Controller and representative contacts
The controller responsible for personal data processed through this website is the business
operating under the domain Wrozelonox.world, with a registered contact address at
Mannerheimintie 5, 00100 Helsinki, Finland. You may direct privacy enquiries to chat@wrozelonox.world. We
recommend including enough context for us to verify your identity before we disclose
account-level information.
If you reside in another EU member state, you may also contact your local supervisory authority.
In Finland, the Office of the Data Protection Ombudsman provides guidance and complaint intake.
Our cooperation with regulators includes timely responses to lawful information requests.
Categories of personal data
Depending on how you interact with us, we may process identity and contact details (name, email,
phone if provided), account credentials when you create a profile, order history, payment
references, delivery addresses, communications you send through forms or email, technical logs
(IP address, device type, browser version), cookie identifiers where consent applies, marketing
preferences, and notes created by customer service during ticket handling.
We do not intend to collect special categories of data. If you disclose health information
voluntarily in a message, we will restrict access to trained staff and delete content that is
not needed to answer your question, unless a longer retention period is mandated by law.
Purposes of processing
We process data to operate the website, fulfil contracts, communicate about Varexo orders,
improve product information layout, secure infrastructure, comply with accounting and tax rules,
analyse aggregated traffic when you consent, personalise marketing when you consent, handle
disputes, and defend legal claims. Our marketing avoids misleading health claims and follows
Finnish and EU advertising rules for food supplements. Each purpose is tied to a documented
retention rule reviewed at least annually.
Food supplement regulations require honest labelling but do not authorise
us to give personalised medical advice. Customer service may refer you to qualified
professionals when questions exceed general product education.
Legal bases under GDPR Article 6
Contractual necessity covers order processing, payment authorisation, and delivery coordination.
Legitimate interests cover fraud screening, network security, product improvement analytics that
do not require profiling, and internal reporting, balanced against your rights. Legal obligation
covers invoice archiving and regulatory disclosures. Consent covers optional newsletters,
certain cookies, and marketing personalisation where required by ePrivacy rules.
You may withdraw consent without affecting processing that rests on other lawful grounds.
Withdrawing consent may mean we cannot send promotional reminders even if you remain a customer.
Recipients and processors
We share data with hosting providers, transactional email services, payment processors, logistics
partners, customer support tooling vendors, and professional advisers bound by confidentiality.
Each processor receives only the data required for their function and must implement appropriate
technical and organisational measures. A current list of main categories of processors is
available on request.
International transfers
Where personal data leaves the European Economic Area, we rely on adequacy decisions adopted by
the European Commission or standard contractual clauses supplemented by transfer impact
assessments. Copies of relevant safeguards may be requested where disclosure does not prejudice
the rights of others.
Retention periods
Marketing consents and related profiles are kept until withdrawal or thirty-six months of
inactivity unless a shorter internal rule applies. Contract records and invoices may be stored
up to ten years where Finnish law requires. Web logs used for security are rotated within twelve
months unless an incident investigation extends the need. Cookie consent logs follow the Cookie
Policy schedule.
Your rights
You may request access, rectification, erasure, restriction, portability, and objection to
processing based on legitimate interests. You may lodge a complaint with a supervisory
authority. We will respond within one month in ordinary cases, extendable where complexity
warrants, and we will explain any refusal with reference to applicable law.
Security measures
We use TLS for data in transit, role-based access controls, monitoring for unusual login
patterns, vendor due diligence questionnaires, and staff training on phishing awareness. No
system is perfectly secure; please protect your devices and report suspected misuse promptly.
Automated decision-making
We do not make decisions based solely on automated processing, including profiling, which
produces legal or similarly significant effects concerning you.
Children
Our storefront targets adults. We do not knowingly collect data from children under sixteen
without verifiable parental consent. If you believe we have received such data, contact us for
prompt review and deletion.
Updates to this Privacy Policy
When processing activities change materially, we revise this text and refresh the dynamic date
shown in the banner at the top of the page. Continued use after notice constitutes acceptance of
reasonable updates unless a change requires fresh consent.