Privacy Policy
This Privacy Policy explains how Quolrixxrrklixol processes personal data when you visit quolrixxrrklixol.world, request information about NaturaCardiovive, place an inquiry, communicate with us, or interact with cookies and similar technologies. We describe what we collect, why we use it, how long we keep it, who may receive it, and which rights and choices you have.
1. Scope and roles
This policy applies to processing carried out by Quolrixxrrklixol as a controller. A controller decides why and how personal data is processed. Where we use processors, they process data on documented instructions and must implement appropriate safeguards. If you use third-party services linked from our site, they are separate controllers or processors for their own processing, and their policies apply.
2. Categories of personal data
Depending on how you interact with us, we may process the following categories of data:
- Identity and contact data: name, email address, telephone number if provided, postal address if provided.
- Communication content: messages you send through forms, email, or other channels, including attachments and metadata.
- Order and request data: product interest, purchase intent, reference numbers, and related correspondence.
- Technical and usage data: IP address, browser type and version, device identifiers where available, time zone, operating system, pages viewed, referring URLs, and interaction events.
- Cookie and similar technology data: identifiers stored on your device, consent records, and preferences.
- Customer service records: notes from support interactions, complaint handling, and follow-up.
- Fraud prevention and security signals: limited technical indicators used to protect accounts and systems.
We do not seek special categories of personal data as defined in Article 9 GDPR. Please do not send health information unless we explicitly request it and provide a lawful pathway for processing.
3. Sources of data
We obtain personal data directly from you when you submit forms, email us, call us, or otherwise communicate. We also generate technical data automatically when you load pages or use features. We may receive data from payment service providers or logistics partners only to the extent necessary to fulfill orders or resolve disputes.
4. Purposes and legal bases
We process personal data only where a legal basis applies. The list below summarizes common processing activities.
- Website operations and security (Article 6(1)(f) GDPR legitimate interests): delivering pages, protecting infrastructure, preventing abuse, maintaining logs for incident response, and improving reliability. Where required, we balance your rights and interests.
- Responding to inquiries and pre-contractual steps (Article 6(1)(b) GDPR): handling requests for information, quotes, and support related to NaturaCardiovive.
- Contract performance (Article 6(1)(b) GDPR): processing orders, payments where applicable, delivery coordination, customer notifications, and returns.
- Legal obligations (Article 6(1)(c) GDPR): accounting, tax, consumer protection, product safety reporting where required, and responding to lawful requests from authorities.
- Consent (Article 6(1)(a) GDPR): optional cookies and similar technologies where consent is required under ePrivacy rules, and marketing communications if you opt in.
- Legitimate interests (Article 6(1)(f) GDPR): internal analytics on aggregated datasets, quality assurance, training, and limited direct marketing to existing customers where permitted by national law and where you have not objected.
Where consent is the legal basis, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal may limit certain features.
5. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects about you. We may use basic analytics to understand aggregate usage patterns.
6. International transfers
Our primary operations are in the European Economic Area. If we transfer personal data outside the EEA, we ensure appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or transfer to countries recognized as adequate, supplemented by technical and organizational measures where necessary.
7. Recipients and processors
We share personal data only with recipients who need access to provide services. Categories may include:
- Hosting and infrastructure providers.
- Email and communication service providers.
- Payment processors and fraud prevention services.
- Logistics and courier partners.
- Customer support tools and ticketing systems.
- Professional advisers and auditors where required.
- Authorities when required by law.
We require processors to implement confidentiality and security obligations and to process data only on documented instructions.
8. Retention
We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law.
- Marketing consents and records: until consent is withdrawn or objections are honored, unless a longer retention is justified for evidence.
- Contract and order records: for the duration of the relationship and for a reasonable period thereafter to handle disputes, warranties, and legal claims.
- Accounting and tax records: according to Finnish bookkeeping and tax obligations, typically several years.
- Communication logs: for a limited period to operate support and security, unless a longer retention is justified for legal defense.
- Security logs: short to medium cycles depending on operational risk.
- Cookie and consent records: as described in the Cookie Policy and aligned with consent evidence requirements.
We periodically review retention periods and anonymize or delete data when no longer needed.
9. Security measures
We implement organizational and technical measures appropriate to the risk, including access controls, least privilege, encryption in transit where supported, secure configuration practices, backups, monitoring, logging, and staff training. No method of transmission or storage is completely secure; we work to reduce risk in a proportionate manner.
9a. Data minimization and purpose limitation
We collect personal data that is adequate, relevant, and limited to what is necessary for the purposes described. We avoid collecting sensitive categories unless a specific lawful basis and documented pathway exist. Internal access to personal data is granted on a need-to-know basis and reviewed periodically.
9b. Records of processing activities
We maintain records of processing activities where required by Article 30 GDPR, including purposes, categories of data subjects and data, recipients, international transfers, retention timelines, and a general description of security measures. These records support accountability and supervisory authority requests.
9c. Personal data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we document the incident, take containment steps, assess risk, and notify the supervisory authority without undue delay where required. We communicate to affected data subjects when the breach is likely to result in a high risk, unless exceptions apply.
9d. Subprocessors and onward transfers
Where we appoint subprocessors, we impose written obligations to implement appropriate safeguards, assist with data subject requests, return or delete data at the end of services, and notify us of breaches. We remain responsible for the processing carried out on our behalf. A current list of categories of subprocessors is available on request where commercially reasonable.
10. Your rights under GDPR
Subject to conditions and exceptions in applicable law, you may have the following rights:
- Access: request confirmation of processing and copies of personal data.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion where grounds apply.
- Restriction: request limitation of processing in certain cases.
- Data portability: receive a machine-readable copy of data you provided where processing is based on consent or contract and carried out by automated means.
- Object: object to processing based on legitimate interests, including profiling, and to direct marketing.
- Withdraw consent: where processing is based on consent.
- Complaint: lodge a complaint with a supervisory authority.
In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu). You may also contact the authority in your country of residence or workplace.
11. Children
Our services are not directed to children. We do not knowingly collect personal data from children without parental authority where required. If you believe we have collected data from a child, contact us so we can delete it.
12. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. Where consent is required, we collect consent before non-essential cookies are set, and you can change preferences later.
13. Marketing
We send marketing communications only where permitted by law and, where required, based on your consent or explicit soft opt-in rules applicable to existing customers. You can opt out using unsubscribe links or by contacting us.
14. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. We will publish the updated version on this page and revise the last updated date. Where changes materially affect your rights, we will provide additional notice where appropriate.
15. Contact
For privacy requests or questions about this policy, contact us at feedback@quolrixxrrklixol.world or write to Quolrixxrrklixol, Bulevardi 13, 00120 Helsinki, Finland. Please include enough detail to verify your identity and describe your request.