Privacy Policy

Effective date: 25 March 2026 · Version: 1.0 · Jurisdiction: Norway (European Economic Area)

1. Introduction and material scope

This Privacy Policy explains how Glexironwhroxxen, operating the website available at https://glexironwhroxxen.world (the “Site”), collects, uses, stores, and protects personal data when you browse, create an enquiry, place an order request, subscribe to updates where available, or otherwise interact with us. We act as a data controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Norwegian Personal Data Act implementing GDPR rules for national contexts.

The Policy applies to natural persons located in the European Economic Area and, where relevant, the United Kingdom and Switzerland when our processing falls within the material scope of GDPR or equivalent standards we voluntarily apply. It does not govern anonymous statistics that cannot be linked to an identifiable person.

Phytocorex is a food supplement brand distributed through Glexironwhroxxen. Marketing descriptions on the Site are informational. They are not medical advice. Nothing in this Policy reduces your statutory rights as a consumer or data subject.

2. Data controller and representative details

The controller responsible for processing under GDPR Article 4(7) is:

  • Legal trading name: Glexironwhroxxen
  • Registered address: Trondheimsveien 233, Bygg 40, 0586 Oslo, Norway
  • Country of establishment: Norway
  • General contact email: help@glexironwhroxxen.world
  • Telephone: +47 23 01 38 80
  • Website: https://glexironwhroxxen.world

If Norwegian law requires a formally registered organisation number for your specific transaction, that identifier will appear on invoices, contracts, or imprint pages when such documents are generated for you. Visitors may request controller verification information by email using the address above.

3. Categories of personal data we process

Depending on how you use the Site, we may process the following categories:

  • Identity and contact data: full name, delivery address if supplied, billing address if distinct, email address, optional telephone number, company name if you represent a business customer.
  • Transaction data: products requested, price quotes, payment status references, carrier tracking identifiers, return case numbers, correspondence about complaints.
  • Technical data: Internet Protocol address, approximate geographic region derived from IP, browser type and version, device category, operating system, referral URL, pages viewed, time zone, and timestamps.
  • Cookie and similar identifiers: consent logs, randomly generated client identifiers where analytics or marketing tools are activated after consent.
  • Communication content: free-text messages you submit through order or contact forms, email threads, recorded call notes if you phone us and we document the call internally.
  • Compliance data: records demonstrating consent, age confirmation if required, fraud screening outcomes, export control checks where mandatory.
  • Special categories: we do not aim to collect health data. If you voluntarily disclose health information in a message, we will restrict access, use it only to respond or fulfil a legal duty, and delete it when no longer needed unless law requires longer retention.

4. Sources of personal data

We obtain data directly from you when you complete forms, email us, call, or chat. Automated technical data are collected from your device through server logs and, when you consent, through analytics or marketing tags. We may receive updated address or payment failure information from postal carriers, payment service providers, or credit institutions involved in a transaction you initiated. We do not purchase marketing lists that contain personal data of individuals who have not interacted with our brand.

5. Purposes, legal bases, and necessity

Article 6 GDPR requires a lawful basis for each processing purpose. The list below summarises typical operations connected to the Site. Where we rely on legitimate interests, you may object as described in Section 11.

  • Website delivery and security (Article 6(1)(f)): hosting content, TLS termination, rate limiting, bot management, intrusion detection, backup integrity checks. Legitimate interest in secure, reliable operation; balanced against your rights.
  • Contract preparation and performance (Article 6(1)(b)): processing order requests, taking payment, arranging shipment, providing customer support for purchases, managing returns within statutory windows.
  • Legal obligation (Article 6(1)(c)): bookkeeping under the Norwegian Bookkeeping Act, tax invoicing, responding to court orders, cooperating with Datatilsynet investigations, product traceability for food law.
  • Consent (Article 6(1)(a)): optional analytics cookies, marketing cookies, marketing email where double opt-in is used, certain surveys. You may withdraw consent without affecting prior lawful processing.
  • Legitimate interest in business analytics (Article 6(1)(f)): aggregated reporting that does not require cookies when raw logs are minimised and aggregated promptly.

Where GDPR Article 9 could become relevant because of voluntary health disclosures, we rely on Article 9(2)(a) explicit consent if you manifestly make a health-related request, or Article 9(2)(f) for establishment, exercise, or defence of legal claims if a dispute arises.

6. Recipients and categories of processors

Personal data are accessed only by personnel bound by confidentiality obligations and a need-to-know principle. External recipients may include:

  • Hosting and infrastructure providers within the EEA or bound by Standard Contractual Clauses approved by the European Commission.
  • Email delivery and ticketing systems.
  • Payment acquirers, fraud screening APIs, and chargeback management partners.
  • Logistics carriers and customs brokers for international parcels.
  • Professional advisers such as accountants, auditors, and lawyers under professional secrecy rules.
  • Public authorities when Norwegian or EU law compels disclosure.

Processor relationships are governed by Article 28 GDPR data processing agreements specifying purpose limitation, confidentiality, subprocessors, assistance with data subject rights, deletion or return at end of contract, and audit cooperation.

7. International transfers

Our preference is to store and process within the EEA. If a tool provider processes data in a country not subject to an adequacy decision under GDPR Chapter V, we implement appropriate safeguards such as Standard Contractual Clauses (2021 versions) with supplementary technical measures including encryption in transit and, where feasible, encryption at rest. Copies of transfer impact assessments are available on request where disclosure does not prejudice security or commercial confidentiality.

8. Retention periods

Retention follows necessity and statutory minima:

  • Completed sales records: up to five years after the end of the financial year to satisfy bookkeeping obligations, unless longer retention is required for an ongoing dispute.
  • Marketing consents and unsubscribe logs: three years after the last interaction unless law requires longer evidence of consent.
  • Cookie consent proofs: thirteen months rolling for documentation aligned with ePrivacy guidance, unless national law prescribes a different evidence window.
  • Server logs for security: ninety days in active storage, then aggregated or deleted unless isolated records must be preserved for incident investigation.
  • Unrealised enquiries: twelve months after last contact unless you ask for earlier deletion and no legal hold applies.

When retention expires, we delete or irreversibly anonymise data. Backup tapes may retain encrypted copies until scheduled rotation cycles complete; restoration for non-security purposes does not occur after deletion requests except where legally mandated.

9. Security measures

We implement administrative, technical, and organisational measures appropriate to risk, including role-based access control, multi-factor authentication for administrative interfaces, encrypted connections for public endpoints, segmentation between production and test environments, malware scanning on endpoints, vendor security reviews for critical processors, logging of administrative actions, and periodic access recertification. Staff receive periodic data protection training. Physical media containing personal data are stored in locked facilities with visitor logs where applicable.

No method of transmission or storage is perfectly secure. If we become aware of a personal data breach likely to result in risk to your rights, we will notify Datatilsynet within seventy-two hours where feasible and communicate with affected individuals when GDPR Article 34 requires direct notice.

10. Automated decision-making and profiling

We do not use solely automated decisions that produce legal or similarly significant effects under GDPR Article 22. Basic fraud scoring may flag transactions for manual review; a human makes the final decision on whether to accept or decline an order.

11. Your rights

Subject to conditions in GDPR Chapter III, you may:

  • Request access to personal data and obtain a copy (Article 15).
  • Request rectification of inaccurate data (Article 16).
  • Request erasure (“right to be forgotten”) where grounds apply (Article 17).
  • Request restriction of processing in defined situations (Article 18).
  • Receive data in a structured, commonly used, machine-readable format and transmit those data to another controller where processing is based on consent or contract and is carried out by automated means (Article 20).
  • Object to processing based on legitimate interests, including profiling (Article 21).
  • Withdraw consent at any time for processing that relies on consent (Article 7(3)).
  • Lodge a complaint with Datatilsynet, the Norwegian Data Protection Authority, or another EU supervisory authority where you reside or work.

Contact help@glexironwhroxxen.world to exercise rights. We respond within one month, extendable by two further months for complex requests, and inform you of reasons plus the right to complain if we refuse a request.

12. Children

Our products and Site target adults. We do not knowingly collect data from children below digital consent age in their member state without parental authority. If you believe we hold a child’s data, contact us for prompt review and deletion.

13. Third-party websites

The Site may reference external resources. Their privacy practices are independent. Review their policies before submitting personal data.

14. Changes to this Policy

We update this Policy when processing operations, laws, or guidance change. Material changes will be highlighted on the Site or communicated by email when we have your address. Continued use after the effective date constitutes acknowledgement of reasonable updates where consent is not legally required.

15. Contact

Questions about this Policy or our processing may be sent to help@glexironwhroxxen.world or by post to Trondheimsveien 233, Bygg 40, 0586 Oslo, Norway.

16. Joint controllership and independent controllers

Payment processors, carriers, and fraud screening services act as independent controllers for their own fraud analytics, payment compliance, and delivery routing. We coordinate data subject requests where feasible but you may also contact those providers directly using privacy links on their invoices or tracking pages. No joint controllership arrangement exists unless a separate agreement is signed and published on the Site.

17. Marketing and preference profiles

Email marketing is sent only with prior consent or existing customer soft opt-in where Norwegian law permits commercial communication about similar products. Each marketing email includes an unsubscribe link processed within seventy-two hours at infrastructure level. Profiles used for marketing are limited to purchase history, product interests inferred from browsing if marketing cookies are accepted, and language preference. We do not sell personal data to third-party advertisers.

18. Research and aggregate statistics

We may compute aggregate statistics about sales volumes, return rates, and Site performance. Aggregates are designed so individual customers are not identifiable. Where small sample sizes risk re-identification, we apply suppression rules such as combining categories or delaying publication.

19. Employee access logging

Staff with customer support or logistics roles access personal data through authenticated consoles. Access events are logged with user identifier, timestamp, and object category. Logs support security investigations and least-privilege audits. Log retention for administrative access follows the same schedule as security logs unless a longer hold applies during litigation.

20. Data protection impact assessments

When we introduce processing likely to result in high risk to rights and freedoms, we conduct a Data Protection Impact Assessment under GDPR Article 35, consult Datatilsynet when criteria for prior consultation are met, and document mitigation measures such as pseudonymisation, encryption, and strict retention caps.

21. Subprocessors and onward transfers

An up-to-date list of categories of subprocessors is available on request. We notify registered business customers of material subprocessor changes when contracts require. Consumer customers are informed through Policy updates for non-sensitive changes or direct email for sensitive security-related changes.

22. Law enforcement and national security requests

We disclose personal data to law enforcement only when Norwegian law or a valid EU judicial cooperation instrument compels disclosure. We document requests, assess proportionality, and notify affected users when legal prohibitions on notice do not apply.

23. Accessibility of information

This Policy is available in English to support our international customers. Norwegian authorities may require Norwegian-language consumer information in specific channels; statutory templates take precedence where mandatory.