Privacy Policy
Effective date: 19 March 2026
Version: 1.0
Jurisdiction note: This Policy is designed to meet the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR as retained and amended in United Kingdom law, and the Swedish Act (2018:218) with supplementary provisions to the EU Data Protection Regulation, together with complementary ePrivacy expectations for electronic communications.
1. Introduction and purpose
This Privacy Policy explains how Xibnarexwlaxyron (“we”, “us”, “our”) processes personal data when you visit xibnarexwlaxyron.world, request information about OmniPentar, place or discuss an order, communicate with customer care, subscribe to updates where available, or exercise your statutory rights. Transparency is a legal requirement under Article 12 GDPR. We describe what we collect, why we use it, how long we keep it, whom we share it with, which safeguards apply, and which rights you may exercise.
Food supplement sales involve health-adjacent topics. We do not use your personal data to make automated decisions that produce legal or similarly significant effects about your health. We do not sell personal data in the sense of disclosing it to unrelated third parties for their independent marketing in exchange for money. Where we use processors or share data with logistics or payment partners, they act under contract and instructions as required by Article 28 GDPR.
2. Data controller and representative details
The data controller responsible for processing under GDPR is:
- Legal trading name: Xibnarexwlaxyron
- Registered postal address: Sveavägen 94, 113 50 Stockholm, Sweden
- Email (primary contact for privacy requests): support@xibnarexwlaxyron.world
- Telephone: +46 8 500 222 51
If Swedish law requires publication of a formal registration identifier such as an organisationsnummer, that identifier appears on invoices, credit notes, and contractual paperwork supplied to customers. You may request a copy in writing using the email address above.
We do not intend to appoint a separate EU representative because the controller is established in Sweden. If we designate a UK representative for UK GDPR purposes in the future, this Policy will be updated with that entity’s name and contact coordinates.
3. Scope and material scope
This Policy applies to personal data processed through:
- Our public website and landing pages hosted under xibnarexwlaxyron.world
- Email, telephone, and messaging correspondence with our team
- Order preparation, fulfilment, returns, accounting, and dispute records
- Security logs generated by hosting infrastructure and content delivery systems
- Optional analytics or marketing technologies where you provide consent
It does not govern third-party websites that we link to for general information. Their policies apply separately.
4. Categories of personal data we process
Depending on your interaction, we may process:
- Identity and contact data: full name, delivery address, billing address if different, country, phone number, email address.
- Transaction data: order identifiers, product names such as OmniPentar, quantities, prices in EUR, payment status, shipment tracking references, return reasons you voluntarily provide.
- Financial data: limited payment metadata handled by payment processors (for example, the last four digits of a card or authorisation codes). We do not store full card numbers on our servers when payments are delegated to certified providers.
- Communication content: text you type into forms, email threads, recorded call notes if you phone us and we summarise the request internally.
- Technical data: IP address, approximate region derived from IP, browser type, device category, referring URL, timestamps, HTTP status codes.
- Cookie and similar identifiers: as described in our Cookie Policy and consent records.
- Compliance data: evidence of marketing consents, cookie choices, export control screenings if mandated, fraud indicators.
Special categories of personal data under Article 9 GDPR (for example detailed health diagnoses) are not requested through our marketing forms. If you voluntarily disclose health information, we will restrict internal access and delete it when retention is no longer necessary unless a limited legal exception applies.
5. Sources of personal data
We obtain data directly from you when you submit forms, create or discuss orders, email us, or call. We also generate technical data automatically when you load pages. Payment processors and carriers return status updates that we associate with your order. In rare fraud cases we may receive notes from payment partners or banks.
6. Purposes, legal bases, and legitimate interests
Article 6 GDPR requires a lawful basis for each purpose. The table below summarises typical processing activities for customers in the EU/EEA and UK.
| Purpose | Legal basis | Explanation |
|---|---|---|
| Website delivery, security, TLS termination logs | Legitimate interests (Article 6(1)(f)) | Keeping the site available, mitigating abuse, protecting accounts and infrastructure; balanced against your rights. |
| Answering product and policy questions | Legitimate interests / pre-contractual steps (Article 6(1)(b)/(f)) | Responding to inbound messages before a contract exists. |
| Contract performance: order, payment, shipment | Contract (Article 6(1)(b)) | Processing necessary to sell and deliver OmniPentar. |
| Accounting, tax, invoicing archives | Legal obligation (Article 6(1)(c)) | Swedish bookkeeping and tax rules require retention of supporting documents. |
| Defence of legal claims | Legitimate interests (Article 6(1)(f)) | Preserving evidence within limitation periods. |
| Direct marketing by electronic mail to existing customers about similar products | Soft opt-in under ePrivacy implementations where applicable, or consent | We honour opt-outs promptly and document consent where required. |
| Non-essential analytics or marketing cookies and pixels | Consent (Article 6(1)(a)) | Only after you opt in via the cookie banner or settings panel. |
| Product safety communications such as recalls | Vital interests / legal obligations, context-dependent | Rare events where we must contact purchasers of affected batches. |
Where we rely on legitimate interests, you may object under Article 21 GDPR. We will stop processing unless we demonstrate compelling grounds that override your interests or need the data for legal claims.
7. Cookies, pixels, and consent records
Strictly necessary cookies support functions such as security, load balancing, and remembering your cookie decision. Optional analytics or marketing tools load only after consent. Detailed names, providers, durations, and purposes appear in the Cookie Policy. Consent strings, timestamps, and banner version identifiers are stored to demonstrate compliance.
8. Recipients and categories of processors
We share personal data only when needed and under written agreements where Article 28 applies. Categories include:
- Hosting providers and content delivery networks in the EU or countries with adequacy decisions
- Payment service providers and acquirers
- Carriers and customs brokers for international segments
- Email delivery services for transactional messages
- Customer helpdesk tooling vendors with data residency in the EU or safeguarded regions
- Professional advisers such as accountants or lawyers bound by confidentiality
- Public authorities when lawfully required
Processors may only use data on documented instructions and must assist us with security, breach notifications, and deletion at contract end.
9. International transfers
Primary storage is within the European Economic Area. If we transfer personal data to countries without an adequacy decision, we implement appropriate safeguards under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses (2021/914) with supplementary technical and organisational measures including encryption in transit, access minimisation, and transfer impact assessments where required.
10. Retention periods
Retention follows necessity and law:
- Marketing and analytics logs tied to consent: up to 26 months from collection unless a shorter vendor default applies, after which identifiers are aggregated or deleted.
- Contract and order records: seven years after the end of the financial year in which the transaction occurred to satisfy Swedish bookkeeping obligations, unless a longer period is mandated for tax disputes.
- Customer service emails: up to 36 months after the last substantive message unless linked to an active claim.
- Security logs: typically 90 days, extended if investigating an incident.
- Cookie consent proofs: up to five years from the last interaction to demonstrate compliance.
When retention expires, we delete or irreversibly anonymise data. Backups roll off according to technical schedules that may add a short additional window before overwriting.
11. Security measures
We implement administrative, technical, and physical safeguards appropriate to the risk, including role-based access, least-privilege accounts, TLS for data in transit, malware filtering on endpoints used by staff, vendor due diligence, internal instructions for remote work, and confidentiality clauses in employment and contractor agreements. No online system is perfectly secure; if we detect a personal data breach likely to affect your rights, we will notify the Swedish Authority for Privacy Protection (IMY) and, when required, inform you without undue delay.
12. Your rights under GDPR
Subject to conditions and exceptions in the GDPR, you may:
- Access your personal data and obtain a copy (Article 15)
- Rectify inaccurate data (Article 16)
- Erase data in certain cases (Article 17)
- Restrict processing (Article 18)
- Exercise data portability for data you provided where processing is automated and based on consent or contract (Article 20)
- Object to processing based on legitimate interests or direct marketing (Article 21)
- Withdraw consent at any time for processing that relies on consent, without affecting prior lawful processing (Article 7(3))
- Not be subject to solely automated decision-making with legal or similarly significant effect, where applicable (Article 22)
To exercise rights, email support@xibnarexwlaxyron.world with enough detail for us to verify your identity. We respond within one month, extendable by two further months where complex, per Article 12(3).
You may lodge a complaint with Integritetsskyddsmyndigheten (IMY) at imy.se or your local supervisory authority in the EU/EEA if you believe processing infringes the GDPR.
13. Children
OmniPentar is intended for adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor submitted data, contact us for prompt deletion.
14. Automated decision-making and profiling
We do not use profiling that produces legal or similarly significant effects. Basic fraud scoring by payment providers may occur under their policies; you may receive information directly from them where required.
15. Changes to this Policy
We update this Policy when practices, laws, or products change. Material changes will be highlighted on the website with a new effective date. Continued use after notice where consent is not required constitutes acknowledgement of reasonable updates tied to legal compliance.
16. Contact
Questions about privacy may be sent to support@xibnarexwlaxyron.world or by post to the address in Section 2.
17. Records of processing activities
Internally we maintain a record of processing activities under Article 30 GDPR describing processing name, purpose, categories of data subjects, categories of personal data, recipients, transfers, retention, and security measures. Extracts relevant to customer-facing processing are available to supervisory authorities upon request and, where appropriate, to you when needed to support access requests.
18. Data protection impact assessment posture
Where processing is likely to result in a high risk to rights and freedoms, we assess whether a formal Data Protection Impact Assessment is required under Article 35 GDPR. Routine food supplement e-commerce with proportionate marketing analytics is not typically high risk; nevertheless, we revisit this assessment when introducing large-scale location tracking, biometric processing, or novel automated profiling.
19. Employee and contractor access
Personnel with access to personal data receive confidentiality training and work under policies covering password hygiene, device encryption, clean desk expectations, and incident escalation. Access reviews occur at least annually; redundant accounts are disabled promptly when roles change.
20. Marketing communications and preferences
Where we send newsletters or product updates, we log consent or soft-opt-in eligibility, provide unsubscribe links, and honour objections within legal timelines. Suppression lists prevent re-contact after a valid opt-out unless you initiate a new relationship and provide fresh consent where required.
21. Third-party websites and embedded content
Hyperlinks to regulators, payment brands, or educational resources are provided for convenience. Embedded videos or social widgets may set third-party cookies if you interact with them; we minimise such embeds on transactional paths and prefer static images where feasible.
22. Law enforcement and national security requests
We disclose personal data to public authorities only when legally compelled, narrowly scoped, and documented. Where not prohibited, we notify affected users after receipt of a lawful order unless emergency circumstances justify delay.
23. Post-merger scenarios
If ownership of Xibnarexwlaxyron changes, personal data may transfer to a successor controller under Article 14(2)(f) transparency duties. You will receive notice through prominent website disclosure and, where the transaction materially alters purposes, we will seek a fresh legal basis if consent is the only appropriate ground.
24. Accessibility of this Policy
We aim for readable typography and structured headings so assistive technologies can navigate this Policy. If you need an alternative format, request one using the contact details above.