Privacy Policy
Last updated: June 2026
Andean Bear Studios GmbH (“we,” “us,” “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your personal information when you visit our website, purchase or use our software products, or interact with us.
This policy complies with the Swiss Federal Act on Data Protection (FADP) and the European Union's General Data Protection Regulation (GDPR) where applicable.
1. Data Controller
The data controller responsible for your personal data is:
For all privacy-related inquiries, questions about your data, or to exercise your rights, please contact us at the above email address.
2. Personal Data We Collect
2.1 Information You Provide
We collect information you voluntarily provide to us when you:
- Contact us through forms on our website (name, email address, message content)
- Purchase software products (billing information, payment details processed by Apple (for App Store purchases) or Paddle (for direct purchases))
2.2 Website Analytics
We use Vercel Analytics to understand which pages are visited and how the site performs. This is cookieless and does not collect personal data: no IP addresses are stored, no cross-site tracking, no advertising profiles. The data we see is anonymous, aggregated page-view counts and Core Web Vitals (load time, layout shift). Your theme preference (light/dark mode) is stored locally in your browser and is never transmitted to us. See Vercel's privacy documentation for full details. Data handling for the Zenden desktop app and its file transfers is described in Section 6 below.
2.3 Third-Party Data
We may receive information about you from our payment processors (Apple and/or Paddle) or email service provider (Resend) when you interact with us through those platforms.
3. How We Use Your Personal Data
We process your personal data for the following purposes:
- Product delivery and support: To deliver software products, process support requests, and respond to your inquiries
- Payment processing: To process transactions and manage billing (via Apple for App Store purchases, or Paddle for direct purchases)
- Communication: To send transactional emails, product updates, and respond to your messages
- Legal compliance: To comply with legal obligations, resolve disputes, and enforce our agreements
- Security: To protect against fraud, unauthorized access, and other security threats
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and Switzerland, we process your personal data based on the following legal grounds:
- Contractual necessity: Processing is necessary to perform a contract with you (e.g., delivering products you purchased)
- Consent: You have given explicit consent for specific processing activities (e.g., marketing emails)
- Legitimate interests: Processing is necessary for our legitimate business interests (e.g., analytics, fraud prevention) that do not override your rights
- Legal obligation: Processing is required to comply with applicable laws and regulations
5. Sharing Your Personal Data
We do not sell your personal data. We may share your data with the following third-party service providers who help us operate our business:
5.1 Payment Processors
App Store purchases (Zenden on the Mac App Store) are processed by Apple Inc. via StoreKit. Apple acts as the seller and handles billing in accordance with Apple's Privacy Policy.
Direct purchases (non–App Store) are processed by Paddle.com, which acts as the Merchant of Record for that channel. Your payment information is collected and processed by Paddle in accordance with their privacy policy.
5.2 Email Service Provider
We use Resend to send transactional emails and communications. Your email address and related communication data may be processed by Resend.
5.3 Newsletter / Marketing Emails
If you subscribe to our newsletter, your email address is sent to Resend (Resend.com) and stored in a Resend Audience for the purpose of sending occasional product updates and launch announcements. We use double opt-in: Resend sends a confirmation email and only adds you to the list after you click the confirmation link. You can unsubscribe at any time using the link in every email; this removes your address from the audience. The legal basis is your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time without affecting processing carried out prior to withdrawal.
5.4 Legal Disclosures
We may disclose your personal data if required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of others.
6. Zenden File Transfers — Product Data Handling
Zenden is a peer-to-peer file transfer app. File bytes travel directly from the sender's device to the recipient's browser over WebRTC — no accounts required, and in normal (direct) transfers we do not store your files or file metadata on our servers. All transfers are end-to-end encrypted. Protected shares are gated by a six-word passphrase or a key embedded in the link fragment; our servers never see the passphrase or the key.
6.1 Connection Negotiation
To establish a direct connection, both devices exchange connection information — known as ICE candidates — through our signaling server. ICE candidates can include IP addresses. This exchange is used only to negotiate the peer-to-peer connection; the signaling server does not receive or relay file contents.
6.2 TURN Relay (Pro tier fallback)
When a direct peer-to-peer connection cannot be established, Zenden Pro automatically falls back to a TURN relay. The relay forwards encrypted bytes between the sender and recipient; it cannot read your files.
Pro subscriptions include up to 100 GB of relayed traffic per monthly billing period. Direct P2P transfers — which represent the majority of Zenden sessions — are not relayed and are not subject to any metering.
Cloudflare processes connection metadata when relay is used, including IP addresses. Specifically, Cloudflare's TURN servers process: sender IP address, recipient IP address, session duration, and bytes relayed. File content is not affected — Cloudflare relays opaque DTLS-encrypted datagrams and cannot read what is inside. This metadata may be subject to US legal process (Cloudflare is a US entity).
Note: the “no IP addresses are stored” statement in Section 2.2 refers to our website analytics only and does not apply to the TURN relay or signaling paths described in this section.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Contact form inquiries: Retained for up to 2 years after last contact
- Purchase records: Retained for 10 years for tax and accounting purposes (legal requirement)
You may request deletion of your data at any time by contacting us (subject to legal retention obligations).
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Switzerland and the European Economic Area (EEA), including countries that may not provide the same level of data protection.
When we transfer data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission and Swiss authorities
- Adequacy decisions recognizing certain countries as providing adequate protection
- Other legally recognized transfer mechanisms as applicable
9. Your Data Protection Rights
Under Swiss FADP and GDPR (where applicable), you have the following rights regarding your personal data:
9.1 Right of Access
You have the right to request a copy of the personal data we hold about you.
9.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data.
9.3 Right to Erasure (“Right to be Forgotten”)
You have the right to request deletion of your personal data under certain conditions (e.g., when data is no longer necessary or consent is withdrawn).
9.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
9.5 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
9.6 Right to Restrict Processing
You have the right to request restriction of processing under certain circumstances (e.g., while we verify accuracy of disputed data).
9.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority if you believe we have violated your data protection rights.
To exercise any of these rights, please contact us at contact@andeanbearstudios.com. We will respond to your request within 30 days.
10. Cookies and Tracking Technologies
Our website does not use cookies. We use Vercel Analytics for anonymous, cookieless page-view counts and performance metrics — it stores no identifiers about you on your device or our servers. Your theme preference is held in local storage and never sent to us.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (HTTPS/TLS) and at rest where appropriate
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Employee training on data protection and security practices
- Secure third-party service provider agreements
While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
12. Children's Privacy
Our products and website are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will notify you by:
- Updating the “Last updated” date at the top of this page
- Posting a notice on our website homepage
- Sending an email notification (if you have provided your email address)
We encourage you to review this Privacy Policy periodically. Your continued use of our products or website after changes constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: