Privacy & data protection

Document reference date:

Privacy Policy

Shalmexxushoneu publishes general informational content about everyday meal organization. This statement describes how we collect, use, disclose, retain, and secure personal data when you visit shalmexxushoneu.world, join a cohort waitlist, or correspond with our New York studio. It is designed to align with the EU General Data Protection Regulation, the UK GDPR, and complementary U.S. state privacy statutes where they apply to our activities.

Plain summary

We only use your details to operate this site, answer questions, deliver services you request, and—if you opt in—measure readership or send measured reminders. We do not sell personal data as a commercial product. If something here conflicts with a bespoke contract you signed, the contract controls for that engagement.

Identity of the data controller

The data controller responsible for processing described in this policy is Shalmexxushoneu, with a principal studio address at 401 Park Ave S, New York, NY 10016, USA. Telephone inquiries may be directed to +1 212-684-5334. The preferred channel for privacy requests is mailuse@shalmexxushoneu.world because it preserves an auditable thread for both parties.

Where we coordinate workshops jointly with another organization, we identify the lead controller inside the registration workflow before you submit payment or personal identifiers. Joint-controller arrangements are documented in separate addenda that restate each party’s responsibilities for transparency and deletion.

Categories of personal data

The categories we process depend on the interaction path you choose. A non-exhaustive inventory includes identifiers such as name, email address, postal region, and telephone number when you volunteer them; commercial information such as purchase receipts or cohort selections; internet or electronic network activity such as truncated IP addresses, user-agent strings, and page-referral metadata when analytics cookies receive consent; audio, electronic, or visual information when you upload optional pantry photographs as part of a paid workshop; and inferences such as preferred session times derived solely from scheduling forms rather than from health questionnaires.

Sensitive categories

We do not intentionally collect medical record numbers, government identifiers, or precise geolocation histories through this marketing website. If you voluntarily disclose health-related constraints inside a free-text field, we segregate that content in restricted folders, limit access to facilitators who signed confidentiality undertakings, and encourage you to migrate clinical discussions to licensed professionals.

  • Identity & contact: name, email, phone, social handles you supply.
  • Transaction data: SKU references, cohort codes, refund tickets.
  • Technical data: consent timestamps, hashed session identifiers.
  • Communications: message bodies, attachment metadata, coaching notes you authorize.

Purposes and lawful bases

We process personal data for specific, explicit, and legitimate purposes. Contractual necessity under Article 6(1)(b) GDPR supports delivering purchased workshops, issuing invoices, and performing account administration. Legitimate interests under Article 6(1)(f) support network security monitoring, spam deterrence, aggregated audience understanding that does not involve cross-context behavioral advertising, and internal training on anonymized transcripts. Consent under Article 6(1)(a) activates optional analytics pixels, marketing tags, and newsletter sequences that go beyond strictly necessary communications. Legal obligations under Article 6(1)(c) may compel retention of financial records for tax authorities.

When we rely on legitimate interests, we document balancing tests that weigh our organizational needs against potential impacts on individuals. Copies of high-level conclusions are available upon request so regulators or enterprise procurement teams can review them during diligence.

Retention schedule

Personal data is not kept longer than necessary for the purposes collected. The table below summarizes default horizons unless a superseding statute, court order, or active dispute requires a longer window.

Dataset Default retention Deletion mechanics
Contact form threads 24 months after last substantive reply Mailbox purge with backup rotation after 35 days
Cookie consent logs 13 months Automated purge job on consent database shard
Server access logs 90 rolling days Immutable store compaction unless security hold
Workshop attendance sheets 7 years for tax corroboration Encrypted archive with dual-control access

Recipients and subprocessors

We engage vetted service providers for hosting, transactional email, calendar scheduling, customer-relationship logging, and payment capture. Each agreement includes data-processing clauses that mirror GDPR Article 28 obligations, specify permitted purposes, mandate breach notification timelines, and require deletion or return of personal data when services end. A current list of material subprocessors is available by email; we notify active cohort participants of material additions when those partners touch special categories of data you supplied.

We do not permit subprocessors to use personal data obtained through our engagements for independent machine-learning training unrelated to delivering the contracted service unless you provide separate, specific consent.

International transfers

Our primary operations sit in the United States. When personal data originating in the European Economic Area, Switzerland, or the United Kingdom is transferred to the United States or other jurisdictions, we implement appropriate safeguards such as the EU Commission’s standard contractual clauses, the UK International Data Transfer Agreement addendum, or other mechanisms recognized after adequacy reviews. Supplementary measures include encryption in transit and at rest for databases holding contact information, organizational policies restricting download of customer exports to approved devices, and periodic testing of access logs.

Security measures

Security is layered across people, process, and technology. Personnel receive onboarding training on phishing resistance and clean-desk expectations. Production credentials rotate quarterly and require hardware-backed factors for administrators. Customer-visible endpoints enforce HTTPS with modern cipher suites. Backups replicate to geographically distinct data centers with encryption keys stored separately. We maintain written incident response playbooks, including escalation paths to supervisory authorities and affected individuals when notification thresholds trigger.

Data-subject rights

Subject to applicable law, you may request access, rectification, erasure, restriction of processing, data portability, objection to processing grounded in legitimate interests, and withdrawal of consent without affecting the lawfulness of processing prior to withdrawal. We verify identity before fulfilling requests that could expose sensitive records. You may lodge a complaint with your local supervisory authority; within the EU, contact points are published by the European Data Protection Board. Several U.S. states grant analogous rights, including opt-out of certain sales or sharing; because we do not sell personal data, many opt-out signals do not alter our practices, yet we still honor user-enabled global privacy control signals where legally required.

Children

Services are directed to adults coordinating household logistics. We do not knowingly solicit data from children under sixteen. Guardians who believe a minor submitted information should contact us so we can delete the entry and suppress future collection from the same device fingerprint where technically feasible.

Automated decision-making

We do not employ solely automated decision-making, including profiling, that produces legal or similarly significant effects concerning individuals based on data collected through this website.

Changes to this policy

We revise this policy when processing operations, regulatory guidance, or corporate structure changes materially. Historic versions are archived internally with timestamps. When updates affect optional tracking, we refresh cookie consents through the banner workflow before new tags fire.

Privacy contact & supervisory cooperation

Direct privacy requests to mailuse@shalmexxushoneu.world with the subject line “Privacy Request” and enough detail for us to validate ownership of the account or inbox in question. We acknowledge receipt within the timelines required by your jurisdiction and provide substantive responses without undue delay. Regulatory correspondence should copy the postal address above so certified delivery options remain available.