Overview
We treat privacy as a product feature, not a footnote. When you browse our domain, submit a capsule inquiry, or correspond about regulatory filings, we only use personal data for purposes you can predict from the interaction itself. This document expands on summaries shown in forms and cookie banners so you never have to guess what happens behind the scenes.
The Nuvia line lives at the intersection of nutrition science and retail logistics. That means we routinely handle order identifiers, contact details, marketing preferences, compliance attachments, and analytics events. None of this information is sold as a standalone commodity. Monetisation happens through honest product sales, not through covert profiling marketplaces.
Controller details
The data controller responsible for GDPR inquiries is Grozelonkroz.world, with its principal place of business at Vitaminveien 7–9, 0485 Oslo, Norway. The statutory representative for EU correspondence may be reached via talk@grozelonkroz.world. Please include “GDPR request” in the subject line if you are exercising a formal right so we can route the message to the compliance queue within one business day.
Personal data categories
Identity & contact data includes full name, email address, phone number when provided, and typed delivery addresses. Transaction data covers order numbers, basket contents, payment method tokens generated by certified payment gateways, and VAT identifiers when businesses purchase wholesale. Technical data arises automatically: IP address, approximate location derived at city level, browser name, operating system, referral URL, and timestamps from security logs.
Marketing data records newsletter opt-ins, double-confirmation timestamps, and suppression lists for users who withdraw consent. Compliance data may include identity checks, customs paperwork, or documented allergy incidents you voluntarily share with our quality team. Cookie identifiers are pseudonymous strings stored on your device when optional analytics or advertising categories are enabled.
Purposes & legal bases
We rely on Article 6(1)(b) GDPR when processing is necessary to perform a contract—shipping bottles, issuing refunds, or answering pre-sales questions. Article 6(1)(c) covers statutory bookkeeping, consumer protection records, and tax filings. Article 6(1)(f) supports our legitimate interests in securing infrastructure, detecting duplicate fraudulent orders, and improving information architecture, always after balancing your rights. Article 6(1)(a) applies to non-essential cookies, optional newsletters, and certain case studies where we would publish quotes only after receiving clear consent.
Where Norwegian marketing law demands explicit permission, we log the wording of the checkbox you selected and the version ID of the interface. If regulators issue new guidance on health claims, we may process historical communications to demonstrate due diligence—typically under Article 6(1)(c) or (f) depending on context.
Retention & deletion
Completed inquiry forms remain for twenty-four months unless litigation or tax audits require longer freezing. Accounting ledgers follow the Norwegian five-year standard. Marketing consents persist until withdrawn, after which we retain only the fact of withdrawal for five years to prove compliance. Web server logs with full IP addresses rotate after ninety days, although anonymised aggregates may remain in analytics warehouses.
When you request erasure and no exception applies, we delete rows from production databases, revoke API tokens, and ask subprocessors to purge mirrored backups on their next cycle. Some residual copies may linger in disaster recovery snapshots until those tapes expire—typically fewer than thirty days.
Processors & recipients
We contract with email delivery providers, payment facilitators, freight carriers, customer-support ticketing software, cloud hosting vendors, and penetration-testing consultants. Each relationship is governed by Article 28 GDPR data processing agreements describing instruction rights, audit cadence, and breach notification windows. Employees receive role-based access: operations staff see logistics fields while engineers working on features rarely see plaintext mailing addresses.
International transfers
Whenever a vendor processes personal data outside the EEA or an adequacy decision jurisdiction, we implement Standard Contractual Clauses, supplementary technical measures such as tokenisation, and transfer impact assessments describing local surveillance laws. You may request a redacted copy of the assessment summary relevant to the product you purchased.
Security measures
Transport encryption uses modern TLS configurations. Password hashes employ slow key-derivation functions where authentication systems apply. We segment networks so CRM databases cannot be reached directly from public marketing landing pages. Incident response drills occur twice yearly, and findings feed into a corrective backlog prioritised alongside product features.
Your rights
Under GDPR you may request access, rectification, erasure, restriction, data portability, and objection. UK residents enjoy equivalent UK GDPR rights. You may also withdraw consent at any time without affecting the lawfulness of earlier processing. We will respond within thirty calendar days unless complexity justified under Article 12(3) demands an extension—if so, we explain why.
If you believe we mishandled your request, contact Datatilsynet in Norway or the supervisory authority of your habitual residence. We welcome dialogue before formal complaints whenever possible.
Children & sensitive data
Our storefront targets adults. We do not knowingly collect data from anyone below sixteen without parental authority. Health-related details you volunteer are treated as confidential special-category data when they cross GDPR Article 9 thresholds, accessible only to trained staff and stored with heightened access controls.
Updates & notifications
Material updates to this policy appear with a revised effective date at the top. If a change affects consent logic, we refresh banners on the homepage and, when feasible, email active account holders. Continued browsing after a reasonable notice period may constitute acceptance only for non-essential changes where the law permits.
Contact & complaints
Direct privacy questions to talk@grozelonkroz.world. For registered mail, use the Vitaminveien address listed above and mark the envelope “Privacy Office.” We log inbound requests in a tamper-evident ticketing system to prevent accidental loss.