Privacy Policy

This Privacy Policy explains how Thogreonchrel (“we”, “us”) processes personal data when you visit https://thogreonchrel.world/, purchase Maxovascor-related products, or communicate with us. We apply the General Data Protection Regulation (EU) 2016/679 (“GDPR”), supplemented by the Norwegian Personal Data Act implementing GDPR rules (“Personopplysningsloven”), and other applicable privacy legislation in Norway and the European Economic Area (“EEA”).

1. Data controller and representative details

The data controller responsible for processing described here is Thogreonchrel, with its principal contact address at Fridtjof Nansens plass 5, 0160 Oslo, Norway. For privacy enquiries and data subject requests, contact office@thogreonchrel.world. If we appoint a data protection officer or EU/EEA representative for cross-border processing, we will publish updated contact data on this page.

2. Scope and relationship to other notices

This Policy covers processing linked to our website, customer service, order handling, marketing where permitted, analytics where you consent, and compliance obligations. Cookie-specific information appears in the Cookie Policy. Contractual commercial terms appear in the Terms of Service. Return-related data handling is aligned with the Return Policy.

3. Categories of personal data we process

Depending on your interaction, we may process: identity and contact data (name, postal address, delivery address, email address, telephone number); account and order data (order history, product selections, payment status references, communications about orders); technical data (IP address, device type, browser version, approximate location derived from IP, referrer URL, pages viewed, timestamps); communication content you send via forms or email; marketing preference indicators; cookie identifiers and similar technologies as described in the Cookie Policy; and documentation required for tax, accounting, and consumer law compliance.

We do not intend to collect special categories of personal data (such as health data). If you voluntarily disclose health information, we will treat it with additional care and only retain it if a legal obligation or narrowly defined legitimate interest requires it.

4. Sources of personal data

We obtain data directly from you when you place orders, complete forms, subscribe to updates, or contact us. We also generate data through website logs and security tools. Payment card data is typically processed by payment service providers; we receive confirmation tokens rather than full card numbers unless a specific integration requires limited elements under strict security standards.

5. Purposes and legal bases

5.1 Contract performance and pre-contract steps

When you order Maxovascor or related goods, we process name, delivery details, contact channels, payment references, and order messages to perform the contract (GDPR Article 6(1)(b)). This includes arranging shipment, invoicing where applicable, and responding to product questions tied to an order.

5.2 Legal obligations

We process certain data to comply with accounting rules, tax law, consumer protection documentation, and regulatory requests (GDPR Article 6(1)(c)). This can include retaining invoices and transaction records for periods defined by Norwegian law.

5.3 Legitimate interests

We rely on legitimate interests for website security monitoring, fraud prevention, server stability, limited internal analytics that do not require consent under ePrivacy where applicable, and business continuity (GDPR Article 6(1)(f)). We balance these interests against your rights and offer opt-outs where required.

5.4 Consent

Where marketing communications, non-essential cookies, or certain surveys require consent under applicable law, we process data only after a clear affirmative action (GDPR Article 6(1)(a)). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

6. Automated decision-making and profiling

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Article 22. If this changes, we will update this Policy and provide meaningful information about the logic and consequences.

7. Recipients and processors

We share personal data with service providers acting under written agreements: hosting providers, email delivery services, payment processors, logistics partners, customer support tools, and professional advisers (lawyers, accountants) where confidentiality duties apply. Processors may only process data on our instructions and must implement appropriate security measures.

We may disclose data when required by court order, competent authority requests, or to establish or defend legal claims, limited to what is necessary and proportionate.

8. International transfers

Our primary operations are in Norway and the EEA. If we transfer personal data outside the EEA, we will ensure a valid transfer mechanism such as adequacy decisions, Standard Contractual Clauses approved by the European Commission, or other approved safeguards, supplemented by assessments where required. Copies of relevant safeguards may be requested via our contact email.

9. Retention periods

Order and accounting records are retained for at least the period required by Norwegian bookkeeping law, typically five years from the end of the financial year, unless longer retention is mandated. Marketing consent records are kept until consent is withdrawn and briefly thereafter to prove compliance. Website logs used for security may rotate on a shorter technical cycle unless preserved for incident investigation. Contact form messages are retained until the request is completed and for a subsequent period if needed to document customer care, usually not exceeding twenty-four months unless a dispute extends the need.

When retention expires, we delete or anonymise data so it can no longer be linked to you, except where anonymous statistics are retained.

10. Security measures

We implement organisational and technical measures appropriate to risk, including access controls, encryption in transit for website connections served over HTTPS, patching procedures, malware protection where relevant, staff confidentiality expectations, vendor due diligence, and incident response planning. No online transmission is completely risk-free; you should also protect your devices and credentials.

11. Your rights under GDPR

Subject to conditions in the GDPR, you may have the following rights: access to personal data; rectification of inaccurate data; erasure (“right to be forgotten”) where applicable; restriction of processing; data portability for data you provided that is processed by automated means on the basis of contract or consent; objection to processing based on legitimate interests or for direct marketing; and withdrawal of consent at any time for consent-based processing.

To exercise rights, email office@thogreonchrel.world with a description of your request and information allowing us to verify your identity. We will respond within one month, extendable by two further months where complex, and inform you of reasons if we cannot fulfil a request.

12. Right to lodge a complaint

You may lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet), visiting www.datatilsynet.no or writing to Datatilsynet, Postboks 458 Sentrum, 0105 Oslo, Norway, if you believe our processing infringes applicable law. You may also contact the supervisory authority in your habitual residence or place of work within the EEA.

13. Children

Our website and Maxovascor marketing are directed to adults. We do not knowingly collect personal data from children under sixteen without appropriate consent from a holder of parental responsibility. If you believe we have collected such data, contact us for prompt review and deletion where appropriate.

14. Data protection by design and default

We apply data minimisation when designing forms, limiting mandatory fields to what is needed for the stated purpose. Access to personal data internally follows role-based permissions reviewed periodically. Vendors are selected using security and privacy criteria documented in our procurement notes.

15. Records of processing activities

We maintain internal records describing processing purposes, categories of data subjects, categories of personal data, recipients, transfers, retention, and security measures, as required under GDPR Article 30. Extracts relevant to your data are summarised in this Policy; further detail may be provided where feasible upon request.

16. Personal data breaches

We maintain procedures to detect, report, and investigate personal data breaches. Where a breach is likely to result in risk to rights and freedoms, we will notify the supervisory authority without undue delay and, when required, communicate with affected data subjects, describing the nature of the breach, likely consequences, and measures taken.

17. Joint controllers and independent controllers

If we jointly determine purposes and means with another entity, we will make the essence of the arrangement available to you. Payment networks or social platforms may act as independent controllers for their own processing; their policies govern that processing.

18. Marketing and preference management

Email marketing to consumers is sent only with valid consent or another lawful basis recognised in Norwegian marketing law. Each marketing message includes an unsubscribe or preference mechanism where required. Opt-out requests are processed without charging a fee beyond transmission costs at standard rates.

19. Analytics and aggregated statistics

Where analytics tools process personal data, we configure them to reduce identifiability where possible, such as IP truncation or aggregated reporting. Statistical datasets that cannot be re-linked to individuals may be retained for longer periods for business analysis.

20. Employment and recruitment

If you apply for a job with us, separate privacy information applies to that process, including retention of CVs, interview notes, and referee contacts. This consumer-facing Policy does not govern employment records except where referenced.

21. Third-party websites

Our website may link to external resources. Their privacy practices are outside our control. Review their policies before submitting personal data.

22. Changes to this Policy

We may update this Privacy Policy to reflect legal, technical, or business developments. Material changes will be highlighted on the website or communicated where appropriate. The effective date reflects the latest substantive revision.

Effective date: 25 March 2026.