2. Personal Data We Collect

Depending on how you use the Platform, we may collect:

•        Identity and contact data: name, email address, phone number, delivery and billing address.

•        Account data: login credentials and account preferences.

•        Order and transaction data: products ordered, order history, amounts, and delivery details.

•        Payment data: processed by our authorised payment service provider. We do not store full payment card numbers on our own systems.

•        Personalisation data: any custom text or initials you submit for personalised Products.

•        Technical and usage data: IP address, device and browser information, and interactions with the Platform, collected through cookies and similar technologies (see Section 9).

•        Communications: messages you send us and customer-service correspondence.

Sensitive personal data. We do not intentionally collect special-category or sensitive personal data. Under the PDPPL, sensitive personal data may be processed only with explicit consent and, where required, prior permission from the Competent Department. If processing of such data ever becomes necessary, we will obtain explicit consent and any required permission first. [PLACEHOLDER — confirm no sensitive data is collected by any feature, including future KYC/identity verification.]

3. How and Why We Use Your Data (Lawful Basis)

We process personal data on the following bases, consistent with the PDPPL principles of lawfulness, fairness, and transparency:

1.     Performance of a contract: to process and deliver your Orders, manage returns, and provide customer support.

2.     Consent: for direct marketing communications and non-essential cookies. Consent is obtained on an opt-in basis and may be withdrawn at any time.

3.     Legal obligation: to comply with tax, accounting, consumer-protection, and other legal requirements in Qatar.

4.     Legitimate operational purposes: to secure the Platform, prevent fraud, and improve our services, in a manner consistent with your rights and the PDPPL.

4. Marketing Communications

We send marketing communications only where you have opted in. Every marketing message includes a clear way to unsubscribe, and you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawing marketing consent does not affect processing necessary to fulfil your Orders.

5. Sharing and Disclosure

We share personal data only as necessary and with appropriate safeguards, including with:

•        Payment service providers, to process payments.

•        Delivery and logistics providers, to fulfil deliveries (our own delivery operation in Qatar and third-party couriers internationally).

•        Technology and hosting providers that operate the Platform on our behalf as data processors under written agreements.

•        Professional advisers and authorities, where required by Qatari law or to protect our legal rights.

We do not sell personal data. Processors act only on our documented instructions and are bound to protect personal data to the standard required by the PDPPL.

5. Sharing and Disclosure

We share personal data only as necessary and with appropriate safeguards, including with:

•        Payment service providers, to process payments.

•        Delivery and logistics providers, to fulfil deliveries (our own delivery operation in Qatar and third-party couriers internationally).

•        Technology and hosting providers that operate the Platform on our behalf as data processors under written agreements.

•        Professional advisers and authorities, where required by Qatari law or to protect our legal rights.

We do not sell personal data. Processors act only on our documented instructions and are bound to protect personal data to the standard required by the PDPPL.

6. International Transfers and Hosting

The Platform may operate on cloud infrastructure located outside the State of Qatar (for example, during the initial phase, hosting within the European Union; with a planned migration to infrastructure located in Qatar at a later stage).

1.     Where personal data is transferred outside Qatar, we apply safeguards required by the PDPPL and its guidelines, including ensuring an adequate level of protection and using contractual protections with processors.

2.     Transfers necessary for the performance of your contract (for example, international delivery) are carried out in accordance with the PDPPL.

3.     [PLACEHOLDER — Specify hosting location(s), processor names, and the transfer safeguard relied upon. Confirm position with a data protection adviser, particularly before and after the planned migration to Qatar-located infrastructure.]

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by Qatari law (for example, tax and commercial record-keeping obligations). When data is no longer required, it is securely deleted or anonymised. [PLACEHOLDER — Insert specific retention periods per data category.]

8. Your Rights Under the PDPPL

Subject to the conditions and exceptions in the PDPPL, you have the right to:

•        Be informed about how your personal data is processed (this Policy).

•        Access the personal data we hold about you and obtain a copy (a fee may apply where permitted).

•        Request correction of inaccurate or incomplete personal data.

•        Request erasure of your personal data where there is no lawful basis to retain it.

•        Object to or request that we stop processing that is unnecessary or excessive for the purpose.

•        Withdraw consent at any time where processing is based on consent.

To exercise any right, contact us using the details in Section 12. We will respond within the period required by the PDPPL. You also have the right to lodge a complaint with the Competent Department (NCGAA / National Data Privacy Office) if you believe your data has been processed unlawfully.

9. Cookies and Similar Technologies

We use strictly necessary cookies to operate the Platform and, with your opt-in consent, analytics and marketing cookies. You can manage non-essential cookies through our cookie banner and your browser settings. Declining non-essential cookies will not prevent you from purchasing. [PLACEHOLDER — Attach or link a full cookie schedule listing each cookie, purpose, and duration.]

10. Data Security

We implement administrative, technical, and organisational measures appropriate to the risk, consistent with the PDPPL’s privacy-by-design and privacy-by-default requirements, including access controls, encryption in transit, and supplier due diligence.

Breach notification. If a personal data breach occurs, we will notify the Competent Department (NCGAA) within 72 hours of becoming aware of it, and will notify affected individuals where required. Our processors are required to notify us without undue delay of any breach.

11. Children’s Privacy

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from children without the involvement of a parent or legal guardian. If you believe a child has provided personal data, contact us and we will take appropriate steps.

12. How to Contact Us

For privacy questions or to exercise your rights:

•        Email: [INSERT PRIVACY CONTACT EMAIL]

•        Phone: [INSERT PHONE]

•        Postal: [INSERT REGISTERED ADDRESS], Doha, State of Qatar

•        Data protection contact / officer: [INSERT NAME OR ROLE, IF APPOINTED]

13. Changes to This Policy

We may update this Policy from time to time. The current version will always be available on the Platform with its effective date. Material changes will be communicated through the Platform.