Privacy Policy
Effective date: 19 March 2026 · Version: 1.0 · Jurisdiction: Sweden (EU/EEA)
This Privacy Policy explains how Dhorxellvorx (“we”, “us”, “our”) processes personal data when you visit dhorxellvorx.world, enquire about GreenVascura, place an order request, subscribe to updates, or otherwise interact with our services. We apply the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Swedish Act (2018:218) with supplementary provisions to the GDPR (“GDPR Execution Act”), and associated guidance from the Swedish Authority for Privacy Protection (IMY), together with other applicable EU and national rules where relevant.
1. Data controller and representative details
The data controller responsible for personal data relating to this website and related sales or customer support activities is:
- Legal trading name: Dhorxellvorx
- Registered address: Centralplan 15, 111 20 Stockholm, Sweden
- Email: help@dhorxellvorx.world
- Telephone: +46 8 505 019 00
If we appoint a data protection officer or EU representative distinct from the above contact, we will update this section and publish the new contact details on this page. For supervisory authority contact, see Section 10.
2. Scope and relationship to other notices
This Policy covers processing performed through the website, email, telephone, and related fulfilment or payment partners acting on our instructions. It should be read together with our Cookie Policy, Terms of Service, and Return Policy. If you provide health-related information voluntarily in a message, we treat it as special category data only where a valid legal basis exists (typically explicit consent or a documented medical necessity pathway); in most consumer supplement contexts we ask you to avoid sending clinical details and to consult a professional separately.
3. Categories of personal data we collect
Depending on your interaction, we may process:
- Identity and contact data: full name, delivery address, billing address, email address, telephone number, country of residence.
- Order and transaction data: products selected (including GreenVascura), quantities, prices in EUR consistent with your region, payment status references, delivery preferences, communications about your order.
- Technical and usage data: IP address, device type, browser, operating system, approximate location derived from IP, referring URL, pages viewed, time on page, interaction events, cookie identifiers as described in the Cookie Policy.
- Communication content: free-text messages you submit through forms, email threads, call notes where permitted, and attachments you supply.
- Marketing preferences: opt-in or opt-out flags, newsletter subscription timestamps, segmentation metadata where used.
- Fraud and security signals: device fingerprints or risk scores from payment or anti-abuse tools where integrated.
We do not knowingly collect personal data from children under 16 for supplement-related sales. If you believe a minor has submitted data, contact us to request deletion.
4. Sources of personal data
Data originates from:
- Information you enter in order forms, contact forms, checkout fields, or emails.
- Automated technologies on our site (cookies, logs, analytics if enabled after consent).
- Payment service providers who confirm transaction outcomes without necessarily sharing full card numbers with our servers.
- Carriers and logistics partners who generate tracking events.
- Public registers only where legally required for invoicing or VAT compliance.
5. Purposes and lawful bases under GDPR
We process personal data only when a lawful basis applies. Typical mappings include:
- Contract (Art. 6(1)(b)): processing necessary to take steps at your request before a contract, to perform a contract of sale, to arrange delivery, and to provide customer support for that contract.
- Legal obligation (Art. 6(1)(c)): bookkeeping, tax invoicing, product traceability, consumer law documentation, and responses to lawful requests from authorities.
- Legitimate interests (Art. 6(1)(f)): securing the website, preventing fraud, improving product information, measuring aggregated performance where not requiring consent, and enforcing our terms, balanced against your rights.
- Consent (Art. 6(1)(a)): optional analytics and marketing cookies, marketing emails where not covered by soft opt-in rules, and certain surveys. You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
Where special category data is inadvertently provided, we will delete it unless a separate explicit consent or other Article 9 basis clearly applies and is documented.
6. Automated decision-making and profiling
We do not rely on solely automated decisions that produce legal or similarly significant effects regarding consumers. Basic risk checks by payment partners may include automated elements governed by their policies; upon request we will clarify if such processing affects you and how to obtain human review where required by law.
7. Recipients and processors
We share personal data with categories of recipients strictly as needed:
- Hosting and infrastructure providers storing website files and databases within the EU/EEA or under approved safeguards.
- Payment acquirers and fraud screening services handling card or wallet transactions.
- Logistics carriers for label generation and tracking.
- Email and ticketing tools for correspondence.
- Professional advisers such as accountants or lawyers bound by confidentiality.
- Authorities when required by law.
Each processor is bound by a data processing agreement specifying instructions, confidentiality, security measures, subprocessors where relevant, and assistance with data subject requests.
8. International transfers
We primarily process data within the EU/EEA. If a tool necessitates transfer to a third country, we implement appropriate safeguards such as Standard Contractual Clauses (2021/914), supplementary measures where IMY or CJEU guidance requires, and transfer impact assessments for high-risk flows. Copies of relevant safeguards may be requested by email, subject to confidentiality constraints.
9. Retention periods
Retention follows necessity and statutory minima:
- Order and accounting records: up to seven years from the end of the financial year to satisfy Swedish bookkeeping and tax rules, unless a longer period is mandated for specific disputes.
- Marketing consents and unsubscribe logs: for the duration of the subscription plus three years to demonstrate compliance.
- Support tickets: typically twenty-four months after closure unless linked to an active warranty or legal claim.
- Web server logs: ninety days by default unless extended for security investigations.
- Cookie-derived identifiers: as stated in the Cookie Policy, often between one session and thirteen months depending on category.
When retention expires, we delete or irreversibly anonymise data.
10. Your rights
Under GDPR, you may request:
- Access to the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure (“right to be forgotten”) where applicable grounds exist.
- Restriction of processing in defined circumstances.
- Data portability for data you provided that is processed by automated means on the basis of contract or consent.
- Objection to processing based on legitimate interests or to direct marketing.
- Withdrawal of consent where processing was consent-based.
Submit requests to help@dhorxellvorx.world. We respond within one month, extendable by two further months where complex, notifying you of reasons. You may lodge a complaint with IMY (Integritetsskyddsmyndigheten) at imy.se or your local EU supervisory authority if you consider that our processing infringes applicable law.
11. Security measures
We implement technical and organisational measures appropriate to risk, including TLS encryption for data in transit, access controls and least-privilege administration, password hashing where we store credentials, segregated environments, logging and monitoring, backups with encryption at rest where supported, vendor due diligence, incident response procedures, and staff confidentiality commitments. No method of transmission or storage is perfectly secure; we encourage strong passwords and device protections on your side.
12. Marketing and newsletters
We send promotional messages only with a valid legal basis. Each message includes an unsubscribe mechanism. Preference centres, where available, let you adjust channels without withdrawing transactional notices necessary to fulfil orders or legal duties.
13. Third-party websites
Links to external sites are provided for convenience. Their privacy practices are independent; review their policies before submitting data.
14. Changes to this Policy
We may update this Policy to reflect legal, technical, or business developments. Material changes will be highlighted on the website or communicated when appropriate. Continued use after the effective date constitutes notice where permissible; where consent is required, we will obtain it expressly.
15. Records of processing activities
Internally we maintain Article 30 GDPR records describing processing purposes, categories of data subjects, categories of personal data, recipients, transfers, retention, and security measures. Extracts relevant to consumer-facing activities are summarised in this Policy; operational details that could impair security are withheld but may be shared with supervisory authorities under confidentiality.
16. Data protection impact assessment posture
Where processing is likely to result in high risk to individuals despite mitigations, we conduct a Data Protection Impact Assessment (DPIA) in line with IMY guidance. Current core ecommerce flows involving standard identity, contact, and transaction data, with mainstream payment processors and EU hosting, are not typically high risk; integrations that add large-scale profiling or sensitive data would trigger reassessment.
17. Breach notification
In case of a personal data breach likely to result in risk to rights and freedoms, we document facts, effects, and remedial action, and notify IMY within 72 hours where feasible. Affected individuals receive communication without undue delay when the breach is likely to result in a high risk to them, unless exceptions apply (for example, if subsequent measures remove the high risk).
18. Children's data
Our services target adults purchasing supplements. We do not solicit data from children. If we learn that a child has provided personal data without verifiable parental consent where required, we delete it promptly after verification steps.
19. Accuracy and data minimisation
We collect only data adequate, relevant, and limited to what is necessary for the purposes described. You are responsible for the accuracy of information you supply; please update us promptly if details change, especially for delivery.
20. Joint controllership scenarios
Some social plugins or advertising tools may establish joint controllership arrangements with platform providers. Where applicable, we link to the provider's information and set out the essence of the arrangement in supplementary notices at the point of interaction.
21. Statutory disclosures
We may disclose personal data when required by court order, subpoena, or competent regulatory investigation, and when necessary to protect our legal rights, users, or the public, within proportionality limits.
22. Employee and applicant privacy
Workforce-related processing is governed by separate internal policies compliant with Swedish employment and GDPR rules; this consumer Policy does not cover staff HR files unless referenced explicitly.
23. Product-specific communications
When you purchase GreenVascura, we may send factual communications about storage, batch updates, or safety notices. These service messages are distinct from marketing and may be sent under contractual necessity even if marketing is opted out.
24. Language
The authoritative business language of Dhorxellvorx is English for this site version. Translations may be provided for convenience; where they diverge, the English commercial records prevail unless mandatory local consumer law requires otherwise.
25. Contact
Questions about privacy may be directed to help@dhorxellvorx.world or by post to Centralplan 15, 111 20 Stockholm, Sweden.