Privacy Policy

Data Controller: Graxylonoehrexia — Arnulf Øverlands gate 2-8, 6509 Kristiansund N, Norway. Contact: correspondence-@graxylonoehrexia.world. Phone: +47 40 81 02 56.

1. Introduction

Graxylonoehrexia ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Norwegian law (including the Personal Data Act — Personopplysningsloven).

This policy applies to all personal data processed through our website at graxylonoehrexia.world and through any order forms or communications with us.

2. Data We Collect

We collect the following categories of personal data:

  • Contact and order data: Full name, email address, telephone number, delivery address, and order details provided when you submit an order or contact us.
  • Communications data: Content of messages or enquiries submitted via our contact or order forms.
  • Technical data: IP address, browser type and version, operating system, device identifiers, pages visited, referring URL, and session duration — collected automatically via cookies and server logs.
  • Cookie and preference data: Your cookie consent choices and settings stored in your browser's local storage.

We do not collect special categories of personal data (e.g. health information, genetic or biometric data) and we do not knowingly collect data from persons under 18 years of age.

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing your name, contact details, and order information to fulfil your order, arrange delivery, and provide customer service.
  • Compliance with a legal obligation (Art. 6(1)(c)): Retaining accounting and transaction records as required by Norwegian bookkeeping law (Bokføringsloven) and tax regulations.
  • Consent (Art. 6(1)(a)): Processing for analytics and marketing purposes where you have given explicit consent via the cookie consent banner. Consent may be withdrawn at any time.
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention, security monitoring, and improving the functionality of our website, where our interests do not override your fundamental rights.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Processing and fulfilling orders placed through our website;
  • Sending order confirmation and delivery status communications;
  • Responding to customer enquiries and support requests;
  • Maintaining accurate accounting and tax records as required by law;
  • Analysing website usage to improve user experience (where analytics cookies are enabled);
  • Preventing fraud and ensuring website security.

5. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Order and contact data: Retained for up to 5 years from the date of the last transaction, in accordance with Norwegian accounting obligations (Bokføringsloven § 13).
  • Technical and analytics data: Retained for up to 26 months from the date of collection, then automatically deleted or anonymised.
  • Cookie consent records: Retained for up to 12 months.
  • Marketing data: Retained until consent is withdrawn, after which data is deleted within 30 days.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with the following categories of trusted third parties, who act as data processors under binding contractual obligations:

  • Fulfilment and logistics partners: For delivery of orders. Only the data necessary for delivery (name, address, contact) is shared.
  • Payment processors: For secure payment handling. Payment data is processed directly by the payment provider and is not stored on our systems.
  • Analytics providers: Where analytics cookies are enabled, anonymised browsing data may be shared with tools such as Google Analytics.
  • Legal and regulatory authorities: Where required by applicable law, court order, or official regulatory request.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms compliant with GDPR Chapter V. Transfers only occur where necessary and are minimised to the extent possible.

8. Your Rights Under GDPR

As a data subject, you have the following rights, which you may exercise free of charge:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data where we no longer have a legal basis for processing it ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting prior lawful processing.

To exercise any of these rights, please contact us at the address provided in Section 10. We will respond within 30 days in accordance with GDPR Article 12.

9. Security Measures

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. Our website operates exclusively over HTTPS (TLS encryption). Access to personal data is restricted to authorised personnel only, and all third-party processors are subject to data processing agreements.

10. Contact and Supervisory Authority

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Graxylonoehrexia
Arnulf Øverlands gate 2-8, 6509 Kristiansund N, Norway
Email: correspondence-@graxylonoehrexia.world
Phone: +47 40 81 02 56

If you believe your rights have not been respected, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet), which can be reached at datatilsynet.no or by post at Datatilsynet, PO Box 458, 0105 Oslo, Norway.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will indicate the date of the last revision at the top of this page. Material changes will be communicated via a notice on our website. Continued use of the website after any changes constitutes acceptance of the updated policy.