Privacy Policy

1. Data controller and representative

The controller responsible for processing is:

We do not appoint a representative outside the EU solely for this site; if that changes, this Policy will be updated and the representative’s identity published here.

2. Categories of personal data

Depending on how you interact with us, we may process:

• Identity and contact: name, email, phone if provided, delivery address, billing address, customer reference numbers.
• Transaction data: order contents, payment status references, refund references, correspondence about orders.
• Communication content: free-text messages from forms, email threads, support tickets.
• Technical data: IP address, browser type and version, device type, operating system, timestamps, approximate region from IP.
• Usage data: pages viewed, scroll depth where measured, referral URL, on-site search queries if available.
• Cookie and similar data: as described in the Cookie Policy, including consent records.

We do not ask you to send special categories of data (such as detailed health information) through the general contact form. If you voluntarily include such information, we treat it with additional care and may delete it if it is not needed to handle your request.

3. Purposes of processing

We use personal data for the following main purposes:

• Operating the website, presenting Enerio information, and providing account or session features where offered.
• Processing enquiries, quotes, and orders; delivering goods; managing returns and refunds under our policies.
• Customer support, complaint handling, and dispute resolution.
• Accounting, tax, invoicing, and compliance with legal obligations.
• Fraud prevention, network security, abuse detection, and backup integrity.
• Improving site structure and content using aggregated or pseudonymised analytics where you consent to optional cookies.
• Sending service messages about your order or legal changes; marketing only where permitted and, where required, consented.

4. Legal bases (GDPR Article 6)

We rely on one or more of the following, depending on the activity:

• Contract (Art. 6(1)(b)): processing necessary to take steps at your request before a contract, or to perform a contract (for example fulfilling an order).
• Legitimate interests (Art. 6(1)(f)): for example securing our systems, understanding aggregate site usage in a privacy-preserving way, or defending legal claims, where not overridden by your rights.
• Consent (Art. 6(1)(a)): where required for optional cookies, certain marketing, or non-essential communications.
• Legal obligation (Art. 6(1)(c)): retaining accounting records, responding to lawful requests from authorities.

5. Storage periods and deletion

We keep data only as long as necessary for the purposes above, including statutory retention:

• Marketing consent logs and unsubscribe records: up to three years after the last relevant interaction unless a longer period is required to prove compliance.
• Enquiry and contact form content: typically up to twenty-four months after closure of the thread unless a legal claim requires longer retention.
• Contracts and invoices: for the period required by Finnish bookkeeping and tax law, often six to ten years from the end of the financial period.
• Technical logs: rolling retention, often twelve months, unless extended for security investigations.
• Cookie-related records: as stated in the Cookie Policy, often up to twelve months for consent strings.

When retention ends, we delete or irreversibly anonymise personal data where possible.

6. Your rights

Subject to conditions in the GDPR, you may:

• Request access to your personal data and receive a copy in a structured, commonly used format where applicable.
• Request rectification of inaccurate data and completion of incomplete data.
• Request erasure where grounds apply (for example when data is no longer necessary or you withdraw consent and no other basis applies).
• Request restriction of processing in specific situations.
• Object to processing based on legitimate interests or to direct marketing.
• Request data portability for data you provided where processing is based on consent or contract and is automated.
• Withdraw consent at any time for processing that relies on consent, without affecting lawfulness before withdrawal.
• Lodge a complaint with a supervisory authority; in Finland, the Office of the Data Protection Ombudsman.

To exercise rights, email talk@tluzarinsykrax.world. We may need to verify your identity. We respond within one month in most cases, extendable where permitted by law.

7. Recipients, transfers, and security

We use processors for hosting, email transmission, payment services, customer support tools, and analytics (if consented). Processors are bound by written agreements requiring GDPR-compliant safeguards.

If personal data is transferred outside the European Economic Area, we implement appropriate safeguards such as Standard Contractual Clauses or rely on an adequacy decision under Chapter V GDPR.

We implement technical and organisational measures including HTTPS, access control, principle of least privilege, pseudonymisation where feasible, and review of subprocessors. No online transmission is completely risk-free; we work to reduce risk in line with good industry practice.

8. Children and updates

The site is not directed at children under sixteen. If we learn we have collected personal data from a child without appropriate authority, we delete it promptly upon notice.

We may update this Privacy Policy to reflect legal, technical, or business changes. The displayed date at the top is generated when you load the page; material changes may also be announced on the site. Continued use after updates constitutes acceptance where the law allows.