Privacy Policy

Instrument honoured in full on · Applies wherever you engage Phaltronith.world

Preamble and interpretive discipline

This Privacy Policy describes how Phaltronith.world (“Controller”, “we”, “us”) processes personal data in connection with the marketing, sale, and aftercare of Xavico food supplements through phaltronith.world and affiliated correspondence channels. The vocabulary below aligns with the EU General Data Protection Regulation (679/2016, “GDPR”) and the Finnish Data Protection Act (1050/2018), supplemented by sector guidance from the Finnish Office of the Data Protection Ombudsman.

We treat privacy as an editorial discipline: clarity of purpose, restraint in collection, and predictable retention. Nothing herein diminishes mandatory consumer protections or professional secrecy duties that may attach to future regulated services.

If you are browsing only and never identify yourself, many technical events still generate server logs. Those logs may constitute personal data when combined with identifiers such as IP addresses.

Data controller and representative contact

The Controller legally responsible for processing is:

Phaltronith.world
Leppävaarankatu 3 9
02600 Espoo
Finland
Email: question@phaltronith.world

For parity with Article 27 GDPR, note that we currently market primarily from Finland within the European Economic Area. Should we appoint a representative in another member state, this Policy will record their coordinates and mandate.

Written contact is preferred so that instructions, withdrawals, and identity evidence remain auditable. Telephone support may be introduced later; until then, spoken requests should be summarised in an email to preserve the record.

Material and territorial scope

This instrument covers:

  • Visitors to public marketing pages, interactive modules, and downloadables.
  • Individuals who complete the inquiry or pre-order form.
  • Buyers and prospective buyers negotiating customised deliveries.
  • Newsletter or wait-list participants, if such programmes launch.
  • Individuals appearing in correspondence copied on business email threads.

It does not govern anonymous aggregated datasets that can no longer be re-linked to a person without disproportionate effort—those sets fall outside GDPR personal-data definitions once irreversible anonymisation is documented.

Categories of personal data collected

Depending on interaction depth, we may hold:

  • Identity data: full name, preferred salutation, title.
  • Contact data: email, telephone (if supplied), postal address for shipping or statutory notices.
  • Transaction data: order identifiers, SKU references, payment confirmation tokens from processors (not full card numbers).
  • Communication data: free-text messages, attachments, satisfaction surveys.
  • Technical data: IP address, user agent, approximate geolocation from IP, referring URLs, timestamps.
  • Preference data: cookie consent logs, marketing opt-ins, language selection.
  • Safeguarding data: fraud watchlists, chargeback notes limited to what law permits.

Special categories under Article 9 GDPR (health, biometrics, union membership, etc.) are not solicited through marketing forms. If you voluntarily disclose health context, we will segregate and restrict access, deleting non-essential elements once the conversation closes unless a narrower legal basis emerges.

Purposes, legal bases, and balancing tests

Website operation and contractual fidelity

We process identity, contact, transaction, and technical data to deliver pages over HTTPS, confirm purchases, issue receipts, and respond to contractual warranty issues. Legal bases: Article 6(1)(b) GDPR for performance of a contract; Article 6(1)(c) for tax and trade compliance.

Pre-contractual assistance

Inquiry forms create processing grounded in Article 6(1)(b) (steps prior to contract). Where no agreement materialises, follow-up analytics on whether the query was resolved relies on Article 6(1)(f), namely our interest in refining commerce pathways, suppressed where overridden by your rights.

Optional analytics and advertising

Non-essential tags fire only after affirmative action in the cookie banner or equivalent controls. Legal basis: Article 6(1)(a) consent, freely revocable without retrospective invalidation.

Integrity and security monitoring

Logs may be processed to detect brute-force attempts, credential stuffing, or web-scraping that degrades service. Legal basis: Article 6(1)(f), carefully documented in our legitimate-interest assessment file.

Legal defence and regulatory cooperation

We retain select communications where litigation or supervisory review is reasonably foreseeable. Legal basis: Article 6(1)(f) and, where applicable, Article 6(1)(c).

Coordination with cookies and device storage

Strictly necessary storage keys remember your consent state and secure session continuity. Analytics and marketing keys load only upon opt-in. Exact storage semantics appear in the Cookie Policy, which should be read as an annex to this instrument.

Sources of personal data

Most data originate directly from you. We may receive updates from payment service providers (billing status), logistics partners (delivery outcomes), or fraud intelligence vendors (hashed identifiers only). We do not purchase marketing lists that lack verifiable consent chains.

Automated decision-making and profiling

We do not execute automated decisions that produce legal or similarly significant effects under Article 22 GDPR. Lightweight segmentation for optional newsletters may occur, but humans remain accountable for creative messaging.

Minors

Xavico experiences are intended for adults. We do not knowingly invite data from individuals below sixteen without parental authority. If you believe a minor bypassed controls, notify us promptly so we can erase non-essential records.

Retention matrix

  • Inquiry threads: twenty-four months after last outbound message unless an open dispute extends necessity.
  • Accounting ledgers: up to ten years from fiscal year close, per Finnish accounting legislation.
  • Marketing consents and evidence: life of consent plus twenty-four months of probative logs.
  • Technical security logs: ninety days rolling, extended only during live investigations.
  • Court holds: until formal releases supersede standard schedules.

Erasure is executed via secure deletion on active systems plus certificate-of-destruction routines on retired hardware under processor contracts.

Recipients and categories of processors

Access inside the Controller follows least-privilege principles. External categories typically include hosting vendors, transactional email relays, courier APIs, payment acquirers, customer-service ticketing tools, and optional analytics suites. Each relationship is governed by Article 28 agreements or statutory derogations.

Onward disclosure to public authorities occurs solely when compulsory process, narrowly construed, compels cooperation.

International transfers

Primary processing stays within the EEA. When a subprocessor maintains US operations, we implement Standard Contractual Clauses (2021/914) plus supplementary technical measures such as encryption in transit and, where available, at rest. Transfer impact assessments are refreshed following Schrems II jurisprudence.

Technical and organisational measures

Our security posture blends TLS 1.2+ termination, segregated environments, hardware-security-module-backed key storage where commercially viable, role-based dashboards, quarterly access reviews, phishing-resistant training for staff, and incident playbooks referencing Articles 33–34 GDPR timelines.

No architecture eliminates risk; we maintain cyber insurance and business continuity sites to preserve availability proportionate to our scale.

Rights of data subjects

Subject to verification and statutory exemptions, you may invoke:

  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restriction (Article 18)
  • Portability for automated processing premised on consent or contract (Article 20)
  • Objection to Article 6(1)(f) processing (Article 21)
  • Withdrawal of consent without affecting prior lawfulness (Article 7(3))

Responses target the GDPR’s one-month guideline, extendable where complexity warrants with transparent notice.

Contact, supervisory authority, and policy evolution

Exercise rights by writing to question@phaltronith.world with reasonable identity evidence. You may also complain to the Office of the Data Protection Ombudsman (Finland) or your habitual residence authority.

Material updates to this Policy receive a revised publication timestamp; archived versions remain available upon authenticated request for regulatory inspection.