Phelaryndrex

Privacy Policy

Last updated: 11 March 2025

1. Data controller and contact details

The data controller responsible for the processing of your personal data in connection with this website and the sale of PhytoCardia is:

Phelaryndrex
Mannerheimintie 96, 00250 Helsinki, Finland
Email: touch@phelaryndrex.world
Phone: +358 300 20200

If you have any questions about this Privacy Policy or the processing of your personal data, you may contact us at the above address or email. We will respond to your request without undue delay and in any event within one month from the date of receipt, in accordance with the GDPR.

2. Scope, applicability and legal framework

This Privacy Policy applies to the website phelaryndrex.world and to all personal data we collect when you visit the site, place an order, contact us, subscribe to communications, or otherwise interact with our services. It covers both data collected through automated means (such as cookies and server logs) and data that you provide voluntarily (such as order and contact form data).

Our processing of personal data is carried out in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), the Finnish Data Protection Act (Henkilötietolaki 1050/2018, as amended), the Finnish Act on the Protection of Privacy in Electronic Communications, and any other applicable Finnish and European data protection legislation. Where we refer to “personal data”, we mean any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

We process personal data only where we have a lawful basis under Article 6(1) GDPR: (a) your consent; (b) performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; (c) compliance with a legal obligation to which we are subject; (d) protection of your or another person’s vital interests; (e) performance of a task carried out in the public interest; or (f) our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms. For each category of processing described below, we indicate the relevant legal basis and retention period.

3. Personal data we collect and purposes of processing

3.1 Data you provide when placing an order

When you place an order for PhytoCardia or other products via our website, we collect: your full name, email address, telephone number (if you choose to provide it), delivery address (including postal code and country), and any message or special instructions you include with the order. We use this data to: (i) process and fulfil your order; (ii) send you an order confirmation and, where applicable, shipping and tracking information; (iii) communicate with you about your order (e.g. in case of delays or issues); (iv) comply with our legal obligations under Finnish accounting, tax and consumer law; and (v) defend or enforce our legal rights where necessary.

Legal basis: Performance of the contract (Article 6(1)(b) GDPR) for order processing and delivery; compliance with a legal obligation (Article 6(1)(c) GDPR) for retention and disclosure to tax or other authorities where required. Retention: We retain order-related personal data for as long as necessary to perform the contract and to comply with legal obligations. Under Finnish law, accounting records (which may include order data) must be kept for at least six (6) years from the end of the financial year. After that period, or once the data is no longer necessary for the above purposes, we will delete or anonymise it so that you can no longer be identified.

3.2 Data you provide when contacting us

When you use the contact form or contact us by email or phone, we may collect: your name, email address, telephone number (if provided), and the content of your message or enquiry. We use this data solely to respond to your enquiry, to provide customer support, and to improve our services based on feedback. We do not use contact form data for direct marketing unless you have given separate consent.

Legal basis: Your consent (Article 6(1)(a) GDPR) when you submit the contact form; or our legitimate interest (Article 6(1)(f) GDPR) in responding to business enquiries. Retention: We retain contact correspondence for a period of up to twenty-four (24) months from the last communication, unless the matter relates to a dispute or legal claim, in which case we may retain it for longer in accordance with applicable limitation periods.

3.3 Automatically collected data (server logs and technical data)

When you access our website, our servers and any intermediate systems may automatically record technical data such as: your IP address; the date and time of your access; the pages or resources you request; the referring URL (if any); your browser type and version; your operating system; and, in some cases, device identifiers. This data is necessary for the operation and security of the website (e.g. to detect and prevent abuse, to ensure availability and performance, and to troubleshoot technical issues). Where we use analytics tools that process such data in a way that identifies or could identify you, we do so only with your consent as described in our Cookie Policy.

Legal basis: Our legitimate interest (Article 6(1)(f) GDPR) in ensuring the security, integrity and availability of our website and systems, and in improving our services. Where analytics involve non-essential cookies or similar technologies, the legal basis is your consent (Article 6(1)(a) GDPR). Retention: Server and security logs are typically retained for a period of twelve (12) to twenty-four (24) months, unless a longer retention period is required for the investigation of incidents, compliance with legal obligations, or the establishment, exercise or defence of legal claims. After the retention period, logs are deleted or anonymised.

3.4 Cookies and similar technologies

We use cookies, local storage, session storage and similar technologies as described in detail in our Cookie Policy. Strictly necessary cookies (e.g. for storing your cookie consent preference and for security) do not require your consent and are used on the basis of our legitimate interest in operating the website. Analytics and marketing cookies are used only after you have given your consent via our cookie banner or cookie settings. You may withdraw or change your consent at any time through the cookie settings available on the website. The personal data processed via cookies may include a unique identifier, your IP address, and information about your use of the site (e.g. pages visited, duration of visit), depending on the type of cookie.

Legal basis: For strictly necessary cookies: legitimate interest (Article 6(1)(f) GDPR) or, where applicable, legal obligation. For analytics and marketing cookies: your consent (Article 6(1)(a) GDPR). Retention: As set out in our Cookie Policy for each category of cookie (e.g. session cookies are deleted when you close your browser; persistent cookies may be stored for up to 12–24 months depending on purpose).

3.5 Data necessary for compliance with law

We may process and retain your personal data where necessary to comply with legal obligations imposed on us by Finnish or EU law. This includes, but is not limited to: obligations under tax law (e.g. to keep records of transactions and to disclose information to the tax authority upon request); obligations under consumer law (e.g. to retain proof of transactions and to cooperate with consumer authorities); and obligations under criminal or civil procedure (e.g. to respond to lawful requests from courts or law enforcement). In such cases, the scope and retention of the data are determined by the applicable law.

Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR). Retention: As required by the applicable legislation (e.g. at least six years for accounting-related data under Finnish law).

4. Recipients of your personal data and international transfers

We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this policy:

  • Payment service providers: To process payments (e.g. card payments, PayPal or other methods offered on the website). These providers may be established inside or outside the EEA. They process your payment data in accordance with their own privacy policies and applicable payment card industry standards.
  • Delivery and logistics partners: To ship your order to the delivery address you have provided. We pass on your name, delivery address and, where necessary, telephone number so that the carrier can deliver the product and, if applicable, contact you in relation to delivery.
  • IT and hosting providers: Providers that host our website, manage our servers, or provide other technical services may have access to personal data (e.g. server logs, order data stored in our systems) in the course of providing those services. We select providers that offer adequate guarantees and we enter into data processing agreements that comply with Article 28 GDPR, requiring them to process data only on our instructions and to implement appropriate security measures.
  • Professional advisers: Where necessary, we may share data with lawyers, auditors or other advisers bound by confidentiality obligations, for example in connection with legal proceedings or regulatory compliance.
  • Public authorities: We may disclose personal data to courts, tax authorities, consumer protection authorities, data protection authorities, or other public bodies when required by law or when necessary to establish, exercise or defend our legal rights.

We do not sell, rent or trade your personal data to third parties for their own marketing or other commercial purposes.

International transfers: Your data is primarily processed within the European Economic Area (EEA). If we transfer personal data to a country outside the EEA that has not been recognised by the European Commission as providing an adequate level of data protection, we will ensure that appropriate safeguards are in place, such as: (i) standard contractual clauses approved by the European Commission (Article 46(2)(c) GDPR); (ii) binding corporate rules; or (iii) another mechanism approved under the GDPR. You may request a copy of the safeguards we use for a specific transfer by contacting us at the details in section 1.

5. Your rights under the GDPR and Finnish law

Under the GDPR and the Finnish Data Protection Act, you have the following rights in relation to your personal data. These rights may be subject to certain conditions and limitations as set out in the GDPR and national law.

  • Right of access (Article 15 GDPR): You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to that data and to information such as the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period (or criteria for determining it), and the existence of automated decision-making. You also have the right to obtain a copy of your personal data, subject to the rights and freedoms of others.
  • Right to rectification (Article 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR): You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies: the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds; the data have been unlawfully processed; the data have to be erased for compliance with a legal obligation; or the data were collected in relation to the offer of information society services to children. This right is subject to exceptions where we are obliged or entitled to retain the data (e.g. for compliance with a legal obligation or for the establishment, exercise or defence of legal claims).
  • Right to restriction of processing (Article 18 GDPR): You have the right to obtain from us restriction of processing where: you contest the accuracy of the data (for a period enabling us to verify accuracy); the processing is unlawful but you prefer restriction to erasure; we no longer need the data but you need them for the establishment, exercise or defence of legal claims; or you have objected to processing pending the verification of whether our legitimate grounds override yours.
  • Right to data portability (Article 20 GDPR): Where the processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, where technically feasible.
  • Right to object (Article 21 GDPR): You have the right to object at any time to processing of your personal data which is based on Article 6(1)(e) (public task) or (f) (legitimate interests), including profiling based on those provisions. We shall no longer process the data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. Where your data are processed for direct marketing purposes, you have the right to object at any time to such processing, and we shall cease processing for that purpose.
  • Right to withdraw consent: Where processing is based on your consent (Article 6(1)(a) GDPR), you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). You can find their contact details and further information at tietosuoja.fi. We encourage you to contact us first so that we can try to resolve your concern.

To exercise any of the above rights, please contact us using the contact details in section 1. We will respond without undue delay and in any event within one (1) month of receipt of your request. That period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension and the reasons for the delay. If you make a request by electronic means, we will provide the information by electronic means where possible. We may ask you to verify your identity before responding to a request, to ensure that we do not disclose your data to an unauthorised person. There is no charge for exercising your rights unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, in accordance with the GDPR.

6. Security measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection of your personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. Such measures include, but are not limited to: (i) the use of encryption (e.g. TLS/SSL) for data transmitted between your browser and our servers; (ii) secure storage of data on servers with restricted access and appropriate access controls (e.g. role-based access, strong authentication where applicable); (iii) limitation of access to personal data to authorised personnel only and on a need-to-know basis; (iv) regular review and, where necessary, updating of our security practices and the security measures of our service providers; (v) procedures to detect, respond to and recover from security incidents; and (vi) where appropriate, pseudonymisation and encryption of personal data stored or processed.

Despite our efforts, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data. You are responsible for keeping any passwords or other access credentials confidential and for ensuring that the devices you use to access our website are secure. If you become aware of any unauthorised use of your data or any security incident, please contact us promptly.

7. Children

Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you believe that your child has provided us with personal data without your consent, please contact us at the details in section 1. We will take steps to delete such data from our systems without undue delay, to the extent required by applicable law.

8. Automated decision-making and profiling

We do not use your personal data for automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. If we introduce such processing in the future, we will inform you and, where required by law, obtain your consent or ensure that another lawful basis and appropriate safeguards apply.

9. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in the data we collect, in the purposes or legal basis for processing, in our use of service providers, or to comply with new legal or regulatory requirements. The current version is always available on this page. We will indicate the date of the last update at the top of the policy. We encourage you to review this policy periodically. Where changes are material (e.g. a change in the purposes of processing or in the way we use your data in a manner that affects you), we may notify you by email or by a prominent notice on the website before the changes take effect, where appropriate and to the extent required by law. Your continued use of the website or our services after the effective date of the changes constitutes your acceptance of the updated policy, except where further consent or other steps are required by law.

10. Additional information for Finnish and EU users

This Privacy Policy is provided in English. In the event of any conflict between a translated version and the English version, the English version shall prevail. Your use of our website and services from Finland or from elsewhere in the European Economic Area is subject to the GDPR and any applicable national implementing or supplementary laws. Our principal place of business is in Finland, and we are committed to complying with Finnish data protection law and with the guidance and decisions of the Finnish Data Protection Ombudsman and the European Data Protection Board where relevant. If you have any questions about how we process your personal data or about this policy, please do not hesitate to contact us using the details in section 1.