Privacy Policy

Last updated: 18 March 2025

This Privacy Policy describes how Chakrelloz ("we", "us", "our") collects, uses, stores and protects your personal data when you use our website https://chakrelloz.world (the "Site") and our services. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (personopplysningsloven), and other applicable data protection laws.

1. Data controller

The data controller responsible for your personal data is:

Chakrelloz
Jernbanetorget 1, 0154 Sentralhallen S, Norway
Email: contact@chakrelloz.world
Phone: +47 22 05 38 20

If you have questions about this policy or your data, please contact us using the details above.

2. What personal data we collect

We may collect and process the following categories of personal data:

• Identity and contact data: name, email address, telephone number (if you provide it), and delivery address when you place an order or contact us.
• Transaction and order data: order details, payment-related information (e.g. payment method; we do not store full card numbers), and correspondence relating to orders and returns.
• Technical and usage data: IP address, browser type and version, device type, time zone, pages visited, time and date of access, and referral source. This may be collected via cookies and similar technologies as described in our Cookie Policy.
• Marketing and communication preferences: if you have opted in to receive marketing, we record your preferences and any consent given.

We do not collect special categories of data (e.g. health, race, religion) unless you voluntarily provide such information (e.g. in a message) and we have a lawful basis to process it.

3. Purposes and legal bases for processing

We process your personal data only for specified, explicit and legitimate purposes. The main purposes and legal bases are:

• Performance of a contract: to process and deliver your orders, manage payments, and handle returns or complaints. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Legitimate interests: to operate and improve our website, prevent fraud, ensure security, and defend our legal rights. Legal basis: legitimate interests (Art. 6(1)(f) GDPR), where our interests are balanced against your rights.
• Legal obligation: to comply with accounting, tax and other legal obligations (e.g. in Norway and the EEA). Legal basis: legal obligation (Art. 6(1)(c) GDPR).
• Consent: where we use non-essential cookies, analytics or marketing, we rely on your consent where required by law. Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

If we need to use your data for a new purpose that is not compatible with the original purpose, we will inform you and, where required, obtain your consent or rely on another lawful basis.

4. How we collect your data

We collect data:

• Directly from you when you fill in forms on the Site (e.g. order form, contact form), when you contact us by email or phone, or when you subscribe to communications.
• Automatically when you use the Site, via cookies and similar technologies (see our Cookie Policy).
• From third parties only where necessary (e.g. payment service providers, delivery partners) to fulfil orders or comply with law.

5. Retention periods

We keep your personal data only for as long as necessary to fulfil the purposes set out in this policy and to comply with legal obligations.

• Order and customer data: typically for the duration of the contractual relationship plus a period required for warranty, returns and legal claims (e.g. up to 7 years for accounting and tax in Norway, unless a shorter or longer period is required by law).
• Contact and enquiry data: for the time needed to handle your enquiry and any follow-up; if no contract follows, we may retain minimal data for a short period for record-keeping and legal defence.
• Marketing and consent records: until you withdraw consent or object, and for a short period thereafter to document consent and comply with accountability obligations.
• Cookies and analytics: as specified in our Cookie Policy (e.g. session cookies until you close the browser; persistent cookies for the periods stated there).
• Logs and security: as required for security and fraud prevention, usually for a limited period (e.g. up to 12–24 months) unless longer retention is required by law.

After the retention period, we securely delete or anonymise your data so that it can no longer identify you.

6. Your rights under GDPR and Norwegian law

Under the GDPR and the Norwegian Personal Data Act, you have the following rights in relation to your personal data:

• Right of access (Art. 15 GDPR): you may request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification (Art. 16 GDPR): you may request correction of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") (Art. 17 GDPR): in certain circumstances you may request that we delete your personal data (e.g. where it is no longer necessary, where you withdraw consent, or where it was processed unlawfully). This right is not absolute; we may need to retain data to comply with legal obligations or establish, exercise or defend legal claims.
• Right to restriction of processing (Art. 18 GDPR): in certain situations you may request that we restrict the processing of your data (e.g. while we verify accuracy or while you object to processing).
• Right to data portability (Art. 20 GDPR): where processing is based on contract or consent and carried out by automated means, you may request to receive your data in a structured, commonly used and machine-readable format, or to have it transmitted to another controller where technically feasible.
• Right to object (Art. 21 GDPR): you may object to processing based on legitimate interests (including profiling). You may also object at any time to processing for direct marketing; in that case we will stop such processing.
• Right to withdraw consent: where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority. In Norway, the supervisory authority is Datatilsynet (the Norwegian Data Protection Authority): www.datatilsynet.no. If you are in another EEA country, you may lodge a complaint with the supervisory authority in your country of residence.

To exercise any of these rights, please contact us at contact@chakrelloz.world or at the address above. We will respond within one month (or inform you of any extension and the reasons). We may need to verify your identity before processing your request.

7. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss or destruction. Measures include:

• Use of HTTPS and encryption (e.g. TLS/SSL) for data transmitted between your browser and our servers.
• Access controls and authentication so that only authorised personnel can access personal data where necessary.
• Secure storage and handling of data, including regular reviews of our security practices.
• Where we use third-party processors (e.g. hosting, payment providers), we choose providers that offer adequate security and, where required under GDPR, we enter into data processing agreements.

Despite our efforts, no method of transmission or storage over the internet is completely secure. We encourage you to use strong passwords and to protect your account and device.

8. International transfers

Your data is primarily processed within the European Economic Area (EEA). If we transfer data to countries outside the EEA, we ensure appropriate safeguards are in place, such as:

• An adequacy decision by the European Commission (e.g. that the country ensures an adequate level of protection).
• Standard contractual clauses (SCCs) approved by the European Commission or the relevant authority.
• Other mechanisms permitted under Chapter V of the GDPR.

You may request details of the safeguards we use for any specific transfer by contacting us.

9. Children

Our Site and services are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete such data.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law or the Site. The "Last updated" date at the top will be revised when we make material changes. We encourage you to review this page periodically. Where required by law, we will seek your consent to any material change in how we use your data.

11. Contact

For any questions about this Privacy Policy or our processing of your personal data, please contact:

Chakrelloz
Jernbanetorget 1, 0154 Sentralhallen S, Norway
Email: contact@chakrelloz.world
Phone: +47 22 05 38 20