Privacy Policy


At Enda Athletic (Enda), we are committed to protecting and respecting your privacy. This Privacy Policy explains when and why we collect personal information about people who visit our website, how we use it, the legal basis on which we do so, the conditions under which we may disclose it to others, how we keep it secure, and what rights you have over it.

SECTION 1 – WHAT IS ENDA?

Enda is a Swahili word that means "Go!". Enda Athletic, Inc. is a Benefit Corporation and an athletic footwear and apparel brand and production company that is building on and contributing to Kenya's reputation as the world champion of distance running. We bring together world-class shoe designers, developers, and Kenyan athletes to create performance running shoes that capture the skills and experience of Kenyan athletes. We make our products in Kenya and sell them to the world.

Through Kenyan production, global sales, and persistent storytelling, Enda Athletic provides a means through which runners globally can connect with Kenya's running greatness. We are also greatly increasing the amount Kenya benefits from its running reputation as we create jobs, contribute to communities, and build the reputation of Kenya as a place that develops quality products.

SECTION 2 – WHO IS RESPONSIBLE FOR YOUR DATA?

Enda Athletic, Inc., 8 The Green STE B, Dover, Kent County, Delaware, US 19901, is the data controller responsible for your personal data as described in this policy. You can contact us at hello@endarunning.com for any privacy-related queries.

As a US-based company directing services to individuals in the European Union, we have appointed an EU Representative as required under Article 27 GDPR. Contact details for our EU Representative are available upon request by emailing hello@endarunning.com.

If you have concerns about how we handle your data, you also have the right to lodge a complaint with your local Data Protection Authority (DPA). In the EU, you can find your national DPA via the European Data Protection Board at edpb.europa.eu.

SECTION 3 – WHAT INFORMATION DO WE COLLECT AND HOW?

We collect the following categories of personal data:

Browsing and technical data: We collect your IP address, pages accessed, and timestamps via cookies and similar technologies. See Section 10 for full details on cookies and how to manage your preferences.

Contact and account data: When you subscribe to our mailing list or create an account, we collect your name, email address, postal address, and phone number.

Transaction data: When you purchase from our store, we collect your name, delivery address, email address, and payment details to process your order.

Communications data: If you contact our customer service team, your message and contact details are collected to manage your enquiry.

Shopify: Our store is hosted on Shopify Inc., which provides us with our e-commerce platform. Your data is stored through Shopify's secure infrastructure. For more detail, see Shopify's Privacy Statement at https://www.shopify.com/legal/privacy.

Payment: If you pay via direct payment gateway, Shopify processes and stores your credit card data encrypted to PCI-DSS standards. Payment transaction data is retained only as long as necessary to complete the transaction, after which it is deleted. All payment gateways adhere to PCI-DSS standards as managed by the PCI Security Standards Council.

SECTION 4 – LEGAL BASIS FOR PROCESSING YOUR DATA

Under GDPR Article 6, we only process your personal data where we have a valid legal basis to do so. The legal bases we rely on are:

Contract (Article 6(1)(b)): Processing your name, address, email, and payment details to fulfil an order you have placed, process a return, or manage your account.

Legitimate Interests (Article 6(1)(f)): Monitoring website usage, improving our services, managing customer communications, and detecting fraud. We have balanced these interests against your rights and determined they do not override them.

Legal Obligation (Article 6(1)(c)): Retaining certain transaction and financial records to meet our statutory and accounting obligations.

Consent (Article 6(1)(a)): Sending you marketing emails, placing non-essential cookies (analytics, advertising, personalisation), and sharing your data for research purposes. You may withdraw consent at any time, see Section 6.

We do not rely on implied consent. Where consent is required, we ask for it explicitly and separately from other actions such as making a purchase.

SECTION 5 – WHAT DO WE DO WITH YOUR INFORMATION?

We use your personal data to:

Process an order or return that you have made; carry out our obligations under any contract entered into between you and us; notify you of changes to our services; send you marketing emails, with your explicit prior consent, including information about our website, campaigns, and events; monitor how you use our website and how you arrived at it; seek your views or comments on products and services we provide; handle entries into any competitions we run; and respond to customer service enquiries.

Retention: We review retention periods regularly. Data collected for order fulfilment is retained for as long as required by applicable law (typically up to 7 years for financial records). Marketing data is retained until you withdraw consent or unsubscribe. Customer service communications are retained for up to 3 years. Browsing and analytics data is retained in aggregated or anonymised form after 26 months.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may transfer to the new entity under the same protections described in this policy.

SECTION 6 – CONSENT AND YOUR RIGHT TO WITHDRAW IT

Where we rely on your consent to process personal data (such as for marketing emails or non-essential cookies), you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To withdraw consent for marketing, click the 'unsubscribe' link at the bottom of any marketing email, or contact us at hello@endarunning.com.

To withdraw consent for cookies, update your preferences at any time via our Cookie Preference Centre, accessible from the footer of our website.

For all other consent withdrawal requests, contact us at hello@endarunning.com or write to us at: Enda Athletic, Inc., 8 The Green STE B, Dover, Kent County, Delaware US 19901.

SECTION 7 – WHO HAS ACCESS TO YOUR INFORMATION?

We will not sell or rent your personal data to third parties. We will not share your personal data with third parties for their own marketing purposes. We may share anonymised, aggregated data with academic institutions for research purposes only — this cannot be used to identify you.

We share personal data with carefully selected third-party processors who act on our behalf under formal Data Processing Agreements (DPAs) as required by GDPR Article 28. These processors may only use your data for the purposes we specify and are contractually prohibited from using it for their own purposes.

SECTION 8 – THIRD-PARTY SERVICE PROVIDERS

The following processors handle personal data on our behalf. We have listed them to ensure full transparency:

Shopify — e-commerce platform and hosting. Privacy policy: https://www.shopify.com/legal/privacy

Google Analytics — website analytics. We use Google Analytics with IP anonymisation enabled. Data is processed in the United States under the EU–US Data Privacy Framework adequacy decision (confirmed September 2025). You can opt out via Google's opt-out browser add-on: https://tools.google.com/dlpage/gaoptout. Data is only collected after you have given cookie consent.

Facebook (Meta) Pixel — advertising measurement. We use Facebook's visitor action pixel to measure the effectiveness of our advertising. Enda and Meta operate as joint controllers in respect of this data, in accordance with Meta's joint controller agreement. Data is shared with Meta only after you have given explicit cookie consent. Meta's data policy: https://www.facebook.com/about/privacy/. You can manage your Facebook ad preferences at https://www.facebook.com/settings?tab=ads.

Klaviyo — email marketing and customer database. Klaviyo places cookies to track behaviour on our site in order to personalise communications. This only occurs after you have consented to marketing cookies. Privacy policy: https://www.klaviyo.com/privacy/policy

Cognito Forms — survey and form management. Privacy policy: https://www.cognitoforms.com/privacy

JustUno — sign-up and pop-up forms. Privacy policy: https://www.justuno.com/legal/privacy-policy.html

Zapier — data transfer between services (e.g., passing a survey opt-in to Klaviyo). Privacy policy: https://zapier.com/privacy/

Gorgias — customer service communications management. Privacy policy: https://www.gorgias.com/privacy/privacy

Shipstation — shipping label creation and returns management. When you place an order, relevant details are passed to Shipstation to generate your shipping label. Privacy policy: https://www.shipstation.com/privacy-policy/

Once you leave our website or are redirected to a third-party site, you are no longer covered by this policy. We encourage you to read the privacy statements of any third-party sites you visit.

SECTION 9 – INTERNATIONAL DATA TRANSFERS

Some of our third-party processors are located outside the European Economic Area (EEA), including in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

The EU–US Data Privacy Framework adequacy decision, applicable to qualifying US processors (confirmed as adequate by the European Commission in September 2025); Standard Contractual Clauses (SCCs) approved by the European Commission where the adequacy decision does not apply; or other lawful transfer mechanisms under Chapter V of the GDPR.

You may request details of the specific transfer safeguards we rely on for any given processor by contacting us at hello@endarunning.com.

SECTION 10 – COOKIES AND HOW WE USE THEM

Cookies are small text files placed on your device when you visit our website. We use them to make our website function correctly, remember your preferences, improve security, and, where you have given consent, to analyse usage and support our advertising.

We use the following categories of cookies:

Strictly necessary cookies: Required for the website to function. These do not require your consent and cannot be switched off.

Analytics cookies: Used by Google Analytics and Klaviyo to understand how visitors use our site, on an anonymised basis. These are only set after you give consent.

Marketing and targeting cookies: Used by Facebook Pixel and Klaviyo to measure advertising performance and personalise communications. These are only set after you give consent.

Functional cookies: Used to remember your preferences such as country and currency settings.

Managing your cookie preferences: When you first visit our site, you will be shown a cookie banner asking for your consent to non-essential cookies. You can accept all, reject all, or choose by category. You can update your preferences at any time via our Cookie Preference Centre in the website footer. Rejecting non-essential cookies is as simple as accepting them.

Specific cookies we use include: _session_id (sessional, Shopify session data); _shopify_visit (30 minutes, internal stats); _shopify_uniq (daily, unique visitor counting); cart (2 weeks, cart contents); _secure_session_id (sessional); storefront_digest (indefinite, password-protected store access); PREF (short-term, set by Google for analytics).

You can also manage cookies through your browser settings. Note that disabling all cookies may affect the functionality of our website. For more information: Shopify cookie policy: https://www.shopify.com/legal/cookies.

SECTION 11 – SECURITY

We take the security of your personal data seriously. All sensitive information, including payment details, is encrypted using SSL/TLS technology and stored with AES-256 encryption. Our website uses HTTPS throughout. We follow PCI-DSS requirements for all payment data handling.

Non-sensitive data such as email addresses is transmitted over standard internet connections. While we implement industry-standard protections, no method of transmission over the internet is entirely risk-free. Where you have been given a password to access parts of our site, you are responsible for keeping it confidential.

We have procedures in place to deal with suspected personal data breaches and will notify you and the relevant supervisory authority where we are legally required to do so (within 72 hours of becoming aware, as required by GDPR Article 33).

SECTION 12 – CHILDREN AND AGE

Our website and services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16 without verifiable parental or guardian consent. If you believe we have inadvertently collected such data, please contact us at hello@endarunning.com so we can delete it promptly.

Users under 16 should obtain a parent or guardian's permission before providing us with any personal information.

SECTION 13 – YOUR RIGHTS UNDER GDPR

If you are in the EU or EEA, you have the following rights regarding your personal data under the General Data Protection Regulation:

Right to be informed — to know how and why your data is being used, as set out in this policy.

Right of access — to request a copy of the personal data we hold about you.

Right to rectification — to ask us to correct inaccurate or incomplete data.

Right to erasure — to ask us to delete your data where there is no legitimate reason to continue processing it.

Right to restrict processing — to ask us to pause processing your data in certain circumstances.

Right to object — to object to processing based on legitimate interests or for direct marketing.

Right to data portability — to receive your data in a structured, machine-readable format and transfer it to another controller.

Right to withdraw consent — where we rely on consent, you may withdraw it at any time (see Section 6).

Right to lodge a complaint — you have the right to complain to your national Data Protection Authority (DPA) at any time. In the EU, find your DPA at edpb.europa.eu.

To exercise any of these rights, please contact us at hello@endarunning.com or write to Enda Athletic, Inc., 8 The Green STE B, Dover, Kent County, Delaware US 19901. We will respond within one month of receipt.

SECTION 14 – CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Where we make material changes, we will notify you by email or by a prominent notice on our website before the changes take effect. The date of the most recent update is shown at the bottom of this page. We encourage you to review this policy periodically.

If our business is acquired or merged with another company, your information may be transferred to the new owners, who will be bound by the terms of this policy or an equivalent.

SECTION 15 – CONTACT US

For any questions about this policy, to exercise your data rights, or to raise a concern, please contact:

Navalayo Osembo Email: hello@endarunning.com Post: Enda Athletic, Inc., 8 The Green STE B, Dover, Kent County, Delaware US 19901