This Privacy Policy explains how Viphnorexak (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you visit viphnorexak.world (the “Website”), contact us, or request information about Holivana and related services. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Danish Data Protection Act (implementing supplementary rules, where applicable), and other relevant legislation.
1. Data controller and contact details
The data controller responsible for the processing described in this policy is:
Viphnorexak
Hovedvejen 101
2600 Glostrup
Denmark
Email: help@viphnorexak.world
Phone: +45 43 96 00 20
For privacy-related requests, you may contact us using the email address above. We may ask you to verify your identity before responding to access, rectification, deletion, or portability requests.
2. Scope and relationship to other documents
This policy applies to the processing of personal data through the Website, email, telephone, and other channels that reference this policy. If you purchase products or services, additional terms and invoices may contain further information about transactional processing. If you use optional cookies, our Cookie Policy also applies to your device data and consent choices.
3. Categories of personal data we process
Depending on how you interact with us, we may process the following categories of personal data:
- Identity and contact data: name, email address, telephone number, postal address, and similar identifiers you provide when you contact us, place an order, or submit a form.
- Communication data: messages you send, including order notes, support requests, and attachments you choose to provide.
- Transaction and order data: order number, product selection, payment reference, delivery status, and related correspondence (where applicable).
- Technical and usage data: IP address, browser type and version, device type, approximate location derived from IP, pages visited, referring URLs, timestamps, and similar information collected through server logs.
- Cookie and similar technologies data: identifiers stored on your device, preferences, and analytics data where you have consented.
- Compliance and security data: records of fraud checks, complaints, and actions taken to protect accounts and systems.
We do not intend to collect special categories of personal data (such as health data) through the Website. If you voluntarily disclose sensitive information in a free-text field, we will process it only to the extent necessary to respond to your inquiry and in line with applicable law.
4. Sources of personal data
We obtain personal data directly from you when you:
- complete a contact form or order form;
- email or call us;
- subscribe to marketing communications where you have opted in;
- use the Website and accept optional cookies.
We may also receive technical data automatically from your browser and device, and we may receive data from payment service providers, logistics partners, or fraud prevention providers strictly to the extent required to complete a transaction or protect our services.
5. Purposes and legal bases for processing
We process personal data only where we have a lawful basis under GDPR Article 6. The list below summarizes the main categories of processing, purposes, and legal bases:
- Website operation and security: To deliver pages, maintain availability, prevent abuse, protect against attacks, and analyze logs. Legal basis: legitimate interests (Article 6(1)(f)) in operating a secure, functional website; where required, compliance with legal obligations (Article 6(1)(c)).
- Responding to inquiries: To handle questions, complaints, and requests. Legal basis: legitimate interests (Article 6(1)(f)) and, where your inquiry relates to a contract, performance of a contract (Article 6(1)(b)).
- Order processing and delivery: To process orders, take payment, deliver products, communicate about delivery, and provide customer support. Legal basis: performance of a contract (Article 6(1)(b)).
- Accounting, tax, and regulatory compliance: To keep records required by accounting, tax, and consumer protection rules. Legal basis: legal obligation (Article 6(1)(c)).
- Marketing communications (optional): To send marketing emails or display personalized marketing where you have opted in. Legal basis: consent (Article 6(1)(a)).
- Analytics and optional cookies: To understand how the Website is used, improve content, and measure campaigns where you consent. Legal basis: consent (Article 6(1)(a)).
- Establishing, exercising, or defending legal claims: Where necessary to protect or assert legal rights. Legal basis: legitimate interests (Article 6(1)(f)).
Where we rely on legitimate interests, we balance our interests against your rights and freedoms. You may object to processing based on legitimate interests in certain circumstances, as described in Section 9.
6. Recipients and categories of recipients
We may share personal data with:
- Service providers: hosting providers, email delivery providers, customer support tools, and IT maintenance providers.
- Payment processors: providers that process card payments or other payment methods on our behalf.
- Logistics partners: carriers and warehouses involved in shipping and returns.
- Professional advisers: lawyers, accountants, and auditors where required.
- Authorities: where required by law or valid legal process.
We do not sell personal data. We do not allow third parties to use your personal data for their independent marketing purposes without your consent.
7. International transfers
Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or transfers to countries that have received an adequacy decision under GDPR Chapter V. You may request further information about safeguards by contacting us.
8. Retention periods
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law. Indicative retention periods include:
- Contact form and support messages: typically up to three years after the last contact unless a longer period is needed to resolve a dispute.
- Order and contract records: for the duration of the contract and, where applicable, up to ten years after the end of the financial year for accounting and tax purposes.
- Marketing consent records: until you withdraw consent, plus a short period to demonstrate consent.
- Server logs and security records: typically between thirty and one hundred eighty days, unless longer retention is necessary for security investigations.
- Cookie data: as described in the Cookie Policy and your browser settings.
After retention periods expire, we delete or anonymize personal data.
9. Your rights under GDPR
If you are located in the EEA or UK, you have the following rights under GDPR (subject to conditions and exemptions):
- Right of access: request confirmation of whether we process your personal data and obtain a copy.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion where applicable, for example where data is no longer necessary for the original purpose.
- Right to restriction: request restriction of processing in certain circumstances.
- Right to data portability: receive a machine-readable copy of data you provided where processing is based on contract or consent and carried out by automated means.
- Right to object: object to processing based on legitimate interests, including profiling for direct marketing.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: lodge a complaint with a supervisory authority.
In Denmark, the supervisory authority is the Danish Data Protection Agency (Datatilsynet), Borgergade 28, 5, DK-1300 Copenhagen K, Denmark. You can find official guidance on the Danish Data Protection Agency website.
10. Automated decision-making and profiling
We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you based solely on automated processing. If this changes in the future, we will update this policy and provide information where required.
11. Security measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Measures may include access controls, encryption in transit where appropriate, secure hosting environments, patching, monitoring, and staff training. No method of transmission over the Internet is completely secure; we encourage you to use strong passwords and protect your devices.
12. Children
The Website is not directed at children under 16 years of age. We do not knowingly collect personal data from children without parental consent where such consent is required. If you believe we have collected information from a child, please contact us and we will take steps to delete it promptly.
13. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through the cookie banner and your browser settings.
14. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. The “Last updated” date at the top will change when revisions are published. Material changes may be communicated through a notice on the Website or by email where appropriate.
15. Contact
For privacy-related questions or requests, contact us at:
help@viphnorexak.world · +45 43 96 00 20
Viphnorexak, Hovedvejen 101, 2600 Glostrup, Denmark