Privacy Policy

How GHOHARY collects, uses, stores, and protects your information — written to comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and UAE Federal Decree-Law No. 45/2021 on Personal Data Protection.

Data Controller

GHOHARY (“we”, “us”, “our”) operates the website at www.ghohary.com and our atelier in Deira, Dubai, United Arab Emirates. We are the data controller for personal information collected through this site. For all privacy enquiries: s.ghohary@gmail.com.

Information We Collect

When you place an order, create an account, contact our atelier, or interact with our site, we may collect: your name, email address, telephone number, shipping and billing address, country of residence, order history, communication preferences, and a reference to your payment method (Stripe processes and stores card details directly — we never see or store full card numbers). We also collect technical information automatically, including IP address, device type, and pages viewed, for security and analytics purposes.

Lawful Basis for Processing

Under Article 6 GDPR, we rely on the following lawful bases:

  • Performance of a contract — to process and fulfil your order, arrange delivery, handle returns of faulty goods, and respond to enquiries you initiate.
  • Legal obligation — to retain order, invoice, and tax records as required by UAE and applicable international tax law.
  • Legitimate interest — to secure our website, prevent fraud, and improve our service.
  • Consent — for marketing communications, optional cookies, and any processing not covered above. You may withdraw consent at any time.

How We Use Your Information

We use your information to fulfil orders, arrange delivery, communicate about your purchase, respond to enquiries, prevent fraud, comply with legal obligations, and (with your consent) send occasional updates about new collections and atelier events. We do not use automated decision-making or profiling that produces legal effects.

Sharing With Third Parties

We share information only with the service providers required to operate our business, under written contracts that restrict their use of your data:

  • Stripe (Ireland / United States) — payment processing.
  • Resend (United States) — transactional email delivery.
  • Cloudflare R2 (United States) — image hosting.
  • Vercel (United States) — website hosting.
  • Upstash / Redis Cloud — encrypted order and account storage.
  • Shipping couriers (FedEx, DHL, Aramex, or local equivalent) — only the address and contact details required to deliver your order.

We do not sell, rent, or trade your personal information.

International Data Transfers

Some of our service providers operate outside the UAE and the European Economic Area. Where personal data is transferred to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under UAE and UK law, to ensure your data is protected to the same standard as in your home jurisdiction.

Data Retention

We retain personal data only as long as necessary for the purpose it was collected:

  • Order and invoice records — seven (7) years from the date of the order, to satisfy tax and accounting obligations.
  • Account information — for as long as your account is active, plus thirty (30) days after deletion to complete the erasure across our backups.
  • Marketing preferences — until you unsubscribe.
  • Customer service correspondence — up to three (3) years from your last contact, for warranty and dispute resolution.

Your Rights

Subject to applicable law, you have the right to: access the personal data we hold about you, correct inaccuracies, request erasure, restrict or object to processing, request portability of your data in a machine-readable format, and withdraw any consent you have given. To exercise any of these rights, write to s.ghohary@gmail.com. We will respond within thirty (30) days.

If you are based in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local supervisory authority — for example, the Irish Data Protection Commission (dataprotection.ie), the French CNIL (cnil.fr), the German BfDI, or the UK ICO (ico.org.uk) — if you believe we have not handled your data correctly. UAE residents may contact the UAE Data Office (uaedataoffice.gov.ae).

Cookies

Our cookie banner asks for your consent before any non-essential cookie is placed. Strictly necessary cookies (used for cart state, currency selection, and authentication) are required for the site to function and do not require consent. You can change your cookie preferences at any time via the “Cookie Preferences” link in our footer.

Security

We use industry-standard safeguards to protect your data, including TLS encryption in transit, encrypted storage at rest where applicable, restricted access for our team, and regular security review of our service providers. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you and the relevant supervisory authority within seventy-two (72) hours, as required by GDPR Article 33.

Children

GHOHARY does not knowingly collect personal data from anyone under sixteen (16) years of age. If you believe a minor has provided us with personal information, please write to s.ghohary@gmail.com and we will delete it.

Changes to This Policy

We may update this policy from time to time. The “Last updated” date below tells you when the most recent change was made. Material changes will be communicated by email to registered customers and shown as a banner on the site for thirty (30) days.

Contact

Privacy enquiries: s.ghohary@gmail.com. General support: s.ghohary@gmail.com or on WhatsApp. For our Terms & Conditions, see terms.html.

Last updated 6 May 2026.