1. Data controller
The controller responsible for processing personal data obtained through this website and related communication channels is:
Kheflaxxnroz
Rokin 64A
1012 KW Amsterdam
Netherlands
Telephone: +31 20 624 4331
Email: relations@kheflaxxnroz.world
References to “we”, “us”, or “our” mean Kheflaxxnroz in this Policy. Where national law requires publication of additional commercial identifiers, you may request them by email and we respond without undue delay.
2. Scope and relationship to other notices
This Privacy Policy applies to personal data processed in connection with browsing kheflaxxnroz.world, submitting forms, corresponding with us, and purchasing or enquiring about Floravelle. It should be read together with our Cookie Policy, Terms of Service, and Return Policy. If you provide health-related information voluntarily, section 5 describes the heightened care we apply.
3. Categories of personal data
Depending on your interaction, we may process:
- Identity and contact data: name, delivery address, billing address, email address, telephone number when supplied.
- Order and transaction data: products ordered, price, payment status references, shipment tracking identifiers, communication about your order.
- Technical data: IP address, browser type and version, device type, operating system, referring URL, pages viewed, timestamps. Some technical data arise from cookies or similar technologies as described in the Cookie Policy.
- Communication content: free-text messages you send through contact or order forms, including optional details you choose to include.
- Consent records: logs that show cookie preferences, marketing permissions, or other explicit consents together with timestamps and policy versions.
- Fraud-prevention signals: basic risk indicators supplied by payment partners or our infrastructure providers.
We do not intentionally collect special categories of personal data (such as data revealing health, unless you volunteer it in a message). We ask you not to share unnecessary sensitive information. If you do, we will restrict access and delete the information when retention is not required by law.
4. Sources of personal data
We obtain personal data directly from you when you fill in forms, create an order request, email us, or call our listed number. We also generate technical data automatically when your device contacts our servers. Occasionally we receive updates from payment service providers, logistics partners, or fraud-screening tools strictly to complete a transaction you initiated.
5. Purposes and legal bases under the GDPR
We process personal data only where a legal basis under the General Data Protection Regulation (EU) 2016/679 applies. The table below summarises typical processing activities connected to Floravelle sales and website operation.
- Contract performance (Article 6(1)(b) GDPR). Processing your order, taking payment, arranging shipment, providing customer support about an existing purchase, and handling returns within the statutory framework.
- Legitimate interests (Article 6(1)(f) GDPR). Securing our website, detecting abuse, improving performance metrics where allowed without intrusive profiling, internal reporting, and asserting legal claims or defending against complaints, provided your interests do not override ours.
- Legal obligation (Article 6(1)(c) GDPR). Accounting and tax record keeping, responding to lawful requests from regulators or courts, and product-safety traceability where applicable.
- Consent (Article 6(1)(a) GDPR). Non-essential cookies, marketing emails when no soft opt-in applies, and any optional programmes we describe at collection. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Where you send us special-category data without a request from us, we rely on Article 9(2)(a) GDPR (explicit consent) if we must retain the message to assist you, or we delete the excess information when no consent exists and retention is unnecessary.
6. Marketing communications
We send commercial messages only when permitted by law, for example after you opt in or, where applicable, when you purchased similar products and we give you a clear chance to object at collection. Every marketing email includes an unsubscribe mechanism. You may also email relations@kheflaxxnroz.world with the subject “Marketing opt-out”.
7. Recipients and processors
We share personal data with service providers who process it on documented instructions, including:
- Hosting and infrastructure suppliers that store website files and databases.
- Payment acquirers or payment gateways that validate card or wallet transactions.
- Carriers and fulfilment partners that deliver Floravelle orders.
- Email delivery services that transmit transactional or marketing messages you agreed to receive.
- Professional advisers such as lawyers or accountants when confidentiality obligations apply.
Each processor is bound by a data processing agreement or statutory provisions requiring security and confidentiality. We do not sell personal data in the conventional sense of exchanging lists for monetary consideration.
8. International transfers
Where personal data moves outside the European Economic Area, we implement safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by transfer impact assessments when required. Copies of relevant safeguards may be requested by email. If a court or regulator invalidates a transfer mechanism, we will adopt an alternative approach consistent with applicable law.
9. Retention periods
We keep personal data only as long as necessary for the purposes described or as law mandates:
- Order and accounting records: up to seven years from the end of the financial year in line with Dutch bookkeeping obligations, unless a shorter period applies to specific elements.
- Marketing consents and suppression lists: until you withdraw consent or object, after which we retain minimal identifiers to honour your choice.
- Website logs and security monitoring: typically between thirty and ninety days, unless an incident investigation requires longer retention.
- Cookie-derived identifiers: according to the lifetimes stated in the Cookie Policy and your preferences.
- Unresolved disputes: for the duration of limitation periods applicable in the Netherlands.
When retention expires, we delete or irreversibly anonymise data unless a narrow statutory exception applies.
10. Security measures
We implement administrative, technical, and organisational measures appropriate to the risk, including TLS encryption for data in transit on production domains, access controls with least-privilege principles, authentication for administrative interfaces, malware monitoring on servers, backups with encrypted storage where feasible, and staff confidentiality commitments. No online transmission is completely immune to risk; you should protect your devices and credentials.
11. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Basic fraud checks may flag transactions for manual review, which involves human assessment.
12. Your rights
Subject to conditions in the GDPR and local law, you may:
- Request access to the personal data we hold about you.
- Ask for rectification of inaccurate data or completion of incomplete data.
- Request erasure (“right to be forgotten”) when grounds in Article 17 GDPR apply.
- Request restriction of processing in situations listed in Article 18 GDPR.
- Receive personal data you provided in a structured, machine-readable format and transmit it to another controller where processing is based on consent or contract and automated.
- Object to processing based on legitimate interests, including profiling, unless we demonstrate compelling grounds.
- Withdraw consent for processing that relies on consent, without affecting earlier lawfulness.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or another EU supervisory authority where you live or work.
To exercise rights, email relations@kheflaxxnroz.world with a description of your request. We may need to verify your identity before disclosing information. We respond within one month, extendable by two further months where complex, and we explain any refusal with legal reasoning.
13. Children
Floravelle is aimed at adults. We do not knowingly collect personal data from children under sixteen without parental authority. If you believe a minor provided data, contact us so we can delete it promptly.
14. Third-party websites
Our site may link to external resources. Their privacy practices are independent from ours. Review their policies before submitting personal data.
15. Changes to this Policy
We update this Privacy Policy when our processing activities or legal requirements change. The “Last updated” date at the top reflects the newest version. Material changes may be highlighted on the homepage or communicated by email when appropriate.
16. Contact
Questions about privacy may be sent to relations@kheflaxxnroz.world or by post to the controller address in section 1.