Privacy Policy

Enzyme ("Enzyme," "we," "us," or "our")

Version 1.0 | Effective: January 1, 2025 | Last Updated: December 26, 2025

1. Introduction

This Privacy Policy describes how Enzyme, operating as Enzyme ("we," "us," or "our"), collects, uses, discloses, and protects your personal information when you visit our website at enzymehq.com (the "Site") or use our services.

We are committed to protecting your privacy and handling your personal information with transparency. This Privacy Policy applies to all visitors, users, and others who access the Site.

By using our Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Site.

2. Data Controller

For the purposes of applicable data protection laws, the data controller is:

Enzyme

Email: privacy@enzymehq.com

Website: enzymehq.com

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@enzymehq.com.

3. Information We Collect

3.1 Information You Provide Directly

When you register for our waitlist or interact with our Site, we may collect:

Information	Purpose	Legal Basis
Name	Personalize communications and manage your waitlist registration	Contract performance
Email address	Send waitlist updates, launch announcements, and (with consent) marketing communications	Contract performance; Consent (marketing)
Primary use role	Understand whether you are an athlete, coach, or other user type	Legitimate interest
Additional description	If you select "other," we collect your description to understand your needs	Legitimate interest
Marketing consent	Your preference for receiving promotional communications	Consent

3.2 Information Collected Automatically

When you visit our Site, we automatically collect certain information:

With Your Consent (Analytics):

Browser type and version
Device information
Pages visited and interactions
Referring website
Session duration and navigation patterns

Without Requiring Consent (Necessary Operations):

IP address (for security, rate limiting, and abuse prevention)
UTM parameters (marketing attribution: utm_source, utm_medium, utm_campaign)
Request timestamps

3.3 Information We Do Not Collect

Payment or financial information
Social Security numbers or government identifiers
Health or biometric data
Location data (beyond IP-based country/region)
Information from children under 16

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis (GDPR)
Process and manage your waitlist registration	Performance of contract
Send transactional communications (registration confirmations, launch announcements)	Performance of contract
Send marketing communications (only with your consent)	Consent
Analyze Site usage and improve user experience	Consent (analytics); Legitimate interest
Protect against fraud, abuse, and security threats	Legitimate interest
Comply with legal obligations	Legal obligation
Enforce our terms and policies	Legitimate interest

We will never sell your personal information.

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

Category	Cookie/Storage	Purpose	Consent Required
Strictly Necessary	None currently	N/A	No
Functional	enzyme-analytics-consent	Remember your cookie preferences	No
Analytics	PostHog cookies (ph_*)	Understand how visitors use our Site	Yes
Performance	Vercel Analytics	Monitor Site performance	Yes

5.2 Your Cookie Choices

When you first visit our Site, we display a cookie banner asking for your consent to analytics cookies. You may:

Accept: Enable analytics tracking to help us improve the Site
Decline: Disable all non-essential cookies and tracking

To change your preferences: Clear your browser's localStorage for our Site, then revisit and make a new selection on the cookie banner.

5.3 Do Not Track

Some browsers include a "Do Not Track" (DNT) feature. Our Site does not currently respond to DNT signals, but we honor your cookie consent preferences.

6. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

6.1 Service Providers (Sub-Processors)

We use trusted third-party service providers to operate our Site:

Provider	Purpose	Data Processed	Location
Supabase Inc.	Database hosting	Name, email, preferences, timestamps	United States
PostHog Inc.	Analytics (consent-based)	Usage data, device info, interactions	United States
Vercel Inc.	Website hosting and edge delivery	Request logs, IP addresses	Global (Edge Network)
Upstash Inc.	Rate limiting	IP address hashes (temporary)	United States

Each provider is contractually obligated to protect your information and process it only as we direct.

6.2 Legal Requirements

We may disclose your information if required to:

Comply with applicable law, regulation, or legal process
Respond to lawful requests from public authorities
Protect our rights, privacy, safety, or property
Enforce our terms and policies

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

7. International Data Transfers

Your information may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

We ensure appropriate safeguards for international transfers through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with each sub-processor
Verification that recipients participate in recognized frameworks (e.g., EU-U.S. Data Privacy Framework, where applicable)

8. Data Retention

We retain your personal information only as long as necessary for the purposes described in this Privacy Policy:

Data Type	Retention Period
Waitlist registration data	Until you request deletion, or until product launch plus a reasonable transition period
Analytics data	Per PostHog retention settings (typically 12 months)
Rate limiting data (IP hashes)	1 hour
Cookie consent preferences	Until you clear your browser storage

After the retention period, we securely delete or anonymize your information.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

Technical Measures:

Encryption in transit (TLS 1.3)
Encryption at rest (database-level encryption)
Secure HTTP headers (HSTS, CSP, X-Frame-Options, etc.)
Input validation and sanitization
Rate limiting (5 requests per IP per hour)
Bot protection mechanisms

Organizational Measures:

Access controls (principle of least privilege)
Service role keys restricted to server-side only
No client-side exposure of sensitive credentials
Regular security reviews

While we strive to protect your information, no method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at privacy@enzymehq.com.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

10.1 Rights for All Users

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information
Withdraw Consent: Withdraw consent for marketing communications or analytics at any time

10.2 Additional Rights for EEA/UK Residents (GDPR)

Portability: Receive your data in a structured, machine-readable format
Restriction: Request restriction of processing in certain circumstances
Object: Object to processing based on legitimate interests
Automated Decision-Making: Not be subject to solely automated decisions with legal effects (we do not make such decisions)
Lodge Complaint: File a complaint with your local supervisory authority

10.3 Additional Rights for California Residents (CCPA/CPRA)

Categories of Personal Information Collected:

Identifiers (name, email, IP address)
Internet activity (browsing history, interactions - with consent only)
Inferences (user segment: athlete/coach/other)

Your California Rights:

Right to Know: Request disclosure of personal information collected, used, and shared
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Authorized Agents: You may designate an authorized agent to make requests on your behalf by providing written authorization.

10.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@enzymehq.com

We will respond to your request within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA).

We may need to verify your identity before processing your request. For California residents, we may request that you provide sufficient information to match you with information we maintain.

11. Children's Privacy

Our Site is not directed to children under 16 years of age, and we do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@enzymehq.com. If we learn we have collected personal information from a child under 16, we will promptly delete that information.

12. Third-Party Links

Our Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we will notify you:

Material changes will be announced via email to registered users and/or a prominent notice on our Site
The "Last Updated" date at the top of this policy will be revised
We encourage you to review this Privacy Policy periodically

Your continued use of our Site after any changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@enzymehq.com

Website: enzymehq.com/contact

For EEA/UK residents, you also have the right to lodge a complaint with your local data protection supervisory authority.

15. Additional Disclosures

15.1 Nevada Residents

We do not sell your personal information as defined under Nevada law. If you wish to submit a request regarding the sale of your information, please contact us at privacy@enzymehq.com.

15.2 Virginia, Colorado, Connecticut, and Other U.S. State Residents

Residents of states with comprehensive privacy laws may have similar rights to those described for California residents. Please contact us at privacy@enzymehq.com to exercise your rights.