Controller identity
Styxreonthod.world operating the Dorexa supplement storefront, EU-facing communication, and Amsterdam return address logistics.
Supervisory context
Designed for compliance with GDPR, UK GDPR where applicable, and Dutch UAVG implementation rules.
Plain language
We avoid dense legalese where possible and link to deeper statutes when you need them.
Quick confirmation: We do not sell personal data, do not use it for undisclosed secondary markets, and document processor relationships in our internal vendor register available to regulators on request.
Who controls your personal data
The data controller is Styxreonthod.world (brand presentation: Dorexa dietary supplement inquiries), registered contact address at Stationsplein 17, 1012 AB Amsterdam, Netherlands. The primary communication channel is chat@styxreonthod.world. When we reference “we,” “us,” or “our,” this entity is meant unless a separate controller statement appears in a signed agreement.
Scope, definitions, and territorial reach
This Policy applies to https://styxreonthod.world/ and related subpages linked from the official navigation or legal footer. “Personal data” means any information relating to an identified or identifiable person as defined in Article 4 GDPR. “Processing” includes collection, storage, alteration, retrieval, disclosure, erasure, or destruction. If you interact with us only as an employee of a corporate buyer, additional contractual terms may supplement this Policy.
Visitors located in the European Economic Area receive the protections described here. Residents of other regions may have parallel rights; we honor those when mandatory local law exceeds this baseline.
Categories of personal data we collect
- Identity and contact details provided through forms: full name, email address, free-text requests, telephone number if you choose to share it, and marketing or consent preferences.
- Transaction or pre-contract information such as delivery notes, correspondence about product availability, and dispute summaries tied to an identifiable person.
- Technical metadata generated automatically: truncated IP address, user agent, device type, coarse geolocation derived from IP, HTTP referrer, timestamps, and diagnostic identifiers needed for troubleshooting.
- Cookie and similar storage identifiers when you interact with the consent interface, including a pseudonymous consent key stored locally to remember your choices.
- Support archives containing email threads, ticket numbers, attachments you send voluntarily, and internal coaching notes written by staff to resolve your issue.
Purposes and legal bases
- Website operations and inquiries (Article 6(1)(b) steps prior to contract or Article 6(1)(f) legitimate interests): we process contact fields to reply, route logistics questions, and maintain service quality.
- Legal obligation (Article 6(1)(c)): retaining invoices, VAT evidence, customs paperwork, or responding to court orders.
- Vital interests (Article 6(1)(d)): rare emergency disclosures when required by competent authorities.
- Consent (Article 6(1)(a)): analytics or marketing cookies, optional newsletters, or extended retention beyond default timelines when you explicitly agree.
- Legitimate interests (Article 6(1)(f)): securing infrastructure, detecting fraud, improving accessibility, measuring aggregate performance metrics that do not involve intrusive profiling, and training staff on anonymized scenarios.
We balance each legitimate interest against your rights and offer opt-outs where the balance tilts in your favor.
Cookies, SDKs, and storage technologies
Strictly necessary technologies power the cookie banner memory, session continuity for forms, and security filters. Optional analytics or marketing tags load only after consent. Detailed naming conventions, lifetimes, and vendor references appear in the Cookie Policy. You may reset consent through browser storage deletion or by emailing us for a manual clearance token.
Retention and minimization
- Marketing inquiries without purchase: up to twenty-four months from last contact unless you request earlier erasure and no legal hold applies.
- Completed commercial transactions: order metadata and accounting artifacts up to seven Dutch fiscal years unless a shorter statutory period emerges.
- Security logs: ninety-day rolling retention except when extended for active investigations.
- Consent proofs: twelve months from last interaction, extendable if EU regulators require longer substantiation.
- Anonymized analytics aggregates: indefinite retention when identifiers are stripped and re-identification is reasonably unlikely.
Recipients, processors, and categories of disclosure
We engage hosting providers, transactional email gateways, customer-support software vendors, payment facilitators, and occasional penetration-testing partners under written Data Processing Agreements. Disclosure to public authorities occurs only when compelled by law or imperative public interest grounds. We do not monetize mailing lists. If corporate restructuring occurs, you will be notified before your data transfers to a successor controller unless secrecy is legally required.
International data transfers
Data primarily resides within the EEA. When a processor stores backups in the United Kingdom, Switzerland, or other jurisdictions, we verify adequacy decisions or implement Standard Contractual Clauses with supplementary technical measures such as encryption at rest and access logging. Copies of transfer impact assessments are available to regulators and, upon justified request, to you in summarized form.
Security measures and incident handling
Transport security uses TLS 1.2 or newer. Administrative interfaces require multi-factor authentication for privileged roles. Segregation of duties prevents single-operator tampering with production databases. We maintain business continuity backups tested quarterly. Suspected incidents trigger containment, regulatory notifications where Article 33 GDPR applies, and user advisories when high risk to rights and freedoms exists.
Your rights and how to exercise them
You may request access, rectification, erasure, restriction, data portability, objection to certain processing, and human oversight over automated decisions with legal consequences. Submit requests via the controller email; we may ask for reasonable identification. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens or the supervisory authority of your habitual residence. We respond within one month unless complexity warrants a justified extension.
Automation, profiling, and decision-making
We do not perform automated decisions that produce legal or similarly significant effects solely by algorithmic means. Lightweight scoring for fraud may flag transactions for manual review; humans make final calls.
Children’s privacy
The Site addresses adults purchasing food supplements. We do not knowingly process minors’ data without verifiable parental permission. If you believe we collected juvenile information inadvertently, contact us for expedited deletion.
Updates, version control, and historical copies
Material revisions receive a new “displayed as of” banner via our dynamic site date component plus email notices when prior consent or contract wording changes. Archived PDF snapshots may be kept for regulatory evidence; ask if you need a prior version.
Contact, representatives, and escalations
For privacy-specific correspondence, email chat@styxreonthod.world or write to Stationsplein 17, 1012 AB Amsterdam, Netherlands. Include enough detail for us to verify and fulfill your request securely.
- Step 1 — Intake: automated acknowledgment within two business days.
- Step 2 — Verification: we may confirm identity proportionate to the sensitivity of the data.
- Step 3 — Resolution: substantive reply with actions taken or legal reasons for denial.