Privacy Policy
Last updated: 19 March 2026 · Jurisdiction: New Zealand, with GDPR-aligned practices where applicable
This Privacy Policy explains how Throxxeneaglox (“we”, “us”, “our”), trading from Corner Brecon and, Isle Street, Queenstown 9348, New Zealand, collects, uses, stores, shares, and protects personal information when you visit https://throxxeneaglox.world, enquire about Zenovelle, or otherwise interact with our services. We aim to meet the requirements of the New Zealand Privacy Act 2020 and, where the EU or UK General Data Protection Regulation applies to our processing, the GDPR as described below.
1. Data controller and contact
The data controller for personal data described in this Policy is:
- Legal trading name: Throxxeneaglox
- Registered postal address: Corner Brecon and, Isle Street, Queenstown 9348, New Zealand
- Email: feedback@throxxeneaglox.world
- Telephone: +64 3 441 0590
For GDPR-related requests you may contact us at the email above. We do not currently appoint a representative in the European Union; if that changes, this Policy will be updated. If you believe we should designate a representative under Article 27 GDPR, contact us and we will assess the requirement.
2. Scope and relationship to other notices
This Policy applies to processing connected with our website, enquiry forms, email correspondence, telephone enquiries, order handling, customer support, analytics where enabled, marketing where consented, and compliance obligations. It should be read together with our Cookie Policy, Terms of Service, and Return Policy. If you use third-party payment or logistics providers, their privacy notices also apply to data they process as independent controllers or processors.
3. Categories of personal data we collect
Depending on how you interact with us, we may process:
- Identity and contact data: name, email address, telephone number, delivery address, billing address where collected.
- Transaction data: products ordered, order value, payment status references, delivery tracking identifiers, communications about your order.
- Technical data: IP address, browser type and version, time zone, device type, operating system, referring URL, pages viewed, and similar diagnostics.
- Cookie and similar technologies data: as described in our Cookie Policy, including consent choices stored locally in your browser.
- Communication content: messages you send via forms, email, or post, including optional health-related remarks you voluntarily include (we discourage sharing special categories of data unless necessary).
- Marketing preferences: opt-in records, unsubscribe timestamps, campaign interaction metadata where marketing cookies or pixels are used with consent.
- Fraud and security data: logs relating to suspicious activity, failed authentications, and abuse prevention.
We do not intentionally collect special categories of personal data (such as health data) as a routine part of selling food supplements. If you disclose health information, we will treat it with additional care and only retain it where there is a valid legal basis and a clear purpose.
4. Sources of personal data
We obtain personal data directly from you when you submit forms, create or pursue an order, email us, call us, or subscribe to updates. We may receive data from payment service providers, delivery partners, fraud screening tools, and analytics or advertising partners where you have consented to their technologies. We may also receive updated address or contact data from public directories or carriers when necessary to complete delivery.
5. Purposes and legal bases for processing
We process personal data for the following purposes and, under GDPR, on the following legal bases:
- Contract performance (GDPR Art. 6(1)(b)): processing orders, payments, delivery, returns, and contract-related communications.
- Legitimate interests (GDPR Art. 6(1)(f)): website security, service improvement, basic analytics in aggregate form, record-keeping, defending legal claims, and business continuity, balanced against your rights.
- Legal obligation (GDPR Art. 6(1)(c)): tax, accounting, consumer law, product safety, and regulatory compliance.
- Consent (GDPR Art. 6(1)(a)): non-essential cookies, marketing emails, and certain optional profiling where required by law. You may withdraw consent without affecting prior lawful processing.
Under the New Zealand Privacy Act, we only collect information that is necessary for a lawful purpose connected to our functions, and we ensure you know that we are collecting it and why.
6. Use of personal data in detail
We use personal data to: respond to enquiries about Zenovelle; verify identity where needed for high-value orders; process payments through PCI-DSS compliant providers; arrange shipping and customs documentation where applicable; provide customer support; send transactional notices such as order confirmations; maintain internal records; improve website performance and accessibility; detect and prevent fraud, spam, and attacks; comply with court orders and lawful requests from authorities; and, where you opt in, send marketing communications.
7. Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects solely by automated means within the meaning of GDPR Article 22. Basic fraud scoring may involve automated checks followed by human review. If this changes, we will update this Policy and provide appropriate notices.
8. Sharing and categories of recipients
We may share personal data with:
- Hosting and infrastructure providers that store website files and databases in secure environments.
- Payment processors that handle card or wallet transactions; we typically do not store full card numbers on our servers.
- Logistics and courier companies to deliver products and provide tracking.
- Email and customer service platforms used to manage tickets and outbound mail.
- Professional advisers including lawyers and accountants under confidentiality obligations.
- Authorities when required by applicable law or to protect vital interests.
We use written agreements with processors that process data on our instructions, including GDPR Article 28 terms where applicable. We do not sell personal data in the conventional sense of selling lists for cash. If we ever engage in activities that constitute “sale” or “sharing” under specific US state laws, we will provide additional disclosures and opt-out mechanisms as required.
9. International transfers
Our primary operations are in New Zealand. Our service providers may process data in New Zealand, the European Economic Area, the United Kingdom, the United States, or other countries. Where GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by technical and organisational measures, or adequacy decisions where available. You may request a copy of relevant transfer mechanisms by emailing us.
10. Retention periods
We retain personal data only as long as necessary for the purposes collected:
- Order and accounting records: up to seven years from the end of the financial year in which the transaction occurred, unless a longer period is required by law or dispute.
- Marketing consents and suppression lists: until you withdraw consent or object, and thereafter only minimal identifiers to honour unsubscribe requests indefinitely.
- Enquiry forms that do not lead to a contract: typically twelve to twenty-four months unless a longer period is justified by a genuine dispute or legal hold.
- Security and server logs: rolling retention, commonly between thirty and one hundred eighty days, unless extended for incident investigation.
- Cookie-related records: as stated in the Cookie Policy, aligned with consent logs where required.
After retention periods expire, we delete or irreversibly anonymise data where feasible.
11. Security measures
We implement administrative, technical, and physical safeguards appropriate to the risk, including HTTPS encryption for data in transit on our site, access controls and authentication for internal systems, principle of least privilege for staff accounts, malware protection on managed devices, secure development practices, vendor due diligence, and staff training on confidentiality. No method of transmission or storage is completely secure; if we become aware of a breach that risks your rights, we will notify supervisory authorities and affected individuals as required by law.
12. Your rights in the European Economic Area and United Kingdom
If GDPR applies to our processing of your data, you have the right to: access your personal data; rectify inaccurate data; erase data in certain circumstances; restrict processing; request data portability for data you provided where processing is based on contract or consent and carried out by automated means; object to processing based on legitimate interests or for direct marketing; withdraw consent at any time where processing is consent-based; and lodge a complaint with a supervisory authority in your country of residence, place of work, or place of an alleged infringement.
To exercise these rights, email feedback@throxxeneaglox.world. We may need to verify your identity before fulfilling requests. We will respond within one month, extendable by two further months where complex, and we will explain any refusal with reference to legal grounds.
13. Your rights under the New Zealand Privacy Act 2020
You may request access to personal information we hold about you and ask us to correct it if it is inaccurate. You may complain to us if you believe we have interfered with your privacy. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner in New Zealand.
14. Children
Our website and Zenovelle product are directed at adults. We do not knowingly collect personal information from children under sixteen without parental authority. If you believe a child has provided data, contact us and we will delete it where appropriate.
15. Links to third-party sites
Our website may link to external resources. We are not responsible for the privacy practices of third parties. Review their policies before providing personal data.
16. Changes to this Policy
We may update this Privacy Policy to reflect legal, technical, or business changes. Material changes will be highlighted on our website or communicated where appropriate. The “Last updated” date at the top indicates the latest revision.
17. Regulatory statements regarding Zenovelle
Zenovelle is a food supplement. Personal data you provide in connection with product questions may be used to give factual information about the product and your order. We do not use your data to offer medical diagnosis or treatment advice.
18. Records of processing activities
We maintain internal documentation describing processing purposes, categories of data subjects, categories of personal data, recipients, transfers, and retention periods. This documentation is not published in full for confidentiality reasons but may be summarised for supervisory authorities upon lawful request.
19. Data protection impact assessments
Where processing is likely to result in high risk to individuals and no mitigating measures exist, we assess whether a data protection impact assessment is required under Article 35 GDPR. Routine ecommerce processing with mainstream payment and hosting providers typically does not require a formal DPIA absent additional high-risk profiling; we reassess when introducing new technologies.
20. Breach notification
If we discover a personal data breach likely to result in risk to rights and freedoms, we will notify the relevant supervisory authority within seventy-two hours where feasible, describe the nature of the breach, likely consequences, and measures taken, and notify affected individuals without undue delay when the breach is likely to result in high risk, unless exceptions apply.
21. Direct marketing and profiling
We send commercial email only where permitted by law, typically following explicit opt-in for non-customers or soft opt-in for similar products to existing customers where applicable law allows. You may object to marketing at any time. Profiling, if used, is limited and does not produce legal effects without human review unless disclosed otherwise.
22. Complaints without prejudice
Exercising your rights or filing a complaint does not affect other remedies. EU and UK residents may contact their local supervisory authority. We encourage you to contact us first so we can attempt resolution efficiently.
23. Accessibility of this Policy
We provide this Policy in HTML. If you need an alternative format due to disability, contact us and we will endeavour to provide a reasonable accommodation.
24. Corporate transactions
If we undergo a merger, acquisition, or asset sale, personal data may be transferred to a successor under safeguards consistent with this Policy and applicable law. You will be notified as required.
25. Law enforcement requests
We review law enforcement and government requests for personal data to verify legal validity and narrow scope. We may challenge overbroad requests and disclose only information we are legally compelled to produce, unless a prohibition on notice is lawful and in force.