Privacy Policy
Last updated: 24 June 2026
At NORYX ("we", "us", "our"), the protection of your personal data is a matter of the utmost importance. This Privacy Policy sets out transparently which personal data we collect, why we collect it and how it is handled. The applicable legal frameworks are the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller within the meaning of the UK GDPR is the operator of noryx.com. For any queries relating to this policy or to the handling of your data, please write to us at contact@noryx.com. Full provider details are available in our Legal Notice.
2. Types of Data We Process
In connection with an order or a contact enquiry, we handle the following data:
- First and last name, together with email address
- Delivery and billing address
- Telephone number (optional — used for delivery status notifications)
- Payment details (securely handled by our payment partners — card data is not stored by us)
- Your order and purchase history
- Technical data relating to your device and browsing activity (IP address, browser type, pages visited)
3. Purposes of Processing and Legal Bases
- Order fulfilment — name, address, email and payment details are necessary to carry out the purchase contract concluded with you (Art. 6(1)(b) UK GDPR).
- Client communications — for example, order confirmations, despatch notifications and responses to customer service enquiries (Art. 6(1)(b) UK GDPR).
- Improvement of our offer — usage analysis enables us to continually enhance our website (Art. 6(1)(f) UK GDPR — legitimate interest).
- Compliance with legal obligations — business records are archived in accordance with applicable tax and commercial law requirements (Art. 6(1)(c) UK GDPR).
4. Payment Processing
Your payments are handled by our partners (including Stripe, PayPal, Klarna and Viva Wallet), all of which hold PCI DSS Level 1 certification. Card details are entered directly within their secure environments — the full card number, CVV and expiry date are at no point visible or accessible to NORYX.
5. Data Retention Period
Order data is retained for between 6 and 10 years in line with applicable UK tax and accounting legislation (in particular HMRC requirements and the Companies Act 2006). Your marketing preferences are kept until you opt out. Non-essential data is deleted or anonymised as soon as the purpose for which it was collected no longer applies.
6. Recipients of the Data
Data is shared with third parties only to the extent required to fulfil your order:
- Shipping partners (e.g. Royal Mail, DHL, DPD, Evri, UPS) for delivery purposes
- Payment partners for secure transaction processing
- Email service providers for transactional communications
- Hosting providers for the technical operation of the website
- Accountants and legal advisers, where necessary to meet legal obligations
We have concluded appropriate data processing agreements with all our processors in accordance with Art. 28 UK GDPR.
7. Data Transfers to Third Countries
Transfers of data to countries outside the United Kingdom or the European Economic Area (EEA) occur only where an adequacy decision is in place, or where appropriate safeguards — such as the Standard Contractual Clauses adopted by the UK or EU Commission — are in place in accordance with Art. 45 ff. UK GDPR.
8. Cookies and Tracking
Our website makes use of cookies and similar technologies. Full details are available in our Cookie Policy. Non-essential cookies may be declined or configured at any time via the cookie banner or your browser settings.
9. Your Rights as a Data Subject
You hold the following rights in respect of your personal data:
- Right of access (Art. 15 UK GDPR) — you may enquire what data we hold about you
- Right to rectification (Art. 16 UK GDPR) — inaccurate data may be corrected
- Right to erasure (Art. 17 UK GDPR) — where no legal retention obligation applies
- Right to restriction of processing (Art. 18 UK GDPR)
- Right to data portability (Art. 20 UK GDPR)
- Right to object (Art. 21 UK GDPR) — to processing based on legitimate interest
- Right to withdraw consent at any time (Art. 7(3) UK GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 UK GDPR)
To exercise any of these rights, please send a brief message to contact@noryx.com.
10. Security of Your Data
To safeguard your data against unauthorised access, loss or misuse, we have put in place appropriate technical and organisational measures, including SSL/TLS encryption, secured server environments, restricted access controls and regular security reviews.
11. Automated Decision-Making
We do not engage in automated decision-making or profiling within the meaning of Art. 22 UK GDPR.
12. Right to Complain
If you consider that the handling of your data infringes the UK GDPR, you have the right to raise a complaint with a data protection supervisory authority — in particular the Information Commissioner's Office (ICO) in the United Kingdom (www.ico.org.uk), or with any supervisory authority in the EU member state of your habitual residence, place of work or the location of the alleged infringement.
13. Updates to This Policy
We may revise this Privacy Policy from time to time to reflect changes in legislation or in our business operations. The version currently in force is always accessible on this page.