Privacy Policy

1. Data controller and representative contact

The controller responsible for personal data described in this Policy is:

• Name: Wrexalonthik.world
• Address: Torgallmenningen 8, 5014 Bergen, Norway
• Email: talk@wrexalonthik.world

2. Scope, audience, and age limits

This Policy applies to visitors of our website, people who contact us, newsletter or wait-list subscribers if we operate such features, and customers who purchase MovoDaily. The site and product are aimed at adults. We do not market to children and do not wish to process children’s data. If you believe a minor’s data reached us, notify us promptly so we can delete it subject to legal exceptions.

3. Categories of personal data we may process

The exact data depends on your interaction. Typical categories include:

• Identity: full name, title, social handle if you choose to share it.
• Contact: email, telephone, postal delivery address, billing address where different.
• Transactional: order identifiers, basket content history on our storefront, payment references, refunds and chargeback metadata.
• Financial (indirect): our payment service provider processes card data; we generally receive confirmation tokens, last four digits, brand, expiry, and fraud scores—not full primary account numbers on our own servers.
• Communications: free-text in contact forms, email threads, and call notes if you phone us and we summarize the request.
• Technical and usage: IP address, approximate geolocation from IP, device model, OS, browser, screen size bands, referrer URLs, session duration, click paths, and diagnostic timestamps.
• Cookie identifiers: where permitted, as detailed in the Cookie Policy.
• Compliance: identity screening outcomes if export control or sanctions screening is legally required for your jurisdiction.

• No deliberate sensitive health data via contact forms
• No biometric templates

4. Sources of data

We obtain personal data directly from you when you type it into our site, send email, or speak with us. We may also receive technical data automatically through server logs and optional analytics tools if you consent. Occasionally carriers or payment partners supply delivery status updates tied to your order.

5. Purposes and lawful bases under GDPR Article 6

5.1 Contract and pre-contractual steps

Processing your order, creating an account if we offer one, arranging shipment, taking payment, and answering product questions before you buy. Basis: Article 6(1)(b).

5.2 Legal obligation

Accounting records, VAT documentation, responses to competent authorities, and consumer dispute evidence. Basis: Article 6(1)(c).

5.3 Legitimate interests

Network security, abuse prevention, improving site stability, understanding aggregate product interest, enforcing terms, defending legal claims, and internal reporting. We balance these interests against your rights and offer opt-outs where required. Basis: Article 6(1)(f).

5.4 Consent

Optional analytics or marketing measurement tags activated through our cookie interface, and any future email marketing not strictly necessary for the contract. Basis: Article 6(1)(a); you may withdraw consent without affecting prior lawfulness.

6. Recipients, processors, and international transfers

We use carefully selected processors bound by Article 28 GDPR agreements. Categories include cloud infrastructure within the EEA or UK, transactional email, customer support ticketing, freight carriers, payment acquirers, accounting software, and external counsel. Some subprocessors may be in the United States or other third countries. Where GDPR requires safeguards, we rely on the European Commission adequacy decisions, Standard Contractual Clauses, UK IDTA equivalents, or other approved mechanisms and conduct transfer impact assessments when appropriate.

7. Retention schedule (summary)

Retention follows necessity and statute:

• Orders and invoices: up to seven years where Norwegian bookkeeping and tax rules require retention of underlying documentation.
• CRM and correspondence: generally twenty-four months after last inbound message unless a litigation hold applies.
• Web server logs: rolling deletion between fourteen and ninety days unless investigating incidents.
• Cookie consent strings: twelve months or until you clear storage, whichever comes first.
• Marketing consents: refreshed at least every twelve months of inactivity or sooner if industry practice changes.

8. Your GDPR rights and how to exercise them

You may request access, rectification, erasure, restriction, objection to processing based on legitimate interests, and portability where processing is automated and based on contract or consent. You may lodge a complaint with Datatilsynet. We respond within one month, extendable by two further months where complex, and we will explain any refusal with statutory references.

9. Security measures

Measures include TLS across public endpoints, role-based administrative access, unique credentials, principle of least privilege, vendor due diligence questionnaires, encrypted disks where offered by hosting, logging of privileged actions, and periodic review of subprocessors. Breaches posing risk to individuals will be notified to the supervisory authority within seventy-two hours where feasible and to you without undue delay when the risk is high.

10. Profiling and automated decision-making

We do not make decisions producing legal or similarly significant effects solely by automated means. Fraud scoring from payment partners may trigger manual review; that review involves humans.

11. Other jurisdictions

If you reside outside the EEA, local laws may grant additional rights. Nothing here limits mandatory consumer or privacy protections of your country when our marketing reaches you.

12. Policy maintenance

We review this Policy when we meaningfully change processing. The dynamic reference date at the top of the hero block updates on each page load to reflect when you are reading; substantive edits to legal text are logged internally and may also be mentioned by email to active customers when required.