Identity of the data controller
The controller responsible under the General Data Protection Regulation (EU) 2016/679 is:
Wrexalonppchol.world
Beneluxlaan 505
1183 BP
Amstelveen
Netherlands
Email: chat@wrexalonppchol.world
We do not require a data protection officer appointment for our current processing volume under
Dutch implementation guidance, yet you may address privacy requests to the contact above with
subject line “GDPR request”.
Corporate registration numbers, VAT identifiers, and chamber of commerce
extracts are supplied in commercial invoices and due-diligence packets for partners.
Categories of personal data
Depending on how you engage with us, we may process the following categories:
- Identity and contact data such as name, email address, telephone number, delivery address,
and preferred language.
- Transaction data including products ordered, payment status references, refunds, and
correspondence about shipments.
- Technical data such as IP address, device type, operating system, browser version,
approximate location derived from IP, and HTTP referrer fields.
- Usage data describing pages viewed, approximate scroll depth when analytics cookies are
accepted, and consent logs.
- Communication content you voluntarily include in free-text fields, which may contain
health-related remarks; we discourage sharing clinical data and will delete obvious medical
records unless law mandates retention.
- Cookies and similar identifiers as further described in the Cookie Policy.
Purposes of processing
Order fulfilment and contract preparation
We use your details to confirm availability, calculate shipping, communicate delays, issue
compliant invoices, and meet consumer-information duties for food supplements.
Customer support and complaint handling
We retain ticket records to resolve disputes, document goodwill gestures, and demonstrate
regulatory cooperation when authorities ask proportionate questions.
Website integrity and fraud prevention
Server logs help block aggressive crawlers, limit brute-force attempts on forms, and maintain TLS
certificates.
Product improvement and limited analytics
Where you opt in, aggregated statistics show which education sections are read before purchase
without building psychological profiles.
Advertising measurement
Where you consent to optional marketing or analytics cookies, we may process limited technical
data to measure ad delivery and landing-page traffic from platforms such as Google Ads.
Processing follows platform policies and Dutch and EU marketing law; we do not use such data to
make or prove disease-related claims about food supplements.
Legal compliance
Tax, consumer, and food-safety laws may oblige us to archive contracts, adverse event
communications, and recall instructions.
Legal bases enumerated
Article 6(1)(b) GDPR
Processing necessary to take steps at your request prior to entering a contract and to
perform a contract once accepted.
Article 6(1)(c) GDPR
Processing necessary to comply with legal obligations in the Netherlands and, where
relevant, destination countries.
Article 6(1)(f) GDPR
Legitimate interests in secure operations, network defence, internal reporting, and
proportionate direct service messages about your existing order.
Article 6(1)(a) GDPR
Consent for optional marketing communications, non-essential cookies, and newsletter
subscriptions when you actively opt in.
Where special categories of data appear incidentally in your message, Article 9(2)(a) explicit
consent may apply; we will seek clarification before relying on it.
Retention periods
- Completed sales ledgers, invoices, and tax records: up to seven years after the calendar
year closing the transaction unless a shorter period is validated by an advisor.
- Pre-contract enquiries that never convert: up to twenty-four months for follow-up service,
then deletion or anonymisation.
- Consent logs and cookie documentation: thirteen months rolling from the last interaction
tied to that record.
- Server security logs: ninety days except when an incident investigation freezes a snapshot.
- Marketing unsubscribe records: indefinitely in a suppression list limited to email hashes to
honour opt-outs.
Automated deletion jobs run quarterly; manual reviews occur when law enforcement requests narrow
preservation duties.
Recipients and categories of recipients
We share data only with processors bound by Article 28 agreements, including:
- Hosting and email transport providers operating within the European Economic Area or
equivalent jurisdictions.
- Payment service partners who tokenise card data so we never store full PAN numbers on our
servers.
- Logistics partners needing name, phone number, and address for delivery.
- Professional advisers such as accountants, insurers, and external counsel under
confidentiality terms.
We do not sell personal data as that phrase is understood under the GDPR.
International transfers
Primary systems reside in the EEA. If a subprocessor moves to the United Kingdom or another third
country, we implement Standard Contractual Clauses, transfer impact assessments, and
supplementary technical measures such as encryption in transit and at rest commensurate with
risk.
You may request a redacted copy of our transfer summary by email.
Data subject rights
You may exercise the following rights without undue delay:
- Access: confirmation of processing and a copy of personal data undergoing processing.
- Rectification: correction of inaccurate facts.
- Erasure: deletion where no overriding lawful ground continues to apply.
- Restriction: freeze of processing while disputes are verified.
- Portability: structured, machine-readable export for data provided under contract or
consent.
- Objection: to processing based on legitimate interests, including profiling that produces
legal effects, where grounds relate to your situation.
- Withdrawal of consent: where processing relied on consent, without retroactive invalidity.
To lodge a complaint, contact the Dutch supervisory authority Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.
Security measures
We maintain password complexity rules, hardware security module backed key storage for
administrative accounts, least-privilege database roles, encrypted backups with immutable
snapshots, vendor due diligence questionnaires, and patch management for critical CVEs within
documented SLAs.
Despite diligent efforts, absolute security does not exist; notify us promptly if you suspect
unauthorised account activity.
Automated decision-making
We do not conduct automated decision-making, including profiling, that produces legal effects or
similarly significantly affects you within the meaning of Article 22 GDPR.
Children
We do not target individuals under sixteen and delete accounts identified as child-created once
reasonably aware.
Updates and questions
Material modifications appear on this page with a refreshed review stamp. Continued ordering
after the publication date constitutes acknowledgement unless mandatory law requires express
consent.
Questions: chat@wrexalonppchol.world
Back to homepage