Identity & contact
Full name, invoice name, email, optional phone, shipping address, company registry numbers, VAT identifiers, and unstructured text inside message bodies.
Transparency archive GDPR Chapter III & IV
Privacy Policy
Xexvalonuequidza.world operates Movira digital channels under the EU General Data Protection Regulation, the Dutch GDPR Implementation Act (UAVG), and sector guidance from the Autoriteit Persoonsgegevens. The notice explains every category we touch, why it exists, how long it stays, and which parties assist us.
Current document date:
1. Data controller identity
The controller responsible for personal data on https://xexvalonuequidza.world/ and related Movira services is:
Xexvalonuequidza.world
Lijnbaan 140, 3012 ER Rotterdam, Netherlands
Email: chat@xexvalonuequidza.world
Lijnbaan 140, 3012 ER Rotterdam, Netherlands
Email: chat@xexvalonuequidza.world
Representatives for supervisory correspondence may be appointed in writing; until published, address requests to the postal line above.
2. Material scope
The policy covers ecommerce visitors, testers, wholesale buyers, press contacts, prospective employees who email speculative CVs, and anyone submitting the Movira request form. It complements the Cookie Policy, which governs consent storage and analytics identifiers.
Offline events, paper contracts, or voice calls may generate additional records; when those diverge, we issue a supplemental notice at collection time.
3. Categories of personal data
Transaction metadata
Order identifiers, SKU lists, payment confirmation tokens (never full card numbers), chargeback references, and voluntary survey responses.
Technical telemetry
IP address, approximate geolocation derived from IP, browser family, device type, referrer URL, crash logs if you opt into diagnostics.
Compliance artifacts
Age attestations, copies of identity documents when fraud teams require verification, customs paperwork, and regulator correspondence.
We discourage embedding sensitive health details in free-text fields. If you volunteer such content, we segregate it and delete it once the request concludes unless a distinct legal duty mandates retention.
4. Purposes and legal bases
Contract & pre-contract (Art. 6(1)(b)): quotes, fulfilment, subscription renewals, merchant-of-record payouts.
Legal obligation (Art. 6(1)(c)): tax books, consumer cooling-off evidence, product traceability, court orders.
Legitimate interests (Art. 6(1)(f)): cybersecurity, duplicate detection, internal reporting, limited brand protection scans balanced against your rights.
Consent (Art. 6(1)(a)): optional newsletters, non-essential cookies, testimonials featuring your name.
Where national implementations require impact assessments, we document them internally and provide excerpts to regulators upon request.
5. Recipients and processors
We rely on vetted vendors for hosting, transactional email, CRM, payment facilitation, translation, and customer support chat. Each relationship sits under Article 28 GDPR terms featuring confidentiality clauses, subprocess or notification obligations, and assistance with data subject inquiries.
Employees access data on a need-to-know basis through hardware security modules and single sign-on policies audited quarterly.
6. International transfers
Some subprocessors operate in the United Kingdom or the United States. We transfer only when adequate safeguards exist: adequacy decisions, approved standard contractual clauses plus supplementary technical measures such as TLS 1.2 minimum, field-level encryption for crown-jewel columns, and data minimization exports.
You may request a summary of mechanisms through the contact channel below.
7. Retention schedule (non-exhaustive)
- Marketing consents and unsubscribe evidence: three years from last send.
- Accounting ledgers: seven years from book closure or shorter if law updates.
- Support transcripts: twenty-four months unless litigation holds apply.
- Security monitoring logs: ninety rolling days except forensics snapshots.
- Cookie preference proofs: aligned with ePrivacy guidance, typically thirteen months from last update.
8. Security measures
We implement encryption in transit, encrypted backups, key rotation, least-privilege secrets management, phishing-resistant admin MFA, endpoint detection on corporate devices, and annual penetration testing scoped to production-equivalent environments.
No control eliminates residual risk; when a breach likely affects your rights, we inform the AP within seventy-two hours where feasible and communicate with impacted individuals without undue delay.
9. Data subject rights
You may request access, rectification, erasure, restriction, portability, objection to certain processing, and withdrawal of consent without affecting prior lawful processing. To reduce spoofing, we may require signed PDFs or video identification for destructive actions.
Lodge complaints with the Dutch DPA (Autoriteit Persoonsgegevens) at Bezuidenhoutseweg 30, 2594 AV The Hague, or another EU supervisory authority under the GDPR forum rules.
10. Automated decision-making
We do not deploy solely automated decisions that produce legal or similarly significant effects regarding individuals. Fraud heuristics flag cases for humans; they never auto-block accounts without manual validation.
11. Policy maintenance
Material updates surface here with a refreshed publication date above. Continued use after notification where consent is unnecessary constitutes acknowledgement of non-substantive edits; substantive changes may require renewed consent for optional processing.
12. Escalation contacts
Privacy specialists monitor chat@xexvalonuequidza.world. Postal mail remains the preferred channel for formal legal service. Include enough identifiers for us to locate records without excessive data collection.