Privacy Policy

Last updated: 16 March 2026

1. Controller and contact details

The data controller responsible for your personal data in relation to this website and the services described herein is:

Xorvaleniavim
Address: Kruunuvuorenkatu 1, 00160 Helsinki, Finland
Email: admin@xorvaleniavim.world
Phone: +3589664207

For any questions regarding this Privacy Policy or the processing of your personal data, please contact us using the details above.

2. Scope and applicability

This Privacy Policy applies to the website xorvaleniavim.world (the "Website") and to the processing of personal data carried out by Xorvaleniavim in connection with the Website, including when you place orders, contact us, or use our services. It explains what personal data we collect, for what purposes, on what legal basis, for how long we keep it, and what rights you have under applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

3. Personal data we collect

We may collect and process the following categories of personal data:

• Identity and contact data: name, email address, telephone number (if you provide it), and delivery or billing address when you place an order or contact us.
• Transaction and order data: order details, payment-related information (to the extent necessary for processing payments and refunds), and communication related to your orders.
• Technical and usage data: IP address, browser type and version, device type, operating system, referring URLs, pages visited, and approximate location (e.g. country or region) where this is derived from technical data. We may also collect information about how you use the Website (e.g. via cookies), subject to your consent where required by law.
• Communication data: content of messages you send us (e.g. via contact form or email) and our replies.

We do not collect special categories of personal data (e.g. health data) unless you voluntarily provide such information in a message. In that case we process it only to respond to your request and in accordance with applicable law.

4. Purposes and legal basis for processing

We process your personal data for the following purposes and on the following legal bases:

• Performance of a contract: To process and fulfil your orders, manage deliveries, handle returns and refunds, and communicate with you about your order. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Legitimate interests: To improve the Website, prevent fraud and abuse, enforce our terms, and defend our legal rights. Legal basis: legitimate interests (Art. 6(1)(f) GDPR), where our interests are balanced against your rights.
• Legal obligation: To comply with accounting, tax, and other legal obligations (e.g. in Finland and the EU). Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
• Consent: For non-essential cookies, analytics, or marketing communications where required by law. Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Retention periods

We retain your personal data only for as long as necessary for the purposes set out in this policy or as required by law:

• Order and transaction data: For the duration of the contractual relationship and thereafter for the period required by applicable tax and accounting laws (e.g. in Finland typically 6–10 years for accounting records).
• Contact and communication data: For as long as needed to handle your request and any follow-up, and where relevant for the establishment or defence of legal claims.
• Technical and usage data (e.g. server logs): For a limited period necessary for security and troubleshooting (e.g. up to 12 months), unless a longer period is required by law.
• Cookie and analytics data: As specified in our Cookie Policy and in accordance with your choices.

After the retention period, we delete or anonymise your personal data so that it can no longer be attributed to you.

6. Recipients and international transfers

We may share your personal data with:

• Service providers who assist us with hosting, payment processing, shipping, and customer support, acting as processors on our instructions and under appropriate contracts.
• Public authorities when required by law (e.g. tax authorities, courts).

When we transfer personal data to countries outside the European Economic Area (EEA), we ensure appropriate safeguards are in place (e.g. adequacy decisions, standard contractual clauses, or other mechanisms approved under GDPR). You may request details of these safeguards by contacting us.

7. Security measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

• Use of HTTPS and encryption where appropriate.
• Access controls and confidentiality obligations for staff and processors.
• Regular review of our security practices and contracts with processors.

While we strive to protect your data, no transmission over the internet or electronic storage is completely secure; we cannot guarantee absolute security.

8. Your rights under the GDPR

If you are in the EEA (including Finland), you have the following rights in relation to your personal data:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You may request deletion of your data in certain circumstances (e.g. where it is no longer necessary or you withdraw consent).
• Right to restriction of processing (Art. 18): You may request that we limit how we use your data in certain situations.
• Right to data portability (Art. 20): Where processing is based on contract or consent and carried out by automated means, you may request to receive your data in a structured, commonly used format.
• Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling. You may also object at any time to processing for direct marketing.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi.

To exercise any of these rights, please contact us using the details in section 1. We will respond within the time limits set by applicable law (generally one month under the GDPR).

9. Children

Our Website and services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete it.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top will be revised when we make material changes. We encourage you to review this page periodically. Where required by law, we will seek your consent or provide additional notice for significant changes.

11. Contact

For any questions about this Privacy Policy or our processing of your personal data, please contact:

Xorvaleniavim
Kruunuvuorenkatu 1, 00160 Helsinki, Finland
Email: admin@xorvaleniavim.world
Phone: +3589664207