Privacy Policy

Effective date: 23 March 2026

Document version: 1.0

This Privacy Policy explains how Klixarungrexmlox (“we”, “us”, “our”) processes personal data when you visit klixarungrexmlox.world, communicate with us, or purchase products such as Vascugest Vital. We process personal data in accordance with the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Danish Data Protection Act (Act No. 502 of 23 May 2018, as amended), and applicable sector guidance from the Danish Data Protection Agency (Datatilsynet).

1. Data controller and contact details

The data controller responsible for processing described in this policy is:

• Legal trading name: Klixarungrexmlox
• Registered office / postal address: Landemærket 3, 5, 1119 København, Denmark
• Email: office@klixarungrexmlox.world
• Telephone: +45 33 15 41 10

If we are required to publish additional public registration identifiers under Danish commercial law, those identifiers will be displayed on invoices, contracts, or the website footer when applicable.

2. Scope and relationship to other documents

This policy applies to personal data processed through our website, email, telephone, and related customer service channels. It should be read together with our Cookie Policy, Terms of Service, and Return Policy, which explain contractual terms, cookie technologies, and commercial rules that interact with privacy rights.

3. Categories of personal data we process

Depending on how you interact with us, we may process the following categories of personal data:

• Identity and contact data: full name, delivery address, billing address (if different), email address, telephone number, and similar identifiers you provide.
• Account and transaction data: order references, purchased items (for example Vascugest Vital), payment status, shipping selections, returns, and correspondence about your purchase.
• Communication content: messages you send through forms, email, or chat, including attachments where you choose to provide them.
• Technical and usage data: IP address, browser type and version, device type, operating system, referring URLs, pages viewed, approximate time zone, and similar diagnostics collected through logs or analytics tools where you have consented.
• Cookie and similar technologies data: identifiers stored on your device as described in our Cookie Policy.
• Compliance data: records required to demonstrate consent, marketing preferences, and complaints handling.

We do not intentionally collect special categories of personal data (so-called sensitive data under Article 9 GDPR) unless you voluntarily include such information in a message. If you provide health-related details without a separate legal basis, we will restrict processing to what is necessary to respond safely and may ask you to remove unnecessary information.

4. Purposes and legal bases for processing

We process personal data only where a legal basis applies. The table below summarizes common processing activities:

• Website operation and security (Article 6(1)(f) GDPR — legitimate interests): hosting, TLS encryption, abuse detection, fraud screening at a proportionate level, and maintaining stable service availability.
• Contract performance (Article 6(1)(b) GDPR): processing orders, taking payment through payment providers, arranging delivery, providing customer support about purchases, and managing returns within the statutory framework.
• Legal obligations (Article 6(1)(c) GDPR): bookkeeping, tax invoicing, responding to lawful requests from authorities, and product traceability where food law requires records.
• Consent (Article 6(1)(a) GDPR): optional analytics and marketing cookies, marketing emails where not covered by soft opt-in rules, and certain non-essential communications where we ask for explicit consent.
• Legitimate interests (Article 6(1)(f) GDPR), balanced against your rights: limited internal reporting, improving website usability based on aggregated data, and protecting our legal position in disputes, subject to proportionality.

Where local law requires a different basis for specific channels, we will adjust the processing and document the change in an updated policy notice.

5. Sources of personal data

We obtain personal data directly from you when you place orders, complete forms, subscribe to updates, or contact us. We may also receive data from payment service providers (payment confirmation, fraud indicators), carriers (delivery status), and IT vendors who host infrastructure under strict contracts.

6. Recipients and categories of recipients

Personal data may be shared with:

• Service providers who process data on our instructions, including hosting providers, email delivery services, customer ticketing tools, and analytics vendors where consent exists.
• Payment processors who handle card and alternative payment schemes according to their own privacy notices and PCI standards.
• Logistics partners who deliver physical goods and provide tracking information.
• Professional advisers such as accountants and lawyers, bound by confidentiality.
• Authorities when disclosure is mandatory under EU or Danish law.

We do not sell personal data as a commercial asset. Any transfer to a new owner through a merger or acquisition would be governed by continuity safeguards and notification requirements.

7. International transfers

Our primary processing occurs within the European Economic Area (EEA). If we transfer personal data to countries outside the EEA, we will ensure appropriate safeguards under Chapter V GDPR, such as the European Commission’s standard contractual clauses, supplemented by technical measures and transfer impact assessments where required.

8. Retention periods

We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law:

• Contract and order records: typically for the duration of the contractual relationship plus a period aligned with Danish bookkeeping and consumer law limitations, commonly up to five to ten years for accounting evidence, unless a shorter period applies to specific data elements.
• Marketing consents and unsubscribe logs: evidence of consent and suppression lists for the period necessary to demonstrate compliance.
• Support tickets: for a reasonable period after case closure to handle follow-up questions, usually not exceeding twenty-four months unless a dispute is ongoing.
• Server logs: rotated on a short cycle (for example ninety days) unless longer retention is needed for security investigations.
• Cookie-related records: as described in the Cookie Policy.

When retention ends, we delete or anonymize data where anonymization is feasible and informative value is not required for compliance.

9. Security measures

We implement appropriate technical and organizational measures, including:

• Transport encryption (HTTPS/TLS) for website connections where supported.
• Access controls and authentication for internal systems on a need-to-know basis.
• Vendor due diligence and data processing agreements with processors.
• Backups and continuity planning proportionate to risk.
• Guidance to staff on confidentiality and incident reporting.

No method of transmission or storage is completely risk-free. If we become aware of a personal data breach likely to affect your rights, we will assess notification duties under Articles 33–34 GDPR and cooperate with Datatilsynet as required.

10. Automated decision-making and profiling

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Limited fraud scoring performed by payment partners may involve automated checks under their policies; where such checks have a meaningful impact, those partners provide appropriate information in their own notices.

11. Your rights under GDPR

Subject to conditions and exceptions in the GDPR, you may have the following rights:

• Right of access (Article 15): request a copy of your personal data and certain contextual information.
• Right to rectification (Article 16): request correction of inaccurate data.
• Right to erasure (“right to be forgotten”) (Article 17): request deletion where grounds apply.
• Right to restriction (Article 18): request restriction of processing in defined situations.
• Right to data portability (Article 20): receive structured, commonly used, machine-readable data you provided, where processing is based on consent or contract and is carried out by automated means.
• Right to object (Article 21): object to processing based on legitimate interests or to direct marketing.
• Rights related to automated decision-making (Article 22): as applicable.
• Right to withdraw consent: where processing is consent-based, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint with a supervisory authority, notably Datatilsynet in Denmark.

To exercise rights, contact us using the details in Section 1. We may need to verify your identity before responding. We will answer within one month as a default, with extensions permitted under Article 12(3) GDPR when requests are complex or numerous.

12. Children’s data

Our website and products are directed at adults. We do not knowingly collect personal data from children under sixteen without parental authority where such consent is required. If you believe a child has provided data inappropriately, contact us so we can delete the information where appropriate.

13. Marketing communications

We send commercial email only where permitted by law, for example with your consent or within the Danish Marketing Practices Act rules for existing customers where applicable. You may opt out using unsubscribe links or by emailing us.

14. Records of processing and data protection impact assessments

We maintain internal records of processing activities as required by Article 30 GDPR, covering purposes, categories of data subjects, categories of personal data, recipients, transfers, retention, and a general description of security measures. Where processing is likely to result in a high risk to rights and freedoms, we assess whether a data protection impact assessment is required under Article 35 GDPR and consult Datatilsynet when mandatory criteria are met.

15. Processor agreements and onward transfers

We enter into Article 28 GDPR data processing agreements with vendors that process personal data on our behalf. Processors may only use subprocessors with our authorization or as permitted in the agreement, and they remain accountable for subprocessors’ compliance with documented instructions.

16. Data Protection Officer

Where appointment of a Data Protection Officer becomes mandatory under Article 37 GDPR, we will publish the DPO’s contact details here. Until such appointment is required and confirmed, privacy requests are handled by the controller contact in Section 1.

17. Changes to this Privacy Policy

We may update this policy to reflect legal, technical, or business changes. The effective date at the top will change accordingly. Material changes will be highlighted on the website or communicated where appropriate.

18. Contact and supervisory authority

For privacy questions, contact us at office@klixarungrexmlox.world. You may also contact Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, or via https://www.datatilsynet.dk/.