Privacy Policy

Plain-English summary: we keep the absolute minimum data needed to ship your order, encrypt it while we hold it, and delete it on a strict schedule. No tracking pixels, no ad platforms, no cross-site profiling.

Last updated: April 2026. This policy applies to every visitor, customer, and email subscriber of vitalquests.org (the “Site”). If anything here is unclear, email support@vitalquests.org and a human will reply.

1. Who We Are

Vital Quests is a European research-compound retailer operating out of EU-based fulfilment centres. Under GDPR we act as the data controller for information collected through this Site. Registered contact: support@vitalquests.org.

2. What We Collect and Why

| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Name and delivery address | To print the parcel label and route it through the courier | Contract performance (Art. 6(1)(b)) |
| Phone number | Courier SMS and last-mile delivery contact only | Contract performance |
| Email address | Order confirmation, tracking, dispute resolution | Contract performance |
| Order contents and amount | Fulfilment, accounting, EU consumer-law dispute window | Legal obligation (Art. 6(1)(c)) |
| Crypto transaction confirmation ID | Match your payment to your order until it ships | Contract performance |
| Technical cookies (session, cart, consent) | Keep you logged in, remember cart, store consent choice | Strictly necessary — no consent required |
| Self-hosted analytics (Matomo) | Aggregate page views, referrers — IP anonymised, no cookies | Legitimate interest, with opt-out in our consent banner |

3. What We Deliberately Don’t Collect

  • Credit card data. We don’t accept cards. There is nothing to collect.
  • Long-term IP addresses. Server access logs rotate every 24 hours.
  • Browser fingerprints. No fingerprinting scripts run on this Site.
  • Ad-network identifiers. No Meta Pixel, no Google Ads tag, no TikTok pixel, no affiliate tracking cookies.
  • Cross-device profiles. We don’t build a “user graph” across your phone and laptop.
  • Messaging platform IDs. If you contact us via Telegram or WhatsApp, those handles are never linked back to your order record.

4. Data Retention Schedule

Data is deleted on the earlier of these dates — not “as long as we want”:

| Data | Retained for | Then |
|---|---|---|
| Server access logs (IP, User-Agent) | 24 hours | Overwritten |
| Delivery address and phone | 30 days after delivery confirmation | Scrubbed from the order record; encrypted traces overwritten |
| Order contents and amount | 6 months (EU Directive 2011/83/EU dispute window) | Purged from live database |
| Customer email (if you created an account) | Until you request deletion | Deleted within 72 hours of request |
| Support email conversations | 12 months | Archived off-database for 6 more months, then destroyed |
| Cryptocurrency confirmation ID | Until the order ships | Deleted; we never archive wallet addresses |

5. How We Protect It

  • All personal data is encrypted at rest with AES-256; keys are stored separately from the data volume.
  • Traffic is TLS 1.3 end-to-end with HSTS enforced; no plaintext endpoints exist.
  • Checkout pages are served direct-origin — no third-party CDN proxies customer-submitted content.
  • Administrative access is limited to a named engineering team and protected by hardware security keys (WebAuthn).
  • Monthly penetration tests run against staging; critical findings block deployment.

6. Third Parties Who Briefly Touch Your Data

We use as few sub-processors as possible. The complete list:

  • Couriers (DHL, DPD, GLS, InPost) — receive only what’s printed on the parcel label. GDPR data-processing agreements in place. Governed by the courier’s own privacy policy.
  • BTCPay Server — self-hosted on our infrastructure, not a third party. Your wallet address never leaves your wallet; we see only the confirmation ID.
  • Matomo Analytics — self-hosted on our infrastructure. IP addresses are anonymised (last octet masked) before storage, no cookies, no cross-site tracking. Opt out in the consent banner or via Do Not Track.
  • Transactional email provider — an EU-based, GDPR-compliant SMTP relay handles order confirmations and tracking updates. The relay sees your email address and the message body only; it doesn’t mine them or advertise to you.

We do not share data with marketing networks, social-media companies, or AI-training data aggregators. We have never received a government data request and publish an annual warrant canary confirming that status.

7. Your GDPR Rights

Regardless of where you live, if we hold data on you, you have the right to:

  • Access (Art. 15) — request a machine-readable JSON export of everything on you.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17, “right to be forgotten”) — demand deletion within 72 hours, barring legal retention obligations.
  • Restriction (Art. 18) — pause processing while a dispute is resolved.
  • Data portability (Art. 20) — receive your data in a format reusable by another service.
  • Object (Art. 21) — stop any processing based on legitimate interest, including the Matomo analytics.
  • Lodge a complaint with your national data-protection authority if we mishandle any of the above.

To exercise any of these rights, email support@vitalquests.org with the subject prefix [GDPR]. Response target: 72 hours for acknowledgement, 30 days for resolution. No identity verification is required beyond control of the email address tied to your order — we deliberately avoid demanding ID documents for a data request.

8. Cookies and Similar Technologies

See the separate Cookie Policy for names, purposes, and durations. Short version: strictly-necessary cookies for cart and login; optional anonymised Matomo counter; nothing else. You can disable even the optional cookie in our consent banner at any time.

9. International Data Transfers

All personal data is stored and processed inside the European Economic Area (EEA) on dedicated bare-metal hardware. We do not transfer data to the United States, China, or any jurisdiction not covered by an EU adequacy decision.

10. Age Requirement

This Site is intended for visitors aged 18 or older. We do not knowingly collect data from minors. If you believe a minor has provided us information, email support and we will delete the record immediately.

11. Changes to This Policy

When we change anything material, we update the “Last updated” date at the top and, for subscribers, email a notice before the change takes effect. Minor clarifications (typo fixes, rewording) go live without notice.

12. Contact

For any privacy question — including hypothetical “how would you respond to X scenario” queries — reach us at support@vitalquests.org. For especially sensitive correspondence, request our PGP public key in your first message.

Related reading: Data Privacy & Security (architecture deep-dive), Cookie Policy, Terms & Conditions.
