Privacy Policy

1. Introduction & Data Controller

This Privacy Policy explains how Elyvora US (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you visit our website at elyvora.us (the “Website”).

The data controller responsible for your personal data is:

We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679), Romanian Law No. 190/2018 implementing the GDPR, the ePrivacy Directive (2002/58/EC), and applicable United States privacy laws including the California Consumer Privacy Act (CCPA) where relevant.

2. Information We Collect

We collect only the minimum data necessary to operate our Website and provide our services. We do not require you to create an account. The data we collect depends on how you interact with us:

2.1 Newsletter Subscription Data

When you subscribe to our newsletter, we collect and store:

• Email address
• Subscription status (pending, confirmed, or unsubscribed)
• Confirmation token and expiration (for double opt-in verification)
• Source page (which page you subscribed from)
• Timestamps (subscription date, confirmation date, unsubscription date)

We use a double opt-in process: after you enter your email, we send a confirmation link that you must click to activate your subscription. Your data is stored securely in our database.

2.2 Contact Form Data

When you submit our contact form, we collect:

• Name
• Email address
• Subject
• Message content
• Submission timestamp

2.3 Automatically Collected Data

When you browse our Website, certain data is collected automatically through cookies and analytics tools:

• IP address (anonymized by Google Analytics 4)
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system
• Pages visited, time on page, scroll depth
• Referring website URL
• Approximate geographic location (country/region level only)

2.4 Interactive Tools Data

Our interactive tools (such as the Oral Care Upgrader) process your quiz answers entirely on your device (client-side). We do not collect, store, or transmit your quiz answers or tool results to our servers. Anonymous aggregate usage counts (e.g., “tool was used X times”) may be recorded for analytics purposes.

3. Legal Basis for Processing (GDPR Article 6)

Under the GDPR, we process your personal data based on the following legal grounds:

• Consent (Art. 6(1)(a)): Newsletter subscription — you explicitly opt in via double opt-in and can withdraw consent at any time by unsubscribing.
• Legitimate Interest (Art. 6(1)(f)): Website analytics (Google Analytics 4) to understand traffic patterns and improve content; affiliate link click tracking to measure the effectiveness of our recommendations; website security and fraud prevention.
• Contractual Necessity (Art. 6(1)(b)): Processing contact form submissions to respond to your inquiries.
• Legal Obligation (Art. 6(1)(c)): Retaining certain records as required by Romanian tax and commercial law.

4. How We Use Your Information

We use the data we collect for the following purposes:

• To send newsletter emails to confirmed subscribers
• To respond to contact form inquiries (within 5 business days)
• To analyze website traffic and user behavior via Google Analytics 4
• To track affiliate link performance and commission attribution
• To improve our content, product recommendations, and interactive tools
• To detect and prevent abuse, fraud, and security threats
• To comply with legal obligations under Romanian and EU law

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We do not use your data for automated decision-making or profiling that produces legal effects.

5. Cookies & Tracking Technologies

Our Website uses cookies — small text files stored on your device — to enable functionality and analyze usage. Here are the specific cookies we use:

5.1 Essential Cookies

These are necessary for the Website to function and cannot be disabled.

• cookie_consent — Stores your cookie preference choice

5.2 Analytics Cookies (Google Analytics 4)

We use Google Analytics 4 (Measurement ID: G-7FS95JT847) to understand how visitors interact with our Website. GA4 cookies include:

• _ga — Distinguishes unique users (expires: 2 years)
• _ga_* — Maintains session state (expires: 2 years)

GA4 collects data such as page views, session duration, scroll depth, outbound clicks, and custom events (e.g., affiliate link clicks, blog engagement, tool usage). Google Analytics 4 anonymizes IP addresses by default. For more details, see Google's Privacy Policy and Google Analytics Data Practices.

5.3 Affiliate Cookies

When you click on affiliate links to online retailers, those retailers may set cookies on your device to track purchases and attribute them to our referral. These cookies are governed by the respective retailer's privacy policy. Typical affiliate cookies expire within 24 hours of clicking a link.

5.4 Managing Cookies

You can manage or delete cookies through your browser settings:

• Chrome
• Firefox
• Safari
• Microsoft Edge

You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on. Additionally, you can opt out of personalized advertising at the NAI Opt-Out page.

6. Third-Party Services & Data Sharing

We use a limited number of third-party services to operate our Website. We only share data with these services as necessary for their specific function:

• Google Analytics 4 (Google LLC): Website analytics and traffic measurement. Data processed: anonymized IP, page views, events, device info. Google acts as a data processor. Google Privacy Policy
• Affiliate Retail Partners: When you click an affiliate link, you are redirected to an online retailer's website. That retailer may set cookies on your device governed by their own privacy policy. We receive only aggregated, anonymized commission reports — we do not receive your personal purchase details, payment information, or shipping address.
• Hosting & Infrastructure (Abacus.AI): Our Website is hosted on infrastructure provided by Abacus.AI. Server logs may include IP addresses and request data for security and performance monitoring.

We do not use any social media tracking pixels, retargeting services, ad networks, or data brokers.

7. International Data Transfers

FLASH SHIP SRL is based in Romania (European Union). Some of the third-party services we use may process data outside the European Economic Area (EEA), specifically in the United States:

• Google LLC (Google Analytics): Transfers are covered by the EU-U.S. Data Privacy Framework and Google's Standard Contractual Clauses (SCCs).
• Affiliate retail partners: Cookie data is processed on their servers, which may be located in the United States or other jurisdictions.

Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V, including adequacy decisions, Standard Contractual Clauses, or other approved transfer mechanisms.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy:

• Newsletter subscriber data: Retained while your subscription is active. If you unsubscribe, we retain a record of your email and unsubscription date for up to 12 months to prevent accidental re-subscription, then permanently delete it.
• Contact form submissions: Retained for up to 24 months after our last communication, then permanently deleted.
• Analytics data (GA4): Governed by Google's data retention settings. We have configured GA4 to retain user-level data for 14 months.
• Server logs: Retained for up to 90 days for security monitoring, then automatically purged.

9. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), you have the following rights under GDPR Articles 15–22:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / “Right to be Forgotten” (Art. 17): Request deletion of your personal data. For newsletter subscribers, email us and we will permanently delete your data within 30 days.
• Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format (e.g., CSV or JSON).
• Right to Object (Art. 21): Object to processing based on legitimate interest, including analytics tracking. You can exercise this right by disabling cookies or using the Google Analytics opt-out add-on.
• Right to Withdraw Consent (Art. 7(3)): Withdraw your consent at any time (e.g., by unsubscribing from the newsletter). Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days as required by the GDPR.

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

10. Additional Rights for US Residents

If you are a resident of California or another US state with comprehensive privacy laws (e.g., CCPA/CPRA, Virginia VCDPA, Colorado CPA), you may have additional rights including:

• The right to know what personal information we collect and how we use it
• The right to request deletion of your personal information
• The right to opt out of the “sale” or “sharing” of personal information
• The right to non-discrimination for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request.

11. Children's Privacy

Our Website is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected personal data from a child under the applicable minimum age without verifiable parental consent, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• HTTPS/TLS encryption for all data in transit
• Encrypted database connections
• Access controls limiting data access to authorized personnel only
• Regular security reviews of third-party service configurations
• Secure token-based verification for newsletter double opt-in

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify affected users and relevant authorities of any data breach as required by GDPR Article 33 (within 72 hours of becoming aware).

13. “Do Not Track” Signals

Some browsers transmit a “Do Not Track” (DNT) signal. There is currently no industry standard for how websites should respond to DNT signals. Our Website uses Google Analytics 4 which has its own mechanisms for limiting data collection. We recommend using the Google Analytics Opt-out Add-on or adjusting your browser's cookie settings for the most effective control over analytics tracking.

14. Links to Other Websites

Our Website contains links to third-party websites, including online retailers and external reference sources (e.g., scientific publications). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policy of every website you visit after leaving ours.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page. For significant changes that affect how we process your data, we will notify newsletter subscribers via email. We encourage you to review this Privacy Policy periodically.

16. Related Policies

This Privacy Policy should be read in conjunction with our other legal documents:

• Terms of Service — Governs your use of our Website
• Affiliate Disclosure — Details our affiliate relationships and editorial independence

17. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days. For formal GDPR requests (access, erasure, portability), we will respond within the legally required 30-day period.