1. Data controller and contact details
The data controller responsible for personal data processed through this website is:
Trading name: Vordalonkhythran
Registered address: 262 Queen Street, Auckland CBD, Auckland 1010, New Zealand
Email: admin@vordalonkhythran.world
Telephone: +64 9 375 1537
For privacy requests, please email the address above with the subject line “Privacy Request” and include your name, contact details, and a clear description of your query. We may ask for reasonable identity verification before disclosing or changing records.
2. Scope and relationship to law
This Policy applies to personal information collected via our website forms, email, telephone, cookies, analytics tools (when consented), payment intermediaries, and shipping partners. We aim to comply with the New Zealand Privacy Act 2020 and, where relevant, the EU and UK General Data Protection Regulation frameworks for visitors and customers who receive goods or services connected to the European Economic Area or United Kingdom.
Where laws conflict, we apply the stricter or more specific requirement that legitimately applies to the processing activity in question.
3. Categories of personal data we collect
Depending on how you interact with us, we may process:
- Identity and contact data: full name, delivery address, billing address, email address, telephone number, and communication preferences.
- Order and transaction data: items purchased, price paid, payment status references, delivery notes, returns history, and customer service tickets.
- Technical data: IP address, device type, browser version, operating system, approximate location derived from IP, referring URL, and timestamps.
- Usage data: pages viewed, click paths, form interactions, and cookie identifiers where permitted.
- Marketing data: newsletter subscriptions, campaign identifiers, and consent logs where marketing is used.
- Special categories: we do not intentionally collect health data through this website. If you voluntarily disclose health-related information in a free-text message, we will treat it as sensitive and limit access; please avoid sending clinical details unless strictly necessary.
4. Sources of personal data
We obtain personal data directly from you when you submit forms, create an account (if offered), email us, or call our team. We also receive data from payment service providers, fraud screening tools, logistics carriers, and analytics or advertising partners when you have provided consent for those tools.
5. Purposes and legal bases for processing
We process personal data for the following purposes and, for GDPR-covered individuals, on the following legal bases:
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing products, order fulfilment, delivery, invoicing, and customer support | Performance of a contract; legitimate interests in operating a retail business |
| Processing payments and preventing fraud | Performance of a contract; legitimate interests; legal obligations where applicable |
| Compliance with tax, consumer, and accounting obligations | Legal obligation |
| Website security, abuse detection, and server logging | Legitimate interests; legal obligations |
| Analytics to improve site performance (non-essential cookies) | Consent, where required |
| Marketing communications about similar products | Consent or soft opt-in where permitted by law |
| Responding to legal requests and defending legal claims | Legal obligation; legitimate interests |
For New Zealand users, we rely on the Privacy Act 2020 principles, including lawful purpose, transparency, security, and access/correction rights.
6. Cookies and similar technologies
We use strictly necessary cookies to operate the site and remember your cookie choices. Optional analytics and marketing technologies are activated only after you provide consent through our cookie banner or settings panel. See our Cookie Policy for a detailed list, retention periods, and management options.
7. Disclosure and categories of recipients
We share personal data with service providers who process it on our instructions, including:
- Hosting and infrastructure providers that store website files and databases.
- Payment processors and banks that handle card or wallet transactions.
- Courier and postal companies responsible for delivery.
- Email delivery and customer ticketing platforms.
- Professional advisers such as accountants and lawyers when required.
- Authorities when compelled by lawful process.
We do not sell personal information as defined under broader privacy laws. Some analytics partners may receive device identifiers under consent to provide aggregated reports.
8. International transfers
Our primary operations are in New Zealand. If we transfer personal data to processors located outside New Zealand or the EEA, we implement appropriate safeguards such as standard contractual clauses, adequacy decisions, or equivalent measures required by applicable law, and we assess local surveillance laws where relevant.
9. Retention periods
We retain personal data only as long as necessary for the purposes described:
- Order and accounting records: up to seven years from the end of the financial year in which the transaction occurred, unless a longer period is required by regulators.
- Customer service emails: up to three years after the last related case closure unless a dispute is ongoing.
- Marketing consents and unsubscribe logs: until you withdraw consent plus a short backup period for suppression lists.
- Security logs: typically ninety days unless investigation requires longer retention.
- Cookie and analytics identifiers: as stated in the Cookie Policy, often between six and twenty-four months depending on the tool.
When retention ends, we delete or irreversibly anonymise data where possible.
10. Security measures
We apply administrative, technical, and organisational measures appropriate to the risk, including TLS encryption for data in transit, access controls on a need-to-know basis, authentication for administrative systems, malware scanning, patching routines, and confidentiality commitments in vendor contracts. No method of transmission or storage is completely secure; please use strong passwords and protect your devices.
11. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects solely based on profiling. Basic fraud checks may flag transactions for manual review.
12. Your rights under the Privacy Act 2020 (New Zealand)
You may request access to personal information we hold about you and ask for correction of inaccurate information. We will respond within twenty working days where practicable, or inform you of any extension permitted by law. If we refuse a request, we will explain the reasons unless disclosure would undermine a specified ground.
13. Your rights under GDPR (where applicable)
If GDPR applies to our processing of your data, you may have the right to access, rectification, erasure, restriction, objection to processing based on legitimate interests, data portability (for data you provided processed by automated means under contract or consent), and withdrawal of consent at any time without affecting prior lawful processing. You may lodge a complaint with your local supervisory authority.
14. Children
Greenovitalis is intended for adults. We do not knowingly collect personal information from children under sixteen without parental authority. If you believe a minor has provided data, contact us and we will delete it where appropriate.
15. Third-party websites
Our site may contain links to external resources. Their privacy practices are independent, and we encourage you to read their policies before submitting personal data.
16. Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. The “Last updated” date will change accordingly. Material changes may be highlighted on the homepage or communicated by email where appropriate.
17. Personal data breach notification
We maintain internal procedures to detect, report, and investigate personal data breaches. Where a breach is likely to result in risk to individuals, we will notify affected persons and relevant supervisory authorities without undue delay in line with GDPR timelines where applicable, and in accordance with New Zealand notification expectations for serious privacy breaches under the Privacy Act 2020.
18. Data protection impact assessments
When we introduce processing that may result in high risk to rights and freedoms, we assess necessity, proportionality, and mitigations. Outcomes are documented and reviewed by responsible staff. You may request high-level summaries concerning tools that affect your data where disclosure would not harm security or commercial confidentiality.
19. Marketing suppression and preference centres
Marketing communications include clear opt-out mechanisms. We maintain suppression lists to honour unsubscribe requests even if you later resubscribe inadvertently through another channel. Transactional messages about orders, security, or legal notices may still be sent where necessary.
20. Complaints handling procedure
If you are dissatisfied with our response, you may escalate in writing to the postal address above. EEA or UK residents may lodge a complaint with their local supervisory authority. New Zealand residents may contact the Office of the Privacy Commissioner.
21. Records of processing activities
We maintain internal inventories describing processing purposes, categories of data, recipients, retention, and security measures. These documents support accountability and are updated when systems or vendors change.
22. Contact and supervisory references
For privacy questions, contact admin@vordalonkhythran.world or write to 262 Queen Street, Auckland CBD, Auckland 1010, New Zealand. New Zealand residents may contact the Office of the Privacy Commissioner for guidance on privacy rights.