1. Purpose and scope of this Policy
This Policy applies to personal data we process about visitors to our website, individuals who submit order or contact forms, customers, prospective customers, and others who communicate with us by email, telephone, or post. It describes what data we collect, why we use it, how long we keep it, whom we share it with, which rights you have, and how you can exercise them.
This Policy should be read together with our Cookie Policy, which contains additional detail on cookies and similar technologies, and our Terms of Service and Return Policy, which govern commercial aspects of our relationship with you. If any provision appears inconsistent, the document that is more specific to the context applies, without prejudice to your mandatory statutory rights.
2. Regulatory framework
We comply with the GDPR as it forms part of Swedish law and as applied in the European Economic Area. Where we offer goods or services to individuals in the United Kingdom, we also take account of the UK GDPR and the Data Protection Act 2018. Electronic marketing and cookies may additionally be subject to the Swedish Electronic Communications Act (2022:482), the Swedish Marketing Act (2008:486), and the ePrivacy Directive as transposed in your country of residence.
Consumer protection rules under EU and Swedish law may impose further transparency duties or affect how we communicate about products; those rules do not replace data protection law but may influence how we phrase commercial information.
3. Definitions
For clarity, the following terms have the meanings set out below: “personal data” means any information relating to an identified or identifiable natural person; “processing” means any operation performed on personal data (including collection, storage, disclosure, and erasure); “controller” means the entity that decides why and how personal data is processed; “processor” means an entity that processes personal data on behalf of the controller under instructions; “recipient” means anyone to whom data is disclosed; “supervisory authority” means an independent public authority responsible for monitoring application of data protection law (in Sweden, IMY).
4. Categories of personal data we process
Depending on how you interact with us, we may process one or more of the following categories. Not every category applies to every individual.
4.1 Identity and contact data
Full name, billing and delivery addresses, email address, telephone number, country of residence, and similar identifiers you provide when ordering, registering an interest, or contacting us.
4.2 Transaction and account data
Order numbers, products purchased (including Vitalyra and related items), quantities, prices, payment status references (we generally do not store full payment card numbers; those are handled by payment processors), delivery preferences, return and refund history, and correspondence about your orders.
4.3 Communication content
Free-text messages you include in forms, emails, chats, or letters, including optional notes about delivery or product questions. We ask you not to send unnecessary sensitive information; if you do, we will treat it in line with Section 5.
4.4 Technical and usage data
Internet protocol (IP) address, approximate geographic location derived from IP, browser type and version, device type, operating system, referral source, pages viewed, time and date of access, click patterns, and diagnostic logs. Server and security logs may contain similar technical identifiers.
4.5 Marketing and preferences
Records of consent or objection to marketing, newsletter subscriptions, language preferences, and segmentation attributes you have explicitly provided or that we derive from your interactions where permitted by law.
4.6 Cookie and online identifiers
Cookie IDs, advertising identifiers where used, and comparable technologies as described in our Cookie Policy.
5. Special categories of personal data and criminal data
We do not seek to collect special categories of personal data within Article 9 GDPR (such as data concerning health, religious beliefs, or biometric data used for identification) or data relating to criminal convictions except where you voluntarily provide such information and processing is necessary for the establishment, exercise, or defence of legal claims, or another exemption applies.
If you disclose health-related information in an unstructured message, we will restrict access to authorised staff, use it only to respond to your enquiry where appropriate, and delete or anonymise it when no longer needed unless a longer retention is required by law.
6. Purposes of processing and legal bases
We process personal data only where a legal basis under Article 6 GDPR (and, where relevant, Article 9) applies. The list below summarises typical purposes and bases; specific situations may combine several bases.
- Contract and pre-contract (Article 6(1)(b)): Taking and fulfilling orders for Vitalyra and related products, arranging delivery, processing payments through partners, providing customer support, handling returns within the scope of our policies, and responding to requests prior to purchase.
- Legal obligation (Article 6(1)(c)): Accounting, tax, invoicing, product traceability, responding to lawful requests from courts or authorities, and compliance with consumer, food, and safety regulations where personal data is involved.
- Legitimate interests (Article 6(1)(f)): Securing our website and infrastructure, detecting and preventing fraud, enforcing our terms, improving website structure and performance using aggregated statistics where possible, training staff using anonymised or redacted examples, and asserting or defending legal claims. Where required, we balance our interests against your rights and offer opt-out mechanisms (for example for certain marketing or analytics via cookies).
- Consent (Article 6(1)(a)): Non-essential cookies and similar technologies, electronic direct marketing where consent is required, optional surveys, and any other processing we expressly describe as consent-based. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
7. Legitimate interests in more detail
When we rely on legitimate interests, we consider whether the processing is necessary, whether less intrusive means exist, and whether your interests or fundamental rights override our interests. Examples include maintaining network security (blocking malicious traffic), analysing aggregated traffic to fix broken links, and retaining limited contact history to resolve disputes. You may object to processing based on legitimate grounds relating to your particular situation; we will stop unless we demonstrate compelling legitimate grounds that override your interests or need the data for legal claims.
8. Sources of personal data
We obtain most data directly from you. We may also receive data from payment service providers (confirmation of payment or chargeback), logistics partners (delivery outcomes, access point information), fraud prevention services (risk scores or device reputation indicators), and, if you engage us through a marketplace or referral partner, from that platform as permitted by its terms and your settings. We do not purchase marketing lists that contain personal data without verifying a lawful basis.
9. Automated decision-making and profiling
We do not make decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Automated tools may assist humans (for example flagging potentially fraudulent orders); such cases are reviewed by staff before any adverse decision.
10. Recipients and categories of recipients
Personal data may be disclosed to: IT hosting and infrastructure providers; email and messaging services; customer relationship or ticketing tools; accounting and enterprise resource planning software vendors; payment acquirers and fraud screening services; carriers and fulfilment partners; professional advisers (lawyers, accountants) bound by confidentiality; and public authorities when required by law. We do not sell your personal data as a commodity.
11. International transfers of personal data
We primarily store and process data within the EU or EEA. If we transfer personal data to countries not covered by an adequacy decision of the European Commission, we implement appropriate safeguards such as Standard Contractual Clauses approved by the Commission, supplemented by technical and organisational measures where required by case law (including transfer impact assessments where appropriate). You may request a summary of the safeguards we use or copies of relevant redacted agreements where permissible.
12. Retention periods
We retain personal data only for as long as necessary for the purposes set out in this Policy, unless a longer period is required or permitted by law.
- Order and accounting records: Up to seven years after the end of the financial year in which the transaction occurred, in line with Swedish bookkeeping legislation, unless a longer period applies for ongoing disputes or regulatory investigations.
- Marketing consents and suppression lists: For the duration of your subscription plus a reasonable period thereafter to prove consent or honour unsubscribe requests.
- Customer service correspondence: Typically up to three years after the last relevant interaction, unless linked to a legal claim or order covered by the accounting retention rule.
- Website and security logs: Usually between thirty and ninety days, extended on a need-to-know basis for incident investigation.
- Cookie-related data: As specified in the Cookie Policy, often from session end up to thirteen months depending on the tool.
- Legal claims: Until final resolution plus any applicable limitation or appeal period.
At the end of the retention period we delete or irreversibly anonymise data so it can no longer be linked to you.
13. Security of processing
We implement technical and organisational measures appropriate to the risk, including: TLS encryption for data in transit; access controls and authentication for systems containing personal data; principle of least privilege for staff accounts; logging and monitoring of administrative actions; malware protection; backup and recovery procedures; physical security for premises where paper records exist; and confidentiality undertakings for personnel and contractors. We review these measures periodically and update them in response to technological developments and incidents.
No method of transmission or storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials if we introduce password-protected areas in the future, and for using secure devices and networks when contacting us.
14. Processors and due diligence
Processors act only on our documented instructions and are bound by a contract that meets Article 28 GDPR, imposing duties of confidentiality, security, assistance with data subject rights, deletion or return of data at the end of services, and allowing audits where appropriate. We assess processors before engagement and re-assess them periodically, including their use of subprocessors.
15. Personal data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify IMY without undue delay and, where feasible, within seventy-two hours, unless the breach is unlikely to result in such risk. If the breach is likely to result in a high risk to you, we will also communicate with you without undue delay unless an exception in Article 34 GDPR applies. Our notifications will describe the nature of the breach, likely consequences, and measures taken or proposed.
16. Your rights under the GDPR
Subject to applicable law, you have the following rights in relation to your personal data:
16.1 Right of access
You may obtain confirmation of whether we process your data, access to that data, and information about purposes, categories, recipients, retention, and your other rights.
16.2 Right to rectification
You may request correction of inaccurate data and completion of incomplete data.
16.3 Right to erasure (“right to be forgotten”)
You may request deletion where one of the grounds in Article 17 applies, for example where data is no longer necessary, you withdraw consent and no other basis exists, or you object to processing and there are no overriding grounds.
16.4 Right to restriction of processing
You may request restriction where you contest accuracy, processing is unlawful and you oppose erasure, we no longer need the data but you need it for legal claims, or you have objected pending verification of overriding grounds.
16.5 Right to data portability
Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
16.6 Right to object
You may object to processing based on legitimate interests or to direct marketing, including profiling related to such marketing. We will stop marketing processing immediately upon objection.
16.7 Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
16.8 Right to lodge a complaint
You may lodge a complaint with IMY (Swedish Authority for Privacy Protection), Box 8114, 104 20 Stockholm, Sweden, or with the supervisory authority in your habitual residence, place of work, or place of the alleged infringement within the EU/EEA.
17. How to exercise your rights
Submit requests to contact@phexroxxghor.world with the subject line “Data protection request” and sufficient detail for us to identify you. We may ask for proof of identity (for example a copy of an ID document with unnecessary data redacted) to prevent unauthorised disclosure. We will respond without undue delay and in any event within one month, extendable by two further months where complex, in which case we will inform you of the reasons.
There is no fee unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, explaining our reasons.
18. Children
Our website and products are intended for adults. We do not knowingly collect personal data from children below the age at which they can validly consent in their country (often sixteen in the EU context) without parental authority. If you believe we have collected such data, please contact us and we will take steps to delete it promptly.
19. Third-party websites and services
Our website may contain links to third-party sites or embeds. This Policy does not apply to those services. Please read their privacy notices before providing personal data.
20. Changes to this Policy
We may update this Policy to reflect legal, technical, or organisational changes. The version on this page with the effective date below is the current version. Where changes materially affect you and require new consent, we will obtain it in accordance with applicable law. We encourage you to review this page periodically.
Effective date: 19 March 2026.