Privacy Policy

Effective date: March 20, 2026. This Policy explains how Chelvareyx collects, uses, discloses, retains, and protects personal data when you visit chelvareyx.world or interact with Floravion-related services.

1. Data controller and contact information

The data controller responsible for personal data processing related to this website and the Floravion sales channel is:

Legal name: Chelvareyx
Registered address: 206 1st Ave, New York, NY 10009, United States
Email: info@chelvareyx.world
Phone: +1 (212) 253-8686

For EU and UK data subjects, you may contact us at the email above regarding GDPR or UK GDPR rights. We will respond within the timeframes required by applicable law. If you believe we have not addressed your concern, you have the right to lodge a complaint with your local supervisory authority. The Irish Data Protection Commission and other EU supervisory authorities maintain public contact portals for such complaints.

2. Scope and relationship to other documents

This Privacy Policy applies to personal data we process through the website, email, phone, web forms, and related fulfillment and customer service workflows. It should be read together with the Cookie Policy, which describes storage on your device, and the Terms of Service, which describe contractual rules for using the website and purchasing products.

This Policy does not govern third-party websites, social platforms, or payment processors beyond the portions where they act as independent controllers. When a provider presents its own privacy terms at checkout or authentication screens, those terms apply to data they collect directly.

3. Categories of personal data we process

Depending on how you interact with us, we may process the following categories of information:

  • Identity and contact data: full name, postal address, shipping address, email address, phone number, and similar identifiers you supply in forms or account communications.
  • Transaction data: product selections, request references, payment confirmation metadata provided by payment partners, refund references, and correspondence about orders.
  • Technical and usage data pertaining to visits: Internet Protocol address, browser type, operating system, approximate geographic area derived from IP, referral URL, pages viewed, time on page, and diagnostic events captured in server logs or analytics tools if you consent to them.
  • Cookie and similar identifiers: values stored in local storage or cookies when you accept optional categories. Strictly necessary cookies support session integrity and consent storage.
  • Communications content: text you type into contact forms or emails, including special categories of data only if you voluntarily include them. We ask that you avoid sending unnecessary health detail unless a lawful exception applies.
  • Compliance and fraud mitigation records: screening outcomes, dispute tickets, and chargeback documentation where required to fulfill legal obligations.

We do not collect biometrics and do not operate facial recognition features through this property. We do not knowingly sell the personal information of minors under sixteen years of age.

4. Sources of personal data

We obtain personal data directly from you when you submit forms, email us, call our published number, or complete checkout journeys handled by partners. We also obtain technical data automatically when your device connects to our servers. Occasionally partners transmit fulfillment updates or address corrections. We may enrich shipping labels using public postal formatting services that do not retain your data for marketing.

5. Purposes of processing and legal bases under the GDPR

For individuals in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases as described in Articles 6 and 9 GDPR where relevant:

  • Contract necessity (Art. 6(1)(b)): processing orders, delivering Floravion shipments, managing returns, and responding to transactional inquiries.
  • Legitimate interests (Art. 6(1)(f)): securing our infrastructure, debugging errors, documenting business communications, analyzing aggregate performance of the website, and defending legal claims, balanced against your rights.
  • Legal obligation (Art. 6(1)(c)): tax recordkeeping, product safety communications, responding to lawful requests, and honoring data subject rights requests within regulatory timeframes.
  • Consent (Art. 6(1)(a)): optional analytics or marketing cookies, certain newsletter communications if offered, and non-essential data uses where consent is the appropriate basis. You may withdraw consent without affecting lawfulness of processing before withdrawal.

Where special categories of data appear because you include them in free text, we treat them as manifestly made public by you or process them under explicit consent if we need to retain them for documented customer service. Whenever possible we redact unnecessary sensitive detail.

6. Purposes for United States visitors

For US residents we align disclosures with state laws such as the California Consumer Privacy Act as amended by the CPRA where applicable and other state comprehensive privacy statutes as they come into force. Purposes include:

  • Operating the website and processing orders.
  • Customer support, quality assurance, and training review of interactions where legally permitted.
  • Security monitoring, fraud screening, and bot mitigation.
  • Analytics and marketing only when permitted by your consent settings or applicable exemptions.
  • Compliance with federal and state requirements including tax, consumer protection, and labelling regulations for dietary supplements.

We do not use personal data for automated profiling that produces legal or similarly significant effects without human review and disclosure where required.

7. Sharing and categories of recipients

We disclose personal data only when necessary and under written agreements where appropriate. Recipients include:

  • Shipping carriers and warehouses responsible for physical delivery of Floravion inventory.
  • Payment processors that tokenize payment credentials; we typically receive confirmation tokens rather than full card numbers.
  • Email and telephony providers that relay messages between you and our team.
  • IT vendors providing hosting, logging, backup, and security services under confidentiality obligations.
  • Professional advisers such as attorneys and accountants bound by professional secrecy.
  • Authorities when compelled by lawful process or necessary to protect vital interests.

We prohibit recipients from using your personal data for independent marketing unrelated to our services unless you consent separately to them.

8. International transfers

Because our controller address is in the United States, data collected from EEA, UK, or Swiss individuals may be transferred to the United States. Where Standard Contractual Clauses, UK International Data Transfer Addendum, or Swiss revisions apply, we implement them with supplementary technical and organizational measures such as encryption in transit, access logging, and role-based access control. Copies of relevant transfer mechanisms may be requested through the contact email. We assess legislation in recipient countries and adopt supplemental measures if required by European Data Protection Board guidance.

9. Retention periods

Retention depends on the data category and legal requirements:

  • Order and accounting records: up to seven years from the transaction date to satisfy tax and commercial law evidence standards in the United States.
  • Customer service emails: generally twenty-four months unless a dispute extends the need.
  • Marketing consents and unsubscribe logs: life of the account relationship plus three years to demonstrate compliance.
  • Server logs: rolling ninety days unless longer retention is required for incident investigation.
  • Cookie consent records: thirteen months from the moment of choice, refreshed when you revisit preferences.

After retention expires we delete or irreversibly anonymize personal data. Backups may persist for disaster recovery windows but are isolated from production processing.

10. Security measures

We implement administrative, technical, and physical safeguards appropriate to the risk, including:

  • Transport Layer Security for public endpoints to resist interception.
  • Least-privilege administrative accounts with multi-factor authentication for privileged roles.
  • Periodic review of access logs and vendor security posture.
  • Employee confidentiality training and written policies referencing this Privacy Policy.
  • Segregation of production and testing environments to prevent accidental disclosure.

No method of transmission or storage is perfectly secure; we encourage you to use unique passwords and to contact us if you suspect unauthorized activity involving your data.

11. Your GDPR rights

If the GDPR applies, you may exercise the following rights subject to conditions and exemptions:

  • Right of access and copy.
  • Right to rectification of inaccurate data.
  • Right to erasure when processing lacks justification.
  • Right to restrict processing in specific circumstances.
  • Right to data portability for data processed by automated means under contract or consent.
  • Right to object to processing based on legitimate interests or for direct marketing.
  • Right not to be subject to solely automated decisions with legal effects, which we do not conduct as defined above.

To exercise rights, email info@chelvareyx.world with subject line "GDPR Request" and verify your identity using information we already maintain. We respond within thirty days unless complexity requires an extension as permitted by law.

12. US state privacy rights

Residents of states providing consumer privacy rights may request access, deletion, correction, or opt-out of certain disclosures depending on statute. We honor GPC signals where required. Financial incentives tied to personal information, if ever offered, will include written terms. Appeals processes required by Colorado, Connecticut, or similar statutes can be initiated via the same contact email with the word "Appeal" in the subject line.

13. Children

The website is directed to adults purchasing dietary supplements for themselves or dependents with guardian involvement. We do not knowingly collect personal information from children under thirteen without verifiable parental consent as defined by COPPA. If you believe we collected such information inadvertently, contact us for deletion.

14. Marketing communications

Commercial email, if sent, will include an unsubscribe mechanism honoring requests within ten business days as required by CAN-SPAM. SMS programs, if launched, will disclose frequency and data rates at signup.

15. Automated decision-making and profiling

We do not use profiling that denies financial services or employment. Recommendation engines on the website, if any, operate at an aggregate level and do not evaluate your health conditions.

16. Changes to this Policy

We revise this document when practices, regulations, or infrastructure change materially. The effective date appears at the top. Continued use after notice constitutes acceptance where allowed by law; where fresh consent is needed, we request it before activating new optional processing.

17. Regulatory disclosures for dietary supplement context

When you submit health-related anecdotes, we store them only for customer service context. They are not used to diagnose or treat medical conditions. Supplement labels follow FDA structure-function rules. Nothing in this Privacy Policy constitutes medical advice.

18. Records of processing activities

Internally we maintain a records inventory describing processing purposes, categories of data subjects, recipients, and anticipated erasure timelines. The inventory is available to supervisory authorities upon request and supports Data Protection Impact Assessments when we introduce processing that may affect rights substantially.

19. Subprocessors and vendor oversight

Representative categories of subprocessors include managed hosting providers, email transport vendors, ticketing systems, and penetration testing consultants. Contracts impose confidentiality, assistance with data subject requests, deletion upon offboarding, and breach notification windows. We evaluate vendor security questionnaires and, where feasible, SOC 2 reports.

20. Personal data breaches

We maintain an incident response plan with escalation paths, forensic preservation steps, and notification templates. If supervisory authorities or individuals must be informed under GDPR Articles 33 and 34, we do so without undue delay. US state laws may impose additional notice timelines we honor.

21. Sensitive data minimization

Free-text boxes sometimes invite unnecessary medical detail. We train staff to delete surplus sensitive information once the customer service interaction resolves. Automated scanning may redact national identification numbers if accidentally pasted.

22. Data Protection Officer status

Depending on regulatory thresholds, we may designate a Data Protection Officer and publish contact details. As of this version, general privacy requests route to info@chelvareyx.world. We update this section if a statutory obligation arises to appoint a named officer.

23. Law enforcement requests

Unless law prohibits notice, we evaluate subpoenas and preservation letters carefully, responding narrowly with data scoped to lawful requests. We may challenge overbroad demands and will not create backdoors contrary to published security architecture descriptions.

24. Research and aggregate analytics

We may produce aggregate statistics about supplement purchase volumes without identifying individuals. If future research uses identifiable data, we will seek explicit consent or rely on a recognized scientific research exemption after ethical review.

25. Employee access logging

Employees access personal data only when their role requires it. Access attempts generate audit logs retained for at least twelve months to detect misuse. Violations may result in disciplinary action and credential revocation.

26. Contact and supervisory authority information summary

Controller: Chelvareyx, 206 1st Ave, New York, NY 10009, United States. Email info@chelvareyx.world, phone +1 (212) 253-8686. EU and UK residents may contact their data protection authority if unsatisfied with our reply; US residents may contact state attorneys general for consumer protection matters within jurisdictional limits.

For Nevada residents, we do not sell covered information as defined in Chapter 603A of the Nevada Revised Statutes in exchange for monetary consideration without your direction, but you may still submit opt-out requests through the email above for consistency with other regimes.

27. Accessibility of this notice

We strive to present this Privacy Policy in readable formatting compatible with screen readers. If you require an alternate format, contact us describing the needed adaptation.

28. Version history reference

Version identifiers appear in the effective date banner at the top of this document. Historical copies are available upon authenticated request for disputes or regulatory inspections.