Privacy Policy

Zinaps Fulfilment, also trading as Workneh Assets ("Zinaps", "we", "us", or "our"), located in Wieringerwerf, The Netherlands, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website, use our fulfilment services, or interact with our platform. This policy applies to all visitors, customers, sellers, and business partners who use our services. By using our website or services, you agree to the collection and use of information in accordance with this policy. Zinaps acts as a data controller for the personal data we process. We comply with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws.

We collect the following categories of personal data: Account & Contact Information: Name, email address, phone number, company name, KVK number, VAT number, and billing/shipping addresses when you register for an account or request a consultation. Order & Fulfilment Data: Order details, product information, shipping addresses, tracking numbers, and delivery status that we process on behalf of our seller customers. Website Usage Data: IP address, browser type, device information, pages visited, time spent on pages, and referral source. This is collected automatically through cookies and similar technologies. Communication Data: Records of correspondence when you contact us via email, WhatsApp, phone, or our booking system (Zoho Bookings). Payment Information: Billing details and payment history. We do not store full credit card numbers — all payments are processed securely through our payment processor.

We use your personal data for the following purposes: • Providing fulfilment services: Processing orders, managing inventory, shipping packages, and handling returns on behalf of our seller customers. • Account management: Creating and managing your Zinaps portal account, authenticating access, and providing customer support. • Communications: Sending order confirmations, shipping notifications, service updates, and responding to your enquiries. • Service improvement: Analysing usage patterns to improve our website, platform, and fulfilment operations. • Legal compliance: Meeting our obligations under Dutch and EU law, including tax reporting and record-keeping requirements. • Marketing: Sending promotional communications about our services, only with your explicit consent. You can opt out at any time.

Under the GDPR, we process your personal data based on the following legal grounds: • Contract performance: Processing necessary to fulfil our contract with you (e.g., providing fulfilment services, managing your account). • Legitimate interests: Processing necessary for our legitimate business interests (e.g., improving our services, preventing fraud), where these interests are not overridden by your rights. • Legal obligation: Processing required to comply with Dutch and EU legal requirements (e.g., tax records, financial reporting). • Consent: Where you have given explicit consent for specific processing activities (e.g., marketing emails, cookies).

We share your personal data only with the following categories of recipients, and only to the extent necessary: • Shipping carriers: PostNL, DHL, DPD, and other carriers to deliver packages. We share delivery addresses and order details. • Marketplace platforms: Bol.com, Amazon, Shopify, and other connected platforms to sync order status and tracking information. • Cloud infrastructure: Amazon Web Services (AWS) for secure data hosting within the EU (Frankfurt/Ireland regions). • Booking & CRM: Zoho for consultation scheduling and customer relationship management. • Analytics: Privacy-friendly analytics to understand website usage (no personal data is shared with advertising networks). We never sell your personal data to third parties. All our service providers are bound by data processing agreements compliant with GDPR.

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy: • Account data: Retained for the duration of your active account, plus 12 months after account closure. • Order & fulfilment data: Retained for 7 years after the transaction date, as required by Dutch tax law (fiscale bewaarplicht). • Website analytics data: Aggregated and anonymised within 26 months. • Communication records: Retained for 2 years after the last interaction. • Marketing consent records: Retained for as long as consent is active, plus 1 year after withdrawal. After the retention period, data is securely deleted or anonymised.

Under the GDPR, you have the following rights regarding your personal data: • Right of access: Request a copy of the personal data we hold about you. • Right to rectification: Request correction of inaccurate or incomplete data. • Right to erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. • Right to restrict processing: Request limitation of how we process your data. • Right to data portability: Receive your data in a structured, machine-readable format. • Right to object: Object to processing based on legitimate interests or for direct marketing. • Right to withdraw consent: Withdraw consent at any time for processing based on consent. To exercise any of these rights, contact us at contact@zinaps.com. We will respond within 30 days as required by the GDPR. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Your personal data is primarily stored and processed within the European Economic Area (EEA). Our cloud infrastructure is hosted on AWS servers in the EU. In cases where data is transferred outside the EEA (e.g., to marketplace platforms with global operations), we ensure appropriate safeguards are in place, such as: • EU Standard Contractual Clauses (SCCs) • Adequacy decisions by the European Commission • Binding Corporate Rules where applicable We do not transfer data to countries without adequate protection measures.

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including: • Encryption of data in transit (TLS/SSL) and at rest (AES-256) • Multi-factor authentication for system access • Regular security audits and vulnerability assessments • Access controls based on the principle of least privilege • Employee training on data protection and security practices • Incident response procedures for potential data breaches In the event of a data breach that poses a risk to your rights, we will notify the Dutch Data Protection Authority within 72 hours and inform affected individuals without undue delay.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of significant changes by posting a prominent notice on our website or sending you an email. We encourage you to review this policy periodically. The "Last updated" date at the top indicates when the most recent changes were made.