Controller: Vorghalxwydlixer.world, 1899 Fillmore St, San Francisco, CA 94115, United States. Privacy inbox: ask@vorghalxwydlixer.world.
Jurisdiction blend
We drafted this Policy so GDPR, UK GDPR, Swiss FADP considerations, and U.S. state laws can be read side-by-side without contradictions.
No health dossiers
Zivo content is educational. Do not submit diagnostic imagery or regulated health records through the inquiry form.
Plain-language promise
If anything reads like legalese fog, email us—we refine paragraphs quarterly based on reader feedback.
1. Scope & roles
This Policy covers personal data processed through https://vorghalxwydlixer.world, related landing experiences, customer success email threads, optional SMS pilots, and offline events where QR codes direct visitors to the same domain.
We act as a controller for brand, marketing, and prospect relationship data. When a payment processor or logistics carrier independently decides how to use identifiers, they act as separate controllers governed by their own policies.
2. Data inventory
We maintain an internal record of processing activities (ROPA-style ledger) summarizing these categories:
- Identity & contact fields captured when you type your name, email, phone (optional), or social handle into forms or email footers.
- Communications content such as questions about ingredients, retail partnerships, press interviews, or supplier audits.
- Device & usage metadata generated by hosting logs, load balancers, optional analytics pixels activated only after consent, and fraud scoring tools.
- Transactional artifacts including invoices, customs declarations, or rebate approvals when commerce actually completes.
- Preference tokens that remember cookie choices, language selection, or newsletter topic filters.
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email, billing address | You or your payment wallet |
| Commercial info | SKU interest, wholesale tier | Forms & CRM tagging |
| Internet activity | Pages viewed, consent logs | Cookies & server logs |
| Inferences | Likely region from IP | Automated enrichment |
3. Purposes & lawful bases
Under GDPR Article 6 we rely on contract preparation, legitimate interests, consent, or legal obligation depending on the task:
- Answering questions (contract steps / legitimate interest in service excellence).
- Fraud & abuse resistance (legitimate interest, proportionate monitoring).
- Optional analytics & marketing (consent via the cookie banner or email double opt-in).
- Regulatory recordkeeping (legal obligation for tax and product traceability).
CCPA/CPRA categories mirror the table above. We do not “sell” personal information or “share” it for cross-context behavioral advertising in the CCPA sense. Any future disclosures for monetary consideration would require a refreshed notice and explicit toggles.
4. Recipients & processors
Categories of recipients include cloud infrastructure vendors in Oregon and Virginia, encrypted email providers, contract manufacturers with need-to-know access to shipping manifests, professional advisors, and courts or regulators when mandatory.
Each vendor undergoes a lightweight due diligence checklist covering SOC reports, subprocessors, encryption defaults, and data deletion attestations. Contracts include GDPR Article 28 terms or CCPA service provider language as applicable.
5. Retention windows
- Inquiry threads: up to twenty-four months unless you ask us to delete earlier and no superseding law applies.
- Consent evidence: three years to demonstrate accountability to regulators.
- Server logs: ninety days rolling, except narrowly preserved slices for security investigations.
- Financial records: seven years where tax codes demand longer retention.
Automated deletion jobs run monthly; manual legal holds pause deletion for specific matters with written justification.
6. International transfers
When data leaves the EEA, UK, or Switzerland we implement Standard Contractual Clauses, UK IDTA equivalents, or other approved mechanisms, supplemented by transfer impact assessments documenting government access risks and supplementary measures such as encryption at rest.
Employees may access CRM entries remotely from approved devices only; portable media is prohibited for customer exports.
7. Security measures
We combine TLS 1.2+, AES-256 storage for backups, MFA on administrator accounts, least-privilege IAM roles, quarterly access reviews, and phishing drills. Incident response playbooks include customer notification thresholds aligned with GDPR Articles 33–34 and state breach statutes.
8. Your privacy rights
Depending on where you live you may request access, rectification, erasure, restriction, portability, objection, or withdrawal of consent. California residents may limit use of sensitive personal information when such data exists.
Submit requests through the privacy inbox with two data points to verify your identity (for example, email plus latest order reference). We respond within thirty calendar days unless complexity extends the timeline with notice.
You may appeal denials under Colorado, Connecticut, or Virginia procedures by referencing “Privacy appeal” in the subject line. EU residents may escalate to a supervisory authority; Irish Data Protection Commission routing is common for U.S. startups serving the bloc.
9. Marketing & profiling
We do not run automated profiling that produces legal effects. Marketing emails include granular unsubscribe links. SMS programs, when active, disclose message frequency and STOP instructions.
Paid advertising measurement: When you visit from paid campaigns (for example Google Ads in the United States), we and our partners may use cookies, pixels, or similar technologies that you control through our Cookie Policy and the cookie banner. These signals help attribute visits and conversions, cap ad frequency, and improve campaign relevance. We do not use ad platforms to collect health diagnoses or treatment records through this marketing site. Opting out of marketing cookies limits but may not eliminate all third-party ad measurement; you may also use platform-level ad settings published by Google and others.
10. Children
The site is intended for adults 18+. Guardians who believe a minor submitted data should alert us promptly so we can delete it and tighten spam filters against repeat attempts.
11. Policy evolution
Material changes receive a banner for thirty days where technically feasible, plus an updated stamp in this hero module. Continued use after the notice period constitutes acknowledgment except where fresh consent is legally mandated.
12. Contact & supervisory references
Postal address: Vorghalxwydlixer.world, 1899 Fillmore St, San Francisco, CA 94115, USA.
Email: ask@vorghalxwydlixer.world.
Although we have not yet appointed an EU representative, we monitor regulatory guidance and will publish one if volume thresholds require it.