1. Data controller and primary contact
The controller responsible for personal data is Ploxarelxitax.world, operating the consumer brand Nexoria, with a registered business address at Kaisaniemenkatu 1, 00100 Helsinki, Finland. For all privacy-related correspondence, including requests to exercise GDPR rights, email chat@ploxarelxitax.world. Postal inquiries should be marked “Data Protection” on the envelope so they reach the correct internal queue.
We may request reasonable verification before disclosing or modifying data tied to an account. Verification typically involves confirming an order reference, partial payment metadata, or a signed declaration when you lack access to the original email address.
2. Scope, definitions, and layered notices
This Policy applies to processing carried out via the public website, checkout flows, customer service inboxes, and optional marketing programmes operated under the same brand. “Personal data” means any information relating to an identified or identifiable natural person. “Processing” includes collection, storage, adaptation, retrieval, disclosure, erasure, or destruction.
Where we present short summaries in banners or checkout footers, those summaries are illustrative. This Policy remains the authoritative description unless a separate contract explicitly overrides it for enterprise clients.
3. Categories of personal data we process
- Identity & profile: full name, title, preferred language, and optional date of birth when you volunteer it for age-restricted offers.
- Contact: email address, telephone number, and delivery or billing addresses.
- Transaction: order identifiers, basket contents, payment status tokens, refund references, and correspondence about disputes.
- Financial metadata: last four digits of card numbers, payment method type, and fraud scores supplied by payment service providers—we do not store full payment credentials on our own infrastructure.
- Technical: IP address, device type, operating system, browser version, approximate location derived from IP, referrer URLs, and diagnostic logs.
- Usage & preference: cookie consent choices, newsletter topic preferences, and on-site behavioural metrics when you consent to analytics.
- Support content: free-text messages, attachments, and call-back numbers you supply when asking product or logistics questions.
4. Purposes and legal bases under Article 6 GDPR
4.1 Contractual necessity (Art. 6(1)(b))
We process identity, contact, transaction, and limited technical data to conclude and perform purchase contracts: confirming orders, arranging shipment, processing lawful refunds, and responding to delivery issues.
4.2 Legitimate interests (Art. 6(1)(f))
We rely on balanced legitimate interests for network security, abuse prevention, merchandise planning, aggregated reporting, and documenting commercial correspondence. You may object pursuant to Article 21 where applicable, and we will assess whether our interests override yours.
4.3 Legal obligation (Art. 6(1)(c))
Tax, accounting, consumer protection, and product-safety statutes may oblige us to retain certain records, disclose information to regulators, or cooperate with competent authorities.
4.4 Consent (Art. 6(1)(a))
Optional marketing emails, non-essential cookies, and certain surveys operate only with freely given, specific consent that you may withdraw at any time via unsubscribe links or the cookie preference centre.
5. Cookies and similar technologies
Strictly necessary cookies power security, load balancing, and storage of your consent decisions. Analytics and marketing cookies load only after you opt in through the banner or settings modal. Detailed descriptions, storage durations, and vendor categories appear in the Cookie Policy, which should be read together with this document.
You may reopen cookie preferences by clearing site data for ploxarelxitax.world and reloading the page, or by writing to us with the browser fingerprint timestamp captured in your consent log.
6. Retention periods and erasure cadence
Active customer profiles remain while your account stays open and for twenty-four months thereafter unless local law demands longer archival. Accounting and tax records follow Finnish bookkeeping rules, generally six fiscal years from the entry date. Marketing consents expire after twenty-four months of inactivity unless you reconfirm interest. Security logs rotate after ninety days unless an investigation requires an extended hold. Backup snapshots may temporarily retain deleted data until the next scheduled purge cycle, not exceeding thirty days.
7. Recipients, processors, and onward disclosure
We share data only with categories of recipients bound by written agreements: hosting providers within the EU/EEA, payment acquirers, fraud-screening partners, carriers, email delivery services, and professional advisers. We do not sell personal data. Lawful disclosure to courts or regulators occurs when mandatory legal process compels it.
8. International transfers outside the EEA
If a sub-processor operates outside the European Economic Area, we implement Standard Contractual Clauses, adequacy decisions, or supplementary technical measures such as encryption in transit and at rest. Copies of transfer impact assessments are available upon justified request.
9. Security measures
We maintain TLS encryption for web traffic, segregated production environments, role-based access with multi-factor authentication for administrators, periodic vulnerability reviews, and staff confidentiality commitments. Incidents posing a risk to individuals trigger notification procedures aligned with Articles 33–34 GDPR.
10. Your rights and how to exercise them
Access & portability
You may request a structured copy of data you provided where processing is automated and contract-based.
Rectification & erasure
We correct inaccurate fields and delete data when no overriding legal ground applies.
Restriction & objection
You may ask us to pause processing or object to certain legitimate-interest activities.
Complaints
Contact the Finnish Office of the Data Protection Ombudsman if you believe processing infringes the law.
11. Automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you.
12. Children
Our services target adults capable of entering binding contracts. If you believe we collected data from a person below the digital consent age applicable in Finland without verifiable parental permission, notify us so we can delete the information promptly.
13. Policy updates and escalation path
We review this Policy at least annually and whenever we launch materially new processing. The “Live document date” at the top reflects the calendar day on which you view the page, helping you confirm you are reading the latest rendered version. For substantive changes we may also email registered customers or display an on-site notice.
Questions about interpretation, processor lists, or data protection impact assessments should be directed to chat@ploxarelxitax.world with the subject line “GDPR inquiry”.