Privacy Policy

Controller and contact details

The data controller responsible for processing described in this policy is Phivraxnkraxer.world, with its registered contact address at 3 Piccadilly Gardens, Manchester M1 3BN, United Kingdom. For general correspondence, including privacy enquiries, you may email talk@phivraxnkraxer.world. We recommend including “Privacy request” in the subject line when your message relates to rights under data protection law so we can route it efficiently.

We do not require you to create an account simply to read public pages. Where optional accounts exist for order history, the same controller relationship applies. If we appoint a data protection officer or EU representative in the future, their details will be added to this section and mirrored in our internal records of processing activities.

Scope and audience

This policy covers visitors to our website, individuals who submit contact forms, purchasers of EverVital food supplements, and business contacts who correspond with us in a professional capacity. It does not govern anonymous aggregated statistics that cannot reasonably identify you, except where such statistics are derived from identifiable events and therefore remain personal data until irreversibly anonymised.

If you provide information about another person, such as a gift recipient’s delivery address, you confirm that you have authority to share that information and that the recipient has been informed where required. Employment-related processing, if introduced later, will be described in a separate workforce privacy notice.

Categories of personal data

Depending on how you interact with us, we may process identity and contact data (name, email, telephone number, billing and delivery addresses), transaction data (order identifiers, product selections, payment status, refund references), technical data (IP address, browser type, device category, operating system, referring URL, timestamps, and pages viewed), communication content (free-text messages you send to us), marketing preferences (opt-in records, suppression lists), and cookie identifiers when you consent to optional categories described in our Cookie Policy.

We do not seek special category data through ordinary sales channels. If you voluntarily disclose health-related information in an email, we will restrict access to personnel who need it to respond and will not use it for unrelated profiling beyond what is necessary to handle your request, unless a separate lawful basis applies.

Purposes and lawful bases

We process data to operate the website securely, perform contracts with customers (including payment, delivery, and warranty-related support), comply with legal obligations such as tax and product traceability requirements, pursue legitimate interests that are not overridden by your rights (for example fraud monitoring, network security, and improving site stability), and send direct marketing where we rely on consent or soft opt-in rules applicable to existing customers of similar products.

Where consent is the basis—such as certain analytics or marketing cookies—you may withdraw it at any time without affecting the lawfulness of processing that occurred beforehand. Withdrawal may mean some features become unavailable, for example personalised offers that depend on optional tags you previously approved.

Advertising and conversion measurement

If you consent to marketing or analytics cookies, we or our processors may use tags to measure visits from online advertising (for example Google Ads) and to build aggregated conversion statistics. We do not use such tools to infer special category health data from supplement browsing alone. You can withdraw consent via our Cookie Policy controls; platform-level opt-outs may also be available from the relevant provider’s settings.

Sharing and processors

We share personal data with categories of recipients including payment service providers, fulfilment warehouses, carriers, email delivery vendors, cloud hosting providers, customer support tooling, and professional advisers bound by confidentiality. Each processor receives only the data needed for its function and must implement appropriate technical and organisational measures. We maintain a record of core processing activities and review subprocessors when contracts renew or services change.

We may disclose information when required by competent authorities, court orders, or to establish, exercise, or defend legal claims. We do not sell personal data in the conventional sense of exchanging lists for monetary consideration, and we do not permit processors to use your order history for their own independent marketing unrelated to providing services to us.

International transfers

Our primary operations are in the United Kingdom. If a service provider processes data outside the UK or EEA, we rely on adequacy regulations where available, or otherwise implement standard contractual clauses approved for UK transfers together with supplementary measures such as encryption in transit, access logging, and contractual audit rights. Copies of relevant transfer mechanisms may be requested where we are legally permitted to share them.

Retention periods

Marketing consent logs and preference centres are retained while the consent remains valid and for a short period afterwards to demonstrate compliance, typically not exceeding twenty-four months after withdrawal unless a dispute requires longer storage. Order and accounting records follow statutory retention periods commonly aligned with seven-year horizons for tax purposes where applicable. Server security logs with IP addresses may roll on a ninety-day cycle unless extended for incident investigation. Contact form messages are generally kept for twenty-four months unless linked to an ongoing complaint or legal process.

Security measures

We deploy HTTPS across the public site, enforce access controls on internal systems, encourage strong authentication for administrative accounts, maintain backups with encryption where supported, and patch dependencies according to risk. No system is perfectly secure; you should protect your devices, avoid reusing passwords across unrelated services, and report suspicious messages purporting to be from us.

Your rights

Subject to applicable exemptions, you may request access to your personal data, rectification of inaccuracies, erasure, restriction of processing, data portability for data you provided where processing is automated and based on contract or consent, and objection to processing based on legitimate interests including profiling within defined boundaries. You may also withdraw consent where processing relies on it.

We will respond within one month in ordinary cases, extendable by two further months where requests are complex, informing you of any extension and reasons. Identity verification may be required to prevent disclosure to impersonators. Automated decision-making that produces legal or similarly significant effects is not a core part of our current retail model; should that change, we will update this policy and provide meaningful information about logic and consequences.

Complaints to supervisory authorities

If you believe our processing infringes data protection law, you may lodge a complaint with the Information Commissioner’s Office in the United Kingdom or, if you reside in the EEA, with your local supervisory authority. We appreciate the opportunity to resolve concerns directly first through talk@phivraxnkraxer.world.

Changes to this policy

We revise this Privacy Policy when our practices, products, or legal requirements evolve. Material updates will be reflected here with a revised “Last updated” date generated dynamically when you load the page. Significant changes affecting existing customers may also be communicated by email where we hold a valid address and the change requires proactive notice.