Privacy Policy

Last updated: 1 January 2026

1. Data Controller

The controller of your personal data is:

Ximthorexly
Teollisuustie 2, 96320 Rovaniemi, Finland
Phone: +358163305500
Email: call-us-ask@ximthorexly.world
Website: https://ximthorexly.world

2. Legal Basis and Purpose of Processing

We process personal data only when we have a lawful basis under Article 6 of the General Data Protection Regulation (GDPR). The specific legal bases and purposes are:

  • Performance of a contract (Art. 6(1)(b)): Processing your name, email address, phone number and delivery address to fulfil your order and arrange delivery.
  • Consent (Art. 6(1)(a)): If you have consented, processing data for marketing communications (newsletter, promotional messages). You may withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)): Improving our website, preventing fraud and maintaining the security of our IT systems.
  • Legal obligation (Art. 6(1)(c)): Complying with Finnish accounting and tax legislation (e.g., Accounting Act 1336/1997).

3. Categories of Personal Data Collected

We collect only the data necessary for the stated purposes:

  • Identity data: full name
  • Contact data: email address, phone number, postal address
  • Order data: products ordered, quantities, transaction references
  • Technical data: IP address, browser type, pages visited, time of visit (collected via cookies where consented)
  • Communication data: messages sent via our contact form

We do not process special categories of personal data (sensitive data) as defined in Article 9 GDPR.

4. Retention Periods

We retain personal data only as long as necessary:

  • Order and customer data: 7 years from the end of the financial year of the transaction, as required by Finnish accounting legislation.
  • Marketing consent records: Until consent is withdrawn, plus 3 years thereafter for compliance purposes.
  • Technical/log data: Up to 12 months, then deleted.
  • Contact form messages: 24 months from receipt, unless an ongoing matter requires longer retention.

5. Recipients and Third-Party Transfers

We may share your data with trusted processors who assist us in operating our business, always under data processing agreements:

  • Payment service providers (for order processing)
  • Logistics and delivery partners (for shipment)
  • IT and hosting service providers (servers located in the EU/EEA)
  • Email service providers (for order confirmation emails)

We do not sell personal data to third parties. Where processors are located outside the EEA, we ensure transfers are protected by Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission.

6. Your Rights Under GDPR

As a data subject, you have the following rights, which you can exercise by contacting us at the address above:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to our legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we restrict processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to requests within one month. If you believe your rights have been violated, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu): tietosuoja.fi.

7. Cookies and Tracking

We use cookies on this website. Please refer to our Cookie Policy for full details on the types of cookies used, their purposes and how to manage your preferences.

8. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction or alteration. These include encrypted data transmission (HTTPS), access controls and regular security assessments. In the event of a data breach likely to result in a high risk to your rights, we will notify you and the supervisory authority in accordance with Articles 33 and 34 GDPR.

9. Children's Privacy

Our website and products are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it without delay.

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in law or our practices. We will notify registered users of material changes via email. The current version is always available on this page with the date of last update.

11. Contact

For any questions relating to this Privacy Policy or our data processing practices, please contact:

Ximthorexly
Teollisuustie 2, 96320 Rovaniemi, Finland
Email: call-us-ask@ximthorexly.world
Phone: +358163305500