Privacy Policy

Controller: Squibronchex, Bulevardi 13, 00120 Helsinki, Finland

Contact email: feedback@squibronchex.world

Last updated: 23 March 2025

Applicable law: Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), Finnish national implementing acts where applicable, and ePrivacy rules as relevant to storage and access on terminal equipment.

This Privacy Policy explains how Squibronchex processes personal data when you visit squibronchex.world, request information about NaturaCardiovive, place an inquiry, communicate with us, or interact with cookies and similar technologies. We describe what we collect, why we use it, how long we keep it, who may receive it, and which rights and choices you have.

1. Scope and roles

This policy applies to processing carried out by Squibronchex as a controller. A controller decides why and how personal data is processed. Where we use processors, they process data on documented instructions and must implement appropriate safeguards. If you use third-party services linked from our site, they are separate controllers or processors for their own processing, and their policies apply.

2. Categories of personal data

Depending on how you interact with us, we may process the following categories of data:

Identity and contact data: name, email address, telephone number if provided, postal address if provided.
Communication content: messages you send through forms, email, or other channels, including attachments and metadata.
Order and request data: product interest, purchase intent, reference numbers, and related correspondence.
Technical and usage data: IP address, browser type and version, device identifiers where available, time zone, operating system, pages viewed, referring URLs, and interaction events.
Cookie and similar technology data: identifiers stored on your device, consent records, and preferences.
Customer service records: notes from support interactions, complaint handling, and follow-up.
Fraud prevention and security signals: limited technical indicators used to protect accounts and systems.

We do not seek special categories of personal data as defined in Article 9 GDPR. Please do not send health information unless we explicitly request it and provide a lawful pathway for processing.

3. Sources of data

We obtain personal data directly from you when you submit forms, email us, call us, or otherwise communicate. We also generate technical data automatically when you load pages or use features. We may receive data from payment service providers or logistics partners only to the extent necessary to fulfill orders or resolve disputes.

4. Purposes and legal bases

We process personal data only where a legal basis applies. The table below summarizes common processing activities.

Website operations and security (Article 6(1)(f) GDPR legitimate interests): delivering pages, protecting infrastructure, preventing abuse, maintaining logs for incident response, and improving reliability. Where required, we balance your rights and interests.
Responding to inquiries and pre-contractual steps (Article 6(1)(b) GDPR): handling requests for information, quotes, and support related to NaturaCardiovive.
Contract performance (Article 6(1)(b) GDPR): processing orders, payments where applicable, delivery coordination, customer notifications, and returns.
Legal obligations (Article 6(1)(c) GDPR): accounting, tax, consumer protection, product safety reporting where required, and responding to lawful requests from authorities.
Consent (Article 6(1)(a) GDPR): optional cookies and similar technologies where consent is required under ePrivacy rules, and marketing communications if you opt in.
Legitimate interests (Article 6(1)(f) GDPR): internal analytics on aggregated datasets, quality assurance, training, and limited direct marketing to existing customers where permitted by national law and where you have not objected.

Where consent is the legal basis, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal may limit certain features.

5. Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects about you. We may use basic analytics to understand aggregate usage patterns.

6. International transfers

Our primary operations are in the European Economic Area. If we transfer personal data outside the EEA, we ensure appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or transfer to countries recognized as adequate, supplemented by technical and organizational measures where necessary.

7. Recipients and processors

We share personal data only with recipients who need access to provide services. Categories may include:

Hosting and infrastructure providers.
Email and communication service providers.
Payment processors and fraud prevention services.
Logistics and courier partners.
Customer support tools and ticketing systems.
Professional advisers and auditors where required.
Authorities when required by law.

We require processors to implement confidentiality and security obligations and to process data only on documented instructions.

8. Retention

We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law.

Marketing consents and records: until consent is withdrawn or objections are honored, unless a longer retention is justified for evidence.
Contract and order records: for the duration of the relationship and for a reasonable period thereafter to handle disputes, warranties, and legal claims.
Accounting and tax records: according to Finnish bookkeeping and tax obligations, typically several years.
Communication logs: for a limited period to operate support and security, unless a longer retention is justified for legal defense.
Security logs: short to medium cycles depending on operational risk.
Cookie and consent records: as described in the Cookie Policy and aligned with consent evidence requirements.

We periodically review retention periods and anonymize or delete data when no longer needed.

9. Security measures

We implement organizational and technical measures appropriate to the risk, including access controls, least privilege, encryption in transit where supported, secure configuration practices, backups, monitoring, logging, and staff training. No method of transmission or storage is completely secure; we work to reduce risk in a proportionate manner.

9a. Data minimization and purpose limitation

We collect personal data that is adequate, relevant, and limited to what is necessary for the purposes described. We avoid collecting sensitive categories unless a specific lawful basis and documented pathway exist. Internal access to personal data is granted on a need-to-know basis and reviewed periodically.

9b. Records of processing activities

We maintain records of processing activities where required by Article 30 GDPR, including purposes, categories of data subjects and data, recipients, international transfers, retention timelines, and a general description of security measures. These records support accountability and supervisory authority requests.

9c. Personal data breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we document the incident, take containment steps, assess risk, and notify the supervisory authority without undue delay where required. We communicate to affected data subjects when the breach is likely to result in a high risk, unless exceptions apply.

9d. Subprocessors and onward transfers

Where we appoint subprocessors, we impose written obligations to implement appropriate safeguards, assist with data subject requests, return or delete data at the end of services, and notify us of breaches. We remain responsible for the processing carried out on our behalf. A current list of categories of subprocessors is available on request where commercially reasonable.

10. Your rights under GDPR

Subject to conditions and exceptions in applicable law, you may have the following rights:

Access: request confirmation of processing and copies of personal data.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion where grounds apply.
Restriction: request limitation of processing in certain cases.
Data portability: receive a machine-readable copy of data you provided where processing is based on consent or contract and carried out by automated means.
Object: object to processing based on legitimate interests, including profiling, and to direct marketing.
Withdraw consent: where processing is based on consent.
Complaint: lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu). You may also contact the authority in your country of residence or workplace.

11. Children

Our services are not directed to children. We do not knowingly collect personal data from children without parental authority where required. If you believe we have collected data from a child, contact us so we can delete it.

12. Cookies and similar technologies

We use cookies and similar technologies as described in our Cookie Policy. Where consent is required, we collect consent before non-essential cookies are set, and you can change preferences later.

13. Marketing

We send marketing communications only where permitted by law and, where required, based on your consent or explicit soft opt-in rules applicable to existing customers. You can opt out using unsubscribe links or by contacting us.

14. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. We will publish the updated version on this page and revise the last updated date. Where changes materially affect your rights, we will provide additional notice where appropriate.

15. Contact

For privacy requests or questions about this policy, contact us at feedback@squibronchex.world or write to Squibronchex, Bulevardi 13, 00120 Helsinki, Finland. Please include enough detail to verify your identity and describe your request.