Privacy Policy | Vaylo & Chelvarezla Legal Hub

Introduction and commitment

We treat privacy as part of product quality. The statements below follow the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act implementing GDPR, and ePrivacy-oriented expectations for transparent communication. Nothing here limits mandatory rights granted to you by law.

If you need this policy in another format, or if you wish to exercise a right described later, email us using the address listed under Controller. We verify identities proportionately before disclosing records.

Data controller identity

The controller is Chelvarezla.world, presenting the Vaylo supplement line, with registered postal address at Grønlandsleiret 16, 0190 Oslo, Norway. The primary electronic contact is talk@chelvarezla.world. For registered correspondence you may also refer to the postal address above.

We cooperate with Datatilsynet, the Norwegian Data Protection Authority, and recognise parallel oversight from other EU or EEA supervisory authorities if you reside outside Norway but within those territories.

Material scope

This policy covers processing through our website, HTML forms, email dialogue initiated from published addresses, and operational tooling needed to respond to inquiries or fulfil orders placed via approved channels. Third-party marketplaces may attach their own notices; when you buy elsewhere, both notices may apply side by side.

Categories of personal data

Depending on your interaction we may process: identity and contact details (full name, country, city where you share it, email address, phone number if you provide one); commercial content within messages; technical metadata generated by routine server logs (approximate timing, IP address, user agent, referring URL); consent logs for cookies; limited transaction metadata if you complete a purchase (order identifiers, delivery preference, payment status without full card numbers); and audio or documents you voluntarily attach.

Purposes of processing

Operating secure browsing, load balancing, rate limiting, and abuse mitigation.
Answer questions, prepare quotations, and manage wholesale credentials.
Perform contracts, including logistics coordination and after-sales assistance.
Meet bookkeeping, invoicing, and tax obligations.
Improve information architecture using aggregated or pseudonymous analytics where you opt in.
Maintain mailing lists or creative campaigns only with explicit consent.

Lawful bases in detail

Contractual necessity covers steps before purchase and performance afterwards. Legal obligation covers fiscal archives and regulatory audits. Legitimate interests cover proportionate fraud screening, network security, and internal reporting, each documented in our balancing tests. Consent covers optional cookies, marketing personalisation, and some newsletter segments. You may withdraw consent without retroactive invalidity.

Legitimate interest examples

We rely on this basis for securing dormant accounts, detecting credential stuffing attempts, enriching internal dashboards with anonymised session lengths, and training staff on de-identified transcripts when feasible.

When consent is refreshed

Marketing consent is renewed if you remain inactive for twenty-four months or if processing purposes widen materially. Cookie consent is replayed when we version identifiers or partner lists.

Retention schedule

Prospect communications default to twenty-four months from last reply unless a sale extends archiving. Contracts and tax evidence may persist seven years where Norwegian law requires. Security logs follow a ninety-day rolling deletion unless an investigation freezes segments. Backup tapes inherit the same policy upon restoration. Marketing consents expire after the inactivity window noted above unless you reaffirm.

Recipients and processors

We use vetted vendors for hosting, transactional email, ticketing, translation, carrier manifests, and payment capture. Each signs GDPR-compliant data processing terms, receives instructions for subprocessors, and supports audits. We never sell personal data in the conventional sense of exchanging lists for cash.

International transfers

Primary storage remains in the EEA. Where a tool temporarily routes data through another jurisdiction, we rely on Standard Contractual Clauses, supplementary technical measures such as tokenisation, and transfer impact assessments. Copies of relevant mechanisms are available upon legitimate request.

Security measures

Transport encryption via TLS, separation of staging and production, role-based access with multi-factor authentication for administrators, quarterly permission reviews, vendor due diligence questionnaires, and incident response drills form our baseline. Paper records, if any, stay in locked storage at the Oslo address.

Your GDPR rights

You may request access, rectification, erasure, restriction, objection, and portability as applicable. Automated decisions with legal effects are not used. Appeals can be filed with Datatilsynet or your local authority. We endeavour to answer within thirty days, extending where complexity demands and informing you promptly.

Supervisory contact

Datatilsynet, Postboks 458 Sentrum, 0105 Oslo, Norway — www.datatilsynet.no.

Children

Vaylo communication is designed for adults. We do not knowingly collect minors’ data without verified parental authority. If you believe we received such data inadvertently, alert us so we can delete it promptly.

Policy maintenance

Revisions appear on this page with an updated effective stamp generated when you load the document. Continued use after substantive change may be treated as acknowledgement where permitted. Archived PDF snapshots can be produced for dispute resolution.