Transparency archive GDPR Chapter III & IV

Privacy Policy

Zorvexaldhod.world operates Movira digital channels under the EU General Data Protection Regulation, the Dutch GDPR Implementation Act (UAVG), and sector guidance from the Autoriteit Persoonsgegevens. The notice explains every category we touch, why it exists, how long it stays, and which parties assist us.

Current document date:

1. Data controller identity

The controller responsible for personal data on https://zorvexaldhod.world/ and related Movira services is:

Zorvexaldhod.world
Lijnbaan 140, 3012 ER Rotterdam, Netherlands
Email: chat@zorvexaldhod.world

Representatives for supervisory correspondence may be appointed in writing; until published, address requests to the postal line above.

2. Material scope

The policy covers ecommerce visitors, testers, wholesale buyers, press contacts, prospective employees who email speculative CVs, and anyone submitting the Movira request form. It complements the Cookie Policy, which governs consent storage and analytics identifiers.

Offline events, paper contracts, or voice calls may generate additional records; when those diverge, we issue a supplemental notice at collection time.

3. Categories of personal data

Identity & contact

Full name, invoice name, email, optional phone, shipping address, company registry numbers, VAT identifiers, and unstructured text inside message bodies.

Transaction metadata

Order identifiers, SKU lists, payment confirmation tokens (never full card numbers), chargeback references, and voluntary survey responses.

Technical telemetry

IP address, approximate geolocation derived from IP, browser family, device type, referrer URL, crash logs if you opt into diagnostics.

Compliance artifacts

Age attestations, copies of identity documents when fraud teams require verification, customs paperwork, and regulator correspondence.

We discourage embedding sensitive health details in free-text fields. If you volunteer such content, we segregate it and delete it once the request concludes unless a distinct legal duty mandates retention.

4. Purposes and legal bases

Contract & pre-contract (Art. 6(1)(b)): quotes, fulfilment, subscription renewals, merchant-of-record payouts.

Legal obligation (Art. 6(1)(c)): tax books, consumer cooling-off evidence, product traceability, court orders.

Legitimate interests (Art. 6(1)(f)): cybersecurity, duplicate detection, internal reporting, limited brand protection scans balanced against your rights.

Consent (Art. 6(1)(a)): optional newsletters, non-essential cookies, testimonials featuring your name.

Where national implementations require impact assessments, we document them internally and provide excerpts to regulators upon request.

5. Recipients and processors

We rely on vetted vendors for hosting, transactional email, CRM, payment facilitation, translation, and customer support chat. Each relationship sits under Article 28 GDPR terms featuring confidentiality clauses, subprocess or notification obligations, and assistance with data subject inquiries.

Employees access data on a need-to-know basis through hardware security modules and single sign-on policies audited quarterly.

6. International transfers

Some subprocessors operate in the United Kingdom or the United States. We transfer only when adequate safeguards exist: adequacy decisions, approved standard contractual clauses plus supplementary technical measures such as TLS 1.2 minimum, field-level encryption for crown-jewel columns, and data minimization exports.

You may request a summary of mechanisms through the contact channel below.

7. Retention schedule (non-exhaustive)

Marketing consents and unsubscribe evidence: three years from last send.
Accounting ledgers: seven years from book closure or shorter if law updates.
Support transcripts: twenty-four months unless litigation holds apply.
Security monitoring logs: ninety rolling days except forensics snapshots.
Cookie preference proofs: aligned with ePrivacy guidance, typically thirteen months from last update.

8. Security measures

We implement encryption in transit, encrypted backups, key rotation, least-privilege secrets management, phishing-resistant admin MFA, endpoint detection on corporate devices, and annual penetration testing scoped to production-equivalent environments.

No control eliminates residual risk; when a breach likely affects your rights, we inform the AP within seventy-two hours where feasible and communicate with impacted individuals without undue delay.

9. Data subject rights

You may request access, rectification, erasure, restriction, portability, objection to certain processing, and withdrawal of consent without affecting prior lawful processing. To reduce spoofing, we may require signed PDFs or video identification for destructive actions.

Lodge complaints with the Dutch DPA (Autoriteit Persoonsgegevens) at Bezuidenhoutseweg 30, 2594 AV The Hague, or another EU supervisory authority under the GDPR forum rules.

10. Automated decision-making

We do not deploy solely automated decisions that produce legal or similarly significant effects regarding individuals. Fraud heuristics flag cases for humans; they never auto-block accounts without manual validation.

11. Policy maintenance

Material updates surface here with a refreshed publication date above. Continued use after notification where consent is unnecessary constitutes acknowledgement of non-substantive edits; substantive changes may require renewed consent for optional processing.

12. Escalation contacts

Privacy specialists monitor chat@zorvexaldhod.world. Postal mail remains the preferred channel for formal legal service. Include enough identifiers for us to locate records without excessive data collection.