Privacy charter for Novixa shoppers

This page explains, in plain language, how we collect and govern personal data while you browse, enquire, or purchase food supplements from our Birmingham-based team.

Live document stamp:
chat@valtoranzyuthia.world

Article 13 GDPR / UK GDPR

Who controls your data

The controller is Valtoranzyuthia.world, responsible for the Novixa brand presentation online. Registered contact: 72 New Street, Birmingham B2 4DU, United Kingdom. Email correspondence for privacy questions and data subject rights: chat@valtoranzyuthia.world. Please include a subject line such as “Privacy request” so routing stays efficient.

We have not appointed a data protection officer under a statutory mandate today, yet the same mailbox handles the escalations normally assigned to a DPO. If your message concerns a child, a vulnerable consumer, or law enforcement correspondence, highlight that fact in the first paragraph.

Why processing exists in the first place

We process information to keep commerce functional, compliant, and respectful. That includes confirming your identity for deliveries, issuing order paperwork, preventing duplicate discounts, analysing aggregated traffic when you approve analytics cookies, maintaining audit evidence for food-supplement communications, and defending legal claims if they arise.

Marketing emails only follow granular opt-in. Service emails (receipts, shipping notices, safety clarifications) flow from contractual necessity rather than promotional consent.

Categories we may hold

Depending on your journey, the file can contain full name, billing and shipping addresses, email and phone, payment references (not full card numbers—those stay with certified payment processors), IP address, device characteristics, session identifiers, support transcripts submitted through forms, optional survey responses, cookie preference logs, and notes added by staff when resolving a ticket.

We avoid collecting sensitive categories (health diagnoses, biometric templates, religious beliefs). If you voluntarily disclose health context in an enquiry, we minimise retention and only keep it as long as needed to answer responsibly.

Legal bases mapped to activities

  • Contract (Art. 6(1)(b)): checkout, fulfilment, invoicing, returns, loyalty credits tied to purchases.
  • Legal obligation (Art. 6(1)(c)): tax archives, product traceability, responding to regulators.
  • Legitimate interests (Art. 6(1)(f)): fraud analytics, network defence, supplier diligence, business reporting in aggregate form, internal training exemplars stripped of identifiers.
  • Consent (Art. 6(1)(a)): non-essential cookies, newsletter topics beyond transactional notices, optional testimonials with attribution.

Where we rely on legitimate interests, we record balancing tests summarising why our interests do not override yours and how to object.

Recipients and processor due diligence

Hosting partners, email infrastructure providers, payment acquirers, label printing bureaus, courier APIs, analytics suites (when enabled), customer-support workspaces, and backup vaults may access subsets of data strictly to deliver their service. Contracts contain Article 28 terms or equivalent UK addenda, including deletion schedules and subprocessor lists you can request.

We do not sell personal data in the sense of exchanging lists for monetary consideration. Sponsored placements, if any, rely on aggregated or cohort metrics rather than identifiable rows.

International transfers

Some subprocessors store backups in the United States or other third countries. When adequacy decisions do not apply, we implement Standard Contractual Clauses with supplementary technical measures such as encryption in transit and at rest, access logging, and regional key custody where feasible.

You may request redacted copies of transfer impact assessments connected to your data categories.

Retention and minimisation rhythm

Transactional accounting records remain up to seven years. Marketing consents and proof of double opt-in persist until withdrawal plus ninety days for dispute evidence. Web server logs roll off after ninety days unless security investigations extend a slice in isolated cold storage. Abandoned carts delete personal identifiers after one hundred eighty days of inactivity unless local law demands shorter windows.

When retention expires, we prefer secure deletion or irreversible anonymisation that cannot be relinked without extra information kept separately.

Technical and organisational measures

TLS 1.2 or newer for transport, role-based access with quarterly permission reviews, password managers mandated for staff, endpoint protection on laptops handling order exports, encrypted backup tapes rotated offsite, and vendor questionnaires before onboarding supplement manufacturers or logistics APIs.

No control eliminates residual risk. Report suspected incidents to the email above; we aim to acknowledge within seventy-two business hours and inform regulators or data subjects when legally required.

Exercising GDPR and UK GDPR rights

You may request access, rectification, erasure, restriction, portability, objection (particularly to direct marketing or certain legitimate-interest processing), and human oversight of decisions based solely on automated processing producing legal or similarly significant effects—currently we do not deploy such automated decision systems for shoppers.

Responses typically arrive within one calendar month, extendable for complex bundles with explanation. Identity checks protect against fraudulent disclosure.

Cookies and similar technologies

Granular descriptions, retention per tag, and consent toggles appear in the Cookie Policy. Preference centres remember your choices using strictly necessary storage that cannot be disabled by design.

Automation posture

Pricing experiments and inventory alerts may use rules-based automation, but they do not deny you service in a solely automated manner without human escalation pathways published in the Terms of Service.

Minors

Novixa is positioned toward adults managing their own nutrition. If you believe we collected data from a child without proper authority, demand deletion immediately; we will investigate and purge where appropriate.

Supervisory authority

You may contact the Information Commissioner’s Office (UK) or your local EU supervisory authority without prejudice to any administrative or judicial remedy.

Policy maintenance

Material updates trigger a refreshed “live document stamp” powered by the date logic embedded sitewide. Continued use after notice where consent is not required constitutes acknowledgement unless you object where objection rights apply.

Food supplements are not medicines. Privacy descriptions here do not constitute medical or legal advice tailored to your situation.