Controller and representative details
The data controller responsible for this website and related walking services is Chimvlexryxanord, trading from 128 Willis Street, Te Aro, Wellington 6011, New Zealand. For privacy enquiries and data subject requests you may email contact@chimvlexryxanord.world or telephone +64 4 385 2626. Please include enough detail for us to verify your identity when you exercise rights that require confirmation.
Response target. We aim to acknowledge substantive GDPR-related requests within five business days and complete them within one calendar month unless complexity or volume requires an extension, in which case we will explain the delay.
Scope of this policy
This policy applies to personal data processed through the public website, email, telephone, and in-person interactions that relate to our walking and movement education offerings. It does not govern third-party platforms that we may link to; those services publish their own notices.
Categories of personal data
Depending on how you engage with us, we may process:
- Identity and contact data: name, email address, phone number, organisation, and similar fields you supply.
- Message content: free-text descriptions of your enquiry, scheduling preferences, or accessibility considerations you choose to share.
- Technical data: IP address, browser user agent, device category, approximate location derived at regional level, and referral URLs when analytics cookies are enabled with your consent.
- Usage data: aggregated statistics about page views and navigation paths produced by analytics tools you approve.
- Preference data: cookie consent selections stored locally in your browser via localStorage.
- Relationship data: notes of meetings, agreements, and invoicing references necessary to deliver contracted services.
We do not ask for special categories of data (such as health data) through the public contact form. If you voluntarily include sensitive information, we will restrict access and delete it when no longer needed for the purpose you specified, unless a separate lawful basis applies.
Lawful bases under the GDPR
| Activity | Typical lawful basis |
|---|---|
| Answering contact form messages | Article 6(1)(b) steps at your request prior to a contract, and/or Article 6(1)(f) legitimate interests in operating a professional inbox |
| Delivering booked workshops or route reviews | Article 6(1)(b) performance of a contract |
| Optional analytics cookies | Article 6(1)(a) consent |
| Optional marketing cookies or newsletters where used | Article 6(1)(a) consent, plus ePrivacy rules for electronic marketing |
| Security monitoring and abuse prevention | Article 6(1)(f) legitimate interests in system integrity |
| Legal claims and regulatory obligations | Article 6(1)(c) legal obligation and Article 6(1)(f) establishment of legal claims |
Where we rely on legitimate interests, you may object on grounds relating to your particular situation. We will assess whether our compelling interests override your rights.
Purposes of processing
We process personal data to respond to enquiries, schedule sessions, issue documentation, improve site clarity, comply with law, defend legal rights, and—only where permitted—send marketing you have opted into. We do not sell personal data.
Retention periods
- General enquiry emails: up to twenty-four months from last contact unless a contract or dispute requires longer retention.
- Contractual project files: up to seven years from project completion where tax and accounting rules may apply, unless a shorter period suffices.
- Analytics aggregates: according to the analytics provider’s settings, commonly between fourteen and twenty-six months for event-level data when consent is active.
- Consent logs in localStorage: until you clear site storage or refresh preferences through our cookie interface.
- Security logs: rolling ninety days unless an investigation extends the need.
When retention expires we delete or irreversibly anonymise records, except where statute mandates archival.
International transfers
Our operations are based in New Zealand, which the European Commission has recognised as providing adequate protection. If we use tools that process data in the United States, United Kingdom, or other regions, we implement appropriate safeguards such as Standard Contractual Clauses, supplementary measures where required, and transfer impact assessments for high-risk arrangements.
Your rights
Subject to applicable law, you may request access, rectification, erasure, restriction of processing, data portability, and objection. Where processing is consent-based, you may withdraw consent at any time without affecting prior lawful processing. You may lodge a complaint with a supervisory authority; we welcome the chance to resolve concerns directly first.
Security measures
We apply role-based access, secure transport protocols, password hygiene training for staff, vendor security reviews, and incident response procedures. No online system is flawless; we review controls as threats evolve.
Children
Our services are not directed at individuals under sixteen. If you believe we collected a child’s data inadvertently, contact us and we will delete it promptly.
Automated decision-making
We do not use solely automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Updates and questions
We revise this policy when our practices or legal requirements change. Material updates will be reflected on this page; the dynamic date shown in the hero illustrates when you are viewing the site but does not alone reset legal versioning—refer to version notes we may add in the body when substantive edits ship.
Questions: contact@chimvlexryxanord.world · +64 4 385 2626 · 128 Willis Street, Te Aro, Wellington 6011, New Zealand.