Retention window: marketing consent
Maintained until withdrawal or twenty-four consecutive months without meaningful interaction, after which identifiers undergo irreversible pseudonymization.
Transparency archive
Privacy Policy
This document explains how Vorpalonaixleux.world processes personal data when you explore Elenor, request documentation, or complete a purchase. It is written for shoppers in New Zealand as well as international visitors who benefit from GDPR-aligned clarity.
Current as of
Controller and verified contacts
The data controller is Vorpalonaixleux.world, trading from Tenancy T10a, Albany Mega Centre, 140 Don McKinnon Drive, Albany 0632, New Zealand. For privacy requests, email ask@vorpalonaixleux.world with copy sufficient to confirm identity without oversharing government identifiers in the initial thread.
We maintain an internal register of processing activities, including subprocessors that assist with hosting, transactional email, analytics (when consented), and payment capture. Subprocessor reviews occur at least quarterly or whenever contractual terms materially shift.
Categories of data we handle
- Identity markers such as full name, preferred pronouns if you volunteer them, and salutation preferences captured in free-form messages.
- Contact coordinates including email, phone when supplied, delivery sites, and pickup notes for restricted addresses.
- Transactional metadata including basket composition, order identifiers, refund references, and courier tracking tokens.
- Technical identifiers such as truncated IP addresses, user agent strings, screen metrics used solely for responsive debugging, and consent receipts stored in tamper-evident logs.
- Communications you initiate, including attachments, voice memo transcripts if you later reference them in writing, and escalation threads forwarded to supervisory teams.
Legal bases mapped to everyday actions
Contract performance: Shipping Elenor, validating payments, issuing compliant invoices, coordinating batch-specific questions.
Consent: Optional newsletters, non-essential cookies, anonymized testimonial quotes where you explicitly opt in.
Legitimate interests: Fraud screening with proportionate signals, feedback analysis to prioritize UX debt, documenting incidents for insurers.
Legal obligation: Tax filings, responses to lawful regulator orders, preservation orders tied to active disputes.
International transfers and safeguards
Infrastructure partners may process limited datasets in Australia, the United States, Singapore, the Republic of Ireland, or Germany depending on routing efficiency. Where GDPR or UK GDPR requires additional mechanisms, we rely on Standard Contractual Clauses, supplementary technical measures such as TLS 1.2 or better, and due diligence questionnaires updated when vendors release new subprocessors.
Transfers purely for transient caching inside content delivery networks still respect storage minimization: payloads exclude special category data unless you knowingly supplied health-adjacent context and we acknowledged the sensitivity in writing.
Retention window: order ledgers
Seven years to align with Inland Revenue requirements and consumer guarantee traceability, unless law mandates extension.
Retention window: support transcripts
Thirty-six months after closure unless tied to litigation holds or chargeback investigations that require longer preservation.
Security measures in plain terms
We combine role-based access with hardware security tokens for privileged staff, segregated production environments, nightly encrypted backups tested semi-annually, and dependency scanning within CI pipelines. Incident response playbooks include customer notification thresholds consistent with NZ Privacy Act 2020 expectations and GDPR Article 33 timing when EU residents are affected.
While no online transmission is impervious to novel threats, we monitor certificate transparency logs, subscribe to vendor advisories, and rehearse tabletop exercises covering ransomware and insider risk scenarios.
Rights you may exercise
Subject to verification, you may request access, rectification, erasure where no overriding duty persists, restriction of certain processing, portability for machine-readable exports we can realistically generate, objection to profiling that does not occur today, and withdrawal of marketing consent at any time without impacting lawfulness of earlier processing.
EU and UK residents may escalate to their supervisory authority; New Zealand residents may contact the Office of the Privacy Commissioner. We respond within statutory timelines and document outcomes inside our privacy ticketing system.
Children and sensitive contexts
Elenor marketing addresses adults. We do not knowingly profile minors under sixteen without guardian authorization. If you believe we collected juvenile data inadvertently, alert us promptly so we can erase it and review upstream forms.
Automated decision-making
We do not execute solely automated decisions with legal or similarly significant effects regarding your orders. Fraud heuristics flag transactions for human review rather than auto-declining without oversight.
Policy evolution
When substantive edits appear, we revise the “current as of” date, highlight major deltas inside the inbox newsletter when you subscribe, and archive prior PDF snapshots for regulators upon request.