1. Scope
This Privacy Policy explains how we collect, use, share, store, and protect personal data when you visit enrichroad.com, buy a product, join the partner program, subscribe to emails, or otherwise interact with our Services.
We comply with the EU General Data Protection Regulation (GDPR) and its national implementing laws, the UK GDPR and Data Protection Act 2018, applicable US state privacy laws (including the CCPA/CPRA for California, plus comparable laws in Virginia, Colorado, Connecticut, Utah, and other states as they take effect), the Canadian PIPEDA (and Quebec's Law 25), the Australian Privacy Act 1988 and Australian Privacy Principles (APPs), the Protection of Personal Information Act (POPIA) for South Africa, the Digital Personal Data Protection Act 2023 (DPDPA) for India, and the revised Federal Act on Data Protection (revFADP) for Switzerland. We honor the US CAN-SPAM Act and Canada's CASL for marketing emails. Wherever you live, any non-waivable privacy or data-protection right granted by your local law always applies, even if it is not named in this Policy.
2. The personal data we collect
We only collect what we need. Categories include:
a) Information you give us directly
- Name, email address, country, and (where required) billing address.
- Account credentials (username, hashed password).
- Order history and the product(s) you purchased.
- Partner/affiliate application data: payout email/PayPal/Wise, tax info where required.
- Messages you send us (support emails, comments, replies, survey answers, testimonials).
b) Payment information
Payments are processed by third-party PCI-DSS-compliant providers (e.g. Stripe, PayPal). We do not store full card numbers. We receive only the transaction confirmation, last 4 digits, card type, and billing country.
c) Information collected automatically
- Device and browser data: IP address, browser type, OS, screen size, language, referrer URL, pages visited, time on page, click events.
- Cookies and similar technologies (see Section 6).
- Affiliate-tracking identifiers (so partners are credited correctly).
d) Information from third parties
- Social log-in or sign-in providers, if you choose to use them.
- Affiliate networks, analytics, and ad platforms.
- Public business directories where we verify a Partner's identity.
We do not knowingly collect special categories of personal data (e.g. health, religion, political opinions). Please do not send such data to us.
3. Why we use your data and the legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Deliver products you bought, give access to courses/memberships, run accounts | Performance of a contract (Art. 6(1)(b)) |
| Process payments, prevent fraud, manage chargebacks | Contract + legitimate interest (Art. 6(1)(b),(f)) |
| Comply with tax, accounting, consumer-law, and AML obligations | Legal obligation (Art. 6(1)(c)) |
| Send transactional emails (receipts, login info, product updates) | Contract (Art. 6(1)(b)) |
| Send marketing emails about EnrichRoad products | Consent or soft opt-in (Art. 6(1)(a)) |
| Operate the Partner program and pay commissions | Contract (Art. 6(1)(b)) |
| Improve the Services, run analytics, secure the site | Legitimate interest (Art. 6(1)(f)) |
| Defend legal claims | Legitimate interest / legal obligation (Art. 6(1)(f),(c)) |
Where we rely on legitimate interests, we have balanced our interest against your rights and concluded the processing is proportionate. You can object; see Section 9.
4. Who we share data with
We never sell your personal data. We share it only with:
- Payment processors (e.g. Stripe, PayPal) to take payment and refund you.
- Email and CRM providers to send transactional and marketing emails.
- Hosting, file-storage, and CDN providers that run our website and product delivery.
- Analytics and advertising providers (e.g. Google Analytics, Meta Pixel, TikTok Pixel), only with your consent where required.
- Affiliate-tracking and partner-payout providers to credit and pay partners.
- Customer-support tools to help us answer your messages.
- Professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
- Authorities where we are required by law, court order, or to protect our rights.
- An acquirer or successor in the event of a merger, acquisition, restructuring, or sale of assets, subject to equivalent confidentiality obligations.
A current sub-processor list is available on request from [email protected].
5. International transfers
Some providers are based outside the EU/EEA (typically the UK and the United States). When we transfer personal data outside the EU/EEA we use a lawful transfer mechanism, such as the European Commission's Standard Contractual Clauses (SCCs), the EU–US Data Privacy Framework for certified US providers, or an adequacy decision where one applies. A copy of the safeguards used is available on request.
6. Cookies and similar technologies
We use cookies and similar technologies to make the site work, remember your preferences, measure performance, and (with consent) deliver relevant advertising. Categories:
- Strictly necessary — required for the site to function (login, cart, checkout). Always on.
- Functional — remember your settings (language, dark mode).
- Analytics — help us understand how the site is used.
- Marketing/advertising — measure ads, retarget visitors, attribute partner sales.
In the EU/EEA and UK we ask for your consent before setting non-essential cookies via our cookie banner. You can change or withdraw consent at any time using the "Cookie settings" link in the website footer. Most browsers also let you block or delete cookies.
7. How long we keep your data
- Account and order data: for the life of the account, plus the period required by accounting and tax law (typically 5–7 years from the end of the financial year).
- Marketing data: until you unsubscribe or after a period of inactivity (typically 24 months), whichever is sooner.
- Support tickets: typically 24 months.
- Cookies/analytics identifiers: as set out in our cookie banner (typically up to 13 months).
- Backups: for the rolling backup window of the relevant system, after which they are overwritten.
When retention ends, data is deleted or irreversibly anonymised, except where we are legally required to keep it longer.
8. How we protect your data
We use industry-standard technical and organisational measures: encryption in transit (TLS), encrypted password storage, role-based access controls, vetted sub-processors, and limited internal access on a need-to-know basis. No system is 100% secure. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the relevant authority within 72 hours and notify affected users without undue delay where required.
9. Your rights
Under GDPR / UK GDPR you have the rights of access, rectification, erasure ("right to be forgotten"), restriction, portability, and objection (including to direct marketing); the right to withdraw consent at any time; the right not to be subject to solely automated decisions with legal or similarly significant effects; and the right to lodge a complaint with the supervisory authority in your country of residence (for example, Datatilsynet, the UK ICO, the Canadian OPC, or your US State Attorney General).
California residents (CCPA/CPRA): rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against. We do not sell or "share" personal information for cross-context behavioural advertising without honoring opt-out signals (including Global Privacy Control). Virginia, Colorado, Connecticut, Utah, and other states with comparable laws have equivalent rights.
UK residents: rights mirror the EU GDPR with the ICO as supervisory authority.
Canadian residents (PIPEDA / Quebec Law 25): access, correction, withdrawal of consent, and (in Quebec) portability and automated-decision disclosure.
Australian residents (Privacy Act / APPs): access, correction, anonymity where practicable, and complaints to the OAIC.
South African residents (POPIA): access, correction, deletion, objection, and complaints to the Information Regulator; Information Officer: [email protected].
Indian residents (DPDPA 2023): access, correction, erasure, nomination, and grievance redressal; Grievance Officer: [email protected].
Mandatory rights savings clause. Nothing in this Policy limits, restricts, or excludes any non-waivable privacy or data-protection right granted to you by the law of your country, state, province, or territory of residence. Named authorities and laws are illustrative and do not limit your right to contact your own local supervisory authority.
To exercise any right, email [email protected]. We may need to verify your identity. We will respond within 30 days (extendable by up to 60 days for complex requests, with notice).
10. Children
The Services are intended for adults (18+). We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.
11. Marketing emails
We only send marketing emails where we have a lawful basis under applicable law, including GDPR / UK GDPR consent or soft opt-in, the US CAN-SPAM Act, Canada's CASL, Australia's Spam Act 2003, Singapore's Spam Control Act, and equivalent regimes. Every marketing email identifies us, includes our postal address, and contains a working unsubscribe link. You can also email [email protected] with the subject "Unsubscribe".
12. Do Not Track and Global Privacy Control
Because there is no industry standard for Do Not Track, we do not currently respond to DNT signals. We do honor recognised opt-out signals (such as Global Privacy Control) where required by applicable law.
13. Changes to this Policy
We may update this Policy as our Services or the law evolve. The current version is always posted at enrichroad.com/privacy-policy with an updated "Effective date". Material changes will be communicated via the site or email with reasonable notice before they take effect.
14. Contact
Email: [email protected]
Postal address: EnrichRoad.com, Odense, Denmark
Web: enrichroad.com/privacy-policy