GDPR transparency

Privacy Policy

This document describes how Chivrealdlox processes personal data when you visit chivrealdlox.world, contact us, or interact with optional analytics or marketing tools after giving consent. We wrote it for adults who want plain language first and legal precision second; statutory citations appear where they help you exercise rights.

On this page
  • Overview
  • Controller
  • Data we process
  • Sources
  • Legal bases
  • Purposes
  • Retention
  • Recipients
  • Transfers
  • Security
  • Your rights
  • Automation
  • Children
  • Third parties
  • Complaints
  • Changes
  • Contact

Last materially updated: 31 March 2026 · Version suitable for visitors in the EEA and United Kingdom where compatible local law applies.

Overview and scope

The Site publishes general lifestyle information about small daily actions related to energy and rhythm. The Privacy Policy applies to personal data collected through the Site, email, phone callbacks you initiate, and paper correspondence if you choose postal channels. It does not govern independent processors you engage separately, such as your own email provider’s routing logs, except where we act as a controller for inbound messages addressed to us.

If you collaborate with us under a contract, additional schedules may specify categories of data, subprocessors, or audit rights. Those schedules prevail over conflicting summaries in this Policy only for the signed relationship they are attached to.

Quick signal. We do not sell personal data in the sense of exchanging lists for cash. We may use tools from vendors who process data on our instructions or their own legal bases as described under Cookies and optional marketing.

Data controller identity

The controller responsible under the GDPR is Chivrealdlox, with its principal contact point at Marnixstraat 168, 1016 TG Amsterdam, Netherlands. You may phone us at +31 20 623 1051 or email touch@chivrealdlox.world for privacy requests.

Where national law requires a trade register identifier or VAT number for formal notices, insert the values applicable to your live entity in the production version of this page. The static template you are reading emphasises narrative clarity for reviewers.

Represented data subjects

Visitors, prospective partners, journalists, and individuals who email us are all data subjects when we can distinguish them in logs or messages.

Languages

We may reply to requests in English or Dutch first. Translations of this Policy into other languages are convenience copies; the English GDPR framing remains authoritative for contractual interpretation unless local law mandates otherwise.

Categories of personal data

Depending on interaction paths, we may process identifiers (name, online handle if you choose one, email address, phone number), content data (free text you type into the contact form, attachment metadata if applicable), technical data (IP address truncated or pseudonymised where feasible, user agent, device hints), usage data (pages opened, sequence, scroll depth through optional analytics), and consent records (timestamps, version of banners accepted).

We do not ask you to upload identity documents through the public Site. If you voluntarily mail scans, we will treat them under the same retention principles as other correspondence but discourage sending passports unless absolutely necessary.

Special categories

Article 9 GDPR covers data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for ID, health data, or sex life and orientation. Our lifestyle articles are not designed to solicit that information. If you embed health details inside a message, we will restrict access and delete when retention ends, but we cannot retroactively erase what unknown mail relays logged.

Where the data comes from

Most records originate directly from you: filling fields, clicking cookie choices, or placing a phone call. Indirect sources include server infrastructure, content delivery networks that terminate TLS, and—if enabled—analytics partners that assign pseudonymous IDs.

Public sources rarely matter for this Site, but we might note a corporate email domain when evaluating partnership seriousness. We do not scrape social networks to enrich visitor profiles for the static brochure experience described on the home page.

Legal bases in plain English

Consent. Optional analytics and marketing cookies, some newsletter flows if introduced later, and secondary uses beyond core browsing depend on your freely given, specific choice recorded through the banner or form tick boxes.

Legitimate interests. Network security, spam prevention, aggregated statistics derived without persistent identifiers, and limited internal business analytics may fall under Article 6(1)(f). We balance them against your expectations and offer objection routes where feasible.

Contract. If you order paid services in the future, fulfilment processing shifts toward Article 6(1)(b). Today’s contact form alone rarely forms a contract until mutual written confirmation exists.

Legal obligation. Tax archives, law enforcement requests vetted by counsel, or sector regulators can force retention beyond ordinary marketing schedules.

Purposes and compatibility

We process data to operate the Site, respond to communications, demonstrate consent compliance, improve content structure using aggregated metrics, defend legal claims, and—only after permission—measure campaigns. Further processing for archival purposes in the public interest or scientific research is not a current focus; should that change, we would update this Policy and consent prompts.

Delivery. Sending HTML, static assets, fonts, and cached images to your browser, adjusting compression by connection quality.

Trust. Rate limits, bot challenges if abuse appears, and correlation with abuse databases at the IP level for short windows.

Insight. Heatmaps or funnel diagnostics if analytics cookies are enabled, always reviewed at aggregate level before UX decisions.

Retention benchmarks

Contact messages: up to twenty-four months after the last inbound or outbound email in a thread unless litigation holds apply. Server access logs: rolling ninety days unless security review extends narrowly identified entries. Consent strings: twenty-four months from last update so we can prove banner wording shown to you.

Backup tapes may delay physical erasure by one additional backup cycle; restoration tests validate that expired records do not reappear in production databases. When anonymisation is possible, we prefer that over deletion if analytics usefulness remains.

Recipients and subprocessors

Hosting providers, transactional email gateways, ticketing or CRM tools, analytics and advertising networks upon consent, accountants, auditors, insurers, and legal counsel may access subsets of data under contracts requiring confidentiality and purpose limitation.

We publish or provide on request an indicative subprocessor list for enterprise clients. Consumer visitors may email us for the latest version rather than monitoring every infrastructure migration in real time on the public Site.

Advertising and measurement

If you opt in to marketing or analytics cookies, technology partners (for example Google) may process device or usage data for ad measurement, frequency capping, or aggregated reporting. Their processing is also described in their own policies, such as Google’s advertising and cookie information. You can withdraw consent at any time via our cookie controls and your browser settings.

International transfers

If personal data leaves the EEA to countries without an adequacy decision, we rely on Standard Contractual Clauses (2021/914) or successor instruments, supplemented by technical measures such as encryption in transit and authentication for administrative consoles. Copies of redacted transfer impact assessments may be available to regulators or, under strict confidentiality, to corporate counterparties.

UK extensions or Swiss adaptations of those clauses may be added where required post-Brexit or under FADP contexts.

Security measures

We implement TLS for public pages when hosting permits, password policies with hardware factors for staff, least-privilege IAM roles, logging of administrative actions, vulnerability patching within vendor-recommended windows, and annual policy refresh training. Penetration tests may be commissioned for major releases.

No programme eliminates risk. If we discover an incident likely to affect your rights, we will evaluate Article 33 and 34 GDPR reporting duties and notify affected users when legally required or ethically advisable.

Your GDPR rights

You may request access, rectification, erasure, restriction, portability (for automated processing based on contract or consent), object to certain legitimate-interest processing, withdraw consent without retroactive invalidity, and lodge a complaint with the Autoriteit Persoonsgegevens or your habitual residence authority. Automated decision-making with legal or similar effect is not used on this Site today.

Identity verification may involve confirming control of an email address or answering security questions proportionate to request sensitivity. We answer within one month unless complexity allows a two-month extension per Article 12(3).

Automation and profiling

We do not score individuals for credit or insurance through the Site. Marketing segmentation, if introduced, would rely on coarse labels such as country or content topic interest without covert behavioural manipulation forbidden by fairness principles in the Digital Services Act conversation.

Children

The Site targets adults deciding their own routines. We do not knowingly invite children under sixteen to submit data. Parents or guardians who believe a minor disclosed information should contact us for prompt review and deletion where feasible.

Third-party destinations

Outbound links may lead to social networks, press clippings, or tools we admire. Their controllers apply separate policies. Opening a new tab does not automatically share this Site's cookies with them unless embedded widgets load; we avoid surprise embeds where possible.

Complaints pathway

We prefer you email first so engineers can correct misunderstandings quickly. If unsatisfied, supervisory authorities offer no-cost dispute doors. Cross-border cases may be handled through the one-stop-shop mechanism when we establish main establishment in the Netherlands.

How we notify you of changes

Material edits get a fresh “Last materially updated” line and, when appropriate, a short banner or inbox notice to active subscribers. Continued browsing after a reasonable notice period can constitute acceptance for non-privacy Terms; privacy changes that reduce rights will seek fresh consent where the law demands.

Privacy request contact

Route formal requests to the email above with “GDPR Request” in the subject. Describe the right invoked, relevant time window, and preferred response channel. We do not charge fees for unfounded repetitive requests; manifestly excessive volumes may incur administrative costs permitted by Article 12(5).
