Quick contact: Zephyroxoaxikon.world, Fridtjof Nansens plass 5, 0160 Oslo, Norway. Email ask@zephyroxoaxikon.world. We answer substantive privacy questions within thirty calendar days.
1. Data controller identity
The data controller is Zephyroxoaxikon.world, the legal operator of the Alira product narrative, commerce pages, and customer correspondence residing at https://zephyroxoaxikon.ddd. The controller determines why and how personal data is processed and appoints internal owners for privacy, security, and vendor oversight.
For cross-border issues, we designate a privacy liaison reachable through the email above. Registered mail may be directed to the Oslo address; courier deliveries must include a clearly marked “Privacy” reference so packages reach the correct archive shelf.
2. Material scope
This Policy applies to visitors browsing marketing pages, individuals submitting availability or order forms, purchasers receiving parcels, newsletter subscribers, and business counterparties negotiating wholesale pilots. It also covers telemetry strictly necessary to protect accounts, plus optional analytics or marketing layers activated only after granular consent.
Employment candidates follow a separate fair-processing notice when they engage with recruiting workflows. Former customers who request erasure remain referenced in anonymised revenue statistics that can no longer identify a natural person.
3. Categories of personal data
Identity
Full name, chosen salutation, locale preferences derived from billing addresses.
Contact
Email, mobile number when supplied, structured address lines for customs forms.
Transactional
Order identifiers, SKU selections, refund reasons, payment status tokens.
Technical
IP address, TLS fingerprints, coarse geolocation from CDN edges, user-agent strings.
Preference
Cookie decisions, marketing opt-outs, saved communication language.
Correspondence
Free-text tickets, batch photographs you volunteer, internal tags added by staff.
4. Purposes and lawful bases
| Purpose | GDPR article | Illustrative activity |
|---|---|---|
| Contract delivery | Art. 6(1)(b) | Printing labels, charging cards, answering stock questions. |
| Legitimate interests | Art. 6(1)(f) | Fraud scoring, network defence, aggregated UX research. |
| Legal duty | Art. 6(1)(c) | VAT ledgers, export filings, regulator subpoenas. |
| Consent | Art. 6(1)(a) | Non-essential cookies, ambassador collaborations, beta surveys. |
We balance legitimate interests against your rights using documented assessments. Where an interest is outweighed, we rely on consent instead or stop the activity entirely.
Where you allow marketing or analytics cookies and tags, identifiers may be shared with advertising and measurement partners to attribute visits or deliver campaigns. That processing is described at a commercial level in our Marketing & commercial disclosures and technically in the Cookie Policy. You may withdraw consent through the cookie controls or by email.
5. Retention and minimisation
Accounting archives remain for five complete Norwegian fiscal years. Consent receipts stay until you withdraw or twelve months pass without reconfirmation. Raw web logs trim to ninety days unless they form part of a sealed forensic bundle. Marketing suppression lists outlive deletion requests so we never accidentally re-contact an objecting individual.
Support tickets purge twenty-four months after the last human-authored message except when litigation holds apply. Backups containing deleted records roll off automatically through immutable lifecycle policies tied to storage buckets.
6. Recipients and processors
We engage payment gateways, fulfilment hubs, email transports, cloud infrastructure suppliers, analytics platforms (only after consent), and professional advisors. Each relationship is governed by Article 28 data processing agreements or statutory equivalents. Subprocessors cannot market to your contacts without a separate legal ground.
7. International transfers
Whenever data leaves the EEA or adequacy-designated territories, we implement Standard Contractual Clauses, supplementary technical measures such as robust encryption, and transfer impact assessments for high-risk jurisdictions. Government access requests receive narrow disclosures reviewed by counsel.
8. Security measures
Compensating controls include hardware security modules for key custody, mandatory MFA for administrative roles, infrastructure-as-code reviews, quarterly tabletop incident drills, vendor SOC reports, and segregated least-privilege databases. Availability monitoring pings synthetic transactions from multiple regions.
9. Rights and supervisory review
You may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Automated profiling does not determine eligibility to purchase Alira. Complaints may be filed with Datatilsynet (Norway) or your habitual residence authority. We document each request in an auditable queue.
10. Children
Alira is positioned for adults. We delete records belonging to anyone under sixteen once we obtain verifiable parental objection or direct notice from the minor.
11. Decision automation
No solely automated decision produces legal or similarly significant effects. Fraud heuristics flag cases for human analysts who make the final call.
12. Change management
Substantive edits update the effective timestamp at the top of this page. When contact data is available, we email a plain-language summary referencing the refreshed TOC anchors. Continued ordering after a reasonable notice window constitutes acknowledgement unless mandatory law demands express consent.