1. Data controller and representative details
The controller responsible for personal data processing is:
Xunrovarshex
Stenbäckinkatu 9
00290 Helsinki
Finland
Email: admin@xunrovarshex.world
Phone: +358 9 4717 6610
We do not require a separate EU representative because our establishment is in Finland. If you contact us about privacy, please include enough detail to identify your request and, where needed, proof of identity so we can avoid disclosing data to the wrong person.
2. Scope of this notice
This Privacy Policy applies to processing carried out through the website at xunrovarshex.world and related email or telephone communications that relate to the same relationship. It does not cover third-party websites linked from our pages; their operators are responsible for their own notices.
Where we process personal data as a processor on behalf of another organisation, separate terms apply and we will identify the controller. For standard consumer orders of AndroVascor placed with us, we act as controller for customer relationship data.
3. Categories of personal data we collect
Depending on how you interact with us, we may process:
- Identity and contact data: name, delivery address, billing address, email address, telephone number, customer reference, language preference.
- Transaction data: order contents, price, VAT treatment, payment status, carrier references, returns and refund records.
- Communication data: messages you send through forms, email, or post, including attachments and metadata such as timestamps.
- Technical data: IP address, device type, browser, approximate location derived from IP, referrer URL, pages viewed, and similar diagnostics when our hosting or analytics tools collect them.
- Cookie and similar data: identifiers stored on your device when you consent or when strictly necessary tools require them (see our Cookie Policy).
- Compliance data: records needed for accounting, tax, product safety traceability, and dispute handling.
We do not seek to collect special categories of data (such as health data). If you voluntarily disclose health information, we will restrict internal access and delete it when retention is no longer necessary unless a law requires otherwise.
4. Sources of data
We obtain personal data directly from you when you place orders, create enquiries, subscribe to updates (if offered), or communicate with us. We may receive technical data from your browser automatically. We may receive updated address information from carriers when deliveries are processed. We do not purchase marketing lists that contain personal data for this website.
5. Purposes and legal bases
We process personal data only when a legal basis under Article 6 GDPR applies. The table below summarises typical processing.
| Purpose | Legal basis | Notes |
|---|---|---|
| Providing the website and displaying content | Legitimate interests (Article 6(1)(f)) to operate a secure site | Balanced against your rights; minimal logging |
| Processing orders, payments, delivery, and customer support | Performance of a contract (Article 6(1)(b)) | Core purchase lifecycle |
| Responding to enquiries submitted through forms or email | Legitimate interests and, where relevant, pre-contractual steps (Article 6(1)(b)) | We keep threads only as long as needed |
| Compliance with accounting, tax, and product traceability laws | Legal obligation (Article 6(1)(c)) | Retention periods follow statute |
| Fraud prevention, network security, abuse detection | Legitimate interests (Article 6(1)(f)) | May include short-term IP processing |
| Non-essential cookies, analytics, and marketing communications | Consent (Article 6(1)(a)) where required | Managed through the cookie banner and subscription controls |
| Direct marketing by electronic mail to existing customers about similar products | Soft opt-in under ePrivacy implementation where conditions are met, or consent | You may opt out at any time |
Where we rely on legitimate interests, we evaluate necessity and proportionality. You may object to processing based on legitimate interests as described in Section 10.
6. Automated decision-making and profiling
We do not make decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. If this changes, we will update this Policy and provide meaningful information about the logic involved.
7. Recipients and processors
We share personal data with service providers who assist our operations under written agreements that require confidentiality and appropriate security measures. Categories may include:
- Hosting and infrastructure providers for website storage and backups.
- Payment service providers and banks for transaction authorisation and settlement.
- Logistics partners for picking, packing, delivery, and returns.
- Email delivery and customer ticketing tools.
- Professional advisers such as accountants and lawyers when required.
We may disclose information to public authorities when required by law, court order, or lawful regulatory request. We may share data with law enforcement when necessary to protect vital interests or to investigate misuse.
8. International transfers
Our primary processing occurs within the European Economic Area (EEA). If we transfer personal data to countries outside the EEA, we rely on adequacy decisions or implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, with supplementary measures where required by case law. You may request a copy of relevant safeguards by contacting us.
9. Retention periods
We retain personal data only as long as necessary for the purposes described, plus any statutory limitation periods. Indicative periods include:
- Order and invoice records: up to ten years where Finnish accounting and tax rules require bookkeeping materials, unless a longer period applies for product traceability.
- Customer correspondence unrelated to a concluded contract: typically up to twenty-four months after the last message unless a dispute is ongoing.
- Marketing consents and unsubscribe logs: evidence of consent or objection for the period needed to demonstrate compliance.
- Web server logs: rotated on a short cycle unless longer retention is justified for security investigations.
- Cookie data: as stated in the Cookie Policy and your preferences.
When retention ends, we delete or anonymise data so it can no longer be linked to you, unless anonymised statistics are retained.
10. Your rights
Under GDPR, you have the following rights in principle, subject to conditions and exceptions in law:
- Access: obtain confirmation whether we process your data and receive a copy.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion where applicable grounds exist.
- Restriction: request limitation of processing in defined situations.
- Data portability: receive structured, commonly used, machine-readable data that you provided, where processing is based on consent or contract and is automated.
- Object: object to processing based on legitimate interests or to direct marketing.
- Withdraw consent: where processing is consent-based, without affecting prior lawful processing.
- Lodge a complaint: with the Finnish Office of the Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.
To exercise rights, email us at admin@xunrovarshex.world or write to the postal address above. We may ask for information to confirm identity. We respond within one month, which may be extended by two further months in complex cases.
11. Security measures
We implement technical and organisational measures appropriate to the risk, including TLS encryption for data in transit on this website, access controls on a need-to-know basis, authentication mechanisms for administrative systems, malware protection on endpoints, and policies for vendor assessment. No method of transmission or storage is completely secure; we encourage strong passwords on your accounts with us and prompt reporting of suspected incidents.
12. Children
Our services are directed to adults who purchase food supplements. We do not knowingly collect personal data from children under sixteen years for marketing purposes. If you believe a child has provided data, contact us and we will delete it unless we must retain it for legal reasons.
13. Changes to this Privacy Policy
We may update this Policy to reflect legal, technical, or business developments. The latest version is always published on this page with a revised “Last updated” date. Material changes may be communicated by email or a prominent notice on the website where appropriate.
14. Records of processing activities
Internally, we maintain records of processing activities as required by Article 30 GDPR where applicable. The summary below complements the tables elsewhere in this Policy and describes typical processing in plain language:
| Activity | Data subjects | Categories | Recipients |
|---|---|---|---|
| E-commerce checkout and fulfilment | Customers | Identity, contact, transaction, delivery | Payment processors, carriers, IT hosting |
| Customer support | Customers and prospects | Contact, correspondence | Ticketing tools, internal staff |
| Website security | Visitors | Technical logs, IP addresses | Hosting provider, security tools |
| Optional analytics or marketing | Visitors | Pseudonymous identifiers where used | Analytics or ad partners with consent |
Retention schedules attached to each activity follow Section 9. We review these records when we introduce new tools or change purposes.
15. Personal data breaches
We maintain internal procedures to detect, assess, and respond to personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required by Article 34 GDPR, communicate with affected individuals, describing the nature of the breach, likely consequences, and measures taken or proposed.
Notifications address facts such as categories and approximate numbers of data subjects, likely consequences, and remedial steps. If immediate full detail is impossible, we provide information in phases as investigations progress.
16. Data protection by design and by default
We implement technical and organisational measures at the design stage of projects that involve personal data, including data minimisation, purpose limitation, pseudonymisation where appropriate, role-based access, and secure deletion workflows. Default settings for optional communications require affirmative choices where consent is the legal basis.
17. Contact
For privacy questions or requests, contact:
Xunrovarshex, Stenbäckinkatu 9, 00290 Helsinki, Finland. Email: admin@xunrovarshex.world. Phone: +358 9 4717 6610.