Privacy Policy
Effective date: 25 March 2026 · Version: 1.0 · Jurisdiction: Kingdom of Norway (EEA) with reference to Regulation (EU) 2016/679 (GDPR) as incorporated into Norwegian law through the Personopplysningsloven and related regulations.
This Privacy Policy explains how Queflornchor, with business address Torggata 1, 0181 Oslo, Norway, telephone +47 24 15 50 50, and electronic contact support@queflornchor.world (hereinafter “we”, “us”, or the “Controller”), collects, uses, stores, shares, and protects personal data when you visit https://queflornchor.world (the “Site”), purchase or enquire about Digestivae and related products, subscribe to updates, or otherwise interact with our services (collectively, the “Services”).
We process personal data lawfully, fairly, and transparently. This document satisfies Articles 13 and 14 GDPR where applicable, aligns with transparency expectations under the Norwegian Marketing Control Act where marketing is involved, and complements our Cookie Policy, Terms of Service, and Return Policy.
1. Data controller and representative contacts
The Controller responsible for processing described here is Queflornchor, Torggata 1, 0181 Oslo, Norway. For privacy-specific requests, email support@queflornchor.world with the subject line “Privacy request” and include enough detail for us to verify your identity proportionately. You may also call +47 24 15 50 50 on weekdays between 09:00 and 17:00 Central European Time. If we appoint a data protection officer or an EU/EEA representative for cross-border processing, we will update this section and publish their coordinates on the Site.
2. Scope and material applicability
This Policy applies to natural persons who are identifiable, directly or indirectly, through the data we handle. It covers browsing data, account or guest-checkout data, customer service conversations, marketing preferences, analytics identifiers where consent or legitimate interest applies, and employment or contractor enquiries if you submit a CV. It does not govern anonymous or aggregated statistics that cannot be traced back to an individual.
Healthcare professionals and business customers acting on behalf of legal entities should also read Section 6 regarding business contact persons, where corporate contact details may still constitute personal data for named individuals.
3. Categories of personal data we process
Depending on how you use the Services, we may process:
- Identity and profile data: full name, title, language preference, customer reference number.
- Contact data: postal address, email address, telephone number, country of residence.
- Transaction data: order contents, price paid in NOK or converted currency, payment status, delivery notes, invoice references, partial payment instrument metadata supplied by payment processors (we do not store full card numbers on our servers).
- Communication data: free-text messages, email threads, call logs you initiate, attachments you choose to send, satisfaction survey replies.
- Technical and usage data: IP address, approximate geolocation derived from IP, browser type, device type, operating system, referring URL, pages viewed, scroll depth where measured, session duration, crash diagnostics.
- Cookie and similar identifiers: as described in the Cookie Policy, including consent logs.
- Compliance data: records demonstrating consent, marketing opt-outs, fraud screening outcomes provided by payment partners, export control checks if relevant.
- Special categories: we do not ask you to send health data. If you voluntarily disclose health information in a message, we will restrict access, delete it when no longer needed for the narrow purpose of responding, and remind you to consult qualified professionals for medical matters.
4. Sources of personal data
We obtain data directly from you when you complete forms, place orders, create an account, or contact us. We receive technical data automatically through cookies, pixels, server logs, and security tools. We may receive updated address or payment status information from carriers, payment service providers, and fraud prevention networks. We do not purchase marketing lists that contain personal data without verifying a lawful basis.
5. Purposes, legal bases, and retention
The table below summarises typical processing activities. Retention periods are default maxima; we may delete earlier when no longer needed or anonymise data for analytics.
| Purpose | Legal basis (GDPR Art. 6) | Default retention |
|---|---|---|
| Delivering products, providing invoices, arranging returns | Contract (Art. 6(1)(b)); legal obligation for accounting (Art. 6(1)(c)) | Order records 7 years from fiscal year-end to meet Norwegian bookkeeping rules; shorter for delivery-only notes unless law requires longer |
| Responding to enquiries and providing customer support | Contract or pre-contract steps (Art. 6(1)(b)); legitimate interests in serving customers (Art. 6(1)(f)) | 18 months after last meaningful contact unless a dispute extends the need |
| Operating the Site, troubleshooting, security monitoring | Legitimate interests (Art. 6(1)(f)) balanced against your rights | Server logs rotated after 90 days unless security incident investigation requires longer hold |
| Analytics cookies and similar technologies | Consent where required (Art. 6(1)(a)); anonymised aggregate metrics may rely on legitimate interest after irreversible aggregation | According to cookie settings, typically 14 months maximum for analytics platforms unless you withdraw consent earlier |
| Marketing communications about similar products | Soft opt-in under Norwegian implementation where applicable, otherwise consent (Art. 6(1)(a)) | Until you unsubscribe plus 30 days for suppression lists |
| Compliance with court orders, regulatory requests, or defence of legal claims | Legal obligation (Art. 6(1)(c)) or legitimate interest in legal defence (Art. 6(1)(f)) | Duration of proceeding plus appeal window, then review for deletion |
Accounting vouchers, including invoices and export documentation, may be retained for up to ten years where tax or customs authorities require extended storage. Cookie consent records are kept for five years to demonstrate compliance with the ePrivacy framework and GDPR accountability principle.
6. Recipients and subprocessors
We share personal data only when necessary and under written agreements requiring GDPR-compliant safeguards:
- Payment processors tokenise card data and inform us of authorisation outcomes.
- Logistics partners receive name, address, phone number, and parcel contents description for customs where required.
- Cloud hosting, email delivery, and ticketing systems located in the EEA or covered by Standard Contractual Clauses.
- Professional advisers such as attorneys and auditors under confidentiality duties.
- Authorities when Norwegian or EU law mandates disclosure.
A current list of material categories of recipients is available on request. We do not sell personal data in the sense of disclosure for purely monetary consideration to data brokers.
7. International transfers
Our primary processing occurs within the EEA. If a processor operates in a country without an adequacy decision, we implement Standard Contractual Clauses approved by the European Commission, supplemented by technical measures such as encryption in transit and, where feasible, encryption at rest. Copies of relevant transfer impact assessments can be summarised for you upon request.
8. Security measures
We apply administrative, technical, and organisational measures appropriate to the risk, including role-based access controls, multi-factor authentication for administrative accounts, TLS 1.2 or higher for data in transit, malware scanning, vulnerability management, logging and alerting, staff training, and vendor due diligence. No method of transmission or storage is completely secure; if we detect a breach likely to affect your rights, we will notify the Norwegian Data Protection Authority (Datatilsynet) and, when required, affected individuals without undue delay.
9. Your rights
Subject to conditions in GDPR Chapter III, you may:
- Request access to the personal data we hold about you.
- Request rectification of inaccurate or incomplete data.
- Request erasure (“right to be forgotten”) where no overriding lawful ground applies.
- Request restriction of processing in specific scenarios.
- Object to processing based on legitimate interests, including profiling for direct marketing.
- Request data portability for data you provided where processing is automated and based on consent or contract.
- Withdraw consent at any time for processing that relies on consent, without affecting prior lawful processing.
- Not be subject to solely automated decisions with legal or similarly significant effects, which we do not conduct in the online shop context.
To exercise rights, email support@queflornchor.world. We will respond within one month, extendable by two further months where complex, and inform you of reasons plus appeal paths if we refuse a request. You may lodge a complaint with Datatilsynet, Postboks 458 Sentrum, 0105 Oslo, Norway, or via https://www.datatilsynet.no/.
10. Marketing and profiling
We do not perform invasive profiling that evaluates personal aspects such as health. Generic segmentation based on purchase history may occur for service emails. You can opt out of non-essential marketing through unsubscribe links or by contacting us.
11. Children
Digestivae is intended for adults. We do not knowingly collect data from children under 16 without parental authority. If you believe a minor provided data, contact us for prompt deletion.
12. Automated decision-making
Fraud checks may produce risk scores influencing whether a transaction is held for manual review. A human reviews significant blocks before a final refusal. You may request human intervention and express your point of view where such measures produce legal effects.
13. Changes to this Policy
We update this Policy when processing operations, law, or guidance changes. Material updates will be highlighted on the Site with a revised effective date. Continued use after notice where consent is not required constitutes acknowledgement of reasonable changes tied to the original purpose.
14. Data protection by design and default
We minimise fields in forms, collect only data needed for stated purposes, use test data in non-production environments, and apply access controls following the least-privilege principle. Product development includes privacy review checkpoints before new features launch.
15. Processor governance
Each processor signs Article 28 GDPR terms specifying subject matter, duration, nature and purpose, type of personal data, categories of data subjects, and obligations regarding assistance with rights requests, deletion, audits, and breach notification timelines.
16. Research and surveys
Optional surveys may collect demographic or satisfaction data. Participation is voluntary and analysed in aggregate. If open-text responses risk identifying individuals, we restrict access and redact before wider sharing.
17. Contact
Questions about privacy practices may be directed to support@queflornchor.world or by post to Queflornchor, Torggata 1, 0181 Oslo, Norway.