Privacy Policy

Effective Date: 1 March 2026

Data Controller: Apex Vault Online Selling, a sole establishment licensed by the Dubai Department of Economy and Tourism (DET), Trade License No. 1547228. Address: Wadi Al Safa 6, Villa 526, Dubai, UAE. Email: support@apexvault.ae.

This policy is issued in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).¹

1. Information We Collect

When you place an order on Apex Vault, we collect the information necessary to fulfil your purchase:

Name and contact details (email address, phone number)
Shipping address within the UAE
Payment information (processed securely by Stripe — we never store your card details)²
Order history and preferences

We do not collect sensitive personal data as defined in Article 7 of the PDPL (e.g., health data, biometric data, religious or political beliefs).

2. Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 5 of the PDPL:³

Contract performance — processing necessary to fulfil your order and deliver products
Legal obligation — processing required to comply with UAE tax and commercial regulations
Legitimate interest — analytics and website improvement, provided this does not override your rights

3. How We Use Your Information

We use your information to:

Process and fulfil your orders
Communicate order status and shipping updates
Provide customer support via WhatsApp or email
Improve our store and services through aggregated analytics
Comply with legal and regulatory obligations

4. Payment Security

All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor.² Your credit card information is encrypted and transmitted directly to Stripe — Apex Vault never has access to your full card number. Stripe's privacy policy governs their handling of your payment data.

5. Data Sharing & Processors

We do not sell or rent your personal information. We share data only with service providers (data processors) necessary to operate our business:

Stripe (USA) — payment processing
Shipping carriers (UAE) — order delivery
Vercel (USA) — website hosting and infrastructure
Neon (USA) — database hosting
Resend (USA) — transactional email delivery
Google Analytics (USA) — website analytics⁴

Each processor is contractually obligated to handle your data in accordance with this policy and applicable data protection requirements.

6. Cookies & Analytics

We use Google Analytics 4 (GA4) to understand how visitors use our website.⁴ GA4 uses first-party cookies (e.g., _ga, _ga_*) to distinguish unique users and sessions. These cookies do not contain personally identifiable information.

We ask for your consent before setting analytics cookies. You can accept or decline when you first visit the site. You may change your preference at any time by clearing your browser cookies and revisiting the site. You can also opt out using the Google Analytics Opt-out Browser Add-on. Declining analytics cookies does not affect the functionality of the website or your ability to place orders.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy. Specific retention periods:

Order records — retained for 5 years as required by UAE commercial and tax regulations⁵
Analytics data — automatically deleted after 14 months in Google Analytics
Customer support logs — retained for 2 years, then deleted or anonymised

When data is no longer needed, it is securely deleted or anonymised.

8. Cross-Border Data Transfers

Some of our service providers process data outside the UAE (see Section 5). In accordance with Article 22 of the PDPL,⁶ we ensure that appropriate contractual safeguards are in place — including standard contractual clauses and processor data protection agreements — to protect your personal information during transfer and processing abroad.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (TLS 1.3), access controls, and regular security reviews. No method of transmission over the internet is 100% secure; however, we strive to protect your data to the highest commercially reasonable standard.

In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the UAE Data Office without undue delay and, where required, inform affected individuals in accordance with Article 9 of the PDPL.¹⁰

10. Your Rights

Under Article 12 of the PDPL,⁷ you have the right to:

Access your personal data and obtain a copy
Request correction of inaccurate data
Request deletion of your personal data
Request restriction of processing
Data portability — receive your data in a structured, machine-readable format
Object to processing based on legitimate interest
Object to automated decision-making
Withdraw consent at any time — where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal⁹

To exercise any of these rights, contact us via WhatsApp or email us at support@apexvault.ae. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the UAE Data Office.⁸

11. Children's Privacy

Our website is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this policy from time to time. The revised version will be posted on this page with an updated "Effective Date." We encourage you to review this page periodically. Material changes will be communicated via email to existing customers where required.

13. Contact

For any privacy-related questions, reach out to us on WhatsApp or email us at support@apexvault.ae.

¹ UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) — the UAE's comprehensive data protection legislation, enforced by the UAE Data Office.

² Payment Card Industry Data Security Standard (PCI DSS) Level 1 — the highest level of certification for organisations handling cardholder data. Stripe is audited annually by a Qualified Security Assessor.

³ PDPL Article 5 — establishes the lawful bases for processing personal data, including consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interest.

⁴ Google Analytics 4 (GA4) — a web analytics service provided by Google LLC. GA4 processes data in accordance with the Google Ads Data Processing Terms. Data retention is set to 14 months.

⁵ UAE Federal Law No. 1 of 2006 on Electronic Commerce and Transactions, and UAE Commercial Transactions Law — require businesses to retain financial and commercial records for a minimum of 5 years.

⁶ PDPL Article 22 — governs the transfer of personal data outside the UAE, requiring adequate safeguards or the data subject's explicit consent.

⁷ PDPL Article 12 — enumerates data subject rights including access, rectification, erasure, restriction, portability, and the right to object.

⁸ The UAE Data Office is the federal authority responsible for supervising compliance with the PDPL and handling data protection complaints.

⁹ PDPL Article 6 — the data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

¹⁰ PDPL Article 9 — requires the data controller to notify the UAE Data Office of any personal data breach likely to cause harm, and to inform affected data subjects where the breach poses a high risk to their rights.