Data controller identity
Vyxtoranuxzol.world
Trading as Pavira supplement brand presentation
Binnenweg 201
3014 GJ Rotterdam
Netherlands
Email: chat@vyxtoranuxzol.world

We do not appoint a Data Protection Officer by statutory requirement today, but you may contact us for any privacy matter using the email above. For supervisory correspondence we acknowledge the Autoriteit Persoonsgegevens (AP) as our lead EU regulator for Dutch-established processing.

Scope and material scope

This policy applies to visitors of vyxtoranuxzol.world, recipients of transactional emails that originate from our systems, and business counterparties who exchange personal data for logistics or compliance. It excludes employees and applicants, who receive separate documentation when roles open. If you arrive via a partner landing page that forwards you here, both sites may process data under independent controllership or joint arrangements described in relevant agreements.

Categories of personal data

• Identity: full name, preferred language, company affiliation if you order as a business.
• Contact: email address, phone number when you provide it, formatted postal addresses.
• Transaction: order line items, payment confirmation tokens from our processor, refund identifiers—we never store full card Primary Account Numbers on Pavira-controlled infrastructure.
• Technical: IP address, approximate location derived at regional resolution, device/browser signatures, session identifiers stored in first-party cookies.
• Content: free-text you type into forms, including wellness context you choose to volunteer even though we cannot interpret it medically.
• Preference: cookie banner decisions persisted in local storage or cookies, marketing unsubscribes, product interest tags you set by clicking preference centers.

Purposes and legal bases in detail

Contract performance (Article 6(1)(b) GDPR): processing orders, communicating delivery status, issuing invoices compliant with Dutch commercial law, and managing warranty-like obligations described in our terms.

Legitimate interests (Article 6(1)(f)): monitoring site stability, detecting fraudulent transactions, enforcing intellectual property, measuring aggregate campaign reach where not purely consent-based under local ePrivacy guidance, and improving information architecture based on pseudonymized analytics.

Consent (Article 6(1)(a)): non-essential cookies, speculative marketing messages when no soft opt-in exists, participation in optional surveys, and certain international transfers lacking adequacy if Standard Contractual Clauses require explicit confirmation.

Legal obligation (Article 6(1)(c)): tax archives, consumer complaint registers when regulators demand evidence, responding to lawful police requests after jurisdictional review, and age verification paperwork if future channels require it.

Profiling and automated decisions

We do not employ solely automated decision-making that produces legal effects concerning you in the sense of Article 22 GDPR. Lightweight personalization may reorder content modules you already saw, but human review remains available on request for any materially impactful determination such as fraud holds on unusually large wholesale requests.

Processors and categories of recipients

We engage subprocessors in infrastructure, transactional email, customer support ticketing, analytics (only post-consent), advertising measurement, payment acquiring, fraud scoring, and parcel delivery. Each relationship is governed by Article 28 agreements specifying confidentiality, deletion timelines, and assistance with data subject rights. A current list is available upon authenticated business request to reduce public scraping of our stack details.

International transfers

When recipients outside the EEA access personal data, we implement appropriate safeguards such as Commission adequacy decisions, UK IDTA addenda where relevant, or Standard Contractual Clauses supplemented by transfer impact assessments. Copies of redacted assessments can be provided where commercially reasonable.

Retention schedule (summary)

• Marketing consents and resulting email events: thirty-six months of inactivity triggers re-permissioning, then deletion if you do not reaffirm.
• Website analytics tied to cookies: twenty-six months rolling, aligned with common platform defaults, unless you withdraw earlier.
• Completed sales ledgers: seven years for Dutch tax conformity.
• Security incident evidence: up to five years after closure if insurers or litigation require continuity.
• Ad-hoc support tickets: twenty-four months after last substantive reply unless escalated to legal.

Security measures

Transport encryption with modern TLS configurations, disk encryption on laptops issued to staff, multi-factor authentication for cloud consoles, centralized logging with tamper-evident storage, routine vulnerability scanning, vendor due diligence questionnaires, and incident response rehearsal at least annually. No control set eliminates all risk; we document residual risk acceptance in internal registers.

Your rights and how to exercise them

You may request access, rectification, erasure, restriction, portability (where technically feasible), objection to certain processing, and human review of disputed outcomes. Submit requests via email with enough detail to verify identity without over-collecting. We answer within one month extendable where Article 12 complexity applies. You may lodge complaints with the AP or another EU supervisory authority where you reside or work.

Children

Pavira experiences target adults. We delete data if we learn it pertains to minors under sixteen without verified parental authority.

Changes to this policy

Material revisions appear on this page with an updated snapshot date. The dynamic stamp at the top refreshes each load for transparency about when you are reading; archival PDFs may be produced for regulators upon request.

Snapshot key:

Return to homepage · Cookie Policy