Privacy Policy

Last reviewed:

This Privacy Policy explains how Tholmareeixla.world, operating the Veroa brand, processes personal data when you interact with our website, customer service channels, and order flows. We wrote it to support transparency expectations under the EU GDPR, the UK GDPR, the California Consumer Privacy Act as amended, and comparable U.S. state privacy statutes.

1. Data controller and contact channels

The controller responsible for personal data collected through https://tholmareeixla.world is Tholmareeixla.world, with postal address 9858 International Dr, Orlando, FL 32819, United States, and email ask@tholmareeixla.world.

Residents of the European Economic Area, Switzerland, or the United Kingdom may contact us at the same address to exercise GDPR or UK GDPR rights. We verify requests to prevent unauthorized disclosure and respond within statutory timelines unless an extension applies.

If you believe someone submitted an order or inquiry impersonating you, notify us immediately with any transaction identifiers so we can freeze related activities while facts are reviewed.

2. Scope of this Policy

This Policy covers personal data we collect directly from you, indirectly through technology when you browse, and from partners that help us fulfill orders. It does not govern third-party sites linked from our pages; their operators maintain separate privacy notices.

Employees, contractors, and temporary staff may have separate notices describing workplace monitoring and human resources processing.

3. Categories of personal data

Depending on your interactions, we may process:

  • Identity and contact information: legal name, shipping address, billing address, email, phone number, company details for B2B invoices if applicable.
  • Transaction data: order identifiers, SKUs purchased, discounts applied, refunds issued, and communications about shipments.
  • Payment data: payment method token or last four card digits through our processor; we do not store full payment card numbers on Veroa servers.
  • Support content: free text you supply in forms, chats, or email threads, including attachments you choose to send.
  • Technical identifiers: IP address, device type, operating system, browser version, rough geolocation derived from IP, HTTP referrer, and timestamps.
  • Preference signals: cookie consent logs, newsletter choices, locale, and saved communication settings.

  • Orders: minimal data needed to invoice, ship, and prove delivery.
  • Marketing: optional channels activated only with appropriate consent or soft opt-in where legally allowed.
  • Security: short-lived logs to block automated attacks and replay fraud.

4. Purposes and legal bases

When GDPR applies we rely on:

  • Contract performance: processing necessary to conclude and perform purchase agreements, including payment authentication, fulfillment, returns, and contractual notices.
  • Legitimate interests: service improvement, fraud analytics that minimize false positives, first-party audience insights that do not require consent cookies under ePrivacy implementation, and network defense.
  • Consent: non-essential cookies, certain marketing emails, voluntary surveys, or optional product waitlists.
  • Legal obligation: tax documentation, lawful demands from courts, and product traceability when regulators inquire.

In scenarios where multiple bases could apply, we document the primary basis and restrict processing accordingly.

5. Recipients and onward transfers

We share personal data with subprocessors that provide infrastructure, payment acceptance, shipping manifests, email delivery, ticketing, and security monitoring. Contracts require confidentiality, purpose limitation, and assistance with data subject requests.

We do not sell personal information as the term is defined under the CCPA/CPRA. We do not knowingly sell data about minors.

Corporate transactions such as mergers may involve transferring data to a successor entity subject to confidentiality and continuance obligations.

6. International transfers

Because our primary operations are in the United States, data you submit may be processed on U.S. servers. For EEA, UK, or Swiss residents we implement appropriate safeguards such as Standard Contractual Clauses, supplemented by technical measures where required by precedential guidance.

You may request a summary of relevant transfer mechanisms by emailing us with “Transfer Question” in the subject line.

7. Retention periods

  • Transactional archives: up to seven years where tax or commercial law mandates proof of sale and refund.
  • Marketing suppression lists: hashed identifiers retained indefinitely to honor unsubscribe requests even if you later re-register.
  • Security logs: rolling ninety-day windows unless an active investigation extends custody.
  • Consent evidence: three years from withdrawal or policy change, whichever is later, to demonstrate compliance.

8. Security measures

We maintain administrative policies, role-based access controls, encryption for data in transit, segmentation between environments, vulnerability scanning cadence, and annual reviews of vendor certifications relevant to cardholder or health-adjacent workloads.

No online transmission is perfectly secure; you should protect account credentials and avoid sending sensitive health data to retail support inboxes unless strictly necessary.

9. Your privacy rights

Subject to applicable law you may request access, rectification, erasure, restriction, portability, objection to certain processing, withdrawal of consent, and explanation regarding automated decision-making (we do not employ purely automated decisions with legal effect).

To exercise rights, email ask@tholmareeixla.world using the subject “Data Rights Request” and include enough data for verification without over-collection.

10. California residents

California consumers may request the categories and specific pieces of personal information collected, deletion subject to exceptions, correction of inaccurate data, and information about disclosures for cross-context behavioral advertising if ever introduced.

Authorized agents must provide signed permission; we may deny requests that cannot be verified.

11. Children

The Site is not directed to individuals under eighteen. If we learn we collected data from a child without verifiable parental consent we will delete it promptly where deletion is consistent with law.

12. Changes and document integrity

We may revise this Policy to reflect new products, regulators’ interpretations, or corporate structure adjustments. Material updates will display a refreshed review stamp and, where appropriate, a short summary banner on the homepage.

The dynamically displayed calendar date at the top of this page reflects when your browser loaded the document; substantive edits are reflected in our internal changelog maintained for audit readiness.
