Privacy policy

Privacy Policy

Last updated: 5 May 2026 Effective date: 5 May 2026

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our website (zwim.com), our connected hardware and applications, our waitlist, and our customer-support channels.

This policy is provided jointly by:

  • ZEN8 Sports Ltd (registered in the United Kingdom), and
  • ZEN8 Sports Portugal Unipessoal Lda (registered in Portugal),

trading together as ZWIM ("ZWIM", "we", "us", "our").

A separate Cookie Policy explains how we use cookies and similar technologies on our website.

If you have any questions about this policy or your personal data, contact us at privacy@zwim.com.

1. Who we are (data controllers)

We operate as joint controllers under Article 26 of the EU and UK GDPR. This means both companies share responsibility for how your personal data is used.

ZEN8 Sports Ltd (UK)

  • Company number: 12662386
  • Registered office: 7 Bell Yard, London, England, WC2A 2JR
  • UK VAT: 370135426
  • Role: contracting and selling entity, payment processing controller, brand owner

ZEN8 Sports Portugal Unipessoal Lda (Portugal) — research and development entity

  • Registered office: Rua Professor Sousa da Câmara 207, 3E, 1070-216 Lisboa, Portugal
  • Role: EU establishment, research and development (hardware, firmware, software, training algorithms), product engineering, EU operations, customer support, and connected-product data processing

Essence of our joint controller arrangement (GDPR Art. 26). ZEN8 Sports Ltd is the contracting party for orders placed through zwim.com, holds payment and finance records, and is the primary point of contact for marketing consent. ZEN8 Sports Portugal Unipessoal Lda is our research-and-development arm and EU establishment; it runs the technical operations behind our hardware, firmware, app, and training algorithms, processes connected-product data, and is the primary point of contact for product, account, and training-data questions in the EU. You can exercise your rights against either entity. Both companies remain jointly responsible regardless of which one you contact.

Single privacy contact for all requests: privacy@zwim.com.

We appoint a Data Protection Officer only where the law requires us to. The contact above is the right channel for all privacy queries, including from EU and UK residents.

2. What personal data we collect

A) Information you give us directly

  • Account and waitlist data: name, email address, country, password (hashed), referral code status.
  • Optional profile data: age, gender, height, weight, swim ability or club affiliation, training goals.
  • Order data: delivery address, billing address, items purchased, order value, currency.
  • Payment data: processed by our payment providers (e.g. Shopify Payments, Klarna). We do not see or store your full card number.
  • Communications: survey responses, interview notes, feature requests, support messages, product feedback, reviews.

B) Health and performance data (connected training)

When you connect and use ZWIM hardware (e.g. Smart Swim Paddles, Bench, Propulsion Bands) we may process training metrics such as:

  • Propulsive Watts, stroke rate, left/right balance, efficiency, wasted energy.
  • Session duration, active meters, time, pace.
  • Calibration data and device telemetry.

Special note on health-related data. Some of these metrics may qualify as "data concerning health" or special-category personal data under EU and UK GDPR. We process this data only after you give explicit, informed consent inside the app, and only to deliver the training experience you have asked for. You can withdraw your consent at any time in the app's settings or by emailing privacy@zwim.com. Withdrawing consent does not affect processing carried out before withdrawal. Withdrawing consent may disable certain features (for example long-term progress history).

C) Information collected automatically

  • Device data: IP address, browser type, device model, operating system, app version, language, timezone.
  • Usage data: logins, session frequency, feature use, button taps, screen views, diagnostic logs and crash reports.
  • Cookies and similar technologies: see our Cookie Policy.

D) Information from third parties

  • Affiliate, referral, and partner platforms that legitimately share your contact details with your consent.
  • Social-media platforms, if you choose to log in or interact with us through them.
  • Service providers acting on our behalf (analytics, fraud prevention, customer support).

3. Legacy ZEN8 customer data

If you previously purchased from zen8swimtrainer.com or interacted with the ZEN8 brand before 2026, ZEN8 Sports Ltd may continue to hold:

  • contact details (name, email),
  • purchase history (orders, items, fulfilment),
  • support history.

We use this data to:

  • continue to support you on legacy ZEN8 hardware,
  • verify eligibility for loyalty upgrades and Founder offers,
  • migrate your account smoothly to ZWIM if you opt in.

Marketing to legacy customers. Where the law allows it, we may send legacy customers product news about ZWIM as a successor product line, relying on the existing customer relationship ("soft opt-in" under PECR in the UK and equivalent rules in the EU) and on legitimate interests. Every email contains an unsubscribe link, and you can opt out at any time by clicking it or by emailing privacy@zwim.com. Once you opt out, we will stop sending marketing.

4. How we use your personal data (purposes)

We use your data to:

A) Provide and run the service

  • Create and manage your account.
  • Process orders, payments, deliveries, and returns.
  • Generate your training metrics, session summaries, and performance feedback.
  • Operate connected hardware and apps.
  • Provide customer support.

B) Improve the product

  • Improve algorithms, calibration, and accuracy using aggregated and de-identified patterns (for example, average stroke-rate ranges across training types).
  • Debug issues, fix bugs, and improve app stability.
  • Run product research interviews and surveys with people who have agreed to take part.

C) Communicate with you

  • Service messages: order updates, shipping notifications, account alerts, security and policy changes.
  • Marketing messages where you have consented or where the law allows soft opt-in.
  • Waitlist updates, beta invitations, and product announcements.

D) Security and fraud prevention

  • Protect accounts against unauthorised access, abuse, and fraud.
  • Detect and investigate suspicious activity.

E) Legal and compliance

  • Meet our legal, accounting, and regulatory obligations.
  • Respond to lawful requests by public authorities.
  • Establish, exercise, or defend legal claims.

5. Legal bases for processing (UK and EU)

We rely on the following legal bases under UK GDPR and EU GDPR.

Performance of a contract. Processing necessary to provide the products and services you have ordered or signed up for. Examples: creating your account, fulfilling an order, generating session summaries, providing customer support.

Consent. Where we ask for your explicit agreement. Examples:

  • marketing emails and push notifications where consent is required,
  • health and performance data treated as special-category data,
  • non-essential cookies,
  • product research and interviews.

You can withdraw consent at any time without affecting processing that took place before withdrawal.

Legitimate interests. Where we have a genuine business need that does not override your rights. Examples:

  • improving the product and user experience,
  • protecting platform security and preventing fraud,
  • communicating with existing customers about similar products in line with applicable law,
  • analytics that help us understand site and app performance.

We carry out a balancing test for each legitimate-interest use. You have the right to object — see Section 11.

Legal obligation. Where the law requires us to keep records or share data with public authorities (for example tax records, anti-fraud, or court orders).

Vital interests and public interest. We rely on these only in narrow cases.

6. Leaderboards and community features

ZWIM may offer leaderboards, challenges, and community features.

Privacy-first default. Leaderboards and shared content are off by default. You choose whether to appear and what to show.

If you opt in, we may display:

  • your chosen username (you control what this is),
  • rank and selected training stats (for example Propulsive Meters or session count),
  • optional profile elements you have chosen to share.

You can turn leaderboard visibility off at any time in your settings.

7. Who we share your personal data with

We do not sell your personal data for money.

We share data with:

A) Group companies. Between ZEN8 Sports Ltd (UK) and ZEN8 Sports Portugal Unipessoal Lda (Portugal) for operations, support, and platform delivery, on the basis of our joint controller arrangement.

B) Service providers (processors). We use trusted suppliers to operate the service, including:

  • hosting and infrastructure (e.g. Amazon Web Services),
  • analytics and product diagnostics (e.g. Google Analytics, PostHog or similar),
  • email, SMS, and marketing platforms (e.g. Klaviyo),
  • ecommerce and payments (e.g. Shopify, Shopify Payments, Klarna),
  • customer support tools (e.g. Gorgias or Intercom or similar),
  • session-replay and feedback tools (e.g. Hotjar) where consent applies.

These providers are contractually required to safeguard your data and may only process it on our instructions.

C) Payment providers. If you choose Klarna, Apple Pay, Google Pay, or another payment method, we share order and identity data with that provider so they can process payment and, where relevant, run their own credit or fraud checks. Their use of your data is governed by their own privacy notices.

D) Carriers and logistics partners. For shipping and customs, we share name, address, contact details, and order content with our delivery partners.

E) Professional advisers and authorities. Where necessary for legal, accounting, audit, insurance, or regulatory reasons, or where required by law, court order, or public authority.

F) Business transfers. If we sell, merge, or reorganise the business, we may share or transfer personal data as part of that transaction. We will tell you and explain your choices if this materially affects you.

Relationship with Shopify

Our store at zwim.com is hosted on the Shopify ecommerce platform, operated by Shopify International Limited (Ireland) for European customers and by Shopify Inc. for global infrastructure. Information you submit through the store is transmitted to and shared with Shopify, and may be processed by Shopify and its sub-processors in countries other than your country of residence in order to provide and improve the platform.

To help us operate, secure, and improve the store, we use certain Shopify enhanced features that combine data from your interactions with our store with data from your interactions with other Shopify-powered merchants and with Shopify itself (for example, fraud prevention, personalised advertising, and merchant analytics). For these features, Shopify is responsible for its own processing of your personal information, including for handling your privacy rights in respect of that processing.

To learn more about how Shopify uses your personal information and to exercise rights against Shopify directly, see:

  • Shopify Consumer Privacy Policy: shopify.com/legal/privacy/app-users
  • Shopify Privacy Portal: privacy.shopify.com

You can also opt out of Shopify-powered cross-merchant personalised advertising in the Shopify Privacy Portal.

8. International data transfers

Your data may be processed in the United Kingdom, the European Economic Area, and the United States, as well as other countries where our service providers operate.

When we transfer data outside the UK or EEA, we use appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs) for transfers from the EEA to third countries.
  • UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for UK transfers.
  • Reliance on adequacy decisions where they exist (for example, the EU-US Data Privacy Framework where applicable).
  • Supplementary measures where required, such as encryption and access controls.

You can request a copy of the relevant transfer mechanism by emailing privacy@zwim.com.

9. Data retention

We keep personal data only for as long as needed for the purposes described in this policy.

Waitlist data. Retained until you unsubscribe, request deletion, or have been inactive for 24 months, unless we have a lawful reason to retain it longer.

Account and training data. Retained while your account is active. If your account is inactive for 24 months we may delete it or anonymise it. You can request deletion at any time.

Order, billing, and tax records. Retained for at least 6 years from the end of the relevant tax year (UK) or up to 10 years under Portuguese tax law, as required by law.

Marketing consent records. Retained for the lifetime of your subscription and for a reasonable period after withdrawal so we can demonstrate consent was given.

Support communications. Retained for up to 3 years after the issue is resolved, unless legal obligations require longer.

Backups. May persist beyond active deletion for a limited period and are then overwritten on schedule.

10. Security

We use reasonable technical and organisational safeguards to protect your data, including:

  • access controls and least-privilege permissions for staff,
  • encryption in transit (TLS) and, where supported, at rest,
  • secure cloud hosting and managed databases,
  • monitoring, logging, and incident-response practices,
  • vetting and contractual safeguards for third-party processors.

No system is 100% secure. If we discover a personal-data breach that is likely to affect your rights, we will notify the relevant supervisory authority within the legal deadlines and inform you where required.

11. Your privacy rights

You have the following rights under UK and EU GDPR. Some are subject to legal limits and exceptions.

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to pause certain processing.
  • Objection — object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
  • Portability — receive your data in a machine-readable format and ask us to transmit it to another controller where technically feasible.
  • Withdraw consent — at any time, where processing is based on consent.
  • Not be subject to automated decisions that produce legal or similarly significant effects on you, except in narrow legal cases.

How to exercise your rights. Email privacy@zwim.com. We may need to verify your identity before we can act on a request. We aim to respond within one calendar month and will tell you if we need longer.

Right to complain. You can lodge a complaint with a supervisory authority, in particular:

  • Portugal: Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • Or the data protection authority in your country of residence.

We would appreciate the chance to address your concerns first, so please contact us before going to a regulator.

12. Children

ZWIM is not aimed at children. We do not knowingly collect personal data from children under the age where parental consent is required in their country (16 in the EU and UK by default; lower in some EU member states down to 13).

If you believe a child has provided us with personal data, contact privacy@zwim.com and we will take appropriate action, including deleting the data where required.

13. Automated decision-making and profiling

We may use automated processing to generate performance metrics and insights (for example calculating Propulsive Watts, training scores, or recommendations).

We do not make decisions that produce legal or similarly significant effects about you solely through automated decision-making. Where relevant law requires it, you can ask for human review of an automated outcome.

14. Cookies and similar technologies

We use cookies and similar technologies on our website and apps. Essential cookies are needed for the site to work. Non-essential cookies (analytics, attribution, marketing) are used only with your consent.

For details of what we use and how to manage your preferences, see our Cookie Policy at zwim.com/policies/cookie-policy or click "Cookie preferences" in the website footer.

15. US privacy notice

This section applies to residents of US states with privacy laws, including California, Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Florida, and Montana, and supplements the rest of this policy.

A) Categories of personal information we collect

  • Identifiers. Name, email, postal address, IP address, device IDs.
  • Customer records. Billing and shipping information.
  • Commercial information. Purchases, returns, subscriptions.
  • Internet or other electronic activity. Site and app usage, interaction data.
  • Geolocation data. Approximate location derived from IP address.
  • Sensory information. Limited app session interactions.
  • Inferences. Profiles drawn from your activity (e.g. training trends, content interests).
  • Sensitive personal information. Health-related training metrics, where you have enabled them.

B) Sources, purposes, and disclosure

We collect this information directly from you, automatically through your use of the service, and from third parties as described in Sections 2 and 7. We use and disclose it for the purposes described in Sections 4 and 7.

C) "Sale" or "sharing" under California law

We do not sell personal information for money. Some analytics and advertising tools we use, particularly those that enable cross-context behavioural advertising, may be considered "sharing" under California law. Where they are, you can opt out at any time using:

  • the "Do Not Sell or Share My Personal Information" link in our website footer,
  • the "Limit the Use of My Sensitive Personal Information" link in our website footer (where applicable), or
  • a Global Privacy Control (GPC) browser signal — we honour GPC where required.

D) Sensitive personal information

We use sensitive personal information (such as health-related training metrics) only to provide the service you have requested, to comply with law, or with your express consent. You can ask us to limit our use of sensitive personal information by emailing privacy@zwim.com.

E) Your rights

Subject to your state, you may have the right to:

  • know what personal information we collect, use, and disclose,
  • access a copy of that information,
  • correct inaccurate information,
  • request deletion,
  • opt out of "sale" or "sharing",
  • limit the use of sensitive personal information,
  • not be discriminated against for exercising these rights.

To exercise your rights: email privacy@zwim.com with the subject "US Privacy Request" and tell us your state of residence. We may need to verify your identity before completing the request.

You may use an authorised agent where state law permits. We will require proof of authorisation and may verify the request directly with you.

F) Retention

We retain US-resident personal information for the periods described in Section 9.

G) Shine the Light (California)

California residents can request information about disclosures of personal information to third parties for those parties' direct-marketing purposes. Email privacy@zwim.com to ask.

16. Brazil and other jurisdictions

If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) gives you rights similar to those in Section 11. Email privacy@zwim.com to exercise them. The supervisory authority is the ANPD (anpd.gov.br).

We comply with applicable privacy laws in other jurisdictions where we operate. Contact privacy@zwim.com for jurisdiction-specific information.

17. Changes to this policy

We may update this Privacy Policy as our products and services evolve. If changes are material we will notify you by email or through a notice on our website before they take effect. The "Last updated" date at the top of this policy shows when it was last revised.

18. How to contact us

For privacy questions, requests, or complaints:

Email: privacy@zwim.com

Postal address (EU): ZEN8 Sports Portugal Unipessoal Lda Rua Professor Sousa da Câmara 207, 3E 1070-216 Lisboa Portugal

Postal address (UK): ZEN8 Sports Ltd 7 Bell Yard London WC2A 2JR United Kingdom