Reading tip: this is not personalised legal advice. If you need a formal Data Processing Agreement for wholesale volumes, email the address in the contact section with your corporate registration number.
Scope and material field
The policy covers personal data processed through the domain vomrelonvythreon.world, related mobile experiences that deliberately mirror the site, email inboxes operated by the controller, and offline notes captured at trade booths when you hand us a card. It does not cover social networks operated by third parties unless we later import those leads into our own CRM with your knowledge.
Supplement purchases trigger additional transactional datasets compared with pure browsing. Where a section applies only to buyers, we say so explicitly. Where figures appear (for example retention years), they refer to the default rule absent a superseding court order or regulatory inquiry.
Controller and representation
The controller is Vomrelonvythreon.world, trading under the Velio line, with postal address Rosenkrantz' gate 15, 0160 Oslo, Norway. The public email channel is ask@vomrelonvythreon.world. We do not maintain an EU representative beyond Norwegian jurisdiction because our main establishment sits in Norway; UK-related questions after Brexit are assessed under the UK GDPR bridge and adequacy decisions when you ship to Northern Ireland addresses.
Company registers
Statutory identifiers appear on invoices and advanced shipping notices for traceability during audits.
Dedicated inbox
Data protection requests should include enough detail for us to locate your account without unnecessary extra identifiers.
Categories of personal data
We process identity data (full name, title), contact data (email, phone, shipping line), financial identifiers (last four card digits, bank references via PSP tokens), transaction metadata (SKU, quantity, coupon usage), behavioural telemetry from the site (scroll checkpoints if analytics cookies are accepted), support chat transcripts you initiate, marketing preference vectors, and occasional special categories if you voluntarily disclose health-adjacent context in a ticket—those notes are minimised and deleted when the ticket closes unless law demands longer archival.
Purposes in plain language
We use the data to perform contracts, take payments, fight fraud, improve navigation flows, fulfil legal accounting duties, send service messages about shipments, document consent trails for optional marketing, and defend legal claims. We do not sell personal data; monetisation comes from product margins, not from brokered audience lists.
Checkout journey
Addresses travel to fulfilment software, while payment numbers stay tokenised at the gateway. We never store full payment credentials on Velio servers.
Post-purchase care
Refund investigations may merge order history with carrier scans. Retention for those bundles follows the refund section of this hub.
Optional research invites
If you opt in, we might invite you to anonymised surveys. Raw email connections are stripped before analysts see aggregate charts.
Legal bases under GDPR
Contract performance covers orders and support tickets. Legitimate interests cover fraud screening, network security, incremental UX testing, and limited business analytics with balancing tests documented internally. Legal obligations drive bookkeeping and consumer-law evidence. Consent, where required, is collected through granular UI controls—cookie banners for non-essential storage, newsletter forms for email units, and withdraw links in every footer module.
Recipients and processor map
Categories of recipients include hosting providers within the EU, transactional email services with SCC backups, payment acquirers, transport integrators, customer service SaaS, and accountants bound by confidentiality. Each relationship is governed by Article 28 agreements or statutory public-sector exceptions. Police requests are scrutinised for strict necessity before disclosure.
International transfers
Where processors sit outside the EEA, we implement Standard Contractual Clauses, transfer impact assessments, and supplementary technical measures such as TLS 1.2 or newer for data in transit and encryption at rest where the processor offers managed keys. You may request a summary redacted copy of the latest assessment relevant to your data categories.
Retention grid
Accounting artefacts remain up to seven Norwegian financial years. Web logs with IP addresses typically roll after ninety days unless integrated into a security incident bundle. Marketing consents and proof of double opt-in persist until you revoke and for a short cooling-off archive to prove compliance. Abandoned carts without a purchase delete identifiers after thirteen months unless you re-engage. Legal holds pause deletion timelines until matters resolve.
Security measures
Role-based access control, hardware key options for administrators, mandatory phishing drills, quarterly permission reviews, dependency scanning on build pipelines, segregated staging environments, and encrypted backups with offline rotation form the baseline. Incidents with likely risk to rights trigger notifications to regulators and, when high risk, direct notices to individuals.
Data subject rights
You may request access, rectification, erasure, restriction, portability for automated processing grounded in consent or contract, objection to certain processing, and explanation regarding automated decision-making with legal effects. You can lodge a complaint with Datatilsynet in Norway or your habitual residence supervisory authority where EU law allows cross-border escalation. We verify identity proportionately before honouring requests to prevent fraudulent erasures.
Automation and profiling
We do not carry out automated decisions that deny contractual access without human involvement. Risk scoring for fraud may flag transactions for review, but a person confirms outcomes. Product recommendation blocks on the site rely on coarse category affinity rather than invasive profiling.
Children
Our supplements target adults. We do not knowingly collect data from anyone under sixteen without verifiable parental authority. If you believe we have, ask for immediate deletion.
How we refresh this text
Material changes receive a summary banner on the storefront and, for registered customers, an email when address quality permits. The dynamic stamp at the top of this file shows the calendar context when you loaded the page; archived PDF snapshots can be supplied for dispute resolution upon fee-neutral request.
Privacy desk contact
Write to ask@vomrelonvythreon.world with subject line GDPR request plus a short description. We endeavour to answer within thirty days, extendable where complex, and we document extensions as GDPR contemplates.