Phexroxxblox.world
Data stewardship

Privacy Policy

This document explains how Phexroxxblox.world, trading as Lunira, treats personal information when you browse, enquire, or otherwise interact with https://phexroxxblox.world/. We combine transparency obligations from the EU and UK GDPR frameworks with the New Zealand Privacy Act 2020 wherever those laws reach our activities.

Live reference date (updates whenever you open this page):

Scope and intent

The policy covers visitors, prospective customers, journalists, and business partners who engage with Lunira online. It does not govern employees or contractors, who receive separate documentation. If you follow a link to another company, their privacy statement applies instead, even when we recommend that vendor for operational convenience.

We describe practices at a level suitable for informed consent and regulatory review. Nothing here constitutes promotional language about supplement performance. Supplement experiences remain individual and cannot be predicted from privacy disclosures.

Controller identity. The data controller is Phexroxxblox.world, 143 Lake Road, Devonport, Auckland 0622, New Zealand. Email ask@phexroxxblox.world for privacy-related correspondence.

Key definitions

“Personal information” and “personal data” include any detail that identifies or can reasonably be linked to a natural person. Aggregate or de-identified statistics that cannot be re-linked are no longer treated as personal data for GDPR purposes once irreversible masking is applied.

“Processing” covers collection, storage, analysis, disclosure, archiving, or deletion, whether manual or automated. “Processors” are vendors that process information strictly on documented instructions from Lunira.

Data subject

The identifiable individual whose rights we honour.

Legitimate interest

A balanced business need that respects your expectations and rights.

Consent

Freely given permission captured through the cookie banner or forms.

Accountability and oversight

Lunira maintains internal ownership for privacy tasks even without a statutory data protection officer in every jurisdiction. Senior leadership reviews access logs semi-annually and approves new subprocessors before they handle live customer data. We keep records of processing activities available for regulators upon request.

If we appoint a European representative under GDPR Article 27, published contact details will appear in this section together with instructions for addressing correspondence to that office.

Categories of information

  • Identifiers and contact details supplied on forms, including your name, email address, organisation, and the body of your message.
  • Technical identifiers such as IP addresses, operating system hints, browser version strings, approximate location deduced at regional level, and timing metadata.
  • Campaign or referral parameters embedded in URLs when you arrive from partner sites.
  • Cookie identifiers you permit through our banner, including optional analytics and marketing tags.
  • Billing and shipment information when you later purchase physical goods, processed according to payment gateway requirements.

We minimise fields on each form and avoid collecting government identifiers unless a specific transaction demands them for customs documentation.

Purposes of processing

Data enables us to answer questions, send lawful marketing that matches your choices, protect against abusive traffic, compile anonymous performance dashboards, comply with court orders, improve accessibility, and maintain archival evidence for disputes. None of these objectives requires us to infer your health status from browsing behaviour, and we configure analytics to suppress sensitive inferences wherever technically feasible.

Optional surveys may collect preference insights. Participation is voluntary and uses aggregated reporting wherever our sample size protects anonymity.

Legal bases under GDPR

Contract performance applies when you initiate an order or professional engagement, because we must communicate about fulfilment. Legitimate interests support fraud prevention, network security, product improvement, and internal analytics that do not rely on sensitive categories. Legal obligations arise from tax, customs, and law-enforcement cooperation statutes. Consent powers optional marketing emails and non-essential cookies when no other basis fits cleanly.

You may withdraw consent at any time without affecting prior processing that was lawful when it occurred. Withdrawal controls appear in footers of marketing messages and in the cookie settings modal.

Advertising, platforms, and New Zealand expectations

When we run paid advertising (including search or display through platforms such as Google Ads directed at users in New Zealand), we aim for landing pages that clearly identify the advertiser, describe Lunira as a dietary supplement rather than a medicine, and avoid prohibited or unsupported therapeutic claims. We respect platform policies on health-related content, personalised ads, and data use for measurement. Measurement tags fire only within the cookie choices you grant.

We do not use this site to promote prescription medicines or to target minors. Creative and keyword choices are reviewed periodically for alignment with the Fair Trading Act 1986, relevant Advertising Standards Authority guidance, and applicable platform rules.

Cookie and similar technologies

Persistent and session cookies, local storage entries, and pixel trackers fall under this heading. Strictly necessary items power the consent repository and security tokens. Optional categories activate only after affirmative choices. Please read our Cookie Policy for granular lifetimes, vendor names, and browser management tips.

Recipients and categories of processors

Hosting infrastructure may reside in New Zealand, Australia, the United States, or the European Union depending on failover routing. Email deliverability partners, customer relationship tools, analytics suites, and accounting software may also receive limited subsets. Each relationship is governed by a data processing addendum or EU Standard Contractual Clauses as mandated.

We do not sell personal information in the conventional sense of exchanging lists for cash. Where United States state laws define “sale” broadly, you may opt out using the same address listed in the contact section.

Cross-border transfers

When personal data leaves the EEA, UK, or Switzerland, we rely on adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, or other Article 46 mechanisms. Copies of transfer impact assessments are retained internally and summarised upon regulatory request.

New Zealand benefits from an EU adequacy determination as of the 2022 modernised framework, simplifying northbound transfers while we still document supplementary safeguards for sensitive workloads.

Retention schedule

  • Marketing consents and associated identifiers: up to twenty-four months after the latest interaction unless you renew interest sooner.
  • Support transcripts and email threads: thirty-six months unless litigation extends necessity.
  • Security logs: twelve months except when incident investigation requires longer holds.
  • Financial and taxation evidence: up to seven years from transaction close.
  • CVs submitted for recruitment jobs we advertise: eighteen months if no offer is made.

Automated jobs purge expired buckets quarterly. Manual exceptions require written approval from privacy leadership.

Technical and organisational measures

Transport layer encryption uses modern TLS configurations. Access to production databases follows least-privilege rules with multi-factor authentication for administrators. We separate production, staging, and development networks, back up encrypted snapshots daily, and test restore drills twice per year.

Despite diligent controls, no internet transmission is perfectly secure. Report suspected compromises immediately so we can coordinate containment, notification, and regulatory escalations as applicable.

GDPR and UK GDPR rights

Depending on context you may exercise access, rectification, erasure, restriction, objection, and portability rights. We respond within thirty days, extendable by two further months for complex bundles, and explain any refusal with legal citations. Supervisory authorities remain available if you disagree with our assessment.

New Zealand Privacy Act principles

Principle 1 through 13 obligations—including purpose limitation, accuracy, security, transparency, and the right to request access or correction—guide domestic operations. You may escalate complaints to the Office of the Privacy Commissioner if informal resolution fails.

Health and sensitive data

Our enquiry forms are not designed for clinical disclosure. If you accidentally paste diagnostic history, staff will isolate the record, advise you to consult a clinician offline, and delete incidental paragraphs unless law demands preservation.

Age thresholds

The website targets adults. We do not knowingly collect data from anyone under sixteen without verifiable parental consent. Parents may request deletion of inadvertent submissions.

Automated decision making

Lunira does not rely on purely automated decisions that produce legal or similarly significant effects regarding individuals. Future scoring tools would receive updated disclosures before activation.

Incident response

Suspected breaches trigger an internal severity matrix, containment playbook, regulator notifications where legally required, and direct communication to affected individuals when the risk to rights is high. Post-incident reviews feed improvements within ninety days.

Evolution of this Policy

Material updates receive refreshed publication dates and, where consent is the sole legal basis for a processing change, we will recollect permission through prominent notices or banners.

Contact, questions, and complaints

Email ask@phexroxxblox.world or write to 143 Lake Road, Devonport, Auckland 0622, New Zealand. Please allow five business days for initial acknowledgement. Escalate unresolved matters to your local supervisory authority or the New Zealand Office of the Privacy Commissioner.