Privacy Policy

This page is shown with today’s date for your reference. It describes how we process personal data when you use Khiphloxhlox.world and Wellix services.

GDPR & Norwegian law · Transparent retention · EU/EEA focus

Controller and contact information

The controller responsible for processing is Khiphloxhlox.world, operating the Wellix dietary supplement brand. We determine the purposes and means of processing for data described here unless another entity is named as joint controller in a specific agreement.

Khiphloxhlox.world
Olav Tryggvasons gate 28, 7011 Trondheim, Norway
Email: talk@khiphloxhlox.world
Phone support is scheduled through email so we can route your request to the correct specialist and keep an accurate record.

If you reside in the EU or EEA and wish to reach our data protection focal point, use the same email with the subject line “Data protection request”. We respond without undue delay and within statutory timelines.

Scope of this Privacy Policy

This policy applies to personal data processed through our website, checkout journey, customer care channels, marketing subscriptions that you opt into voluntarily, and post-purchase surveys we send with clear unsubscribe controls.

It does not cover anonymous statistics where individuals cannot reasonably be identified. It also does not govern third-party sites linked from our pages; their operators remain responsible for their own notices.

Categories of personal data

Identity and contact. Name, email address, phone number if you supply it, delivery address, and company details when you order for a workplace.

Transaction data. Items purchased, payment status references (not full card numbers, which our certified payment partners tokenize), shipment identifiers, and return case numbers.

Technical data. Browser type, operating system, coarse location inferred from truncated IP addresses, device identifiers, timestamps, crash diagnostics, and anti-fraud fingerprints.

Engagement data. Email open and click metrics when you consent to marketing, help-desk transcripts you initiate, and satisfaction survey answers beyond what is strictly contractual.

Please avoid embedding sensitive health information in free-text fields; if you disclose such data voluntarily, we restrict access and delete it when no longer required for the stated purpose.

This storefront does not provide medical services; contact forms are for orders and general service only, aligned with food supplement advertising rules in Norway and the EU.

Purposes and legal bases

Contract performance. We process order and delivery data so we can confirm purchases, ship Wellix products, handle warranty-style inquiries, and respond to product quality obligations.

Consent. Where you enable optional analytics or marketing cookies, subscribe to promotional email, or agree to personalized offers, processing relies on your freely given consent that you can withdraw through the same channels or the cookie banner without affecting unrelated order fulfillment.

Legitimate interests. We analyze aggregated traffic to secure our infrastructure, detect fraud patterns, improve navigation ergonomics, and document consent artifacts. Where required, we complete balancing tests and offer opt-outs compatible with the service.

Legal obligation. Accounting records, tax disclosures, and cooperation with competent authorities when compelled under Norwegian or EU law fall into this category.

Retention schedule

Invoices and bookkeeping materials remain available for up to seven years consistent with applicable Norwegian rules. Active customer profiles remain until you request deletion and no overriding law requires retention. Marketing suppression lists persist so we can honor unsubscribe choices even after profile deletion.

Security telemetry is rotated on a ninety-day cycle unless an active investigation mandates extended storage. Cookie consent JSON payloads expire after thirteen months from the last interaction unless you reset preferences earlier.

When retention ends, we erase or irreversibly anonymize data using procedures reviewed at least annually.

Recipients and processors

We rely on vetted service providers for payment capture, order fulfillment, cloud hosting inside or outside Norway, transactional email, and customer-support tooling. Each relationship is governed by data processing agreements requiring confidentiality, sub-processor notification where appropriate, and instructions that stay within this policy.

We do not sell personal data in the colloquial sense of exchanging lists for cash. Any monetized partnership that touches identifiers undergoes legal review and, where applicable, your explicit opt-in.

Your GDPR rights

You may request confirmation of processing, access to copies of personal data, rectification of inaccuracies, restriction while disputes are evaluated, erasure where no exemption applies, data portability for machine-readable outputs, and objection to processing justified on legitimate interests including profiling that produces legal or similarly significant effects (which we currently avoid).

To exercise rights, email us with a description of your request and proof of identity if we reasonably need to prevent impersonation. You may lodge a complaint with Datatilsynet at any time; we welcome the chance to resolve concerns directly first.

Security measures

We deploy TLS for data in transit, segregated production accounts with multi-factor authentication, least-privilege role design, encryption-at-rest for portable media, dependency patching windows, vulnerability scanning, and security awareness training for anyone with production access.

Backups are encrypted and tested periodically. Access logs are monitored for anomalous administrative behavior.

Personal data breaches

If we discover a breach likely to risk your rights, we document facts, contain the incident, notify Datatilsynet within statutory timelines when required, and communicate with affected individuals when the impact is high, including recommended mitigation steps.

International transfers

When processors are located in jurisdictions without adequacy decisions, we implement Standard Contractual Clauses or equivalent safeguards. You may request a summary of mechanisms by contacting the controller address above.

Automated decision-making

We do not make decisions based solely on automated processing that produce legal effects concerning you without human review.

Children

Wellix is marketed to adults. We do not knowingly collect data from children under digital consent age without verifiable parental authorization.

Changes to this policy

Material updates are published on this page with a refreshed narrative near the hero region. Where the law demands fresh consent, we will obtain it explicitly. The dynamic date shown at the top reflects the calendar day you are viewing the document in your browser; the substantive obligations are those in effect when the change is posted.