1. Data controller and contact
The controller responsible for processing personal data relating to this website and related customer communications is:
Khiphloxjrax
Shopping Mall REDI, Hermannin rantatie 5, 00580 Helsinki, Finland
Email: hello@khiphloxjrax.world
Phone: +35897744850
For privacy requests, please email the address above with “Privacy request” in the subject line. We may ask proportionate questions to confirm your identity before disclosing or changing information.
2. Scope and relationship to other documents
This Privacy Policy applies to personal data collected through this website, email, telephone, and related order or enquiry handling. It should be read together with the Cookie Policy, the Terms of Service, and the Return Policy. If you do not agree with this Policy, please discontinue use of the site except where law requires us to retain certain records.
3. Categories of personal data we process
Depending on how you interact with us, we may process:
- Identity and contact data: name, delivery address, billing address, email address, telephone number, country, and language preference.
- Order and transaction data: products ordered, order references, payment status information, shipping updates, returns, and correspondence about your purchase.
- Communication content: messages you send through forms, email threads, or recorded telephone notes when you contact customer service.
- Technical data: IP address, browser type, device type, approximate location derived from network information, timestamps, and diagnostic logs needed to secure the service.
- Cookie and similar data: identifiers stored on your device when you consent to optional cookies, as described in the Cookie Policy.
- Marketing preferences: opt-in or opt-out choices where marketing is used lawfully.
We do not ask you to send special categories of data (such as health data) through the website. Please avoid including sensitive information in free-text fields unless strictly necessary and lawful.
4. Sources of personal data
We obtain personal data directly from you when you place an order, create an enquiry, subscribe where available, or contact us. We may also receive limited data from payment service providers (for example, confirmation of successful payment without storing full card numbers on our servers when processing is delegated to a certified provider). We may receive updates from carriers for delivery purposes.
5. Purposes and lawful bases under the GDPR
We process personal data only when a lawful basis applies. The main bases we rely on are: performance of a contract (Article 6(1)(b) GDPR), legitimate interests (Article 6(1)(f)), compliance with legal obligations (Article 6(1)(c)), and consent where required (Article 6(1)(a)).
Contract and pre-contract steps. We process identity, contact, and order data to accept your order, take payment where applicable, deliver products, provide customer support, and handle returns within the scope of our policies.
Legal obligations. We retain certain accounting and tax records, respond to lawful requests from public authorities where required, and maintain records needed for consumer law compliance.
Legitimate interests. We use technical data for fraud prevention, network security, debugging, service improvement, and measuring aggregate site performance when compatible with your rights. Where required, we balance these interests against your interests and fundamental rights. You may object to certain processing as described below.
Consent. Where we place optional analytics or marketing cookies, or send optional marketing messages, we ask for your consent first. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
6. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Basic fraud checks may flag transactions for manual review, but a person reviews flagged cases before a final decision is made.
7. Recipients and processors
We share personal data with service providers who process data on our instructions (“processors”), such as hosting providers, email delivery services, payment processors, logistics partners, and IT support. We use written agreements that require processors to protect personal data and assist with compliance.
We may disclose personal data to professional advisers where required (for example, auditors or lawyers under confidentiality). We may disclose information when required by law, court order, or a lawful request from a competent authority, subject to applicable limitations.
If the business is reorganised, personal data may be transferred as part of that transaction with appropriate safeguards and notices where required.
8. International transfers
Our primary operations are in the European Economic Area (EEA). If any processor is located outside the EEA, we ensure appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by technical and organisational measures where needed, unless an adequacy decision applies.
9. Retention periods
We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law.
- Order and accounting records: typically for the duration of the statutory accounting and tax retention period applicable in Finland, often several years from the end of the financial period, unless a longer obligation applies.
- Customer service records: for a reasonable period after the last interaction to handle follow-up questions, warranty-related queries where applicable, and dispute resolution, unless a shorter or longer period is justified by law.
- Security logs: for a limited period necessary to detect misuse and secure systems, often rotated on a short cycle unless an incident requires longer retention.
- Marketing consents and suppression lists: until you withdraw consent or object, and thereafter minimal identifiers may be kept to respect your opt-out.
When retention ends, we delete or irreversibly anonymise data where feasible.
10. Security measures
We implement appropriate technical and organisational measures proportionate to the risk, including access controls, encryption in transit where appropriate for web traffic, separation of environments, logging, and staff training on confidentiality. No method of transmission or storage is completely secure; we work to reduce risk and respond to incidents in line with legal duties.
Access to personal data is limited to personnel and contractors who need it for their duties. We maintain records of processing activities at a level appropriate to our operations, review vendor security practices before onboarding, and patch systems as part of routine maintenance. Where remote access is used, we require strong authentication and secure devices consistent with our risk assessment.
11. Subprocessors and categories of recipients
We engage categories of processors that typically include: website hosting and content delivery; transactional email delivery; payment service providers; customer ticketing or email mailboxes; logistics and parcel carriers; accounting and invoicing tools; and IT support partners. The exact providers may change over time as contracts are updated. We remain responsible for personal data processed on our behalf and require data processing terms consistent with Article 28 GDPR.
We do not sell personal data as a business model. Any disclosure to public authorities follows applicable legal thresholds and procedural safeguards.
12. Personal data breaches
We maintain procedures to detect, assess, and document personal data breaches. Where a breach is likely to result in a risk to individuals, we will notify the supervisory authority without undue delay and, where required, communicate with affected individuals using clear language describing the nature of the breach, likely consequences, and measures taken or proposed.
If you become aware of a vulnerability related to our website, contact us responsibly through the email in Section 1 so we can investigate and coordinate remediation.
13. Marketing communications
Where we send electronic marketing to individuals, we do so in accordance with ePrivacy rules and the GDPR. Commercial communications are sent only with a valid legal basis, typically consent or soft opt-in where strictly permitted by national law for similar products. You may opt out of marketing at any time using the unsubscribe mechanism in messages or by emailing us.
14. Your rights under the GDPR
Subject to conditions in applicable law, you may have the following rights:
- Access: request a copy of personal data we hold about you.
- Rectification: ask us to correct inaccurate data or complete incomplete data.
- Erasure: ask us to delete data where grounds apply (for example, where data is no longer necessary).
- Restriction: ask us to limit processing in defined situations.
- Data portability: receive certain data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
- Object: object to processing based on legitimate interests, including profiling insofar as it relates to those interests, and to direct marketing where applicable.
- Withdraw consent: where processing is consent-based, withdraw consent at any time.
To exercise these rights, contact us using the details in Section 1. We will respond within one month in ordinary cases, with a possible extension of two further months where a request is complex, in line with Article 12 GDPR.
You also have the right to lodge a complaint with a supervisory authority. In Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) is reachable at tietosuoja.fi, with contact details published there.
15. Decision-making records
Where we rely on legitimate interests, we maintain internal notes sufficient to demonstrate how we balanced our interests against your rights in proportion to the processing context. These notes may be reviewed during audits or supervisory requests where applicable.
16. Children
Our services are directed at adults. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will take steps to delete it where appropriate.
17. Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. The “Last updated” date will change accordingly. Material changes will be brought to your attention where required, for example through a notice on the website or email where we have your address.
18. Contact
Questions about privacy may be sent to hello@khiphloxjrax.world or by post to the address in Section 1.