Who controls personal data
The controller is Traxylonox.world, with postal address Sofienberggata 6, 0551 Oslo, Norway, and electronic contact via ask@traxylonox.world. When we reference “we” or “us” in commercial documents, we mean this entity unless a separate data processing agreement names a distinct legal person for enterprise clients.
Representative practice
We do not maintain a separate EU representative because our main establishment sits inside the EEA. Should that change after corporate restructuring, we will update this section before any new processing begins.
Supervisory dialogue
You may escalate concerns to Datatilsynet at datatilsynet.no. We cooperate with regulators in the language they request and document corrective measures when instructed.
Scope and material changes
This policy describes processing connected to browsing this website, completing lead forms, purchasing Minora products where enabled, receiving support, and receiving optional newsletters when you opt in separately. Offline processing tied to distributor contracts follows supplementary schedules referenced in those contracts.
Whenever we introduce a new category of personal data or a materially different purpose, we refresh this page, increase the version number in our internal register, and, where consent or legitimate interest balancing requires it, notify active customers directly.
The live “effective” stamp at the top of this page always mirrors the calendar day your browser reports when you load the document. For archival disputes, request a PDF export with server timestamps from our privacy desk.
Categories of personal data
Depending on how you interact with us, we may process some or all of the following:
- Identity and contact data: full name, salutation, billing or shipping addresses, telephone number, and corporate identifiers for B2B buyers.
- Communication content: free-text messages in forms, email threads, chat transcripts when offered, and attachments you voluntarily upload.
- Transaction data: order identifiers, SKU selections, VAT numbers for invoices, delivery preferences, and refund metadata.
- Technical data: truncated IP addresses, device type, approximate geolocation derived at city level for fraud analytics, and HTTP referrer fields.
- Usage data: aggregated events such as scroll depth categories, video engagement flags, and feature toggles associated with analytics cookies when consented.
- Preference data: marketing topics you select, language choice, accessibility settings stored locally in your profile if you create one.
We avoid collecting special categories of personal data unless you voluntarily disclose health context inside a support ticket. In that case we segregate such threads with restricted access and delete them once the ticket resolves unless law mandates longer storage.
Purposes and legal bases
Contract and pre-contract
Processing inquiries, quoting, charging, fulfilling shipments, and enforcing payment terms relies on Article 6(1)(b) GDPR. Where national consumer laws impose information duties, overlapping Article 6(1)(c) obligations may apply simultaneously.
Legitimate interests
We rely on Article 6(1)(f) for network security monitoring, duplicate account prevention, aggregated brand research, and limited B2B prospecting using public directories, subject to honoring opt-outs.
- Consent: non-essential cookies, SMS or push experiments, certain partner co-marketing surfaces.
- Legal obligation: bookkeeping, customs declarations, court orders, regulator audits.
- Vital interests: rare emergency disclosures to medical or security teams if a shipment incident creates imminent danger.
Each purpose links to an internal record of system owners, data fields, and deletion triggers reviewed quarterly by our privacy coordinator in Oslo.
Retention schedule
Retention balances statutory minimums, limitation periods for commercial disputes, and your expectation of deletion once a relationship ends.
| Dataset | Default retention |
|---|---|
| Marketing consents and logs | Until withdrawn plus twelve months for evidence |
| Order records | Five to ten years per accounting rules |
| Web logs | Ninety days, unless extended due to an incident |
| Support conversations | Twenty-four months post-closure |
Aggregated analytics where individuals are no longer identifiable may be stored indefinitely for capacity planning.
Recipients and subprocessors
We share personal data with infrastructure vendors under Article 28 GDPR agreements, including hosting within Frankfurt and Oslo regions, transactional email relays, payment facilitators licensed in the EEA, and courier APIs that require phone numbers for delivery windows.
Marketing partners never receive raw transactional history unless you join a double opt-in partner program with separate consent text. When auditors or investors request samples, we provide redacted extracts that suppress identifiers.
International transfers
Where a subprocessor operates outside the EEA, we execute Standard Contractual Clauses, perform transfer impact assessments when courts require supplemental measures, and document supplementary technical controls such as tokenization of identifiers before export.
You may request a redacted summary copy of the relevant transfer assessment when your data is affected by the transfer in question.
Your GDPR rights
Subject to statutory limits, you may access, rectify, erase, restrict, port, or object to processing. You may withdraw consent at any time without affecting prior lawful processing. Automated decision-making with legal effects does not occur on this consumer site.
Submit requests through the same email address listed at the top. We verify identity proportionally and respond within one month, extendable by two months when complex, notifying you of reasons.
Security measures
Controls include TLS 1.2 or higher on public endpoints, role-based access with quarterly reviews, encrypted backups rotated off-site, phishing-resistant internal MFA, and vendor SOC reports reviewed annually.
No system is impervious; we maintain incident playbooks, logging of privileged actions, and contractual notification duties toward partners when breaches might affect them.
Cookies and similar technologies
Details for each category, storage duration, and vendor relationships appear in our Cookie Policy. Consent records themselves are treated as personal data and stored with hashed IP fragments only.
Children
Our storefront targets adults. We delete profiles that appear to belong to individuals under sixteen once parental oversight cannot be documented.
Contact and questions
Write to ask@traxylonox.world with “Privacy request” in the subject line, or mail paper correspondence to Sofienberggata 6, 0551 Oslo, Norway. We welcome plain-language questions and will clarify jargon where helpful.