1. Data controller
The controller responsible for processing under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Dutch GDPR implementation law (Uitvoeringswet AVG) is:
Xlaxyronghchar
Leidsestraat 74-76
1017 GM Amsterdam
Netherlands
Email: notifyuse@xlaxyronghchar.world
Telephone: +31 20 422 0210
For privacy-specific requests you may use the email address above with the subject line “Privacy request”. We verify identity before disclosing or deleting records when required by law or by a reasonable risk assessment.
2. Scope and purpose of this policy
This Privacy Policy applies to processing activities connected with the website, customer service, order handling, marketing where permitted, analytics where consented, and compliance obligations. It is written to meet transparency expectations under Articles 12–14 GDPR and to align with Dutch market practice for business-to-consumer sales of food supplements.
We do not sell your personal data. We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
3. Categories of personal data
Depending on your interaction, we may process:
- Identity and contact data: name, delivery address, billing address where different, email address, telephone number if provided.
- Account and transaction data: order history, payment status, delivery status, returns, correspondence about your purchase.
- Technical data: IP address, browser type, device identifiers where available, referring URL, timestamps, and security logs.
- Communication content: messages you send through forms, email, or post.
- Preference and consent records: cookie choices, marketing preferences where collected, subscription status.
- Compliance data: records required for tax, accounting, consumer law, and dispute resolution.
Special categories of personal data under Article 9 GDPR are not requested. If you voluntarily disclose health information, we will avoid processing it beyond what is necessary to handle your message and may ask you to limit sensitive details.
4. Sources of data
Data originates from you when you place orders, create enquiries, subscribe to updates where offered, or contact us. We may receive limited data from payment service providers (for example authorisation outcomes) and carriers (for example delivery confirmations). Analytics tools may collect technical data on our behalf when you consent to non-essential cookies.
5. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): processing orders, taking payment, delivery, customer support related to your purchase, handling withdrawal requests under consumer law.
- Legitimate interests (Article 6(1)(f) GDPR): fraud prevention, network security, improvement of website stability, measuring aggregate performance where configured to minimise identifying data, documenting commercial communications, asserting or defending legal claims.
- Legal obligation (Article 6(1)(c) GDPR): tax records, responding to lawful requests from regulators and courts, product traceability where applicable.
- Consent (Article 6(1)(a) GDPR): non-essential cookies and similar technologies where required, marketing communications if a consent-based channel is used, certain contact form processing where consent is the appropriate basis in context.
Where consent is the basis, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal may limit features that depend on optional technologies.
6. Cookies and similar technologies
Our Cookie Policy describes specific cookies, storage periods, and your choices. Essential cookies may rely on legitimate interests or the strict necessity exemption under ePrivacy rules as implemented. Analytics and marketing technologies are deployed only in line with your selections in the cookie interface where such technologies are active on the deployment you use.
7. Recipients and processors
We share personal data with service providers that process data on our instructions, including hosting providers, email delivery services, payment processors, logistics partners, and IT support. Contracts under Article 28 GDPR define confidentiality, security measures, subprocessors where relevant, and assistance with data subject requests.
We may disclose information to professional advisers such as lawyers and accountants under confidentiality obligations. We may disclose information when required by law or to protect rights, safety, and property.
8. International transfers
If data is transferred outside the European Economic Area, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplementary measures where required by case law, or reliance on adequacy decisions. You may request a summary of applicable safeguards by contacting us.
9. Retention periods
Retention follows necessity and legal requirements:
- Order and invoice data: retained for at least the duration required by Dutch tax and commercial bookkeeping rules, typically seven years unless a longer period applies to specific claims.
- Customer service records: typically up to three years after the last relevant interaction unless a dispute extends the need.
- Marketing consents and suppression lists: stored to demonstrate consent and honour unsubscribe requests.
- Security logs: rotated according to technical policy, often between thirty and ninety days unless an investigation requires longer retention.
- Cookie and analytics identifiers: as described in the Cookie Policy for each category.
When retention ends, we delete or irreversibly anonymise data where feasible.
10. Security measures
We apply organisational and technical measures appropriate to the risk, including access controls, separation of environments where practical, encryption in transit for website connections using TLS, patching procedures, and staff training on confidentiality. No method of transmission or storage is completely secure; we encourage strong passwords and caution with phishing.
11. Your rights
Subject to conditions and exceptions in the GDPR, you may have the following rights:
- Access: obtain confirmation whether we process your data and receive a copy.
- Rectification: correct inaccurate data.
- Erasure: request deletion where grounds apply.
- Restriction: request limitation of processing in defined situations.
- Data portability: receive structured, commonly used, machine-readable data for data you provided where processing is based on consent or contract and carried out by automated means.
- Objection: object to processing based on legitimate interests, including profiling in scope, and to direct marketing.
- Withdraw consent: where processing is consent-based.
- Complaint: lodge a complaint with a supervisory authority. In the Netherlands the primary authority is the Autoriteit Persoonsgegevens (AP).
To exercise rights, email us with sufficient detail to identify your request. We respond within one month as a default, extendable where permitted with notice.
12. Children
Our services are directed to adults. We do not knowingly collect data from children under sixteen without appropriate parental authority. If you believe a child provided data, contact us to remove it.
13. Third-party websites
Links to external sites are provided for convenience. Their privacy practices are governed by their own policies. Review those policies before submitting personal data.
14. Changes
We may update this Privacy Policy to reflect legal, technical, or business changes. Material updates will be indicated by revising the date above and, where appropriate, an on-site notice.
15. Contact
Questions about this Privacy Policy: notifyuse@xlaxyronghchar.world