Introduction and scope
This Privacy Policy describes how Brandoadesign.world, operating the Eluvo brand from Vetrlidsallmenningen 11, 5014 Bergen, Norway, processes personal data in connection with https://brandoadesign.world, pre-contractual communications, purchase fulfilment, customer care, and marketing where permitted. It applies to website visitors, prospective buyers, customers, and business contacts unless a separate data processing agreement governs a purely B2B relationship.
We process data in accordance with Regulation (EU) 2016/679 (GDPR) as incorporated into Norwegian law through the Personal Data Act and related regulations, together with the ePrivacy rules governing storage and access to terminal equipment where relevant.
Plain-language summary: we collect only what we need to run a compliant supplement store, tell you what we do with it, keep it only as long as justified, secure it proportionately, and honour GDPR rights without charging a fee unless requests become manifestly excessive.
Identity of the controller
The controller decides why and how personal data is processed:
Brandoadesign.world · Eluvo
Vetrlidsallmenningen 11
5014 Bergen
Norway
Email: ask@brandoadesign.world
For EU advisory purposes we monitor regulatory dialogue through EEA advisers; we do not require an Article 27 representative while our establishment remains in Norway, an EEA member. Should that change, contact information will be updated in this section.
Data categories and sources
Depending on how extensively you interact with us, we may process some or all of the following categories. Not every visitor supplies every category.
| Category | Examples | Typical source |
|---|---|---|
| Identity | Full name, customer reference | You, order forms |
| Contact | Email, phone, billing and shipping addresses | You, checkout, carrier confirmations |
| Transactional | Order lines, refunds, payment status tokens | E-commerce platform, payment provider |
| Technical | IP address, device identifiers, browser metadata | Server logs, optional analytics if consented |
| Communication | Free-text messages, attachment metadata | Email, chat, contact forms |
| Preference | Newsletter topics, cookie consent flags | You, cookie banner, preference centre |
We do not intentionally collect special categories of personal data (for example detailed health dossiers). If you voluntarily disclose health information in unsolicited messages, we minimise retention and direct you to qualified professionals unless law requires otherwise.
Purposes and lawful bases
Article 6 GDPR requires a lawful basis for each distinct purpose. The table below maps common processing activities to their primary legal foundation. Where multiple bases could apply, we rely on the narrowest adequate option.
| Purpose | Lawful basis |
|---|---|
| Order fulfilment, customer support, contract administration | Performance of a contract (Art. 6(1)(b)) |
| Accounting, tax, consumer law documentation | Legal obligation (Art. 6(1)(c)) |
| Fraud screening, network security, abuse prevention | Legitimate interests (Art. 6(1)(f)) balanced against your rights |
| Optional analytics, personalised marketing emails | Consent (Art. 6(1)(a)), withdrawable at any time |
Where consent forms the basis, refusing it does not affect core purchasing functions; only genuinely optional activities, such as certain marketing personalisation layers, depend on it.
Recipients, processors, and transfers
We engage service providers who process personal data strictly on documented instructions (Article 28 GDPR). Examples include secure hosting within the EEA or adequacy-listed jurisdictions, email deliverability tools, payment acquirers with PCI scope segregation, ticketing software, and carriers responsible for last-mile delivery notifications.
If a processor stores or accesses data outside the EEA, we implement appropriate safeguards such as standard contractual clauses (2021 Commission versions), supplementary technical measures where required by European Data Protection Board guidance, or reliance on adequacy decisions. Copies of relevant transfer mechanisms may be requested subject to confidentiality constraints.
We do not sell personal data to data brokers. Limited disclosures to professional advisers (lawyers, auditors) occur under confidentiality duties when strictly necessary.
Retention schedule
Retention follows necessity rather than convenience. Illustrative periods below may be extended where a legal claim or investigation reasonably requires preserved records.
- Active customer accounts: duration of the commercial relationship plus a short grace window for account recovery.
- Accounting records: up to ten calendar years, in line with Norwegian bookkeeping obligations.
- Marketing consents and associated logs: until withdrawn or, absent engagement, reviewed at least every thirty-six months.
- Cookie and consent artefacts: aligned with durations in the Cookie Policy.
- Server security logs: a rolling window typically not exceeding ninety days unless escalated incident handling applies.
Security measures
We implement TLS for data in transit, access controls partitioned by role, hashed credentials where authentication systems permit, periodic vulnerability scanning on internet-facing services, backups encrypted at rest, and incident logging. Staff with elevated access receive privacy refresher training upon hire and annually.
Breach notification: if a breach likely affects your rights, we notify the Norwegian Data Protection Authority without undue delay where required and communicate with affected individuals when the risk is high, describing mitigations in clear language.
Your GDPR rights
You may exercise the following rights by emailing ask@brandoadesign.world with subject line “Data subject request”. We may verify identity proportionately before disclosing information.
- Access: obtain confirmation whether we process your data and receive a copy in structured, commonly used form.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion where no overriding legal ground persists.
- Restriction: freeze certain processing while disputes are assessed.
- Portability: receive machine-readable data you supplied for contract or consent-based automated processing.
- Objection: object to processing rooted in legitimate interests or to direct marketing, the latter always honoured immediately upon notification.
- Withdraw consent: where processing relied on consent, without retroactive invalidation of prior lawful processing.
You may escalate concerns to Datatilsynet (datatilsynet.no). We welcome the chance to resolve issues directly before regulatory escalation when feasible.
Automated decision-making
We do not deploy solely automated decision-making, including profiling, that produces legal or similarly significant effects in GDPR terms. Fraud heuristics flag orders for human review rather than automatic denial in ambiguous cases.
Children
Eluvo products target adults. We do not knowingly profile minors under sixteen for marketing. If you believe a child submitted data, contact us so we can delete non-essential records.
Changes and contact
Material updates receive a revised publication timestamp and, when legally necessary, proactive email notice to active account holders. Continued use after summary notification constitutes awareness of non-material clarifications.
For all privacy matters: ask@brandoadesign.world · Vetrlidsallmenningen 11, 5014 Bergen, Norway.