Privacy Policy

Last updated:

1. Introduction

Welcome to Xephylarvun ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website xephylarvun.world or purchase our products.

This policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Finnish Data Protection Act (Tietosuojalaki 1050/2018), the Act on the Protection of Privacy in Electronic Communications (Laki sähköisen viestinnän tietosuojasta 516/2004), and other applicable Finnish and international privacy laws.

2. Data Controller Information

The data controller responsible for your personal data is:

3. Personal Data We Collect

We collect and process the following categories of personal data:

• Identity Data: Full name as provided in the order form
• Contact Data: Email address and phone number (if provided)
• Communication Data: Messages and inquiries you send to us
• Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website
• Usage Data: Information about how you use our website and services
• Consent Data: Records of consent you have given us

4. How We Collect Your Data

We collect personal data through:

• Direct interactions: When you fill out the order form, contact us, or subscribe to communications
• Automated technologies: As you navigate our website, we may automatically collect Technical Data through cookies and similar technologies

5. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

• Consent (Article 6(1)(a)): Where you have given explicit consent for processing, such as for marketing communications
• Contract Performance (Article 6(1)(b)): Processing necessary to fulfill your order and provide our services
• Legal Obligation (Article 6(1)(c)): Processing required to comply with legal requirements
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our services and website security

6. Purposes of Data Processing

We use your personal data for the following purposes:

• Processing and fulfilling your orders
• Communicating with you about your orders and inquiries
• Providing customer support
• Improving our website and services
• Analyzing website usage patterns
• Complying with legal obligations
• Preventing fraud and ensuring security
• Sending marketing communications (only with your consent)

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Order Data: 7 years from the date of transaction (for tax and legal compliance)
• Marketing Consent Records: Until consent is withdrawn, plus 3 years for record-keeping
• Technical/Usage Data: 26 months
• Customer Inquiries: 3 years from the last interaction

After the retention period, your data will be securely deleted or anonymized.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Request correction of inaccurate data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing (Article 18): Request limitation of how we use your data
• Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time
• Right Not to be Subject to Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing

To exercise any of these rights, please contact us at admin@xephylarvun.world. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against:

• Unauthorized access or disclosure
• Accidental loss, destruction, or damage
• Unlawful processing

Our security measures include:

• SSL/TLS encryption for data in transit
• Secure server infrastructure
• Access controls and authentication
• Regular security assessments
• Staff training on data protection

10. Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure adequate protection through:

• EU Standard Contractual Clauses
• Adequacy decisions by the European Commission
• Other approved certification mechanisms

11. Processors and Third-Party Sharing

We may share your personal data with:

• Processors (GDPR Article 28): Payment processors, shipping companies, and hosting or IT services that process personal data on our behalf. We use only processors that provide sufficient guarantees and are bound by written agreements requiring them to protect your data.
• Legal Authorities: When required by law or to protect our legal rights

We maintain records of processing activities as required by GDPR Article 30. All processors are bound by data protection agreements and process data only as instructed.

12. Cookies

Our website uses cookies and similar technologies. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

13. Children's Privacy

Our website and services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a new "Last updated" date. We encourage you to review this policy regularly.

15. Complaints

If you have concerns about how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. For Finland, this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). We will respond to your request to exercise your rights within one month; if we refuse, you may refer the matter to the Ombudsman.

16. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us: