Privacy Policy
This Privacy Policy explains how GenRugs collects, uses, and protects your personal data. By using our website or placing an order, you acknowledge this policy.
1. Who We Are
GenRugs is a UAE-based online retailer specialising in premium handcrafted and designer rugs, operating under the commercial laws of the United Arab Emirates. We are the data controller responsible for your personal data collected through our website, mobile channels, and customer communications.
2. Information We Collect
| Category | Examples | When Collected |
|---|---|---|
| Identity & Contact | Full name, email address, phone number, delivery & billing address | Account registration, checkout |
| Identity Verification | Emirates ID / passport number (high-value orders or customs clearance only) | Large orders, export shipments |
| Payment Data | Card type, last 4 digits, payment reference (full card numbers never stored) | Checkout – via PCI-DSS gateway |
| Transaction Data | Order history, products purchased, returns & exchange records, invoices | Every order placed |
| Technical & Usage | IP address, browser, device type, pages visited, session duration | Automatic on site visit |
| Communications | Emails, live chat, support tickets, reviews, feedback | When you contact us |
| Marketing Preferences | Consent status, email open rates, ad interaction data | With your consent only |
3. How We Use Your Data
- Order Fulfilment — Processing, packing, and delivering orders within the UAE and internationally, including customs documentation
- Payment Processing — Verifying and completing transactions; fraud detection and prevention
- Account Management — Creating and maintaining your GenRugs customer account
- Customer Support — Responding to enquiries, complaints, returns, and exchange requests
- Legal & Regulatory Compliance — Meeting obligations under UAE commercial law, VAT regulations (FTA), consumer protection rules, and customs requirements
- Marketing & Promotions — Sending newsletters, offers, and product launches only where you have given explicit consent
- Website Improvement — Analysing usage data to enhance site performance and usability
- Personalisation — Displaying relevant products and recommendations based on your browsing and purchase history
- Security — Detecting and preventing fraudulent or unauthorised access to our systems
4. Legal Basis for Processing
Under UAE PDPL (Federal Decree-Law No. 45 of 2021), we process your personal data on the following lawful grounds:
- Contractual Necessity — Processing required to fulfil your purchase orders and deliver our services
- Legal Obligation — Compliance with UAE federal and emirate-level laws including VAT, customs, anti-money laundering (AML), and consumer protection legislation
- Legitimate Interests — Fraud prevention, security, and improving our services, where our interests are not overridden by your fundamental rights
- Consent — Direct marketing communications and non-essential cookies — freely given and withdrawable at any time
5. Cookies & Tracking Technologies
- Strictly Necessary Cookies — Essential for website functionality (cart, sessions, security). No consent required.
- Analytics Cookies — Help us understand how visitors use our site (e.g. Google Analytics). Require your prior consent.
- Marketing & Retargeting Cookies — Used to deliver relevant advertisements. Require explicit consent before activation.
- Preference Cookies — Remember your language, region, and display settings. Require consent.
You may manage cookie preferences via our Cookie Consent Banner or your browser settings. Disabling non-essential cookies will not affect your ability to shop.
6. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We may share it only with:
- Delivery Partners — UAE and international courier services (e.g. Aramex, DHL) for order fulfilment and tracking
- Payment Processors — PCI-DSS compliant payment gateways for secure transaction processing
- Technology Providers — Cloud hosting, email, CRM, and analytics platforms bound by Data Processing Agreements (DPAs)
- UAE Government & Regulatory Authorities — When required by law, court order, the Federal Tax Authority (FTA), or another competent authority
- Professional Advisors — Auditors, lawyers, and accountants operating under strict confidentiality obligations
- Business Transfers — In the event of a merger, acquisition, or asset sale. You will be notified in advance.
7. International Data Transfers
Where personal data is transferred outside the UAE, we ensure one or more of the following safeguards are in place:
- Transfers to countries recognised by the UAE Data Office as providing adequate protection
- Binding Data Processing Agreements incorporating standard contractual clauses as approved under UAE PDPL
- Binding Corporate Rules for intra-group transfers, where applicable
8. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Order & transaction records | 5 years | UAE Commercial Transactions Law |
| VAT invoices & financial records | 5 years minimum | Federal Tax Authority (FTA) requirements |
| Customer account data | Duration of account + 2 years post-closure | Contractual / Legitimate interest |
| Marketing & consent records | Until consent is withdrawn | Consent |
| Customer service communications | 3 years from last interaction | Legitimate interest |
| Security & fraud logs | 12 months | Legal obligation / Legitimate interest |
Upon expiry, data is securely deleted or irreversibly anonymised in accordance with UAE PDPL requirements.
9. Your Rights Under UAE PDPL
Under Federal Decree-Law No. 45 of 2021, you hold the following rights:
Right to Access
Request a copy of the personal data we hold about you and how it is used.
Right to Correction
Request correction of inaccurate, outdated, or incomplete data without undue delay.
Right to Erasure
Request deletion where there is no longer a lawful basis for retention.
Right to Restriction
Request that we limit processing in specific circumstances defined under PDPL.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent
Withdraw any previously given consent at any time.
Lodge a Complaint
File a complaint with the UAE Data Office if your rights have been infringed.
10. Children's Privacy
GenRugs does not knowingly collect personal data from individuals under the age of 18. Our services are intended solely for adults. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@genrugs.com and we will delete it promptly.
11. Security
We implement industry-standard security measures including:
- SSL/TLS Encryption — All data transmitted between your device and our servers is encrypted in transit
- PCI-DSS Compliance — Payments processed exclusively via certified gateways; full card numbers are never stored
- Access Controls — Role-based access to personal data, limited to authorised personnel only
- Regular Audits — Periodic vulnerability assessments and penetration testing
- Breach Notification — In the event of a breach affecting your rights, we will notify you and the UAE Data Office within the timeframes required by PDPL
12. Contact & Complaints
For all privacy-related requests, questions, or complaints, please contact our Data Protection Officer:
- Email: privacy@genrugs.com
- Phone: +971 XX XXX XXXX
- Address: GenRugs, [Business Address], United Arab Emirates
- Response Time: Within 30 days of receipt
If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office at uaedataoffice.gov.ae.
This Privacy Policy may be updated periodically. Material changes will be communicated via email or a prominent website notice.