Zipharonaighit.world operates VitalOne with a privacy-by-design mindset: we collect only what the checkout journey, customer care inbox, and security tooling require, then explain retention and rights in plain English aligned with the GDPR and the Norwegian Personal Data Act.
Controller
Zipharonaighit.world, Storgata 102, 9008 Tromsø, Norway.
Primary channel
talk@zipharonaighit.world
Supervisory authority
Datatilsynet for Norway-based complaints.
1. Data controller obligations
The data controller responsible for personal data processed through zipharonaighit.world is Zipharonaighit.world, trading as VitalOne, with its principal place of business at Storgata 102, 9008 Tromsø, Norway. We maintain an internal record of processing activities, review subprocessors yearly, and provide this statement so you can make informed choices before submitting forms or ordering products.
For privacy requests, include your name, the email address used on the form, masked order identifiers if available, and whether you seek access, rectification, erasure, restriction, portability, or objection. We verify identity proportionately before fulfilling requests and may ask for a signed declaration when fraud risk is elevated.
2. Scope, language, and minors
This policy applies to visitors and customers who interact with our website, forms, optional chat widgets, and transactional emails in English. The services target adults who can legally purchase food supplements in their jurisdiction. We do not knowingly collect data from anyone under 16. If you believe a minor submitted data, contact us immediately so we can delete or anonymise the entry and review acquisition channels.
Professional separation: VitalOne staff answer logistics and ingredient facts, not medical advice. Do not send clinical records through the general contact form; use secure channels offered by your clinician instead.
3. Categories of personal data
Depending on your interaction, we may process identifiers (name, email, phone if supplied), structured address data for shipments, message content, payment references (not full card numbers, which stay with payment processors), technical connection data (IP address, device type, browser, approximate location derived from IP), cookie identifiers stored per your banner choices, order references, loyalty notes you volunteer, and communications metadata (timestamps, ticket numbers, SMTP headers).
4. Purposes and legal bases (GDPR Article 6)
- Responding to order or product inquiries: processing is necessary for steps prior to a contract at your solicitation (Article 6(1)(b)) and, for optional marketing follow-up, explicit consent where applicable (Article 6(1)(a)).
- Compliance with accounting, tax, export, or customs obligations: legal obligation (Article 6(1)(c)).
- Fraud prevention, forensic review, and network security: legitimate interests in securing our systems (Article 6(1)(f)), balanced against your rights through minimisation and expiry.
- Analytics or marketing technologies: consent via the cookie banner when required (Article 6(1)(a)); strictly necessary storage may rely on legitimate interests or performance of a browsing contract depending on national guidance.
- Product improvement surveys: consent where responses are optional; aggregated statistics may rely on anonymous data sets.
5. Sources and voluntary nature
Most data originates directly from you. We may receive updated delivery instructions from carriers or payment confirmations from banking partners strictly to complete a transaction. Providing marketing permissions or optional survey answers is voluntary and does not block access to mandatory purchase steps.
6. Automated decision-making and profiling
We do not conduct automated decision-making that produces legal effects concerning you. Basic segmentation for email cadence, if activated, relies on explicit opt-in and transparent criteria. Any future scoring would be documented here with the right to human review.
7. Recipients and processors
Personal data is accessed by authorised personnel in Norway and by technical service providers acting as processors (for example, secure email delivery, hosting, off-site backup, fraud monitoring, or analytics if enabled). Processors are bound by written agreements requiring confidentiality, documented security measures, assistance with data subject requests, and GDPR Article 28 terms.
8. International transfers
If a processor stores data outside the European Economic Area, we rely on adequacy decisions, standard contractual clauses approved by the European Commission, or other Article 46 mechanisms, supplemented by technical safeguards such as TLS 1.2+ in transit and disk encryption at rest where offered. You may request a summary of applicable safeguards or copies of relevant Standard Contractual Clauses redacted for commercial confidentiality.
9. Retention periods
Inquiry messages remain for up to 24 months after the last substantive reply unless litigation or warranty threads require longer retention. Accounting and tax evidence may be stored up to seven years where Norwegian law mandates it. Cookie-linked logs follow the analytics vendor configuration, typically 14–26 months unless shortened. Security logs rotate after 90 days unless an active investigation extends the window. Marketing consents are refreshed or deleted after 24 months of inactivity.
10. Security measures
We implement HTTPS transport encryption, role-based access, password managers for administrative consoles, separation of production and staging environments, patch cadences for supported software, anomaly monitoring, tamper-evident backups, and least-privilege credentials for customer threads. No control is perfect. If we detect a likely breach affecting your rights, we notify Datatilsynet and affected individuals without undue delay when risk thresholds require it.
11. Your rights and how to exercise them
- Email talk@zipharonaighit.world with subject line “Privacy request”.
- Describe the right you invoke (access, rectification, erasure, restriction, portability, objection).
- Attach proof of identity when we cannot match your inbox to an order profile.
- Expect acknowledgement within five business days and substantive answers within 30 days unless complexity requires an extension we communicate in writing.
Subject to applicable law, you may also lodge a complaint with Datatilsynet or another EEA supervisory authority where you reside or work.
12. Complaints and escalation
If you disagree with our response, reply referencing your ticket number. Unresolved disputes may proceed to Datatilsynet mediation or, where consumer law allows, local courts without waiving mandatory protections.
13. Marketing preferences
Marketing emails include unsubscribe links processed within 48 hours. SMS or push channels, if introduced later, will use separate consents documented at collection. We do not sell personal data to data brokers.
14. Research and aggregated analytics
We may compile anonymised statistics on traffic, capsule interest, or geographic demand. These datasets cannot reasonably identify you and fall outside personal data definitions. If re-identification risk changes, we republish assessments.
15. Third-party links
Our site may reference scientific glossaries or carrier tracking pages. Their privacy policies apply once you leave zipharonaighit.world. Review them independently.
16. Updates to this policy
Material updates appear on this page alongside the live reference date shown above for transparency. Continued use after notification constitutes acceptance of non-material clarifications; material new purposes require renewed consent where the law demands it.