  -------------------------------------|------------------------------------|---------------------------------------------------------------
  Account data (email, password hash)  | Until account deletion + 30 days   | Contract performance; brief buffer for accidental deletion
  Focus session history                | Until account deletion             | Core feature provision
  Payment records                      | 7 years from payment date          | Tax and financial regulation compliance
  Contact form messages                | 3 years from last interaction      | Legitimate interests (dispute resolution)
  Analytics data (Google Analytics)    | 26 months (Google default)         | Product improvement (anonymised)
  Server access logs                   | 90 days                            | Security and debugging

7. Cookies and Tracking

Our Cookie Policy provides full information on the cookies we use, their purpose, duration, and how to manage your preferences. See our Cookie Policy for details.

For users in the EEA, UK, and Switzerland, non-essential cookies (analytics and advertising) are not placed without your prior consent. You can change your cookie preferences at any time via the cookie banner or the Cookie Policy page.

8. Security of Your Data

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, damage, alteration, or unauthorised disclosure or access. These measures include:

  • All data transmitted between your browser and our servers is encrypted in transit using TLS (HTTPS);
  • Passwords are stored as bcrypt hashes (salted and deliberately slow to compute, which limits offline guessing if the hash database were ever exposed); we never store plain-text passwords;
  • Access to production data is restricted to authorised personnel;
  • We conduct regular security reviews of our infrastructure.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and notifying affected users within the legally required timeframes.

9. Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by Article 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 GDPR), unless an exception applies.

10. Complaints

If you believe we have not complied with our obligations under the GDPR, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In EU member states, contact your national data protection authority. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your national DPA — full list at edpb.europa.eu
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

We ask that you contact us first before lodging a complaint — we will do our best to resolve your concern directly and quickly.

11. How to Exercise Your Rights

To exercise any of the rights described above:

  1. Contact us via the Contact page;
  2. Include your full name, the email address associated with your account, and a clear description of your request;
  3. We may ask you to verify your identity before processing the request (to protect your data from unauthorised access);
  4. We will respond within one month of receiving a verified request. Where a request is complex, or where you have made several requests, we may extend this by up to two further months (Article 12(3) GDPR); if so, we will tell you within the first month and explain the reason for the extension.

All requests are processed free of charge. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable administrative fee or decline to act on the request.

12. Changes to This Page

We may update this GDPR information page from time to time to reflect changes in our processing activities or applicable law. Material changes will be announced on the website. Continued use of the Service after changes constitutes acknowledgement of the updated information.