Privacy Policy

1. Data controller

The data controller responsible for processing personal data is:

Vrexalonprthol
Registered office and postal address: Nørrebrogade 8, 2200 København, Denmark
Email: support@vrexalonprthol.world
Phone: +45 69 16 41 01

Where reference to company registration numbers or VAT identifiers is required for your transaction, such identifiers will be stated on invoices, contracts, or upon request through the contact details above.

2. Scope and relationship to other documents

This Privacy Policy applies to processing carried out via the website, email, telephone, and related customer service channels operated by Vrexalonprthol. It should be read together with our Cookie Policy, Terms of Service, and Return Policy, which describe additional contractual and technical context.

If you provide health-related information voluntarily (for example in a free-text message), we treat it as special category data only where strictly necessary and in line with Article 9 GDPR, typically relying on explicit consent or a documented legal exemption. We ask that you avoid sharing unnecessary clinical details.

3. Definitions

Personal data means any information relating to an identified or identifiable natural person.
Processing means any operation performed on personal data, including collection, storage, disclosure, and erasure.
Data subject means the identified or identifiable person.
Recipient means a natural or legal person, public authority, agency, or another body to which personal data are disclosed.

4. Categories of personal data we collect

Depending on how you interact with us, we may process:

• Identity and contact data: name, delivery address, billing address, email address, telephone number, country of residence.
• Order and transaction data: products ordered, order references, payment status (payment card data is handled by payment service providers, not stored by us beyond what they return for reconciliation).
• Communication data: messages you send through forms, email threads, and call notes when you contact support.
• Technical and usage data: IP address, browser type, device identifiers, approximate location derived from IP, pages viewed, referring URLs, timestamps, and cookie identifiers when you have consented to non-essential cookies.
• Marketing preferences: newsletter opt-in status, campaign identifiers, and suppression lists.
• Compliance data: records demonstrating consent, complaint correspondence, and fraud-prevention signals where permitted.

5. Sources of personal data

We obtain personal data directly from you when you place an order, complete a form, subscribe to updates, or contact us. We may also receive technical data automatically through your browser or device. In limited cases, we receive updates from carriers (tracking events linked to your name and address) or payment partners (payment confirmations).

6. Purposes and legal bases

We process personal data only where a legal basis under Article 6 GDPR applies (and Article 9 where relevant). The table below summarises typical processing.

Purpose	Legal basis
Operating the website, displaying content, maintaining security, and preventing abuse	Legitimate interests (Article 6(1)(f)) to provide a secure service; where required, consent for non-essential cookies (Article 6(1)(a))
Processing and delivering orders, taking payment, providing customer support	Performance of a contract (Article 6(1)(b))
Compliance with accounting, tax, and consumer law obligations	Legal obligation (Article 6(1)(c))
Responding to enquiries submitted through the contact form when you have ticked the GDPR consent box	Consent (Article 6(1)(a)) for the specific enquiry; legitimate interests where we answer pre-contract questions
Direct marketing by electronic mail to existing customers about similar products, where applicable law allows	Legitimate interests or consent depending on channel and jurisdiction
Analytics and aggregated statistics where non-essential cookies or trackers are used	Consent (Article 6(1)(a))
Establishing, exercising, or defending legal claims	Legitimate interests (Article 6(1)(f))

7. Retention periods

We keep personal data only as long as necessary for the purposes collected, unless a longer period is required by law:

• Order and accounting records: up to seven years from the end of the financial year to which they relate, in line with Danish bookkeeping requirements, unless a shorter period is justified earlier.
• Marketing consents and marketing logs: until you withdraw consent or object, plus a short period to update suppression files.
• Customer service correspondence: typically up to three years after the last interaction unless linked to an active dispute.
• Technical logs required for security: rolling retention, commonly between thirty and ninety days, unless extended for incident investigation.
• Cookie and consent records: as described in the Cookie Policy, usually up to twelve months from the last update unless a longer proof period is needed.

When retention ends, we delete or irreversibly anonymise data where possible.

8. Recipients and processors

We share personal data with service providers who process it on our instructions (processors), including:

• Hosting and infrastructure providers that store website files and databases.
• Payment service providers and acquiring banks.
• Logistics and postal carriers.
• Email delivery and customer service tooling providers.
• Analytics or advertising platforms only where you have given consent for the relevant cookies or tags.

We use written data processing agreements that require processors to implement appropriate technical and organisational measures and to assist us with data subject requests.

9. International transfers

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by transfer impact assessments where required. Copies of relevant safeguards may be requested by contacting us.

10. Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects solely based on automated processing. Light-weight segmentation for marketing may occur after explicit consent, and you may withdraw consent at any time.

11. Security measures

We implement measures appropriate to the risk, including TLS encryption for data in transit on our storefront pages, access controls and authentication for administrative systems, principle of least privilege for staff accounts, malware monitoring on managed endpoints where applicable, backup procedures, and contractual confidentiality obligations for personnel and vendors. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your devices.

12. Your rights under the GDPR

Subject to conditions in the GDPR, you may have the following rights:

• Access: obtain confirmation whether we process your data and receive a copy.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion where applicable, for example when data is no longer needed or consent is withdrawn and no other ground applies.
• Restriction: limit processing in defined circumstances.
• Data portability: receive certain data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
• Object: object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
• Withdraw consent: where processing is consent-based, without affecting the lawfulness of processing before withdrawal.
• Lodge a complaint with a supervisory authority, notably Datatilsynet in Denmark (Carl Jacobsens Vej 35, 2500 Valby, Denmark, www.datatilsynet.dk).

To exercise rights, email support@vrexalonprthol.world with a description of your request. We may need to verify your identity before proceeding. We aim to respond within one month, which may be extended by two further months where complex.

13. Children

Our website and Calmora Active are aimed at adults. We do not knowingly collect personal data from children under 16 without parental authority. If you believe a child has provided data, contact us and we will take steps to delete it where appropriate.

14. Third-party websites

Our site may contain links to external pages. We are not responsible for their privacy practices. Review their policies before providing personal data.

15. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or business changes. The “last updated” date will be revised, and where changes are material we will provide additional notice as required by law, such as a banner or email.

16. Contact

For privacy questions or requests: support@vrexalonprthol.world or write to Nørrebrogade 8, 2200 København, Denmark.

17. Records of processing activities

We maintain internal records describing processing categories, purposes, data subjects, recipients, transfers, retention, and security measures, as required by Article 30 GDPR. These records are not published in full for confidentiality reasons but supervisory authorities may inspect them.

18. Data protection impact assessment

Where processing is likely to result in a high risk to rights and freedoms, we assess necessity and proportionality, consult stakeholders where appropriate, and document mitigation measures. Routine ecommerce processing with standard payment and logistics partners typically does not require a formal DPIA absent additional high-risk elements such as large-scale monitoring of public areas.

19. Processor instructions and audits

Processors receive documented instructions, including confidentiality duties, assistance with data subject requests, deletion or return of data at the end of services, and information necessary to demonstrate compliance. We perform periodic reviews of critical vendors and reserve contractual audit rights where proportionate.

20. Personal data breaches

In case of a breach affecting personal data, we evaluate risk to individuals. Where the breach is likely to result in a risk to rights and freedoms, we notify Datatilsynet without undue delay and, where required, communicate to affected data subjects with clear descriptions of the incident, likely consequences, and measures taken.

21. Joint controllers and independent controllers

Where we jointly determine purposes and means with another entity, we will make transparent arrangements defining responsibilities toward data subjects. Social plugins or embedded videos may involve independent controllers; we minimise such embeds and load them after consent where feasible.

22. Employee access and training

Staff with access to personal data receive confidentiality obligations and periodic awareness training on GDPR principles, phishing risks, and incident escalation paths.