Privacy Policy

Scope and audience

This Policy applies to visitors of zlexironzefrylon.world, individuals who email us, buyers who complete checkout flows we operate, and anyone whose data we incidentally process while securing our infrastructure. It does not cover third-party platforms that embed our content unless those platforms act as independent controllers.

By continuing to use the site after we publish updates, you acknowledge the revised terms where consent is not legally required. Where consent is the sole lawful basis, we will obtain a fresh indication before expanding processing.

Controller and representative details

The data controller determining why and how personal data is processed is:

• Legal name: Zlexironzefrylon.world
• Trading identity: Luminara
• Address: 2 Deansgate, Manchester M3 1AR, United Kingdom
• Email for privacy requests: chat@zlexironzefrylon.world

Please mark messages clearly with “Data protection request” and include reliable contact details. We may ask proportionate identity evidence before disclosing or deleting sensitive records to prevent fraudulent erasure attempts.

Categories of personal data

Depending on your interaction depth, we can process identity and contact fields, commercial history, transactional metadata, communications you initiate, device and log data, and—in limited cases—photographs you supply to evidence damaged goods.

We do not intentionally collect special category data or criminal offence data through marketing forms. If you voluntarily disclose health information, we minimise retention and use it solely to handle the support ticket you opened, unless separate lawful authority exists.

Pseudo-anonymous analytics identifiers may be generated from cookie consent records to prove that marketing tags remained off unless you opted in.

Purposes and lawful bases

Processing must always rest on a lawful basis recognised in Article 6 UK GDPR. The matrix below summarises typical scenarios:

• Contract necessity: accepting orders, arranging delivery partners, processing payments through certified gateways, and issuing compliance documents.
• Consent: optional analytics cookies, marketing email, SMS where adopted, and certain loyalty experiments described at collection.
• Legitimate interests: fraud prevention, network defence, product improvement using aggregated statistics, documenting legal claims, and internal reporting that does not outweigh your fundamental rights.
• Legal obligation: tax filings, responses to regulator information notices, and cooperation with lawful court orders subject to review.

Where multiple grounds could apply, we document the primary basis in internal records of processing activities and revisit the assessment annually.

Recipients and subprocessors

We share data only with organisations that supply essential services under written agreements: hosting, transport logistics, customer communication tools, accounting platforms, and payment processors regulated in their home jurisdictions. Each agreement imposes confidentiality obligations, data minimisation duties, and assistance obligations for data subject requests.

We do not sell personal data in the traditional sense of licensing contact lists for unspecified resale. If corporate restructuring occurs, you will receive notice before your data transfers to a successor controller where required by law.

International transfers

Some technical suppliers operate from the United States or other territories without an adequacy decision. When we must transfer personal data internationally, we implement the ICO International Data Transfer Agreement, EU Standard Contractual Clauses, or another approved mechanism, supplemented by transfer impact assessments describing government access risks and the technical safeguards we apply.

You may request a summary redacted copy of the safeguards we rely upon by emailing the contact address above.

Retention periods

• Completed sales and tax evidence: up to seven complete UK financial years unless a shorter period is permissible.
• Prospect enquiries that never convert: twenty-four months of inactivity unless you ask sooner for deletion compatible with legitimate interests.
• Marketing consents and suppression files: lifetime of the brand plus one year to honour unsubscribe proof.
• Security logs: rolling ninety days except when frozen for incident response.
• Cookies: durations named inside the Cookie Policy and your consent dashboard.

After expiry, we purge or irreversibly anonymise datasets so individuals can no longer be identified using reasonable means.

Security measures

We maintain administrative policies covering access reviews, incident escalation, and employee confidentiality undertakings. Technical measures include encrypted transport (TLS 1.2 or better), segregated admin accounts, multi-factor authentication on privileged consoles where supported, and vulnerability monitoring on external perimeter assets.

Organisational measures include processor due diligence questionnaires, periodic tabletop exercises, and data protection training for anyone who routinely handles identifiable customer records.

No system is immune to attack; if a breach risks your rights, we notify the ICO within seventy-two hours where feasible and communicate with affected individuals without undue delay when legally required.

Your privacy rights

Subject to exemptions, you may request access, rectification, erasure, restriction, portability of data you supplied for automated processing based on consent or contract, objection to processing rooted in legitimate interests or direct marketing, and human review of solely automated decisions with legal effects—which we currently do not perform.

You may withdraw consent for optional processing at any time without affecting the lawfulness of earlier processing. To exercise rights, email the controller address with sufficient detail for us to locate records.

If you remain dissatisfied after our final response, you may complain to the Information Commissioner’s Office via https://ico.org.uk/ or your local supervisory authority if the UK regime does not apply.

Automated decision-making

We do not make decisions about individuals using solely automated means that produce legal or similarly significant effects within the meaning of Article 22 UK GDPR. Risk scoring for fraud may flag transactions for manual review but never autonomously cancels legitimate orders without human involvement.

Marketing and profiling

Commercial emails deploy only after a clear opt-in or a soft opt-in scenario recognised under PECR for existing customers purchasing similar products. Profiling for personalised offers remains limited to purchase history and coarse geographic segments; you may object at any time.

Destination advertising: Where we use Google Ads or similar platforms in the United Kingdom, landing pages are designed to meet transparency expectations: clear product classification as a food supplement, visible pricing caveats, honest contact details, working policy links, and no unsubstantiated disease claims.

Children

Luminara products and the website target adults. We do not knowingly collect data from anyone under sixteen. Guardians who believe a minor submitted personal data should alert us so we can delete it promptly where verification succeeds.

Changes and how to reach us

Material updates to this Privacy Policy will carry a refreshed “last reviewed” indicator at the top of the page and, when legally required, a direct communication to active customers or a prominent banner inviting re-review.

For any question about this Policy or our processing activities, contact chat@zlexironzefrylon.world or write to 2 Deansgate, Manchester M3 1AR, United Kingdom, marking the envelope “Privacy Office—Luminara”.