1. Data controller and contact details
The data controller responsible for processing personal data obtained through this website is Phiphraxnriz, trading under the same name, located at 50 Avenue Rd, Mosman NSW 2088, Australia. You may contact us regarding privacy matters by email at notifyuse@phiphraxnriz.world or by telephone on +61 2 9960 2972 during Australian business hours. Where European Union data protection law applies to our processing, you may also contact us at the same email address to exercise GDPR rights or to raise queries about international transfers.
2. Scope and relationship to other notices
This Privacy Policy applies to personal data we process when you browse static pages, submit enquiry or contact forms, correspond with us by email, or interact with optional analytics or marketing technologies described in our Cookie Policy. It should be read together with our Terms of Service, which describe contractual obligations relating to orders and website use. If any provision in the Terms conflicts with mandatory privacy law, the mandatory privacy law prevails to the extent of the inconsistency.
3. Categories of personal data we collect
Depending on how you engage with us, we may process the following categories of personal data: identity and contact details (such as name, email address, postal address, and optional telephone number); account or order identifiers when you receive them; technical and usage data (such as browser type, device category, approximate location derived from IP address, referring URL, pages viewed, and timestamps); communication content that you voluntarily include in message fields; marketing preferences where you subscribe or object; payment-related metadata supplied by payment service providers (we aim not to store full card numbers on our own servers when payments are handled by certified partners); and compliance records (such as consent logs and complaint correspondence).
4. Sources of personal data
We obtain personal data directly from you when you type information into forms, send email, or speak with us by phone. We also generate technical data automatically through server logs and, if you consent, through analytics or marketing scripts. Occasionally we may receive updated contact details from delivery partners when shipments are returned or address corrections are filed.
5. Purposes and legal bases for processing
We process personal data for the following purposes and, where GDPR applies, on the following legal bases:
- Website operation and security — to deliver pages over HTTPS, prevent abuse, monitor infrastructure stability, and maintain audit logs. Legal bases: legitimate interests in securing our service; where strictly necessary cookies are used, those may also be justified by our legitimate interests or by a limited necessity framework depending on jurisdiction.
- Responding to enquiries — to read and answer questions submitted through forms or email. Legal bases: steps prior to a contract at your request; legitimate interests in supporting prospective customers; consent where you explicitly opt in to marketing follow-up beyond the specific enquiry.
- Contract performance — to process orders, arrange delivery, issue receipts, and manage returns. Legal basis: performance of a contract.
- Legal compliance — to meet tax, consumer, and product-safety record-keeping duties, and to respond to lawful requests from regulators or courts. Legal basis: legal obligation.
- Analytics — to understand aggregate traffic patterns and improve content layout when you enable analytics cookies. Legal basis: consent via our cookie banner where required.
- Marketing communications — to send promotional messages when you have opted in or where a specific exemption applies under local law. Legal basis: consent or other lawful grounds as applicable.
- Dispute resolution — to defend or pursue legal claims. Legal basis: legitimate interests; legal claims basis under GDPR Article 9(2)(f) is not routinely invoked because health data is not intentionally collected through this site.
6. Special categories of data
We do not ask you to share health diagnoses or other special category data through our marketing website. If you voluntarily disclose health information in a free-text field, we will restrict internal access and delete it when retention is no longer necessary unless a legal obligation requires otherwise. We encourage you to avoid sending sensitive medical information by unsecured channels.
7. Automated decision-making and profiling
We do not use personal data for automated decisions that produce legal or similarly significant effects solely by automated means. Basic analytics may aggregate behaviour for reporting but does not change your contractual rights without human review.
8. Recipients and categories of recipients
Personal data may be disclosed to the following categories of recipients where necessary and proportionate: hosting and content delivery providers that store static files or TLS certificates; email and ticketing service providers; payment processors; logistics and courier companies for delivery; professional advisers such as lawyers and accountants bound by confidentiality; insurers where claims arise; and government authorities when required by law. We contractually require processors to implement appropriate confidentiality and security commitments.
9. International transfers
Our operations are centred in Australia, but server infrastructure or subprocessors may be located in other countries, including the European Economic Area, the United Kingdom, or the United States. When we transfer personal data from the EEA, the UK, or Switzerland to countries not deemed adequate by the relevant authority, we implement appropriate safeguards such as Standard Contractual Clauses, supplementary measures where required by case law, or other lawful transfer tools. You may request a summary of the mechanisms we rely on by contacting us at the email address above.
10. Retention periods
We retain personal data only as long as necessary for the purposes described, unless a longer period is required by law. Indicative periods include: enquiry emails and form submissions retained for up to twenty-four months after the last substantive communication unless a dispute extends the need; order and tax records retained for seven years to satisfy Australian tax and consumer record expectations unless a different statutory period applies; marketing consent logs retained for the life of the consent plus three years to demonstrate compliance; server logs rotated on a shorter cycle, typically between thirty and ninety days unless security investigations require longer holds; and cookie-related identifiers handled as described in the Cookie Policy.
11. Security measures
We implement administrative, technical, and organisational measures appropriate to the risk, including HTTPS transport encryption for pages delivered from this static template, access controls for mailboxes and third-party dashboards, vendor due diligence, malware-resistant build practices for front-end assets, and staff instructions to verify unusual payment change requests. No online transmission is completely risk-free; if you suspect unauthorised access, notify us promptly.
12. Your rights in the European Economic Area and the United Kingdom
Where GDPR or the UK GDPR applies, you may have the right to access, rectify, or erase your personal data, to restrict processing, to object to processing based on legitimate interests, to data portability (where technically feasible), and to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal. You may lodge a complaint with a supervisory authority in your country of residence. We will respond to rights requests within one month, extendable by two further months where complex, and will explain the grounds if we cannot fulfil a request.
13. Your rights under the Australian Privacy Act 1988
Australian individuals may access and seek correction of personal information we hold under the Australian Privacy Principles. You may complain to us first; if unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC). We will confirm receipt of complaints and aim to respond within thirty days, subject to complexity.
14. Children
Our website markets dietary supplements intended for adults. We do not knowingly collect personal data from children under sixteen without verifiable parental authority. If you believe a minor has submitted data, contact us and we will delete it where verification supports the request.
15. Third-party links
Pages may reference external resources. Their privacy practices are governed by their own policies. Load third-party content only after reviewing their terms.
16. Personal data breach response
We maintain internal procedures to detect, assess, and report personal data breaches. Where a breach is likely to result in risk to individuals, we will notify affected persons and relevant regulators within timeframes required by the GDPR, UK law, or the Australian Notifiable Data Breaches scheme, as applicable. Notifications describe the nature of the breach, likely consequences, and measures we are taking.
17. Changes to this Privacy Policy
We may update this document to reflect legal, technical, or business developments. Material changes will be indicated by revising the date at the top and, where appropriate, a short notice on the homepage. Continued use after the effective date constitutes acceptance of the updated policy except where consent is required for new processing.
18. Contact for data protection questions
For privacy requests, email notifyuse@phiphraxnriz.world with the subject line “Privacy Request” and sufficient detail for us to verify your identity before disclosing or modifying records.