Privacy Policy

1. Purpose and scope

This Privacy Policy explains how we process personal data when you visit the Site, create an account (if offered), purchase or request Vascoralis products, subscribe to updates, or communicate with us. It also describes rights available to individuals in the European Economic Area (“EEA”), United Kingdom (“UK”), and Switzerland (“CH”), consistent with the General Data Protection Regulation (“GDPR”), UK GDPR, and comparable laws, as well as disclosures required under U.S. state privacy laws where applicable.

We sell dietary supplements intended for U.S. consumers. If you access the Site from outside the United States, you acknowledge that data will be processed in the United States and potentially other countries that may not provide identical protections to your home jurisdiction. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms.

2. Categories of personal data we collect

Depending on how you interact with us, we may collect the following categories of information:

• Identity data: full name, salutation, customer reference number.
• Contact data: email address, telephone number, billing and shipping addresses.
• Transaction data: products ordered, order identifiers, payment status (payment card details are processed by our payment processor and not stored on our servers in full).
• Technical data: IP address, browser type and version, time zone, device identifiers, operating system, referring URL, and pages viewed.
• Communication content: messages you send through web forms, email, or telephone recordings where permitted by law and disclosed in advance.
• Preference data: marketing choices, cookie preferences, newsletter topics.
• Compliance data: records needed to meet tax, accounting, and product safety obligations.

We do not intentionally collect special categories of data (such as health diagnoses) through the Site. If you voluntarily disclose health information, we will limit use to the purpose you provided it for and protect it in line with this Policy.

3. Sources of personal data

We obtain personal data directly from you when you place orders, complete forms, create an account, subscribe to communications, or contact customer care. We also receive technical data automatically through cookies, pixels, and server logs. In limited cases we may receive updated address or fraud-risk information from carriers, payment partners, or public directories for verification.

4. Purposes and legal bases for processing

We process personal data for specific purposes and, where GDPR applies, on the following legal bases:

Where we rely on legitimate interests, we balance our interests against your rights and offer opt-out mechanisms where appropriate.

5. Cookies and similar technologies

We use cookies, local storage, and related tools as described in our Cookie Policy. You can manage non-essential cookies through our banner and browser settings. Strictly necessary cookies remain active because they enable core functionality and security.

6. Disclosure of personal data

We share personal data only with service providers who assist our operations under written agreements requiring confidentiality and appropriate safeguards. Categories of recipients include:

• Payment processors and fraud-screening vendors.
• Shipping carriers and address-validation services.
• Email delivery and customer relationship tools.
• Hosting, infrastructure, and cybersecurity vendors.
• Professional advisers including accountants and attorneys.
• Authorities when required by law or to protect rights and safety.

We do not sell personal data for monetary consideration as defined under certain U.S. state laws. Where “sharing” for cross-context behavioral advertising is regulated, we provide opt-out links where mandated.

7. International transfers

Our primary operations are in the United States. If you are located in the EEA, UK, or CH, your data may be transferred outside your region. When we transfer personal data from the EEA, UK, or CH to countries not subject to an adequacy decision, we implement safeguards such as Standard Contractual Clauses approved by the European Commission or UK Information Commissioner’s Office, supplemented by technical and organizational measures including encryption and access controls.

8. Retention periods

We retain personal data only as long as necessary for the purposes described and as required by law. Indicative retention periods include:

• Order and accounting records: up to seven years from the end of the financial year in which the transaction occurred, unless a longer period is required for tax or regulatory reasons.
• Marketing consents and suppression lists: until you withdraw consent or object, plus a short period to honor the request across systems.
• Customer service tickets: up to three years after closure unless linked to a legal dispute.
• Server logs and security records: typically between thirty days and twelve months depending on system design and incident investigations.
• Cookie records: as stated in the Cookie Policy, often between six months and twenty-four months depending on the vendor.

At the end of the retention period, we delete or anonymize data where feasible.

9. Security measures

We implement administrative, technical, and physical safeguards appropriate to the risk, including HTTPS encryption for the Site, role-based access controls, least-privilege credentials, periodic access reviews, malware protection, logging and alerting, and vendor due diligence. No method of transmission over the Internet is completely secure; we encourage you to use strong passwords and protect your devices.

10. Your rights under GDPR (EEA, UK, CH)

Subject to applicable law, you may have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase data where conditions are met (“right to be forgotten”).
• Restrict processing in certain circumstances.
• Data portability for data you provided where processing is automated and based on contract or consent.
• Object to processing based on legitimate interests or for direct marketing.
• Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
• Lodge a complaint with a supervisory authority in your country of residence.

To exercise these rights, email help@pharionxthorxian.world or write to the postal address above. We may need to verify your identity before fulfilling requests.

11. U.S. state privacy rights

Residents of certain U.S. states may have additional rights regarding access, deletion, correction, opt-out of targeted advertising, or appeal of decisions. Submit requests through the same contact channels. We will not discriminate against you for exercising rights. Authorized agents may submit requests with proof of authorization where permitted by law.

12. Children

The Site is not directed to children under sixteen, and we do not knowingly collect personal data from children. If you believe a child provided information, contact us and we will delete it promptly.

13. Automated decision-making

We do not use solely automated decision-making, including profiling, that produces legal or similarly significant effects concerning you. Fraud screening may involve automated risk scores with human review.

14. Changes to this Policy

We may update this Privacy Policy to reflect operational, legal, or regulatory changes. The revised version will be posted on this page with a new effective date. Where required, we will notify you through the Site or email before material changes take effect.

15. Contact and supervisory authorities

For privacy questions, contact help@pharionxthorxian.world or call +1 (212) 865-9700. EEA and UK residents may contact the supervisory authority in their country of residence using public contact details published by that authority.