Privacy Policy

Effective date: 23 March 2026 · Version: 1.0 · Jurisdiction: Finland / European Union (GDPR)

This Privacy Policy explains how Draxylonshul (“we”, “us”, “our”) processes personal data when you visit draxylonshul.world, purchase BotaniCardia or related products, subscribe to updates where available, or contact us. We process personal data lawfully, fairly, and transparently. If you do not agree with this Policy, please discontinue using the website and do not submit forms.

1. Data controller and contact

The controller responsible for personal data processing is:

Draxylonshul
Business address: Sähkötalon alakerta, Kampinkuja 2, 00100 Helsinki, Finland
Email: team@draxylonshul.world
Phone: +358 9 441 919

For general privacy requests, please email the address above with the subject line “Privacy request” and describe your question. We may ask proportionate follow-up questions to verify identity before disclosing or changing data.

2. Scope and relationship to other documents

This Policy applies to processing connected with our online presence, customer service, order handling, marketing where consented, analytics where consented, and legal compliance. The Cookie Policy describes identifiers stored on devices. The Terms of Service govern commercial rules. The Return Policy explains product returns and related data uses.

3. Categories of personal data

Depending on how you interact with us, we may process:

• Identity and contact data: name, delivery address, billing address, email address, telephone number, country, preferred language.
• Order and transaction data: products ordered, quantities, prices, payment status references (card payments are typically handled by payment service providers; we may receive limited confirmation data, not full card numbers).
• Communication data: messages you send via forms, email threads, and call notes we create when you phone us.
• Technical and usage data: IP address, approximate location derived from IP, browser type, device type, operating system, referring URL, pages viewed, timestamps, and similar diagnostics when our systems or analytics tools collect them in line with your cookie choices.
• Account data: if we offer customer accounts, login identifiers, password hashes, and profile preferences.
• Marketing preferences: newsletter subscription status, opt-in timestamps, and unsubscribe records.
• Compliance data: records required for tax, accounting, consumer protection, and dispute resolution.

We do not seek special categories of personal data (health data) through this website. If you voluntarily disclose health-related information in a message, we will treat it carefully and only use it to respond to your enquiry unless a separate legal basis applies.

4. Sources of data

We obtain data directly from you (forms, checkout, email, telephone), automatically when you use the site (server logs, cookies where permitted), and occasionally from third parties such as payment providers (payment confirmations), carriers (delivery updates), and fraud screening tools if used.

5. Purposes and legal bases (GDPR Articles 6 and 9)

We process personal data on the following legal bases:

• Contract (Art. 6(1)(b)): to take steps at your request before a contract and to perform a contract, including order processing, delivery, invoicing where applicable, and customer support.
• Legitimate interests (Art. 6(1)(f)): to secure our IT systems, prevent fraud, improve website stability, analyse aggregate usage where not relying on consent, enforce our terms, and defend legal claims, balanced against your rights.
• Legal obligation (Art. 6(1)(c)): to meet accounting, tax, and regulatory duties in Finland and the EU.
• Consent (Art. 6(1)(a)): for non-essential cookies, certain marketing communications, and optional newsletters where we ask for explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

6. Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects on you. Basic fraud checks may involve automated scoring at payment providers; those providers operate under their own policies.

7. Recipients and processors

We share personal data only when necessary, with:

• Hosting and infrastructure providers that store website data.
• Payment service providers and banks for payment execution.
• Logistics partners and carriers for delivery.
• Email delivery services for transactional messages and, if consented, marketing.
• Professional advisers (lawyers, accountants) bound by confidentiality.
• Authorities when required by law or lawful requests.

We use written agreements with processors (Article 28 GDPR) requiring security and assistance with your rights.

8. International transfers

Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other mechanisms recognised under Chapter V GDPR. You may request further information about transfers by contacting us.

9. Retention periods

We keep personal data only as long as necessary for the purposes described:

• Order and invoice records: typically for the duration of statutory accounting and tax retention in Finland (often several years; exact periods follow national law in force).
• Customer service messages: long enough to resolve issues and maintain reasonable business records, generally up to 24–36 months unless a dispute requires longer retention.
• Marketing consents and logs: until you withdraw consent plus a short period to prove consent was obtained.
• Server logs: rotated or deleted according to security policies, often within months unless investigation requires longer storage.
• Cookie-related records: as stated in the Cookie Policy.

When retention ends, we delete or anonymise data where feasible.

10. Security measures

We implement appropriate technical and organisational measures, including access controls, encryption in transit (HTTPS) for the website, secure credential handling for staff tools where applicable, backups, patching, and staff instructions on confidentiality. No system is perfectly secure; we encourage strong passwords and caution with phishing.

11. Your rights

Under GDPR, you may have the right to:

• Access your personal data and obtain a copy (Article 15).
• Rectification of inaccurate data (Article 16).
• Erasure in certain cases (Article 17).
• Restriction of processing in certain cases (Article 18).
• Data portability for data you provided where processing is based on consent or contract and automated (Article 20).
• Object to processing based on legitimate interests or to direct marketing (Article 21).
• Withdraw consent where processing is consent-based, without retroactive effect.
• Lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu). Website: https://tietosuoja.fi/en/

12. Children

Our services are directed at adults. We do not knowingly collect data from children under 16 without parental authority where required. If you believe we have received a child’s data in error, contact us for deletion.

13. Third-party websites

Our site may link to external pages. Their privacy practices are their own. Review their policies before sharing data.

14. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. We will post the new version with an updated effective date. Material changes may be highlighted on the website or communicated where appropriate.

15. Data breach notification

We maintain internal procedures to detect, assess, and document personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority without undue delay and, where required by law, communicate with affected individuals, describing the nature of the breach, likely consequences, and measures taken or proposed.

16. Records of processing

We maintain records of processing activities as required by Article 30 GDPR, including purposes, categories of data subjects, categories of personal data, recipients, transfers, retention periods, and security measures. These records are internal but may be shared with regulators on request.

17. Marketing and newsletters

We send commercial communications only where permitted by law—typically after explicit opt-in for electronic marketing, or within the “soft opt-in” rules where applicable to existing customers for similar products. Each message includes an unsubscribe mechanism. Opt-out preferences are stored to prevent future sends.

18. Contact for privacy matters

For privacy questions or to exercise rights, contact team@draxylonshul.world or write to Sähkötalon alakerta, Kampinkuja 2, 00100 Helsinki, Finland. We will respond within one month where GDPR requires, subject to complexity and volume.