Privacy Policy

Controller: Phefxirevorghalx, Jernbanetorget 4B, 0154 Oslo, Norway. Email: contact@phefxirevorghalx.world. Phone: +47 23 35 81 00. Website: https://phefxirevorghalx.world

Last updated: 25 March 2026. Document version: EN-2026-03.

This Privacy Policy explains how Phefxirevorghalx ("we", "us") processes personal data when you visit https://phefxirevorghalx.world (the "Site"), purchase Enerlith or related goods ("Products"), or communicate with our team. We follow the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Privacy Regulation (EU) 2016/679 as incorporated into the EEA Agreement, the Norwegian Personal Data Act implementing GDPR provisions, and other applicable sector rules for food labelling and marketing.

1. Scope and children

The Site and Products target adults. We do not knowingly collect children's data. If you believe a minor submitted personal data, contact us immediately so we can delete it after verifying authority.

2. Categories of personal data

Depending on your interaction, we may process identity and contact data (name, postal address, email address, optional telephone number), account credentials when you create an optional profile, transaction data (order contents, price, VAT treatment, payment status), technical data (IP address, device type, browser version, approximate location through IP geolocation), communication content (free-text messages, attachments you voluntarily send), marketing preferences, cookie identifiers, audio or chat transcripts if you use supported channels, and due diligence data when law enforcement or tax authorities require cooperation.

3. Sources of data

We obtain information directly from you through forms, checkout flows, email, telephone, and postal mail. We also receive technical data from your device and cookies as described in the Cookie Policy. Payment service providers confirm authorisation outcomes without exposing full payment card numbers to us. Logistics partners return delivery scans and signature metadata.

4. Purposes and legal bases

4.1 Contract performance (GDPR Article 6(1)(b))

We process identification, delivery, and payment coordination data to accept orders, ship Enerlith, respond to service questions, and manage warranties or voluntary commercial guarantees.

4.2 Legal obligation (Article 6(1)(c))

Accounting statutes, product traceability rules, consumer authority filings, sanctions screening, and court orders can require retention or disclosure of order records, communications, and tax identifiers.

4.3 Legitimate interests (Article 6(1)(f))

We rely on legitimate interests for fraud monitoring, network security, internal reporting, brand protection, knowledge-base analytics that do not profile individuals in a significantly intrusive manner, and corporate transactions, balanced against your rights. You may object as described below.

4.4 Consent (Article 6(1)(a))

Optional marketing messages, certain non-essential cookies, and sensitive categories if ever lawfully collected depend on explicit consent, which you may withdraw without affecting earlier lawfulness.

5. Special categories

Enerlith is a food supplement, not a medicine. Please refrain from sending health diagnoses in contact forms. If you voluntarily disclose special-category data, we will restrict access and delete it when no legal exception applies.

6. Automated decision-making

We do not perform solely automated decisions with legal or similarly significant effects within the meaning of GDPR Article 22. Fraud checks may score risk but always involve meaningful human review before a negative action.

7. Recipients and subprocessors

Data is accessed by personnel bound by confidentiality obligations. External recipients include hosting providers within the EU/EEA or third countries covered by adequacy decisions or Standard Contractual Clauses, payment acquirers certified under PCI-DSS, carriers, email delivery vendors, customer-support ticketing tools, analytics partners if you consent, accounting firms, insurers, and professional advisers. An up-to-date list of material subprocessors is available upon request.

8. International transfers

If processors operate outside the EEA without an adequacy decision, we implement SCCs with supplementary measures such as encryption in transit, access logging, and data minimisation. Copies of safeguards are available on request.

9. Retention

Completed sales ledgers stay at least seven years to satisfy Norwegian bookkeeping law. Marketing consents persist until withdrawn. Cookie logs follow durations in the Cookie Policy. Support tickets auto-delete twenty-four months after closure unless litigation preserves them. Security logs rotate after twelve months unless incident investigation extends storage.

10. Security measures

We apply TLS 1.2 or higher on public endpoints, role-based access controls, periodic penetration testing, patching calendars, staff training, breach response playbooks, and supplier due diligence. No method is flawless; report suspected compromises promptly.

11. Your rights

Under GDPR you may request access, rectification, erasure, restriction, portability, objection, and human intervention regarding non-automated decisions. Norwegian residents may also contact Datatilsynet (www.datatilsynet.no). We respond within one month, extendable by two months when complex. You may lodge a complaint with your local supervisory authority.

12. Marketing preferences

Every promotional email contains an unsubscribe mechanism. You may also email contact@phefxirevorghalx.world with the subject "Marketing opt-out".

13. Data Protection Officer

Because processing is not large-scale monitoring of sensitive categories, a statutory DPO may not be mandatory. Nonetheless, the controller's privacy lead is reachable at the email above and coordinates with Norwegian counsel.

14. Changes

Material updates appear on this page with a revised date. Continued use after notice where we rely on contract performance constitutes acknowledgement of operational changes that do not reduce your statutory rights.

15. Breach notification

If we detect unauthorised access to personal data with likely risk to rights and freedoms, we analyse the incident, contain it, document facts, notify Datatilsynet within seventy-two hours where required, and communicate affected individuals when impact exceeds guidance thresholds. Suppliers must contractual guarantee equivalent cooperation.

16. Joint controllers and independent processors

Where we jointly determine purposes with advertising networks, transparent allocation of obligations appears in the relevant consent layer. Pure processors receive written instructions, may not engage sub-processors without approval, and delete copies after mandate completion unless law demands archival.

17. Research and aggregate statistics

We may create irreversibly aggregated datasets that no longer identify individuals. Such datasets fall outside GDPR scope when truly anonymised; pseudonymised datasets remain personal data.

18. Employment and recruitment

If you apply for work, CV data is processed under Article 6(1)(b) pre-contract measures or consent for speculative applications. Hiring panels outside Norway receive data only under transfer tools.

19. Contact

Postal: Phefxirevorghalx, Jernbanetorget 4B, 0154 Oslo, Norway. Electronic: contact@phefxirevorghalx.world. Telephone: +47 23 35 81 00.