Infrastructure
Servers reside in EU regions unless a documented Standard Contractual Clause packet authorizes US failover.
Controller notice
Privacy Policy
Vorquenxphap.world operates the Nexvia commerce and education surface. We wrote this Policy for shoppers, journalists, and regulators who need a single narrative describing what personal data flows through our stack, why that is lawful, how long bytes live on disk, and which levers you can pull under the General Data Protection Regulation and complementary Dutch implementations.
Version stamped for . Store this date if you print a copy.
Identity of the controller
The controller is Vorquenxphap.world, brand name Nexvia, with contact post at Westersingel 108, 3015 LB Rotterdam, Netherlands and electronic contact via talk@vorquenxphap.world. When you escalate a request, include enough detail for us to locate records without guessing. If you represent a corporate buyer, specify the entity name on invoices to reduce confusion with similarly named accounts.
We do not appoint a statutory Data Protection Officer today because current processing volume does not trigger the threshold under Article 37 GDPR, but we monitor regulatory guidance annually and revisit the analysis when introducing high-risk profiling or large-scale health adjacent datasets beyond what this storefront collects.
Categories of personal data
Identifiers and contact artifacts. Name, email address, order reference strings you supply, and free-text messages typed into the public contact surface.
Transactional metadata. Timestamps, SKUs referenced in correspondence, and carrier tracking tokens when fulfillment partners expose them to merchants.
Technical telemetry. IP address, TLS fingerprint hints, user agent, accepted language headers, rough geo hints produced by content delivery vendors when you load static assets, and diagnostic cookies described in the Cookie Policy.
Optional marketing traits. Pseudonymous identifiers generated after you consent to analytics or remarketing tags, stored in line with vendor cookie durations.
| Bucket | Examples | Typical source |
|---|---|---|
| Voluntary | Name, message body | HTML forms |
| Observed | Browser width, scroll depth samples | Optional analytics scripts |
| Inferred | Campaign cohort tags | Ad platform matching rules |
Purposes and legal bases
Responding to purchase intent. When you reach out before buying, we process contact data to answer sizing, allergen, or logistics questions. The lawful basis is steps prior to a contract under Article 6(1)(b) GDPR combined with legitimate interests in serving returning shoppers fairly under Article 6(1)(f).
Operating this website securely. Firewall logs, rate limit counters, and bot mitigation fingerprints defend against credential stuffing. This rests on Article 6(1)(f) with balancing tests documented internally because downtime harms both us and visitors.
Optional measurement and advertising. Where banners reference analytics or marketing cookies, activation depends on consent under Article 6(1)(a). You may withdraw consent without affecting operations that rely on other bases, though historical aggregated statistics remain lawful.
Compliance with court orders or tax audits. Article 6(1)(c) covers obligations to retain financial evidence when Dutch or European tax inspectors demand traceability.
We do not sell personal data. No lists leave our ecosystem in exchange for cash. If
a corporate transaction transfers the brand, we will notify you before switching controllers unless
secrecy orders prevent disclosure.
Retention schedule
Inbound email threads tied to product curiosity live up to twenty-four months unless litigation freezes them. Accounting attachments follow seven-year horizons where the Algemene wet inzake rijksbelastingen requires ledgers. HTTP access logs roll after ninety days unless security analysts pin an incident timeline. Cookie lifetimes follow the durations we inherit from vendors but never exceed the caps listed in the Cookie Policy.
When retention windows close, we purge or irreversibly anonymize files. Backups may linger encrypted for fourteen additional days while incremental tapes rotate.
Recipients and processors
We contract hosting, transactional email, optional analytics, ticketing, and payment intermediaries under Article 28 GDPR. Each receives instructions that forbid using personal data for independent purposes. Subprocessor swaps trigger thirty-day notifications on this page when the change is material.
Communications
SMTP partners only see headers necessary to deliver your inbox confirmations.
International transfers
Whenever data crosses the EEA, we apply Chapter V mechanisms. That includes 2021 Standard Contractual Clauses with supplemental technical measures such as tokenization of identifiers in analytics payloads. Copies of transfer impact assessments are available upon request when the law permits sharing.
Security measures
We enforce TLS 1.2 minimum on public endpoints, hardware-backed secrets for administrative keys, quarterly permission reviews, phishing-resistant multi-factor authentication for finance staff, segregated staging environments, and encrypted offline backups tested semiannually. Vendors must attest to SOC 2 or ISO 27001 parity before handling regulated workloads.
No control is perfect. Should a breach risk your rights, we notify the Autoriteit Persoonsgegevens within seventy-two hours of confirmation and describe remediations in plain language messages to impacted individuals.
Rights of data subjects
You may request access, rectification, erasure, restriction, portability, and objection to processing rooted in legitimate interests. Withdraw consent for optional cookies by re-opening the banner or clearing browser storage. To lodge a complaint, contact the Dutch DPA or your habitual residence supervisor under Article 77 GDPR. We do not charge fees for standard requests unless they become manifestly excessive.
Automated identity checks may ask for a government identifier fragment solely to prevent fraudulent deletion attacks. We delete those scans within seventy-two hours of verification.
Automated decision-making
We do not run solely automated decisions with legal or similarly significant effects regarding shoppers. Optional fraud heuristics flag transactions for human review rather than auto-declining them.
Children
Nexvia markets to adults. We do not knowingly collect data from anyone under sixteen without parental authority. Parents who observe underage submissions may demand deletion using the controller email above.
Policy evolution
When processing activities shift materially, we update this Policy, refresh the animated stamp at the top through client-side date rendering tied to your device clock, and archive prior PDF copies for regulators. Continued browsing after substantive changes constitutes acknowledgement except where fresh consent is legally required.
For questions that this lengthy text does not cover, email us. We prefer clarity over silence.