Privacy Policy

Last updated October 16, 2025

This privacy notice for Maslool Hunting Requisites Trading (“we,” “us,” or “our“), describes how and why we might collect, store, use, and/or share (“process“) your information when you use our services (“Services“), such as when you:

Visit our website at maslool.ae, or any website of ours that links to this privacy notice
Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at info@maslool.ae.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about the personal information you disclose to us.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we receive any information from third parties? We do not receive any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties. Learn more about when and with whom we share your personal information.

How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by visiting maslool.ae, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Want to learn more about what we do with any information we collect? Review the privacy notice in full.

1. INTRODUCTION & SCOPE

In-Short: This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Services, visit our Website or Store, or interact with us. We comply with UAE data protection law and international standards where applicable.

1.1 Purpose and Applicability

1.1.1 Purpose of This Privacy Policy

This Privacy Policy describes:

(a) What personal data we collect from you or about you;

(b) How and why we collect, process, use, and store your personal data;

(d) How long we retain your personal data;

(e) Your rights regarding your personal data and how to exercise them;

(f) Security measures we employ to protect your personal data;

(g) Cross-border transfers of your personal data (if applicable);

(h) Cookies and tracking technologies we use;

(i) CCTV surveillance at our physical Store premises;

(j) Contact information for data protection inquiries and data subject rights requests;

1.1.2 Services Covered

This Privacy Policy applies to all personal data collected, processed, or used in connection with:

(a) Our Website: www.maslool.ae and any subdomains, microsites, or related websites;

(b) Mobile Application: Maslool mobile app (iOS, Android, or other platforms);

(c) Physical Store: Shop No. 49, M-Floor, Al Rais Shopping Centre, 74 Al Mankhool Road, Al Raffa, Bur Dubai, Dubai, UAE;

(d) E-commerce Platform: Online ordering, checkout, payment processing, and account management systems;

(e) Customer Service: Email, telephone, WhatsApp, social media, or in-person interactions;

(f) Marketing Communications: Newsletters, promotional emails, SMS, WhatsApp messages, or social media advertising;

(g) Events and Activities: Participation in promotions, contests, surveys, loyalty programs, or events;

(h) All other channels, platforms, or methods through which you interact with Maslool or provide personal data to us;

(Collectively, the “Services“).

1.1.3 Data Controller

Maslool Hunting Requisites Trading is the data controller responsible for your personal data collected and processed through the Services.

Business Details:

Legal Name: Maslool Hunting Requisites Trading
Business Type: Sole Proprietorship
Trade License: [License Number] issued by Dubai Department of Economy and Tourism
Registered Address: Shop No. 49, M-Floor, Al Rais Shopping Centre, 74 Al Mankhool Road, Al Raffa, Bur Dubai, Dubai, United Arab Emirates
Contact Email: info@maslool.ae
Contact Telephone: +971 50 504 1792

1.1.4 Governing Law and Jurisdiction

(a) Primary Governing Law: This Privacy Policy and all data processing activities are governed by and conducted in accordance with:

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE Personal Data Protection Law – “PDPL“);
Cabinet Resolution No. 44 of 2023 Concerning the Regulation of the Processing of Personal Data (Implementing Regulation of PDPL);
UAE Data Office guidance, directives, and regulatory requirements;

(b) Additional Applicable Laws: Where applicable and to the extent required by law, we also comply with:

EU General Data Protection Regulation (GDPR) (Regulation 2016/679) for data subjects located in the European Union;
UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 for data subjects located in the United Kingdom;
Other applicable data protection, privacy, or consumer protection laws in jurisdictions where we conduct business or where our customers are located;

(c) Jurisdiction: Any disputes, claims, or legal matters arising from or relating to data protection, privacy, or this Privacy Policy shall be subject to the exclusive jurisdiction of the Dubai Courts and governed by UAE law, except where mandatory data protection laws of other jurisdictions confer non-waivable rights or jurisdiction (see Terms and Conditions, Section 23 – Governing Law & Dispute Resolution).

1.2 Questions, Concerns, or Objections

If you have any questions, concerns, objections, or requests regarding this Privacy Policy, our data processing practices, or your privacy rights, please contact us:

Email: info@maslool.ae (Subject: “Privacy Inquiry” or “Data Protection Request”)
Telephone: +971 50 504 1792
Postal Address:
Maslool Hunting Requisites Trading
Attn: Data Protection / Privacy Officer
Shop No. 49, M-Floor, Al Rais Shopping Centre
74 Al Mankhool Road, Al Raffa, Bur Dubai
Dubai, United Arab Emirates

Response Time: We will respond to privacy inquiries and data subject rights requests within thirty (30) calendar days of receipt, as required by UAE PDPL Article 15 (see Section 9 – Your Privacy Rights for detailed rights and procedures).

2. INFORMATION WE COLLECT

In-Short: We collect personal data that you voluntarily provide to us (account registration, orders, communications), data automatically collected through your use of Services (device data, usage data, location data), and limited data from third parties (payment processors). We do not collect sensitive personal data.

2.1 Personal Data You Provide to Us

2.1.1 Categories of Personal Data Provided

We collect personal data that you voluntarily provide to us when you:

(a) Register for an account on the Website or mobile app; (b) Place an order or make a purchase (online or in-store); (c) Subscribe to newsletters, marketing communications, or promotional offers; (d) Contact us via email, telephone, WhatsApp, social media, or in-person; (e) Participate in surveys, contests, promotions, or loyalty programs; (f) Submit reviews, ratings, feedback, or user-generated content; (g) Apply for employment or submit business inquiries; (h) Otherwise interact with us or provide information;

Personal data categories we may collect include:

(a) Identity and Contact Data:

Full name (first name, last name, middle name, title);
Email address;
Mobile telephone number (with country code);
Postal address (billing address, shipping address, residential address);
Date of birth (for age verification purposes);
Nationality or country of residence;
Emirates ID number (where required for age verification, compliance screening, or regulatory purposes);
Passport number or other government-issued ID number (where required);

(b) Account and Authentication Data:

Username or account name;
Password (stored in encrypted/hashed form);
Security questions and answers;
Two-factor authentication (2FA) credentials or tokens (where enabled);
Account preferences, settings, and configurations;

(c) Financial and Payment Data:

Credit card or debit card number (last 4 digits only; full card data processed and stored by payment processors);
Card expiration date and CVV/CVC security code (processed by payment processors, not stored by us);
Billing address;
Payment method preferences;
Bank account details (for bank transfer payments);
Transaction history, order history, and purchase records;

(d) Order and Transaction Data:

Products purchased, quantities, prices, and order values;
Shipping addresses and delivery instructions;
Special requests, customizations, or personalization instructions (engraving text, custom designs, specifications);
Order dates, dispatch dates, delivery dates, and tracking information;
Returns, refunds, exchanges, or warranty claims;

(e) Communications and Correspondence:

Content of emails, messages, WhatsApp chats, phone calls (where recorded), or other communications you send to us;
Customer service inquiries, complaints, feedback, or support requests;
Survey responses, contest entries, or event registrations;

(f) User-Generated Content:

Reviews, ratings, testimonials, comments, photos, videos, or other content you submit or post (see Terms and Conditions, Section 11 – User-Generated Content);
Social media posts, tags, mentions, or shares involving Maslool or our products;

(g) Professional and Business Data (for B2B customers or business inquiries):

Company name, business name, or trading name;
Trade license number or business registration number;
Job title, role, or position;
Business email address and business telephone number;
VAT registration number or tax identification number;

(h) Marketing and Preference Data:

Email marketing subscription preferences (opt-in/opt-out);
SMS or WhatsApp marketing consent;
Communication preferences (email, phone, post, SMS);
Product interests, preferences, or wish lists;

2.1.2 Sensitive Personal Data – Not Collected

We do not intentionally collect, request, or process “sensitive personal data” as defined under UAE PDPL Article 1 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sex life or sexual orientation).

Exception: Where you voluntarily provide sensitive personal data to us (e.g., health information in a customer service inquiry about product safety), we will process such data only for the specific purpose for which you provided it, with your explicit consent, and in accordance with UAE PDPL Article 23 (Special Categories of Personal Data).

2.1.3 Accuracy and Updates

(a) You represent and warrant that all personal data you provide to us is true, accurate, current, and complete at the time of provision (see Terms and Conditions, Section 3.1.1 – Accuracy of Information).

(b) You agree to promptly update your personal data whenever it changes, becomes inaccurate, or becomes incomplete, by:

Updating your account settings on the Website or mobile app;
Contacting us at info@maslool.ae or +971 50 504 1792;

Delivery failures, mis-deliveries, or order delays;
Inability to contact you for important order updates or compliance matters;
Account suspension or transaction refusal due to compliance screening concerns;
Other adverse consequences;

(See Terms and Conditions, Section 3.2 – Continuing Obligations to Update).

2.2 Information Automatically Collected

2.2.1 Device and Usage Data

When you visit, access, or use our Website, mobile app, or Services, we automatically collect certain technical and usage information through:

(a) Web server logs; (b) Cookies and similar tracking technologies (see Section 11 – Cookies & Tracking Technologies); (c) Mobile app analytics and SDKs (software development kits); (d) Third-party analytics services (e.g., Google Analytics);

Data automatically collected includes:

(a) Device Data:

Device type (smartphone, tablet, desktop computer, laptop);
Device model, manufacturer, and hardware specifications;
Operating system (OS) and version (iOS, Android, Windows, macOS, Linux);
Browser type and version (Chrome, Safari, Firefox, Edge, etc.);
Screen resolution, display size, and color depth;
Device identifiers (IMEI, UDID, Android ID, Advertising ID, or similar unique identifiers);
Mobile carrier or internet service provider (ISP);

(b) Network and Connection Data:

IP address (Internet Protocol address);
MAC address (Media Access Control address) (where available);
Network connection type (Wi-Fi, cellular, 3G, 4G, 5G);
Internet service provider (ISP) or mobile network operator;

(c) Log and Usage Data:

Date and time of access (timestamp);
Pages visited, URLs accessed, and navigation paths (clickstream data);
Referring URL (website or source that directed you to our Website);
Search queries entered on our Website;
Actions taken (button clicks, form submissions, downloads, purchases);
Files viewed, downloaded, or uploaded;
Features used, functions accessed, or services utilized;
Session duration, time spent on pages, and engagement metrics;
Error reports, crash logs, or diagnostic data (for troubleshooting and performance improvement);

(d) Location Data:

Approximate location (country, region, city, or postal code) derived from IP address;
Precise location (GPS coordinates, latitude, longitude) only if you grant location access permission on your mobile device;

(See Section 2.2.2 – Location Data and Consent below).

2.2.2 Location Data and Consent

(a) IP-Based Location (Approximate): We automatically collect approximate location data (country, region, city) derived from your IP address for purposes of:

Displaying region-appropriate content, pricing, and currency;
Fraud detection and security (detecting suspicious login locations);
Compliance screening and sanctions checks;
Website analytics and traffic analysis;

No separate consent required (legitimate interest and technical necessity).

(b) GPS-Based Location (Precise): We may request access to your device’s precise location (GPS coordinates) only if you use certain features of our mobile app (e.g., “Find Nearest Store,” “Local Delivery Options,” or location-based services).

Consent required: You must explicitly grant location access permission in your device settings. You can opt-out or revoke permission at any time by:

Disabling location services in your device settings (Settings > Privacy > Location Services on iOS; Settings > Location on Android);
Uninstalling the mobile app;

Consequence of opt-out: Location-dependent features may not function properly or may be unavailable.

2.2.3 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, local storage, and similar tracking technologies to collect data about your use of the Website and mobile app.

For detailed information on cookies, types of cookies we use, purposes, third-party cookies, and your cookie choices, see Section 11 – Cookies & Tracking Technologies.

2.3 Information from Third Parties

2.3.1 Payment Processors

We receive limited personal data and transaction data from third-party payment processors that process payments on our behalf, including:

(a) WooCommerce (payment gateway and e-commerce platform); (b) Stripe (payment processing service);

Data received from payment processors:

Payment confirmation status (approved, declined, pending);
Transaction ID and payment reference number;
Last 4 digits of card number (for order identification and customer service);
Payment method type (Visa, Mastercard, American Express, etc.);
Payment amount, currency, and timestamp;
Billing address verification results;
Fraud risk scores or indicators (where provided by payment processor);

Full payment card data (complete card number, expiration date, CVV) is processed and stored directly by payment processors (WooCommerce, Stripe) in compliance with PCI DSS (Payment Card Industry Data Security Standard). We do not collect, store, or have access to full payment card data.

Privacy Policies of Payment Processors:

WooCommerce Privacy Policy: https://woocommerce.com/privacy-policy/
Stripe Privacy Policy: https://stripe.com/ae/privacy

2.3.2 Analytics and Marketing Services

We receive aggregated, anonymized, or pseudonymized usage data, analytics data, and marketing performance data from:

(a) Google Analytics (website analytics and visitor tracking); (b) Google Ads (advertising and marketing analytics); (c) Social media platforms (Facebook, Instagram) (advertising performance, audience insights);

Data received typically includes:

Aggregated user demographics (age ranges, gender distributions, geographic regions);
Aggregated interests and behavior patterns;
Website traffic metrics (page views, sessions, bounce rates);
Marketing campaign performance (click-through rates, conversions, ROI);

Such data is typically anonymized or pseudonymized and does not directly identify you personally.

Privacy Policies:

Google Privacy Policy: https://policies.google.com/privacy
Facebook Data Policy: https://www.facebook.com/privacy/policy/

2.3.3 No Other Third-Party Data Sources

We do not routinely purchase, obtain, or receive personal data about you from:

Data brokers, data aggregators, or marketing list providers;
Credit reference agencies or background check services (except where required for specific compliance screening or fraud prevention in high-risk transactions);
Social media platforms (except as described in Section 2.3.2 – aggregated analytics);
Public records or open-source intelligence (OSINT) (except where required for compliance screening under AML/CFT or sanctions laws – see Terms and Conditions, Section 18 – Sanctions, AML/CFT & Compliance Screening).

3. HOW WE COLLECT INFORMATION

In-Short: We collect personal data directly from you (when you provide it), automatically through your use of Services (cookies, logs, analytics), from payment processors, and through CCTV surveillance at our Store.

3.1 Direct Collection from You

We collect personal data directly from you when you:

(a) Create an account or register on the Website or mobile app;

(b) Place an order or make a purchase (online, in-store, via phone, or via WhatsApp);

(d) Subscribe to newsletters, marketing communications, or promotional offers;

(e) Contact us via email (info@maslool.ae), telephone (+971 50 504 1792), WhatsApp, social media (Instagram, Facebook), or in-person at our Store;

(f) Participate in surveys, contests, promotions, loyalty programs, or events;

(g) Submit content (reviews, ratings, testimonials, comments, photos, videos, feedback);

(h) Apply for employment or submit business proposals or partnership inquiries;

(i) Request customer service or support (warranty claims, returns, refunds, product inquiries);

(j) Provide verification documents (Emirates ID, passport, trade license) for age verification, compliance screening, or identity verification purposes (see Terms and Conditions, Section 3.3 – Verification & Requests for Evidence and Section 18.2 – Compliance Screening and Verification Procedures);

3.2 Automatic Collection Through Technology

3.2.1 Web Server Logs and Access Logs

Our web servers and hosting infrastructure automatically record certain data in log files when you access the Website or mobile app, including:

IP address, timestamp, URL requested, HTTP method (GET, POST), HTTP status code, user agent string, referring URL, and bytes transferred;

Purpose: Security monitoring, fraud detection, troubleshooting, performance optimization, and website analytics.

Legal Basis: Legitimate interest (security, fraud prevention, technical necessity) and compliance with legal obligations (cybersecurity, incident response).

3.2.2 Cookies and Similar Technologies

We use cookies, web beacons, pixels, local storage, session storage, and similar tracking technologies to collect data about your browsing behavior, preferences, and interactions with the Website and mobile app.

For comprehensive details, see Section 11 – Cookies & Tracking Technologies.

3.2.3 Third-Party Analytics Services

We use Google Analytics (and potentially other analytics services) to collect aggregated usage data, traffic data, and visitor behavior data for purposes of:

Understanding how visitors use the Website (page views, sessions, bounce rates, navigation paths);
Identifying popular products, pages, or features;
Improving website design, user experience, and content;
Measuring marketing campaign effectiveness;

Google Analytics: Google Analytics may collect data through cookies and similar technologies. You can opt-out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-On: https://tools.google.com/dlpage/gaoptout

Google Privacy Policy: https://policies.google.com/privacy

(See Section 11.4 – Third-Party Analytics and Advertising Cookies for detailed information on Google Analytics and opt-out options).

3.2.4 Mobile App SDKs and Analytics

Our mobile application (if applicable) may incorporate Software Development Kits (SDKs) or Application Programming Interfaces (APIs) from third-party service providers for purposes of:

App analytics (usage tracking, crash reporting, performance monitoring);
Push notifications (where you have consented);
In-app messaging or customer support chat;
Payment processing or authentication services;

Such SDKs may collect device data, usage data, location data (if permitted), and other technical data as described in Section 2.2 – Information Automatically Collected.

Your Control: You can disable certain app permissions (location, camera, notifications) in your device settings.

3.3 Collection from Third Parties

3.3.1 Payment Processors

We receive limited transaction data and payment confirmation data from WooCommerce and Stripe as described in Section 2.3.1 – Payment Processors.

3.3.2 Compliance and Screening Services

Where required for sanctions screening, AML/CFT compliance, or fraud prevention (see Terms and Conditions, Section 18 – Sanctions, AML/CFT & Compliance Screening), we may use third-party compliance screening services, databases, or verification services to:

Screen customers against sanctions lists, PEP (Politically Exposed Persons) lists, or adverse media databases;
Verify identity, address, or business credentials;
Assess fraud risk or transaction risk scores;

Such services may provide us with:

Sanctions screening results (match/no match, risk scores);
PEP status or adverse media hits;
Identity verification results (verified/not verified, confidence scores);

Legal Basis: Legal obligation (AML/CFT, sanctions compliance) and legitimate interest (fraud prevention, security).

3.3.3 Public Records and Open-Source Intelligence (Limited Use)

In exceptional circumstances (high-risk transactions, suspected fraud, compliance concerns, or law enforcement requests), we may collect publicly available information about you from:

Public records (company registries, trade license databases, court records);
Open-source intelligence (OSINT) (public social media profiles, news articles, public databases);

Purpose: Compliance verification, fraud investigation, sanctions screening, or response to law enforcement requests.

Legal Basis: Legal obligation or legitimate interest (fraud prevention, security, law enforcement cooperation).

3.4 CCTV Surveillance at Physical Store

3.4.1 CCTV Coverage

We operate Closed-Circuit Television (CCTV) surveillance cameras at our physical Store premises (Shop No. 49, M-Floor, Al Rais Shopping Centre, 74 Al Mankhool Road, Bur Dubai) for purposes of:

Security and crime prevention (theft, vandalism, assault, trespassing);
Safety monitoring (accidents, emergencies, crowd management);
Staff safety and conduct monitoring;
Dispute resolution (customer disputes, incident investigations);
Law enforcement assistance (providing footage to police or authorities when required or requested);

3.4.2 CCTV Data Collected

CCTV cameras capture:

Video footage (images of your face, body, clothing, movements, and activities within the Store);
Audio recordings (if cameras have audio capabilities) (limited use, primarily for security incident documentation);
Date and time stamps (when footage is recorded);

3.4.3 CCTV Signage and Notice

Prominent signage is displayed at the Store entrance and within the Store notifying visitors that CCTV surveillance is in operation, in compliance with UAE PDPL Article 6 (Transparency Principle).

By entering the Store premises, you are deemed to have been notified of CCTV surveillance and to have consented to being recorded for the purposes stated above.

3.4.4 CCTV Retention and Access

Retention Period: CCTV footage is retained for ninety (90) calendar days from the date of recording, unless footage is relevant to an active investigation, dispute, incident, or law enforcement matter, in which case retention is extended as necessary.
Access: CCTV footage is accessed only by authorized Maslool staff, management, law enforcement (upon lawful request), or legal advisors (where necessary for dispute resolution or legal proceedings).
Disclosure: CCTV footage may be disclosed to Dubai Police, UAE law enforcement, courts, prosecutors, or other competent authorities upon lawful request or legal obligation.

For comprehensive CCTV terms, see Terms and Conditions, Section 12.4 – CCTV Surveillance and In-Store Monitoring and Section 14 – In-Store Conduct, Safety & Access Rights.

4. HOW WE USE YOUR INFORMATION

In-Short: We use your personal data to provide Services, process orders, communicate with you, improve our business, ensure security and fraud prevention, comply with legal obligations, and (with your consent) send marketing communications.

4.1 Primary Processing Purposes

We process your personal data for the following purposes:

4.1.1 Account Creation and Management

Creating and maintaining your user account on the Website or mobile app;
Authentication and login (verifying your identity, securing your account);
Account settings and preferences (saving your preferences, addresses, payment methods);
Account security (monitoring for unauthorized access, detecting suspicious activity);

Legal Basis: Contractual necessity (to perform the contract – Terms and Conditions); Consent (where account creation is optional).

4.1.2 Order Processing and Fulfillment

Processing and fulfilling your orders, purchases, and transactions;
Payment processing (authorizing, capturing, and settling payments);
Order confirmation (sending order confirmation emails or messages);
Shipping and delivery (arranging shipping, courier services, delivery to your address);
Order tracking and updates (providing tracking information, dispatch notifications, delivery confirmations);
Collection notifications (notifying you when orders are ready for in-store collection);
Customs documentation and export/import compliance (for international orders) (see Terms and Conditions, Section 6.4 – Regulatory & Cross-Border Compliance);

Legal Basis: Contractual necessity (to perform the contract – Terms and Conditions).

4.1.3 Customer Service and Support

Responding to your inquiries, questions, requests, complaints, or feedback;
Providing customer service and technical support (troubleshooting, assistance, guidance);
Processing returns, refunds, exchanges, or warranty claims (see Terms and Conditions, Section 9.3 – Return Policy and Procedures);
Resolving disputes (addressing complaints, disputes, chargebacks, or claims);
Investigating incidents (product defects, delivery issues, service complaints);

Legal Basis: Contractual necessity; Legitimate interest (customer satisfaction, service quality, dispute resolution).

4.1.4 Communication and Correspondence

Sending transactional communications (order confirmations, shipping notifications, account updates, password resets, service announcements);
Responding to emails, phone calls, WhatsApp messages, or other communications you send to us;
Providing information about products, services, policies, or changes;

Legal Basis: Contractual necessity; Legitimate interest (effective communication, service delivery).

4.1.5 Marketing and Promotional Communications (With Consent)

Sending marketing emails, newsletters, or promotional offers (with your opt-in consent);
Sending SMS or WhatsApp marketing messages (with your explicit consent);
Personalized marketing (tailoring offers, recommendations, or content based on your preferences, purchase history, or browsing behavior);
Advertising and retargeting (displaying ads on third-party websites, social media platforms, or search engines);

Legal Basis: Consent (opt-in for marketing communications).

Your Right to Opt-Out: You can unsubscribe from marketing communications at any time by:

Clicking the “Unsubscribe” link in marketing emails;
Replying “STOP” to SMS marketing messages;
Contacting us at info@maslool.ae or +971 50 504 1792;
Updating your communication preferences in your account settings;

Note: Even if you opt-out of marketing communications, we may still send you transactional or service-related communications (order confirmations, shipping notifications, account updates, legal notices) as these are necessary for service delivery and contractual performance.

(See Section 9.6 – Marketing and Promotional Communications Opt-Out).

4.1.6 Personalization and User Experience Improvement

Personalizing your experience (remembering your preferences, language, currency, saved addresses);
Recommending products (suggesting products based on your browsing history, purchase history, or similar customers’ behavior);
Improving website and app usability (analyzing user behavior, navigation patterns, feature usage);
A/B testing and optimization (testing different layouts, designs, or features to improve user experience);

Legal Basis: Consent (cookies and tracking); Legitimate interest (service improvement, user experience enhancement).

4.1.7 Business Analytics and Performance Monitoring

Analyzing website traffic, visitor behavior, and usage patterns (page views, sessions, bounce rates, conversion rates);
Measuring marketing campaign performance (ROI, click-through rates, conversion tracking);
Product performance analysis (best-sellers, popular categories, inventory management);
Business intelligence and strategic planning (market trends, customer demographics, sales forecasting);

Legal Basis: Legitimate interest (business operations, performance improvement, strategic planning).

4.1.8 Security, Fraud Prevention, and Risk Management

Detecting and preventing fraud (payment fraud, account takeover, identity theft, chargebacks);
Monitoring for security threats (hacking attempts, unauthorized access, malware, cyberattacks);
Account security (detecting suspicious login locations, unusual activity patterns, or compromised credentials);
Compliance screening (sanctions screening, AML/CFT screening, PEP screening, adverse media screening) (see Terms and Conditions, Section 18 – Sanctions, AML/CFT & Compliance Screening);
Risk assessment (assessing transaction risk, customer risk, or compliance risk);
Incident response and investigation (investigating security incidents, fraud incidents, or policy violations);

Legal Basis: Legal obligation (AML/CFT, sanctions compliance, cybersecurity); Legitimate interest (fraud prevention, security, risk management).

4.1.9 Legal Compliance and Law Enforcement

Complying with legal obligations (UAE PDPL, AML/CFT law, sanctions laws, tax laws, consumer protection laws, customs laws);
Responding to law enforcement requests (police investigations, court orders, subpoenas, regulatory inquiries);
Suspicious transaction reporting (reporting suspicious activities to UAE Central Bank FIU or other authorities) (see Terms and Conditions, Section 18.4.4 – Suspicious Transaction Reporting);
Record-keeping and documentation (maintaining records for tax, accounting, legal, or regulatory purposes);
Legal proceedings (using personal data as evidence in arbitration, litigation, or dispute resolution);

Legal Basis: Legal obligation; Legitimate interest (law enforcement cooperation, legal defense, regulatory compliance).

4.1.10 Product Development and Innovation

Developing new products, services, or features (based on customer feedback, market research, usage data);
Testing and improving existing products or services (quality assurance, performance optimization);
Research and development (analyzing trends, customer needs, or market opportunities);

Legal Basis: Legitimate interest (product innovation, service improvement, business development).

4.2 Purposes Requiring Explicit Consent

Certain data processing activities require your explicit, informed, opt-in consent, including:

(a) Marketing communications (email marketing, SMS marketing, WhatsApp marketing) (see Section 4.1.5);

(b) Precise location tracking (GPS-based location data) (see Section 2.2.2 – Location Data and Consent);

(c) Non-essential cookies (marketing cookies, advertising cookies, social media cookies) (see Section 11 – Cookies & Tracking Technologies);

(d) Use of personal data for purposes not disclosed at the time of collection (where consent is the only lawful basis);

How We Obtain Consent:

Opt-in checkboxes (clearly labeled, unchecked by default, with link to Privacy Policy);
Email confirmation or double opt-in (for newsletter subscriptions);
Device permissions (for mobile app location, camera, notifications);
Cookie consent banners or preference centers;

Your Right to Withdraw Consent: You can withdraw consent at any time by:

Clicking “Unsubscribe” in marketing emails;
Disabling device permissions in your device settings;
Managing cookie preferences in your browser or via our cookie consent tool;
Contacting us at info@maslool.ae;

Effect of Withdrawal: Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal. However, we may be unable to provide certain services or features if consent is withdrawn.

4.3 Processing Only When Lawful

We process your personal data only when we have a valid legal basis to do so, in compliance with:

UAE PDPL Article 5 (Lawfulness Principle);
UAE PDPL Article 7 (Legal Bases for Processing);
GDPR Article 6 (Lawfulness of Processing) (where applicable to EU/UK data subjects);

No processing for incompatible purposes: We do not process your personal data for purposes that are incompatible with the purposes for which it was originally collected, unless:

You provide explicit consent for the new purpose; OR
The new purpose is legally required or authorized by law; OR
The new purpose is necessary for vital interests, public interest, or legal proceeding.

5. LEGAL BASIS FOR PROCESSING

In Short: We process your personal data based on one or more legal bases recognized under UAE PDPL and international data protection laws: consent, contractual necessity, legal obligation, vital interests, or legitimate interests. Different processing activities rely on different legal bases.

5.1 Legal Bases Under UAE PDPL

Under UAE Federal Decree-Law No. 45 of 2021 (PDPL), Article 7, personal data may be processed on one or more of the following legal bases:

5.1.1 Consent

(a) Definition: You have given explicit, informed, freely given, specific, and unambiguous consent to the processing of your personal data for one or more specific purposes.

(b) When We Rely on Consent:

Marketing communications (email, SMS, WhatsApp marketing);
Non-essential cookies (marketing, advertising, analytics cookies);
Precise location tracking (GPS-based location);
Optional data collection (surveys, contests, feedback);

(c) Your Right to Withdraw: You can withdraw consent at any time (see Section 9.7 – Right to Withdraw Consent).

5.1.2 Contractual Necessity

(a) Definition: Processing is necessary for the performance of a contract to which you are a party (Terms and Conditions), or to take steps at your request prior to entering into a contract.

(b) When We Rely on Contractual Necessity:

Account creation and management;
Order processing, payment processing, and fulfillment;
Shipping, delivery, and collection;
Customer service and support;
Returns, refunds, exchanges, warranty claims;

(c) Note: If you refuse to provide personal data necessary for contractual performance, we may be unable to provide Services or fulfill orders.

5.1.3 Legal Obligation

(a) Definition: Processing is necessary for compliance with a legal obligation to which Maslool is subject under UAE law or other applicable laws.

(b) When We Rely on Legal Obligation:

AML/CFT compliance (Customer Due Diligence, suspicious transaction reporting) (Federal Decree-Law No. 20 of 2018);
Sanctions compliance (screening, blocking, reporting) (Cabinet Resolution No. 74 of 2020);
Tax compliance (VAT records, invoicing, reporting) (Federal Decree-Law No. 8 of 2017 on VAT);
Customs and export control compliance (Cabinet Resolution No. 22 of 2023);
Responding to law enforcement requests (court orders, subpoenas, police requests);
Data protection compliance (UAE PDPL record-keeping, breach notification);

5.1.4 Vital Interests

(a) Definition: Processing is necessary to protect the vital interests of you or another person (life, health, safety, or physical integrity).

(b) When We Rely on Vital Interests:

Emergency situations (medical emergencies, safety threats, imminent harm);
Reporting safety concerns or product defects to authorities;
Preventing harm to you or others;

(c) Note: Vital interests are invoked only where necessary and where other legal bases are not applicable.

5.1.5 Legitimate Interests

(a) Definition: Processing is necessary for the purposes of legitimate interests pursued by Maslool or a third party, except where such interests are overridden by your fundamental rights and freedoms, particularly where you are a child.

(b) When We Rely on Legitimate Interests:

Security and fraud prevention (protecting Maslool’s systems, customers, and business from fraud, cyberattacks, or abuse);
Business operations and administration (website analytics, business intelligence, performance monitoring);
Service improvement (analyzing user behavior, improving website usability, product recommendations);
Customer service quality (monitoring customer service interactions, training staff, quality assurance);
Direct marketing to existing customers (where permitted by law and where you have not opted out);
Legal defense and dispute resolution (defending legal claims, enforcing Terms and Conditions, arbitration proceedings);
CCTV surveillance (Store security, crime prevention, staff safety, incident investigation);

(c) Balancing Test: Before relying on legitimate interests, we assess whether:

The legitimate interest is real, present, and sufficiently important;
The processing is necessary and proportionate to achieve the legitimate interest;
Your rights and freedoms are not unduly impacted;
You would reasonably expect the processing in the context;

(d) Your Right to Object: You have the right to object to processing based on legitimate interests (see Section 9.8 – Right to Object to Processing).

5.2 Legal Bases Under GDPR (For EU/UK Data Subjects)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data.

5.2.1 GDPR Legal Bases (Article 6(1))

We rely on the following GDPR legal bases:

(a) Consent (Article 6(1)(a)): As described in Section 5.1.1;

(b) Contractual Necessity (Article 6(1)(b)): As described in Section 5.1.2;

(c) Legal Obligation (Article 6(1)(c)): As described in Section 5.1.3;

(d) Vital Interests (Article 6(1)(d)): As described in Section 5.1.4;

(e) Public Task (Article 6(1)(e)): Not applicable (Maslool is a private commercial entity, not a public authority);

(f) Legitimate Interests (Article 6(1)(f)): As described in Section 5.1.5;

5.2.2 Special Categories of Personal Data (GDPR Article 9)

We do not intentionally process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, sex life, or sexual orientation) as defined under GDPR Article 9.

Exception: If you voluntarily provide such data (e.g., health information in a customer service inquiry), we process it only:

With your explicit consent (GDPR Article 9(2)(a)); OR
Where necessary for establishment, exercise, or defense of legal claims (GDPR Article 9(2)(f));

5.2.3 Your GDPR Rights

If you are an EU/UK/Switzerland data subject, you have enhanced rights under GDPR, including:

Right of access, rectification, erasure, restriction, data portability, and objection (see Section 9 – Your Privacy Rights);
Right to lodge a complaint with your EU Member State Data Protection Authority, UK Information Commissioner’s Office (ICO), or Swiss Federal Data Protection and Information Commissioner (FDPIC);

Supervisory Authorities:

EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en
UK ICO: https://ico.org.uk/
Switzerland FDPIC: https://www.edoeb.admin.ch/edoeb/en/home.html

5.3 Legal Bases Under Canadian Law (For Canadian Residents – If Applicable)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) or applicable provincial privacy laws (e.g., Quebec’s Bill 64) may apply.

5.3.1 Consent (Express or Implied)

We may process your personal data based on:

(a) Express Consent: Where you have given explicit, affirmative consent (opt-in checkboxes, signed agreements, verbal consent);

(b) Implied Consent: Where consent can reasonably be inferred from your actions or conduct (e.g., providing your email address in a “Contact Us” form implies consent to receive a response);

5.3.2 Exceptions to Consent (PIPEDA Section 7(1))

In certain exceptional cases, we may process personal data without consent where:

Collection is clearly in your interests and consent cannot be obtained in a timely manner;
For investigations and fraud detection and prevention;
For business transactions (mergers, acquisitions) provided certain conditions are met;
Contained in witness statements for insurance claims;
For identifying injured, ill, or deceased persons and communicating with next of kin;
Reasonable grounds to believe you are a victim of financial abuse;
Reasonable expectation that collection with consent would compromise availability or accuracy of information (investigating breach of agreement or law);
Required to comply with subpoena, warrant, court order, or rules of court;
Produced in the course of employment, business, or profession and collection is consistent with purposes for which information was produced;
Solely for journalistic, artistic, or literary purposes;
Information is publicly available and specified by regulations.

6. INFORMATION SHARING & DISCLOSURE

In Short: We may share your personal data with service providers (payment processors, shipping carriers, analytics providers), business partners, affiliates, legal and regulatory authorities (when required by law or for compliance), and in business transfers (mergers, acquisitions). We do not sell your personal data to third parties.

6.1 Categories of Recipients

We may share or disclose your personal data to the following categories of recipients:

6.1.1 Service Providers and Third-Party Processors

We engage third-party service providers to perform functions, services, or operations on our behalf. These service providers act as data processors and process personal data only on our instructions and for the purposes specified in written agreements.

Categories of service providers include:

(a) Payment Processing Service Providers:

WooCommerce (e-commerce platform and payment gateway);
Stripe (payment processing, card tokenization, fraud detection);
Banks and financial institutions (transaction processing, settlement, currency conversion);

Data Shared: Name, email, billing address, payment instrument data (last 4 digits), transaction amount, order details;

Purpose: Payment authorization, processing, settlement, fraud prevention, chargeback management;

(b) Shipping and Logistics Providers:

Courier services (e.g., Aramex, DHL, Emirates Post, FedEx, or other carriers);
Freight forwarders (for international shipments);
Last-mile delivery services (local delivery partners);

Data Shared: Name, shipping address, telephone number, email address, order details, tracking information;

Purpose: Order fulfillment, shipping, delivery, tracking, proof of delivery, customs clearance;

(c) Web Hosting and Cloud Infrastructure Providers:

Website hosting providers (servers, storage, bandwidth);
Cloud storage providers (data storage, backups, disaster recovery);
Content Delivery Networks (CDNs) (static content delivery, caching);

Data Shared: All personal data stored on or transmitted through our Website, systems, or databases;

Purpose: Website operation, hosting, storage, backup, technical infrastructure;

(d) Email and Communication Service Providers:

Email service providers (email delivery, newsletter management, transactional emails);
SMS and WhatsApp messaging platforms (for order notifications, OTPs, marketing);
Customer support platforms (help desk, ticketing, live chat);

Data Shared: Name, email address, telephone number, message content, support inquiries;

Purpose: Sending transactional emails, marketing communications, customer support, notifications;

(e) Analytics and Marketing Service Providers:

Google Analytics (website analytics, visitor tracking, behavior analysis);
Google Ads, Facebook Ads, Instagram Ads (advertising, remarketing, campaign management);
Social media platforms (Facebook, Instagram) (advertising, audience insights, engagement tracking);

Data Shared: Aggregated or pseudonymized usage data, device data, cookie data, marketing performance data;

Purpose: Website analytics, marketing analytics, advertising, campaign optimization, audience targeting;

Note: These providers typically process data as independent data controllers under their own privacy policies (see Section 6.1.7 – Third-Party Privacy Policies).

(f) Compliance and Screening Service Providers:

Sanctions screening providers (e.g., Dow Jones Risk & Compliance, ComplyAdvantage, World-Check);
Identity verification services (e.g., Jumio, Onfido, Trulioo);
Fraud detection and prevention services (e.g., Sift, Kount, Riskified);

Data Shared: Name, address, date of birth, nationality, Emirates ID number, passport number, business details;

Purpose: Sanctions screening, AML/CFT compliance, PEP screening, identity verification, fraud detection, risk assessment;

(See Terms and Conditions, Section 18 – Sanctions, AML/CFT & Compliance Screening).

(g) IT and Security Service Providers:

Cybersecurity providers (firewalls, intrusion detection, DDoS protection, vulnerability scanning);
IT support and maintenance providers (technical support, system administration, updates);

Data Shared: System logs, access logs, security incident data, technical data;

Purpose: Security monitoring, incident response, IT maintenance, technical support;

(h) Professional Advisors and Consultants:

Legal advisors and attorneys (for legal advice, dispute resolution, regulatory compliance);
Accountants and auditors (for financial audits, tax compliance, accounting);
Business consultants (for business strategy, operations improvement, due diligence);

Data Shared: Personal data relevant to legal matters, disputes, audits, or consulting engagements;

Purpose: Legal advice, legal representation, financial audits, tax compliance, business consulting;

6.1.2 Affiliates and Group Companies

We may share your personal data with our affiliates, parent company, subsidiaries, or other entities under common control or ownership (if applicable), for purposes of:

Consolidated business operations, administration, and management;
Shared IT infrastructure, systems, or services;
Group-wide compliance, risk management, or internal audit;
Joint marketing, promotions, or loyalty programs;

Safeguards: Affiliates are required to honor this Privacy Policy and process personal data in accordance with UAE PDPL and applicable data protection laws.

Note: As of the Effective Date of this Privacy Policy, Maslool Hunting Requisites Trading operates as a sole proprietorship and does not have affiliates or group companies. This provision is included for potential future applicability.

6.1.3 Business Partners and Joint Ventures

We may share personal data with business partners, joint venture partners, or strategic partners for purposes of:

Co-marketing, co-promotions, or joint events;
Collaborative product development or sourcing;
Referral programs or affiliate marketing;

Disclosure: Where personal data is shared with business partners, we will inform you at the time of data collection or obtain your consent where required.

6.1.4 Legal and Regulatory Authorities

We may disclose your personal data to government authorities, law enforcement agencies, regulators, courts, or other competent legal entities when:

(a) Required by Law or Legal Process:

Court orders, subpoenas, warrants, or judicial orders (civil or criminal proceedings);
Regulatory inquiries, audits, or investigations (UAE Data Office, Dubai Police, UAE Central Bank, Dubai Customs, Dubai Department of Economy and Tourism, or other regulators);
Statutory reporting obligations (Suspicious Transaction Reports to UAE Central Bank FIU under AML/CFT law);

(b) Law Enforcement Cooperation:

Dubai Police (Criminal Investigation Department, Counter-Terrorism Department, Financial Crimes Unit, Cybercrime Department);
UAE Federal authorities (Ministry of Interior, Federal Public Prosecution, UAE Customs);
International law enforcement (INTERPOL, foreign police or authorities) (via mutual legal assistance treaties (MLATs) or formal cooperation channels);

(c) Compliance and Regulatory Purposes:

Sanctions compliance (reporting to sanctions authorities, freezing assets, blocking transactions);
AML/CFT compliance (reporting suspicious transactions, responding to FIU requests);
Tax compliance (responding to tax authority requests, providing tax records);
Customs and export control compliance (providing export documentation, customs declarations);

(d) Protection of Rights, Property, or Safety:

Defending legal claims (arbitration, litigation, dispute resolution);
Enforcing Terms and Conditions (pursuing breaches, violations, fraud, or misconduct);
Protecting Maslool’s rights, property, business, or reputation (intellectual property enforcement, fraud investigation);
Protecting safety of customers, staff, or the public (reporting threats, violence, safety hazards);

Legal Basis: Legal obligation (UAE PDPL Article 7(1)(c)); Legitimate interest (law enforcement cooperation, legal defense, protection of rights).

Tipping-Off Prohibition: Where disclosure relates to suspicious transaction reporting (STR/SAR) under AML/CFT law, we are legally prohibited from informing you that a report has been filed (Federal Decree-Law No. 20 of 2018, Article 16 – Tipping Off Prohibition) (see Terms and Conditions, Section 18.4.3 – Tipping Off Prohibition).

6.1.5 Business Transfers and Corporate Transactions

We may share or transfer your personal data in connection with:

(a) Mergers, Acquisitions, or Sales:

Merger with another company;
Acquisition of Maslool by another company;
Sale of all or part of Maslool’s business, assets, or operations;

(b) Financing, Investment, or Restructuring:

Raising capital, seeking investment, or financing transactions;
Corporate restructuring, reorganization, or insolvency proceedings;

(c) Due Diligence and Negotiations:

Prospective buyers, investors, or transaction advisors conducting due diligence;

Safeguards:

Prospective buyers or transaction parties are bound by confidentiality agreements (NDAs) and required to use personal data only for due diligence purposes;
In the event of a completed transaction, the acquiring entity or successor will be bound by this Privacy Policy (or will provide notice of a new privacy policy);
We will notify you of business transfers that materially affect your personal data (via email or Website notice);

Legal Basis: Legitimate interest (business transactions, continuity of services); Contractual necessity (transfer of contractual relationships).

6.1.6 With Your Consent or at Your Direction

We may share your personal data with third parties where you have provided explicit consent or at your direction, including:

Sharing your order details with a gift recipient (where you provide their address);
Sharing your contact information with a third-party service provider you select (e.g., extended warranty provider, insurance provider);
Publicly posting your user-generated content (reviews, testimonials, photos) with your consent (see Terms and Conditions, Section 11 – User-Generated Content);

Your Control: You can withdraw consent or request removal of publicly posted content by contacting us at info@maslool.ae.

6.1.7 Third-Party Privacy Policies

Where we share personal data with third-party service providers, analytics providers, or advertising platforms, those third parties have their own privacy policies governing their use of personal data.

We encourage you to review the privacy policies of third parties:

WooCommerce Privacy Policy: https://woocommerce.com/privacy-policy/
Stripe Privacy Policy: https://stripe.com/ae/privacy
Google Privacy Policy: https://policies.google.com/privacy
Facebook Data Policy: https://www.facebook.com/privacy/policy/

We are not responsible for the privacy practices, policies, or security measures of third-party service providers, platforms, or websites.

6.2 No Sale of Personal Data

We do not sell, rent, trade, or otherwise monetize your personal data to third parties for their own marketing or commercial purposes.

Clarification:

Sharing data with service providers (as described in Section 6.1.1) for operational purposes (payment processing, shipping, analytics) is not considered a “sale”;
Sharing aggregated, anonymized, or de-identified data (that does not identify you personally) with business partners or researchers is not considered a “sale” of personal data;

Commitment: We will not sell your personal data in the future. If our practices change, we will update this Privacy Policy and notify you (see Section 17 – Changes to This Privacy Policy).

6.3 Aggregated or Anonymized Data

We may share aggregated, anonymized, or de-identified data (data that does not identify you personally) with:

Business partners, researchers, or industry organizations (for market research, trend analysis, benchmarking);
Suppliers or manufacturers (for product development, market insights, inventory planning);
Media, analysts, or journalists (for press releases, reports, or industry publications);

No Re-Identification: Aggregated or anonymized data is processed to ensure it cannot reasonably be re-identified to you personally.

7. INTERNATIONAL DATA TRANSFERS

In-Short: Your personal data may be transferred to, stored on, or processed by servers, service providers, or entities located outside the United Arab Emirates, including in countries that may not offer the same level of data protection. We implement safeguards (Standard Contractual Clauses, adequacy decisions, or other mechanisms) to protect your data during international transfers.

7.1 Cross-Border Transfers Overview

7.1.1 UAE as Primary Location

Maslool Hunting Requisites Trading is based in the United Arab Emirates (UAE), and our primary servers, systems, and data storage facilities are located within the UAE.

7.1.2 International Transfers May Occur

However, your personal data may be transferred to, accessed from, or processed in countries or jurisdictions outside the UAE, including:

(a) Service Provider Locations:

Payment processors (Stripe, WooCommerce) may process data in the United States, European Union, or other jurisdictions;
Cloud hosting providers may store data on servers located in multiple countries (data center regions);
Analytics providers (Google Analytics) may process data in the United States or other Google data center locations;
Email service providers may operate servers in various jurisdictions;

(b) Business Operations:

Group companies or affiliates (if applicable) located in other countries;
Business partners or suppliers located outside the UAE;

(c) Delivery Destinations:

International shipping (where you order products for delivery to addresses outside the UAE, your personal data may be shared with carriers, customs authorities, or delivery partners in destination countries);

7.1.3 Data Protection Levels Vary

Countries outside the UAE may have different data protection laws and may not offer the same level of data protection as:

UAE PDPL (Federal Decree-Law No. 45 of 2021);
EU GDPR (Regulation 2016/679);
UK GDPR and UK Data Protection Act 2018;
Other comprehensive data protection regimes;

Some jurisdictions may have weaker data protection standards, less stringent enforcement, or government surveillance practices that differ from UAE or EU/UK standards.

7.2 Safeguards for International Transfers

7.2.1 UAE PDPL Transfer Requirements (Article 28)

Under UAE PDPL Article 28 (Cross-Border Transfer of Personal Data), we may transfer personal data outside the UAE where:

(a) Adequacy Decision (Article 28(1)(a)):

The destination country has been recognized by the UAE Cabinet as providing an adequate level of data protection (equivalent to UAE PDPL);

(b) Appropriate Safeguards (Article 28(1)(b)):

We have implemented appropriate safeguards to protect the personal data, such as:
- Standard Contractual Clauses (SCCs) approved by the UAE Data Office;
- Binding Corporate Rules (BCRs) (for intra-group transfers);
- Codes of conduct or certification mechanisms approved by the UAE Data Office;

(c) Your Explicit Consent (Article 28(1)(c)):

You have provided explicit, informed consent to the international transfer, after being informed of the risks;

(d) Necessary for Contract Performance (Article 28(1)(d)):

The transfer is necessary for the performance of a contract between you and Maslool (e.g., international shipping to your destination);

(e) Legal Obligations or Public Interest (Article 28(1)(e), (f)):

The transfer is necessary for compliance with legal obligations or for reasons of public interest;

7.2.2 GDPR Transfer Requirements (Chapter V)

For EU/UK data subjects, international transfers must comply with GDPR Chapter V (Transfer of Personal Data to Third Countries):

(a) Adequacy Decisions (GDPR Article 45):

European Commission has recognized the destination country as providing adequate protection (e.g., UK, Switzerland, Canada, Japan, certain other countries);

(b) Appropriate Safeguards (GDPR Article 46):

Standard Contractual Clauses (SCCs) adopted by the European Commission (2021 SCCs);
Binding Corporate Rules (BCRs) approved by EU data protection authorities;
UK International Data Transfer Agreement (IDTA) (for UK GDPR transfers);

(c) Derogations (GDPR Article 49):

Explicit consent;
Necessary for contract performance;
Important reasons of public interest;
Legal claims or protection of vital interests;

7.2.3 Our Transfer Mechanisms

We implement the following safeguards for international transfers:

(a) Standard Contractual Clauses (SCCs):

Where we transfer personal data to service providers or business partners in countries without adequacy decisions, we execute Standard Contractual Clauses (EU SCCs 2021; UAE-approved SCCs where available);

(b) Processor Agreements:

All third-party service providers that process personal data on our behalf are bound by data processing agreements (DPAs) requiring:
- Processing only on our instructions;
- Implementing appropriate technical and organizational security measures;
- Ensuring sub-processors (if any) provide equivalent protection;
- Notification of data breaches;
- Deletion or return of data upon termination;

(c) Technical and Organizational Measures:

Encryption (data in transit via TLS/SSL; data at rest where feasible);
Access controls (limiting access to personal data to authorized personnel only);
Secure data centers (physical security, redundancy, disaster recovery);
Contractual obligations on service providers to maintain ISO 27001, SOC 2, or equivalent security standards;

(d) Due Diligence on Service Providers:

We conduct due diligence on service providers’ data protection practices, security measures, and compliance certifications before engaging them;

7.3 Your Rights Regarding International Transfers

7.3.1 Right to Information

You have the right to request information about:

Which of your personal data has been transferred internationally;
Which countries or recipients your data has been transferred to;
What safeguards are in place (SCCs, adequacy decisions, or other mechanisms);

How to Exercise: Contact us at info@maslool.ae with subject line “International Transfer Inquiry”.

7.3.2 Right to Object or Withdraw Consent

If international transfers are based on your consent, you have the right to withdraw consent at any time (see Section 9.7 – Right to Withdraw Consent).

Consequence: Withdrawal of consent may result in the inability to provide certain services (e.g., international shipping, payment processing via international processors).

7.3.3 Right to Lodge Complaint

If you are an EU/UK data subject and believe international transfers of your personal data violate GDPR, you have the right to lodge a complaint with your supervisory authority (Data Protection Authority in your EU Member State or UK ICO).

8. DATA RETENTION

In-Short: We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations (tax, accounting, AML/CFT, legal claims), or resolve disputes. Retention periods vary by data type (account data, transaction data, CCTV footage, marketing data). After retention periods expire, we securely delete or anonymize data.

8.1 General Retention Principles

8.1.1 Retention Only As Long As Necessary

We retain your personal data only for as long as reasonably necessary to:

(a) Fulfill the purposes for which the personal data was collected (as described in Section 4 – How We Use Your Information);

(b) Comply with legal obligations (retention periods required by UAE law or other applicable laws);

(d) Protect our legal rights, property, or interests (evidence preservation, defense of claims, regulatory compliance);

8.1.2 No Longer Than Necessary

Once personal data is no longer necessary for the purposes above, and no legal retention obligation or legitimate interest requires continued retention, we will:

(a) Securely delete the personal data from active databases, systems, and backups; OR

(b) Anonymize or de-identify the personal data such that it cannot reasonably be re-identified to you personally;

8.2 Specific Retention Periods by Data Category

8.2.1 Account Data (Active Accounts)

Data: Name, email, username, password, account settings, saved addresses, payment methods, preferences;

Retention Period: For the duration of your active account (as long as your account remains open and active);

Rationale: Necessary for account management, authentication, service delivery, and contractual performance;

Deletion: Upon account closure or deletion request (see Section 9.4 – Right to Erasure (Right to be Forgotten)), account data is deleted within thirty (30) days, except for data subject to longer retention for legal obligations (see Section 8.2.2);

8.2.2 Transaction and Order Data

Data: Order history, purchase records, invoices, receipts, payment records, product details, shipping addresses, tracking information;

Retention Period: Seven (7) years from the date of transaction or last activity on the order;

Rationale:

Tax and accounting obligations (UAE Federal Tax Authority record-keeping requirements under Federal Decree-Law No. 8 of 2017 on VAT – 5 years; extended to 7 years for prudence and international best practices);
Legal claims and disputes (UAE Civil Transactions Law limitation periods – up to 15 years for certain claims; we retain 7 years as commercially reasonable balance);
Warranty claims and after-sales support (manufacturer warranties typically 1-5 years; we retain records to facilitate warranty claims);
AML/CFT compliance (Federal Decree-Law No. 20 of 2018 requires 5 years; extended to 7 years for consistency with tax retention);

Exceptions:

Where an order is involved in an active dispute, legal claim, arbitration, or investigation, retention is extended until resolution plus applicable limitation period;
Where mandatory law requires longer retention (e.g., 10 years for certain financial crimes investigations), we comply with such longer period;

8.2.3 Customer Service and Communication Records

Data: Emails, phone call recordings (if recorded), WhatsApp messages, support tickets, inquiries, complaints, feedback;

Retention Period: Three (3) years from the date of the communication or resolution of the inquiry/complaint;

Rationale:

Dispute resolution (preserving evidence of customer service interactions, agreements, or resolutions);
Quality assurance and training (reviewing customer service performance, identifying improvement opportunities);
Legal claims (within typical limitation periods for contractual or consumer protection claims);

Exceptions: Communications related to active disputes, legal claims, or investigations are retained longer as necessary;

8.2.4 Marketing and Communication Consent Data

Data: Email marketing subscriptions, SMS consent, communication preferences, opt-in/opt-out records;

Retention Period: Three (3) years from the date of consent or last interaction (last email opened, last click, last purchase);

Deletion Upon Opt-Out: If you unsubscribe or opt-out of marketing communications, your contact information is:

Removed from active marketing lists immediately (within 48 hours);
Retained in a suppression list (do-not-contact list) for three (3) years to ensure we do not re-add you to marketing lists or send you marketing communications by mistake;

Rationale: Suppression list retention is necessary to honor your opt-out preference and comply with anti-spam laws;

8.2.5 CCTV Footage (In-Store Surveillance)

Data: Video recordings from CCTV cameras at the Store premises (Shop No. 49, Al Rais Shopping Centre, Bur Dubai);

Retention Period: Ninety (90) calendar days from the date of recording;

Exceptions:

Active investigations (theft, assault, vandalism, accidents, disputes, or incidents under investigation) – footage is retained until investigation is concluded, legal proceedings are finalized, or insurance claims are settled;
Law enforcement requests (footage relevant to police investigations, court proceedings, or regulatory inquiries) – retained as long as required by authorities or legal process;

Automatic Deletion: Footage older than 90 days (and not subject to exceptions) is automatically overwritten or deleted;

Rationale: 90-day retention balances security and investigation needs with privacy principles and storage limitations;

(See Terms and Conditions, Section 12.4.4 – CCTV Retention and Access for comprehensive CCTV terms).

8.2.6 Website Analytics and Usage Data

Data: IP addresses, device data, browser data, cookie data, page views, clickstream data, session data;

Retention Period:

Google Analytics: Twenty-six (26) months (default Google Analytics retention period for user-level and event-level data);
Server logs: Twelve (12) months (for security monitoring, troubleshooting, and performance analysis);

Rationale: Analytics data is used for website improvement, user experience optimization, and security monitoring; retention is limited to periods necessary for meaningful analysis;

Anonymization: After retention periods, analytics data may be retained in aggregated, anonymized form (not personally identifiable) indefinitely for long-term trend analysis;

8.2.7 Compliance and Screening Records

Data: Sanctions screening results, AML/CFT due diligence records, identity verification records, PEP screening results, fraud risk assessments;

Retention Period: Seven (7) years from the date of transaction or last customer interaction;

Rationale:

AML/CFT legal obligations (Federal Decree-Law No. 20 of 2018, Article 26 requires 5 years; extended to 7 years for consistency);
Regulatory audits and inspections (UAE Central Bank, Financial Intelligence Unit, or other regulators may audit AML/CFT compliance for past years);
Defense of regulatory enforcement actions (demonstrating compliance with screening obligations);

8.2.8 Legal and Dispute Records

Data: Legal correspondence, arbitration records, litigation documents, dispute resolution records, evidence, witness statements;

Retention Period: Indefinitely or until the longer of:

Conclusion of legal proceedings (trial, arbitration, settlement) plus applicable limitation period for appeals or enforcement (typically 3-5 years);
Expiration of limitation periods for related claims (up to 15 years under UAE Civil Transactions Law for certain claims);

Rationale: Legal records must be retained to defend claims, enforce judgments, respond to appeals, or comply with court orders;

8.3 Backup and Archival Data

8.3.1 Backup Retention

We maintain backup copies of databases, systems, and data for disaster recovery, business continuity, and data integrity purposes.

Backup Retention: Backups are retained for ninety (90) days to one (1) year, depending on backup type (daily, weekly, monthly backups);

Data in Backups: Personal data stored in backups is subject to the same retention periods as active data. However, technical limitations may prevent immediate deletion from backups:

Backups are typically immutable (cannot be selectively edited or deleted);
Data deletion requests or account deletions are implemented in active systems immediately, but may remain in backups until the backup retention period expires;

Secure Storage: Backups are stored securely (encrypted, access-controlled) and are not used for operational purposes;

8.3.2 Archival for Legal or Regulatory Purposes

Where legal obligations, regulatory requirements, or pending legal claims require extended retention beyond standard periods, we may archive personal data in secure, segregated storage with restricted access.

Access: Archived data is accessed only when necessary for legal, regulatory, or dispute resolution purposes;

8.4 Deletion and Anonymization Procedures

8.4.1 Secure Deletion

When personal data reaches the end of its retention period (and no legal obligation or legitimate interest requires continued retention), we securely delete the data using:

Soft deletion (marking data as deleted in databases, rendering it inaccessible to applications and users, scheduled for permanent overwrite);
Hard deletion (permanently removing data from databases, overwriting storage media);
Physical destruction (for physical media – hard drives, backup tapes – shredding, degaussing, or incineration where appropriate);

8.4.2 Anonymization or De-Identification

Alternatively, we may anonymize or de-identify personal data such that:

It cannot reasonably be re-identified to you personally;
It no longer constitutes “personal data” under UAE PDPL or GDPR;
It can be retained indefinitely for statistical, research, or business intelligence purposes;

Techniques: Aggregation, generalization, masking, hashing, pseudonymization (with key destruction), or data minimization;

8.5 Your Right to Request Deletion

You have the right to request deletion of your personal data before the expiration of standard retention periods, subject to certain exceptions (see Section 9.4 – Right to Erasure (Right to be Forgotten)).

How to Request: Contact us at info@maslool.ae with subject line “Data Deletion Request” (see Section 19 – Data Subject Rights Requests for detailed procedures).

9. YOUR PRIVACY RIGHTS

In-Short: Depending on your location, you have rights to access, correct, delete, restrict, port, object to processing, withdraw consent, and lodge complaints about your personal data. UAE residents have rights under PDPL; EU/UK residents have enhanced rights under GDPR; other jurisdictions may provide additional rights. Exercise your rights by contacting us at info@maslool.ae.

9.1 Overview of Data Subject Rights

Under UAE PDPL and other applicable data protection laws (GDPR, UK GDPR, Canadian PIPEDA, etc.), you may have the following rights regarding your personal data:

(a) Right of Access (Section 9.2); (b) Right to Rectification (Correction) (Section 9.3); (c) Right to Erasure (Right to be Forgotten) (Section 9.4); (d) Right to Restriction of Processing (Section 9.5); (e) Right to Data Portability (Section 9.6); (f) Right to Object to Processing (Section 9.8); (g) Right to Withdraw Consent (Section 9.7); (h) Right to Lodge a Complaint (Section 9.9); (i) Right Not to Be Subject to Automated Decision-Making (Section 9.10);

Availability of Rights: The availability and scope of these rights depend on:

Your location (UAE, EU/UK, Canada, other jurisdictions);
The legal basis for processing (consent, contractual necessity, legal obligation, legitimate interests);
The type of data and processing activity;
Applicable exceptions or limitations under law;

9.2 Right of Access (Right to Know)

9.2.1 What This Right Includes

You have the right to request confirmation of whether we process your personal data and, if so, to obtain access to:

(a) Categories of personal data we collect about you; (b) Specific personal data we hold about you (a copy of your personal data); (c) Purposes of processing (why we collect and use your data); (d) Categories of recipients (who we share your data with); (e) Retention periods (how long we keep your data); (f) Sources of data (where we obtained your data from, if not directly from you); (g) Existence of automated decision-making (if any) and logic involved; (h) Cross-border transfers (if your data is transferred internationally); (i) Your rights (rights to rectification, erasure, restriction, objection, complaint);

9.2.2 How to Exercise

Method: Send a written request to info@maslool.ae with subject line “Data Access Request” or “Subject Access Request (SAR)“, including:

Your full name, email address, and contact details;
Description of the data you wish to access (e.g., “all personal data,” “order history,” “CCTV footage”);
Proof of identity (copy of Emirates ID, passport, or government-issued ID) (required to verify your identity and prevent unauthorized disclosure);

Response Time: We will respond within thirty (30) calendar days of receiving your verified request, as required by UAE PDPL Article 15(1).

Format: We will provide the data in a structured, commonly used, and machine-readable format (e.g., PDF, CSV, JSON) where technically feasible.

Free of Charge: The first access request within a twelve (12) month period is free of charge. For subsequent requests within the same period, or for manifestly unfounded or excessive requests, we may charge a reasonable administrative fee (based on administrative costs) or refuse the request.

9.2.3 Exceptions and Limitations

We may refuse or limit access requests where:

(a) Disclosure would adversely affect the rights and freedoms of others (e.g., revealing personal data of other individuals, trade secrets, proprietary information);

(b) Legal privilege or legal proceedings (attorney-client privileged communications, documents protected by litigation privilege);

(c) Law enforcement or regulatory investigations (disclosure would prejudice ongoing investigations, interfere with law enforcement, or violate tipping-off prohibitions under AML/CFT law);

(d) Manifestly unfounded or excessive requests (repetitive, vexatious, or abusive requests);

(e) Technical impossibility (data has been permanently deleted or anonymized);

Explanation: If we refuse or limit your request, we will provide written explanation of the reasons and inform you of your right to lodge a complaint with the UAE Data Office or other supervisory authority.

9.3 Right to Rectification (Right to Correction)

9.3.1 What This Right Includes

You have the right to request correction or rectification of:

(a) Inaccurate personal data (data that is factually incorrect, outdated, or erroneous);

(b) Incomplete personal data (data that is missing relevant information necessary for the processing purposes);

9.3.2 How to Exercise

Method:

Online: Log in to your account on the Website or mobile app and update your account information, addresses, or preferences in account settings;
Email: Send a request to info@maslool.ae with subject line “Data Correction Request“, specifying:
- The inaccurate or incomplete data;
- The corrected or complete data;
- Supporting evidence (if applicable) (e.g., updated Emirates ID, proof of address);

Response Time: We will respond within thirty (30) calendar days and implement corrections where verified and appropriate.

Notification to Third Parties: Where we have disclosed the inaccurate data to third parties (service providers, shipping carriers, etc.), we will notify them of the correction, where practicable and not disproportionately burdensome.

9.3.3 Ongoing Obligation

You have an ongoing obligation to ensure your personal data is accurate and up-to-date by promptly updating it when changes occur (see Terms and Conditions, Section 3.2 – Continuing Obligations to Update).

9.4 Right to Erasure (Right to be Forgotten)

9.4.1 What This Right Includes

You have the right to request deletion or erasure of your personal data where one of the following grounds applies:

(a) No longer necessary: The personal data is no longer necessary for the purposes for which it was collected or processed;

(b) Withdrawal of consent: You withdraw consent (where consent is the legal basis for processing) and there is no other legal ground for processing;

(c) Objection to processing: You object to processing based on legitimate interests (and there are no overriding legitimate grounds) or object to direct marketing;

(d) Unlawful processing: The personal data has been processed unlawfully (in violation of UAE PDPL or other applicable law);

(e) Legal obligation to erase: Erasure is required to comply with a legal obligation under UAE law or other applicable law;

(f) Data collected from a child: The personal data was collected from a minor (under 18 years) in violation of child data protection rules;

9.4.2 How to Exercise

Method: Send a written request to info@maslool.ae with subject line “Data Deletion Request” or “Right to be Forgotten Request“, including:

Your full name, email address, and contact details;
Reason for deletion (which ground applies from Section 9.4.1);
Proof of identity (copy of Emirates ID, passport, or government-issued ID);

Account Closure: If you wish to close your account (which includes deletion of account data), you may also:

Use the “Delete Account” or “Close Account” feature in your account settings (if available);
Send a request to info@maslool.ae with subject line “Account Closure Request“;

(See Terms and Conditions, Section 24.2 – Your Right to Close or Deactivate Your Account).

Response Time: We will respond within thirty (30) calendar days and implement deletion where legally permissible.

9.4.3 Exceptions and Limitations (Right to Erasure Does Not Apply)

We may refuse or limit erasure requests where retention is necessary for:

(a) Legal Obligations:

Tax and accounting records (7 years retention for invoices, transaction records);
AML/CFT compliance records (5-7 years retention for due diligence, screening records);
Sanctions and export control records (required retention periods);

(b) Legal Claims and Disputes:

Defense or pursuit of legal claims (arbitration, litigation, dispute resolution) (retention until conclusion plus limitation periods);
Evidence preservation (where personal data is relevant evidence in pending or potential legal proceedings);

(c) Freedom of Expression and Information:

Journalistic, academic, artistic, or literary purposes (where applicable and protected by law);
Public interest, scientific, historical, or statistical research (where deletion would render research impossible or seriously impair research objectives, and safeguards are in place);

(d) Public Health and Safety:

Public health emergencies (e.g., contact tracing, disease outbreak management);
Product safety recalls (retention necessary to contact affected customers);

(e) Contractual Performance:

Ongoing contractual obligations (e.g., active orders, warranties, service agreements) (retention until obligations are fulfilled);

(f) Backup and Archival Data:

Technical limitations (data may remain in backups for up to 90 days-1 year until backup retention period expires) (see Section 8.3.1 – Backup Retention);

Partial Deletion: Where full deletion is not permissible, we may partially delete or anonymize data that is no longer necessary, while retaining data required for legal obligations.

Explanation: If we refuse or limit your deletion request, we will provide written explanation of the reasons and inform you of your right to lodge a complaint.

9.5 Right to Restriction of Processing

9.5.1 What This Right Includes

You have the right to request restriction of processing (temporary limitation of processing activities) where:

(a) Accuracy is contested: You dispute the accuracy of personal data (restriction applies for the period necessary for us to verify accuracy);

(b) Unlawful processing: Processing is unlawful, but you do not want the data erased and instead request restriction;

(d) Objection to processing: You have objected to processing based on legitimate interests (restriction applies pending verification of whether our legitimate grounds override yours);

9.5.2 Effect of Restriction

When processing is restricted, we:

Store the data but do not further process it (except with your consent or for specific permitted purposes);
May process only for:
- Legal claims (establishment, exercise, or defense of legal claims);
- Protection of rights of another person or entity;
- Important public interest;
Notify you before lifting the restriction;

9.5.3 How to Exercise

Method: Send a request to info@maslool.ae with subject line “Request for Restriction of Processing“, specifying:

The personal data to be restricted;
The reason (which ground applies from Section 9.5.1);

Response Time: We will respond within thirty (30) calendar days.

9.6 Right to Data Portability

9.6.1 What This Right Includes (EU/UK GDPR Right)

If you are an EU or UK data subject, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where:

(a) Processing is based on consent or contract; AND

(b) Processing is carried out by automated means (not manual filing systems);

Examples: Requesting your account data, order history, or contact information in CSV, JSON, or XML format to transfer to another e-commerce platform or service provider.

9.6.2 Direct Transmission (Where Technically Feasible)

You may request that we transmit your data directly to another controller (e.g., another e-commerce platform), where technically feasible.

9.6.3 How to Exercise

Method: Send a request to info@maslool.ae with subject line “Data Portability Request“, specifying:

The personal data you wish to receive or transmit;
The format you prefer (CSV, JSON, XML, PDF);
The recipient controller (if you wish direct transmission);

Response Time: We will respond within thirty (30) calendar days and provide the data in the requested format where technically feasible.

9.6.4 Limitations

Data portability does not apply to:

Personal data processed on legal bases other than consent or contract (legitimate interests, legal obligations);
Personal data that is not processed by automated means (paper records, manually processed data);
Data that would adversely affect the rights and freedoms of others (revealing third-party personal data);

Note for UAE Residents: UAE PDPL does not explicitly provide a “right to data portability.” However, we may provide portable data formats as a courtesy or where required by international contracts or business practices.

9.7 Right to Withdraw Consent

9.7.1 What This Right Includes

Where processing is based on your consent (see Section 5.1.1 – Consent and Section 4.2 – Purposes Requiring Explicit Consent), you have the right to withdraw consent at any time, as easily as consent was given.

Processing activities based on consent include:

Marketing communications (email, SMS, WhatsApp);
Non-essential cookies (marketing, advertising, social media cookies);
Precise location tracking (GPS-based location);
Optional surveys, contests, or feedback;

9.7.2 How to Withdraw Consent

Marketing Communications:

Click “Unsubscribe” link in marketing emails;
Reply “STOP” to SMS marketing messages;
Update communication preferences in your account settings;
Contact info@maslool.ae with subject line “Opt-Out of Marketing“;

Cookies:

Adjust cookie preferences in your browser settings;
Use cookie consent tools or preference centers on the Website (if available);
Delete cookies or disable cookies in browser settings (see Section 11.5 – Your Cookie Choices and Control);

Location Tracking:

Disable location permissions in your device settings (Settings > Privacy > Location Services on iOS; Settings > Location on Android);

General Consent Withdrawal:

Contact info@maslool.ae with subject line “Withdraw Consent“, specifying which processing activity;

9.7.3 Effect of Withdrawal

(a) Lawfulness of Prior Processing: Withdrawal of consent does not affect the lawfulness of processing before withdrawal;

(b) Continued Processing on Other Bases: We may continue processing your personal data if we have another legal basis for processing (contractual necessity, legal obligation, legitimate interests) unrelated to the withdrawn consent;

Inability to provide certain services or features (e.g., withdrawing location consent may disable location-based features);
Inability to process orders or fulfill contracts (if consent is required for payment processing or shipping);

9.8 Right to Object to Processing

9.8.1 What This Right Includes

You have the right to object to processing of your personal data where:

(a) Objection to Processing Based on Legitimate Interests (General Objection):

Processing is based on legitimate interests (see Section 5.1.5 – Legitimate Interests);
You object on grounds relating to your particular situation;

Examples: Objecting to use of your data for profiling, automated decision-making, or business analytics that you consider intrusive or disproportionate;

Our Response: We will cease processing unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing is necessary for legal claims;

(b) Objection to Direct Marketing (Absolute Right):

You have an absolute right to object to processing for direct marketing purposes (including profiling for marketing);

Our Response: We will immediately cease processing your personal data for direct marketing upon receiving your objection;

9.8.2 How to Exercise

Direct Marketing Objection (easiest):

Click “Unsubscribe” in marketing emails;
Reply “STOP” to SMS;
Contact info@maslool.ae with subject line “Opt-Out of Marketing” or “Unsubscribe“;

General Objection (to processing based on legitimate interests):

Send a request to info@maslool.ae with subject line “Objection to Processing“, specifying:
- The processing activity you object to;
- Reasons related to your particular situation;

Response Time: We will respond within thirty (30) calendar days and cease processing or provide justification for continued processing (where compelling legitimate grounds exist);

9.9 Right to Lodge a Complaint

9.9.1 UAE Data Office (For UAE Residents)

If you believe we have violated your privacy rights or UAE PDPL, you have the right to lodge a complaint with the UAE Data Office (the supervisory authority for data protection in the UAE).

Contact UAE Data Office:

Website: https://u.ae/en/about-the-uae/digital-uae/data/the-uae-data-office
Email: dataoffice@tdra.gov.ae (or as updated on official UAE Data Office website)
Telephone: +971 4 230 5555 (Telecommunications and Digital Government Regulatory Authority – TDRA)

Complaint Process: The UAE Data Office will investigate complaints, mediate disputes, and may impose administrative sanctions or corrective measures on non-compliant data controllers.

9.9.2 EU/UK Supervisory Authorities (For EU/UK Residents)

If you are an EU or UK data subject, you have the right to lodge a complaint with:

(a) EU Member State Data Protection Authority (DPA) in your country of habitual residence, place of work, or place of alleged infringement:

List of EU DPAs: https://edpb.europa.eu/about-edpb/about-edpb/members_en

(b) UK Information Commissioner’s Office (ICO):

Website: https://ico.org.uk/
Telephone: +44 303 123 1113
Report a Concern: https://ico.org.uk/make-a-complaint/

9.9.3 Other Jurisdictions

If you are in Canada, Australia, New Zealand, South Africa, or other jurisdictions with data protection or privacy laws, you may have the right to lodge a complaint with your local privacy commissioner, data protection authority, or regulatory body (see Section 16 – Regional Privacy Rights for contact details).

9.9.4 Internal Complaint Process

Before lodging a complaint with a supervisory authority, we encourage you to contact us directly to resolve the issue:

Email: info@maslool.ae (Subject: “Privacy Complaint” or “Data Protection Concern”)
Response Time: We will respond within thirty (30) calendar days and work with you to address and resolve the complaint;

9.10 Right Not to Be Subject to Automated Decision-Making

9.10.1 Automated Decision-Making Defined

Automated decision-making means making decisions about you solely by automated means (algorithms, artificial intelligence, profiling) without human intervention, where the decision produces legal effects or similarly significant effects (e.g., automatic rejection of credit application, automated hiring decisions, automated insurance pricing).

9.10.2 Our Practices

We do not currently engage in fully automated decision-making (without human intervention) that produces legal or similarly significant effects.

Limited Automated Processing (with human oversight):

Fraud detection and risk scoring (automated fraud risk scores or red flags are generated, but human review is conducted before refusing orders or blocking accounts);
Marketing personalization (automated product recommendations or personalized offers, but these do not produce legal effects or significantly affect you);

9.10.3 Your Right

If we were to introduce fully automated decision-making in the future, you would have the right to:

(a) Not be subject to such decisions (unless necessary for contract, authorized by law, or based on explicit consent);

(b) Obtain human intervention (request human review of automated decisions);

(d) Obtain an explanation of the decision and the logic involved;

We will notify you and update this Privacy Policy if automated decision-making practices change.

10. SECURITY MEASURES

In-Short: We implement technical and organizational security measures (encryption, access controls, firewalls, monitoring) to protect your personal data from unauthorized access, loss, or misuse. However, no system is 100% secure, and we cannot guarantee absolute security. You are responsible for securing your own devices and credentials.

10.1 Our Commitment to Data Security

10.1.1 Security Principles

We are committed to protecting your personal data through appropriate technical and organizational security measures in compliance with:

UAE PDPL Article 9 (Security Principle);
Cabinet Resolution No. 44 of 2023, Article 14 (Security Measures);
GDPR Article 32 (Security of Processing) (where applicable);
Industry best practices (ISO 27001, NIST Cybersecurity Framework, OWASP guidelines);

10.1.2 Security Objectives

Our security measures aim to protect personal data against:

(a) Unauthorized access (hacking, intrusion, unauthorized login);

(b) Accidental or unlawful destruction (data loss, system failures, disasters);

(d) Misuse or abuse (insider threats, unauthorized processing, data exfiltration);

(e) Cyberattacks (malware, ransomware, DDoS attacks, phishing, SQL injection);

10.2 Technical Security Measures

10.2.1 Encryption

(a) Data in Transit (Network Encryption):

TLS/SSL encryption (Transport Layer Security / Secure Sockets Layer) for all data transmitted between your browser/device and our servers (HTTPS protocol);
Minimum TLS 1.2 or higher (TLS 1.3 where supported);
Certificate-based authentication (valid SSL certificates issued by trusted Certificate Authorities);

(b) Data at Rest (Storage Encryption):

Database encryption (sensitive fields encrypted using AES-256 or equivalent encryption standards);
Password hashing (passwords stored using strong one-way hashing algorithms – bcrypt, Argon2, or PBKDF2 – never stored in plain text);
Payment data encryption (handled by PCI DSS-compliant payment processors – Stripe, WooCommerce);

(c) Backup Encryption:

Backups encrypted during storage and transmission;

10.2.2 Access Controls and Authentication

(a) User Authentication:

Password requirements (minimum 8-12 characters, complexity requirements enforced);
Two-Factor Authentication (2FA) / Multi-Factor Authentication (MFA) (available for user accounts where technically implemented);
Session management (secure session tokens, automatic timeout after inactivity, session invalidation upon logout);

(b) Internal Access Controls:

Role-Based Access Control (RBAC) (staff access limited to personal data necessary for their role and responsibilities);
Principle of Least Privilege (minimal access rights granted, elevated privileges only when necessary);
Authentication and authorization (strong passwords, MFA for administrative access, unique user accounts);

(c) Access Logging and Monitoring:

Audit logs (logging of access to personal data, system changes, administrative actions);
Monitoring and alerting (real-time monitoring for suspicious access patterns, unauthorized access attempts);

10.2.3 Network and Infrastructure Security

(a) Firewalls and Intrusion Detection:

Web Application Firewall (WAF) (filtering malicious traffic, blocking common attacks – SQL injection, XSS, CSRF);
Network firewalls (restricting network access, segmenting networks);
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) (detecting and blocking suspicious network activity);

(b) DDoS Protection:

Distributed Denial of Service (DDoS) mitigation (using CDN providers, DDoS protection services);

(c) Vulnerability Management:

Regular security updates and patches (operating systems, software, frameworks, libraries);
Vulnerability scanning (periodic automated scans for known vulnerabilities);
Penetration testing (periodic third-party security assessments where feasible);

10.2.4 Malware and Threat Protection

(a) Anti-Malware and Antivirus:

Endpoint protection (antivirus, anti-malware software on servers and workstations);
Email filtering (spam filters, malware detection, phishing detection);

(b) Secure Development Practices:

Secure coding standards (following OWASP guidelines, input validation, output encoding);
Code reviews and security testing (manual code review, automated security testing);

10.2.5 Data Backup and Disaster Recovery

(a) Regular Backups:

Automated backups (daily, weekly, or monthly backups of databases and systems);
Offsite backup storage (backups stored in geographically separate locations);
Backup encryption (see Section 10.2.1(c));

(b) Disaster Recovery Plan:

Business Continuity Plan (BCP) (procedures for maintaining operations during disruptions);
Disaster Recovery Plan (DRP) (procedures for restoring systems and data after incidents);
Backup restoration testing (periodic testing to ensure backups can be successfully restored);

10.3 Organizational Security Measures

10.3.1 Security Policies and Procedures

We maintain written information security policies and data protection procedures, including:

(a) Data Protection Policy (internal policy governing personal data processing);

(b) Access Control Policy (rules for granting, reviewing, and revoking access);

(d) Data Retention and Deletion Policy (see Section 8 – Data Retention);

(e) Vendor Management Policy (due diligence, security requirements, data processing agreements for service providers);

10.3.2 Staff Training and Awareness

(a) Data Protection Training:

All staff with access to personal data receive mandatory training on:
- UAE PDPL requirements and obligations;
- Data protection principles and best practices;
- Security awareness (phishing, social engineering, password security);
- Incident reporting procedures;

(b) Confidentiality Obligations:

Staff sign confidentiality agreements (NDAs) and acceptable use policies (AUPs);
Staff are bound by contractual obligations to protect personal data and maintain confidentiality;

10.3.3 Third-Party Security Requirements

(a) Vendor Due Diligence:

We conduct security due diligence on service providers before engagement (reviewing security certifications, policies, practices);

(b) Data Processing Agreements (DPAs):

All service providers that process personal data sign Data Processing Agreements (DPAs) requiring:
- Compliance with UAE PDPL and applicable data protection laws;
- Implementation of appropriate technical and organizational security measures;
- Notification of data breaches;
- Deletion or return of data upon termination;

(c) Security Certifications:

We prefer service providers with recognized security certifications:
- ISO 27001 (Information Security Management System);
- SOC 2 (Service Organization Control 2 – Type II);
- PCI DSS (Payment Card Industry Data Security Standard) (for payment processors);

10.3.4 Physical Security (Store and Office)

(a) Physical Access Controls:

Restricted access to Store premises, back-office areas, and data storage locations;
Locks, secure doors, access badges, or key controls;

(b) CCTV Surveillance:

CCTV cameras for security monitoring and incident investigation (see Section 12 – CCTV & In-Store Surveillance);

(c) Equipment Security:

Secure storage of computers, servers, hard drives, backup media, and documents containing personal data;
Lockable cabinets, safes, or secure rooms;

10.4 Data Breach Response and Notification

10.4.1 Incident Detection and Response

We have procedures in place to:

(a) Detect data breaches or security incidents (monitoring, alerts, anomaly detection);

(b) Contain breaches (isolating affected systems, stopping unauthorized access);

(d) Remediate vulnerabilities (patching, securing systems, preventing recurrence);

10.4.2 Notification to Data Subjects (You)

If a data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with UAE PDPL Article 10 and GDPR Article 34 (where applicable).

Notification will include:

Description of the breach (what happened, what data was affected);
Contact point for more information (info@maslool.ae or designated Data Protection Officer);
Likely consequences of the breach;
Measures taken or proposed to address the breach and mitigate adverse effects;
Recommendations for steps you can take to protect yourself (e.g., change passwords, monitor accounts);

Timing: Notification to affected data subjects within seventy-two (72) hours of becoming aware of the breach (or as soon as reasonably practicable), where notification is required.

10.4.3 Notification to Supervisory Authorities

If a notifiable data breach occurs (breach likely to result in risk to rights and freedoms), we will notify the UAE Data Office (and other applicable supervisory authorities – EU DPAs, UK ICO) within seventy-two (72) hours of becoming aware of the breach, as required by:

UAE PDPL Article 10 (Data Breach Notification);
Cabinet Resolution No. 44 of 2023, Article 15 (Breach Notification Procedures);
GDPR Article 33 (Notification to Supervisory Authority) (where applicable);

10.5 Limitations and Disclaimers

10.5.1 No Guarantee of Absolute Security

Despite our security measures, we cannot guarantee and do not promise 100% security or absolute protection of your personal data.

Reasons:

No system is impenetrable (determined attackers, zero-day vulnerabilities, advanced persistent threats);
Internet inherently insecure (data transmitted over the Internet may be intercepted, monitored, or accessed by third parties);
Human error (mistakes, negligence, or social engineering attacks can compromise security);
Third-party risks (security breaches or vulnerabilities at service providers, partners, or other third parties outside our control);

Acknowledgment: By using the Services, you acknowledge and accept these inherent risks and limitations (see Terms and Conditions, Section 20.6.2 – Inherent Risks of Internet and Digital Services).

10.5.2 Transmission at Your Own Risk

Transmission of personal data to and from the Services is at your own risk. You should:

(a) Use secure networks (avoid public, unsecured, or untrusted Wi-Fi networks for accessing accounts or entering sensitive information);

(b) Keep devices secure (use device passwords, antivirus software, software updates, secure operating systems);

(c) Protect credentials (use strong, unique passwords; enable 2FA; never share passwords; be vigilant against phishing);

(d) Monitor accounts (regularly review account activity, transaction history, and credit card statements for unauthorized activity);

10.5.3 Your Responsibilities

You are responsible for:

(a) Maintaining the security of your devices, accounts, and credentials (see Terms and Conditions, Section 4.4 – Security Obligations and Best Practices);

(b) Promptly reporting suspected security incidents, unauthorized access, or compromised credentials to us (see Terms and Conditions, Section 4.5 – Reporting Unauthorized Access or Compromise);

Our Disclaimer: We disclaim liability for unauthorized access, data breaches, or losses resulting from:

Your failure to secure your devices or credentials;
Your use of weak, reused, or compromised passwords;
Malware or viruses on your devices;
Social engineering attacks targeting you;
Your failure to report security incidents promptly;

(See Terms and Conditions, Section 4.11 – Disclaimer of Liability and Section 20.6 – Disclaimer of Website Operation and Availability).

11. COOKIES & TRACKING TECHNOLOGIES

In-Short: We use cookies, web beacons, pixels, and similar technologies to collect data about your browsing behavior, preferences, and device for purposes of website functionality, analytics, personalization, and marketing. You can control or disable cookies through browser settings or cookie consent tools. Some cookies are essential for website operation; disabling them may affect functionality.

11.1 What Are Cookies and Tracking Technologies?

11.1.1 Cookies Defined

Cookies are small text files placed on your device (computer, smartphone, tablet) by websites you visit. Cookies store information about your visit, preferences, session, or interactions with the website.

Types of Cookies (by Duration):

(a) Session Cookies (Temporary Cookies):

Stored temporarily in your browser’s memory during your browsing session;
Automatically deleted when you close your browser;
Used for session management (login sessions, shopping cart contents);

(b) Persistent Cookies (Permanent Cookies):

Stored on your device for a set period (days, months, or years);
Remain on your device after you close your browser;
Used for remembering preferences, login credentials (if “Remember Me” selected), tracking return visits;

Types of Cookies (by Purpose):

(a) Strictly Necessary Cookies (Essential Cookies):

Required for website operation and functionality;
Enable core features (secure login, shopping cart, payment processing, session management);
Cannot be disabled without severely affecting website functionality;
No consent required (legitimate interest / technical necessity);

(b) Functional Cookies (Preference Cookies):

Enhance functionality and personalization (remember language, currency, region preferences);
Improve user experience but not strictly necessary;
Consent recommended (depending on jurisdiction);

(c) Analytics / Performance Cookies:

Collect data about website usage, traffic, visitor behavior (page views, bounce rates, navigation paths);
Help us understand how visitors use the Website and improve performance;
Consent required (in most jurisdictions);

(d) Marketing / Advertising Cookies (Targeting Cookies):

Track browsing behavior across websites to deliver personalized ads or measure ad effectiveness;
Used for remarketing, retargeting, and behavioral advertising;
Consent required;

11.1.2 Other Tracking Technologies

In addition to cookies, we use:

(a) Web Beacons (Pixels, Tracking Pixels, Clear GIFs):

Tiny invisible images embedded in web pages or emails;
Track whether emails are opened, pages are viewed, or actions are taken;
Used for email analytics, conversion tracking, ad performance measurement;

(b) Local Storage (HTML5 Local Storage, Web Storage):

Browser-based storage mechanism for storing data locally on your device;
Larger storage capacity than cookies;
Used for caching, session persistence, offline functionality;

(c) Device Fingerprinting:

Collecting device and browser characteristics (screen resolution, fonts, plugins, OS, browser version) to create a unique “fingerprint” for tracking;
Used for fraud detection, security, analytics;
More privacy-intrusive (difficult to opt-out);

11.2 Cookies We Use

11.2.1 First-Party Cookies (Set by Maslool)

We set first-party cookies directly on our Website domain (maslool.ae) for purposes of:

(a) Strictly Necessary / Essential Cookies:

Cookie Name	Purpose	Duration	Category
`session_id`	Maintain logged-in session, shopping cart contents	Session	Essential
`csrf_token`	Cross-Site Request Forgery (CSRF) protection (security)	Session	Essential
`cookie_consent`	Remember your cookie consent preferences	12 months	Essential
`language_pref`	Remember language preference (English, Arabic)	12 months	Functional
`currency_pref`	Remember currency preference (AED, USD, EUR)	12 months	Functional

(b) Analytics / Performance Cookies:

Cookie Name	Purpose	Duration	Category
`_ga`	Google Analytics – distinguish users, track sessions	2 years	Analytics
`_gid`	Google Analytics – distinguish users	24 hours	Analytics
`_gat`	Google Analytics – throttle request rate	1 minute	Analytics

(See Section 11.4 – Third-Party Analytics and Advertising Cookies for Google Analytics details).

11.2.2 Third-Party Cookies (Set by Service Providers)

We allow third-party service providers to set cookies on our Website for analytics, advertising, and payment processing:

(a) Payment Processing Cookies (Stripe, WooCommerce):

Set by payment processors for payment authentication, fraud detection, and transaction processing;
Essential for payment functionality;

(b) Analytics Cookies (Google Analytics):

Set by Google for website analytics, visitor tracking, behavior analysis;
Consent required (see Section 11.4);

(c) Advertising / Marketing Cookies (Google Ads, Facebook Pixel):

Set by advertising platforms for ad targeting, remarketing, conversion tracking, audience building;
Consent required (see Section 11.4);

(d) Social Media Cookies (Facebook, Instagram):

Set by social media platforms when you interact with social media widgets or share buttons on our Website;
Used for social media integration, tracking social interactions, building audience profiles;
Consent required;

11.3 Purposes of Cookie Usage

We use cookies and tracking technologies for the following purposes:

11.3.1 Essential Website Functionality

Authentication and login (maintaining logged-in sessions, recognizing returning users);
Shopping cart and checkout (remembering items in cart, order information, payment flow);
Security (CSRF protection, session security, fraud detection);
Load balancing and performance (distributing traffic, caching, optimizing page load times);

Legal Basis: Legitimate interest (technical necessity); Contractual necessity (to provide Services).

11.3.2 Personalization and User Experience

Language and currency preferences (displaying content in your preferred language and currency);
Saved preferences (product view preferences, filter settings, saved addresses);
Customized content (displaying relevant products, categories, or content based on browsing history or location);

Legal Basis: Consent (for non-essential personalization); Legitimate interest (improving user experience).

11.3.3 Website Analytics and Performance Monitoring

Traffic analysis (measuring website traffic, visitor demographics, page views, sessions);
Behavior analysis (understanding how visitors navigate the Website, which pages are popular, where visitors drop off);
Performance monitoring (identifying slow-loading pages, errors, technical issues);
A/B testing (testing different layouts, designs, or features to optimize user experience);

Legal Basis: Consent (for analytics cookies in most jurisdictions).

Service Provider: Google Analytics (see Section 11.4.1).

11.3.4 Marketing and Advertising

Remarketing and retargeting (showing ads to visitors who previously visited our Website or viewed specific products);
Conversion tracking (measuring effectiveness of ads, tracking which ads lead to purchases or actions);
Audience building (creating custom audiences for targeted advertising on Google, Facebook, Instagram);
Ad performance measurement (measuring impressions, clicks, conversions, ROI of advertising campaigns);

Legal Basis: Consent (explicit opt-in required for marketing cookies).

Service Providers: Google Ads, Facebook Ads, Instagram Ads (see Section 11.4.2).

11.4 Third-Party Analytics and Advertising Cookies

11.4.1 Google Analytics

We use Google Analytics (a web analytics service provided by Google LLC) to collect and analyze Website usage data.

Data Collected by Google Analytics:

IP address (anonymized where possible);
Device data (browser type, OS, screen resolution, device type);
Usage data (pages visited, time on site, bounce rate, referral source, exit pages);
Demographics and interests (where Google Analytics Demographics and Interests Reporting is enabled);

Cookies Set: _ga, _gid, _gat, and other Google Analytics cookies (see Section 11.2.1(b)).

Data Retention: Google Analytics retains data for 26 months (user-level and event-level data) (default retention period).

Google Privacy Policy: https://policies.google.com/privacy

How to Opt-Out of Google Analytics:

(a) Google Analytics Opt-Out Browser Add-On:

Install the Google Analytics Opt-Out Browser Add-On: https://tools.google.com/dlpage/gaoptout
Prevents Google Analytics JavaScript from sharing data with Google Analytics;

(b) Browser Cookie Settings:

Block or delete Google Analytics cookies in your browser settings (see Section 11.5);

(c) Advertising Settings:

Google Ads Settings: https://adssettings.google.com/
Opt-out of personalized advertising (Google will still collect data for analytics but won’t use it for personalized ads);

11.4.2 Google Ads and Remarketing

We use Google Ads (formerly Google AdWords) and Google Remarketing to display targeted ads to visitors who have previously visited our Website.

Data Collected:

Cookies, device identifiers, browsing behavior, pages visited, products viewed;
Used to show relevant ads on Google Search, Google Display Network, YouTube, and partner websites;

Cookies Set: Google Ads cookies (e.g., _gcl_au, IDE, test_cookie, etc.).

How to Opt-Out:

Google Ads Settings: https://adssettings.google.com/ (opt-out of personalized ads);
Network Advertising Initiative (NAI) Opt-Out: http://optout.networkadvertising.org/
Digital Advertising Alliance (DAA) Opt-Out: http://optout.aboutads.info/

11.4.3 Facebook Pixel and Social Media Cookies

We may use Facebook Pixel (and similar pixels from Instagram or other social media platforms) to:

Track conversions (purchases, sign-ups) from Facebook/Instagram ads;
Build custom audiences for retargeting (showing ads to Website visitors on Facebook/Instagram);
Measure ad performance and ROI;

Data Collected: IP address, device data, browsing behavior, pages visited, actions taken (add to cart, purchase);

Cookies Set: Facebook cookies (e.g., _fbp, fr, etc.).

How to Opt-Out:

Facebook Ad Preferences: https://www.facebook.com/ads/preferences/ (manage ad settings, opt-out of interest-based ads);
Browser Cookie Settings: Block or delete Facebook cookies;

Facebook Data Policy: https://www.facebook.com/privacy/policy/

11.5 Your Cookie Choices and Control

11.5.1 Cookie Consent Management

When you first visit our Website, a cookie consent banner or cookie preference center (where implemented) will appear, allowing you to:

Accept all cookies (including analytics, advertising, and marketing cookies);
Reject non-essential cookies (only essential cookies will be set);
Manage cookie preferences (select which categories of cookies to accept or reject);

You can change your cookie preferences at any time by:

Accessing the cookie preference center (link in website footer or privacy settings);
Contacting us at info@maslool.ae;

11.5.2 Browser Cookie Settings

You can control, block, or delete cookies using your web browser settings:

How to Manage Cookies in Common Browsers:

(a) Google Chrome:

Settings > Privacy and security > Cookies and other site data > See all cookies and site data;
Block, allow, or delete specific cookies;

(b) Safari (macOS / iOS):

Preferences > Privacy > Manage Website Data (macOS);
Settings > Safari > Block All Cookies (iOS);

(c) Mozilla Firefox:

Options > Privacy & Security > Cookies and Site Data > Manage Data;
Delete cookies or set cookie preferences;

(d) Microsoft Edge:

Settings > Cookies and site permissions > Manage and delete cookies and site data;

(e) Mobile Browsers:

Access cookie settings through browser settings or privacy settings on your mobile device;

Note: Blocking or deleting essential cookies may impair website functionality (login, checkout, shopping cart may not work properly).

11.5.3 Do Not Track (DNT) Signals

Most browsers offer a “Do Not Track” (DNT) setting that sends a signal to websites requesting not to track your browsing.

Our Response to DNT: We do not currently respond to DNT browser signals due to lack of uniform industry standards for recognizing and implementing DNT (see Section 15 – Do-Not-Track Signals).

Alternative Opt-Out Methods: Use the opt-out methods described in Sections 11.4.1 (Google Analytics opt-out), 11.4.2 (Google Ads opt-out), and 11.4.3 (Facebook opt-out).

11.5.4 Mobile Device Advertising IDs

Mobile devices (iOS, Android) assign advertising identifiers (IDFAs on iOS, AAIDs on Android) used for tracking and personalized advertising.

How to Limit Ad Tracking or Reset Advertising ID:

(a) iOS (iPhone, iPad):

Settings > Privacy > Tracking > Toggle off “Allow Apps to Request to Track”;
Settings > Privacy > Apple Advertising > Toggle on “Personalized Ads” (to opt-out);

(b) Android:

Settings > Google > Ads > Opt out of Ads Personalization;
Settings > Google > Ads > Reset advertising ID;

11.6 Cookie Policy Updates

We may update our cookie usage, add new cookies or tracking technologies, or change cookie purposes from time to time.

Notification: We will update this Section 11 (Cookies & Tracking Technologies) and the Privacy Policy effective date. Material changes will be notified via cookie consent banner or email (see Section 17 – Changes to This Privacy Policy).

12. CCTV & IN-STORE SURVEILLANCE

In-Short: We operate CCTV surveillance cameras at our physical Store premises for security, crime prevention, safety monitoring, and incident investigation. CCTV footage is retained for 90 days (unless required for investigations or legal proceedings). By entering the Store, you consent to being recorded. For full CCTV terms, see Terms and Conditions, Section 12.4 and Section 14.

12.1 CCTV Surveillance at Store Premises

12.1.1 Purpose of CCTV Surveillance

We operate Closed-Circuit Television (CCTV) surveillance cameras at our physical Store premises:

Location: Shop No. 49, M-Floor, Al Rais Shopping Centre, 74 Al Mankhool Road, Al Raffa, Bur Dubai, Dubai, United Arab Emirates

Purposes:

Security and crime prevention (deterring and detecting theft, robbery, vandalism, trespassing, assault, or other criminal activity);
Staff safety (monitoring for threats to staff, ensuring safe working environment);
Customer safety (monitoring for accidents, emergencies, crowd management, fire evacuation);
Incident investigation and evidence (investigating incidents, disputes, accidents, or claims; providing footage to police or authorities);
Dispute resolution (resolving customer disputes, staff disputes, liability claims, insurance claims);
Compliance and regulatory obligations (meeting security requirements, insurance requirements, or regulatory directives);

12.1.2 Legal Basis for CCTV Processing

Legal Bases (UAE PDPL Article 7):

(a) Legitimate Interests (Article 7(1)(e)):

Security, crime prevention, and safety are legitimate interests of Maslool, customers, staff, and the public;
CCTV surveillance is necessary and proportionate to achieve these interests;
Rights and freedoms of data subjects are balanced through transparency (signage, notice), limited retention (90 days), and access controls;

(b) Legal Obligations (Article 7(1)(c)):

Compliance with insurance requirements, security standards, or regulatory directives (where applicable);

By entering the Store premises, you are deemed to consent to CCTV surveillance for the purposes stated, after being notified by signage;

12.2 CCTV Data Collected

12.2.1 Types of Data Captured

CCTV cameras capture:

(a) Video Recordings:

Visual images of your face, body, clothing, movements, and activities within the Store;
Date and time stamps (when footage is recorded);
Camera location and angle (identifying which camera captured the footage);

(b) Audio Recordings (Limited Use):

Audio may be recorded if cameras have audio capability (typically only in areas where necessary for security incident documentation, such as near entrances, exits, or high-value product areas);
Audio recording is limited to what is necessary and proportionate for security purposes;
Private conversations are not intentionally monitored or recorded;

12.2.2 Coverage Areas

CCTV cameras are positioned to cover:

Public areas of the Store (sales floor, aisles, product displays, entrances, exits, checkout counters);
Stock rooms, storage areas, back-office areas (where staff access inventory or handle cash);
Exterior areas (Store entrance, exterior facade, immediately adjacent public areas for security);

Areas NOT Covered:

Restrooms or changing rooms (CCTV cameras are not installed in private areas where individuals have a reasonable expectation of privacy);

12.2.3 Prominent Signage and Notice

Signage is displayed at:

Store entrance (clearly visible before entering premises);
Within the Store (at strategic locations, reminding visitors of CCTV surveillance);

Signage Content:

“CCTV IN OPERATION” or “This Premises is Under Video Surveillance“;
Statement of purposes (security, crime prevention, safety);
Contact information (info@maslool.ae) for privacy inquiries;
Reference to this Privacy Policy for detailed information;

Compliance: Signage complies with UAE PDPL Article 6 (Transparency Principle) and ensures visitors are informed before entering surveilled areas.

12.3 CCTV Retention and Access

12.3.1 Retention Period

CCTV footage is retained for:

Standard Retention: Ninety (90) calendar days from the date of recording;

Extended Retention (Exceptions):

Active investigations (theft, assault, vandalism, accidents, or incidents under investigation by Maslool or authorities) – retained until investigation is concluded;
Legal proceedings (civil claims, criminal prosecutions, arbitration, insurance claims) – retained until proceedings are finalized, appeals are exhausted, and limitation periods expire;
Law enforcement requests (footage requested by Dubai Police, courts, prosecutors, or regulatory authorities) – retained as long as required by authorities;
Insurance claims (footage relevant to liability claims, property damage claims, or injury claims) – retained until claims are settled or resolved;

Automatic Deletion: Footage older than 90 days (not subject to exceptions) is automatically overwritten or deleted from storage systems.

12.3.2 Access to CCTV Footage

Authorized Access (restricted to):

(a) Maslool Staff:

Store managers, security personnel, owners (for security monitoring, incident investigation, safety management);
Access is logged (who accessed, when, for what purpose);

(b) Law Enforcement and Authorities:

Dubai Police, UAE Public Prosecution, courts, or competent regulatory authorities (upon lawful request, court order, subpoena, or legal obligation);

(c) Legal Advisors and Insurance Providers:

Attorneys (where footage is relevant evidence in legal proceedings or disputes);
Insurance companies (where footage is relevant to claims investigation, liability assessment, or claims settlement);

(d) Data Subjects (You):

You may request access to CCTV footage showing you (subject to verification of identity and subject to exceptions in Section 12.3.3);

Secure Storage: CCTV footage is stored on secure servers or storage devices with access controls, encryption, and physical security measures.

12.3.3 Your Right to Access CCTV Footage

You have the right to request access to CCTV footage that captures your image (subject to UAE PDPL Article 15 – Right of Access).

How to Request:

(a) Submit Written Request to info@maslool.ae with subject line “CCTV Footage Access Request“, including:

Your full name, contact details, proof of identity (Emirates ID, passport);
Date, time, and location of your visit to the Store (to help us locate relevant footage);
Description of the incident or reason for request (optional but helpful);

(b) Verification: We will verify your identity and confirm you are the data subject shown in the footage;

(c) Response Time: We will respond within thirty (30) calendar days;

(d) Format: We will provide footage in a viewable format (video file, screenshots, or in-person viewing at our premises, depending on technical feasibility and data protection requirements);

Exceptions and Limitations (we may refuse or redact footage):

**(a) Third-Party Privacy: Where footage shows other individuals (other customers, staff, visitors), we will redact, blur, or obscure their images to protect their privacy (unless they have consented or disclosure is legally required);

**(b) Ongoing Investigations: Where footage is relevant to an active police investigation, criminal prosecution, or regulatory inquiry, and disclosure would prejudice the investigation or violate tipping-off prohibitions, we may delay disclosure or refuse access (with written explanation);

**(c) Legal Proceedings: Where footage is subject to attorney-client privilege, litigation privilege, or court orders, access may be restricted;

**(d) Manifestly Unfounded or Excessive Requests: Repetitive, vexatious, or abusive requests may be refused or subject to administrative fees;

12.4 Cross-Reference to Terms and Conditions

For comprehensive CCTV terms, including:

Detailed purposes of CCTV surveillance;
Notice requirements and signage;
Retention periods and deletion procedures;
Access controls and security measures;
Disclosure to authorities and law enforcement cooperation;
Your rights and remedies;

See Terms and Conditions, Section 12.4 – CCTV Surveillance and In-Store Monitoring and Section 14 – In-Store Conduct, Safety & Access Rights.

13. CHILDREN'S PRIVACY

In-Short: Our Services are not intended for children under 18 years of age (or 21+ for certain regulated products). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. Parents or guardians can contact us to request deletion of children’s data.

13.1 Age Restrictions and Eligibility

13.1.1 Minimum Age for Use of Services

Our Services are not intended for, directed to, or designed to attract children or minors under eighteen (18) years of age.

Age Requirements:

General Minimum Age: You must be at least 18 years old to use the Services, create an account, or make purchases (see Terms and Conditions, Section 3.1.3 – Age Requirements and Section 4.2 – Age Requirements and Eligibility Verification);
Enhanced Age Requirement (Regulated Products): For certain regulated edged, pointed, or specialty items (knives, blades, swords, or similar products subject to age restrictions under UAE law or Dubai Police regulations), you must be at least 21 years old;

13.1.2 No Intentional Collection from Children

We do not knowingly or intentionally collect, request, solicit, or process personal data from individuals under 18 years of age.

If you are under 18 years old, you are prohibited from:

Using the Services (Website, mobile app, Store);
Creating an account or providing personal data;
Making purchases or placing orders;
Submitting reviews, feedback, or user-generated content;

Parental/Guardian Consent Exception: If you are a parent or legal guardian and consent to your minor dependent (child under 18) using the Services under your supervision, you (the parent/guardian) are responsible for:

Providing accurate personal data;
Supervising your child’s use of the Services;
Ensuring compliance with these Terms and this Privacy Policy;
All actions, orders, or transactions conducted by your child;

(See Terms and Conditions, Section 13.1 – Minimum Age for Use of Services).

13.2 No Knowing Collection from Children

13.2.1 Our Policy

We do not knowingly collect personal data from children under 18 years of age through the Services.

Age Verification: We rely on:

User representations (by using the Services, you represent that you are at least 18 years old);
Age verification mechanisms (where implemented – date of birth fields, age confirmation checkboxes, identity document verification for age-restricted products);

13.2.2 If We Learn of Children’s Data

If we learn or become aware that we have collected personal data from a child under 18 years of age (without verified parental/guardian consent), we will:

(a) Promptly delete the data from our systems and databases;

(b) Deactivate any account created by or for the child;

(d) Notify the parent or guardian (if contact information is available);

Response Time: Deletion will occur within thirty (30) calendar days of discovery or notification.

13.3 Parental Rights and Notifications

13.3.1 How to Notify Us

If you are a parent or legal guardian and believe that your child (under 18 years old) has provided personal data to us without your consent, please contact us immediately:

Email: info@maslool.ae
Subject Line: “Child Privacy Concern” or “Minor’s Data Deletion Request“

Information to Provide:

Child’s name, email address, or username (if known);
Description of circumstances (how data was provided, when, what data);
Proof of your relationship (parental/guardian status) and identity (government ID, birth certificate, legal guardianship documents);

13.3.2 Our Response

We will:

(a) Verify your parental/guardian status and identity;

(b) Investigate whether we hold any personal data of the child;

(d) Confirm deletion to you via email;

13.3.3 Parental Consent (Where Applicable)

If parental/guardian consent is required under applicable law (e.g., US COPPA – Children’s Online Privacy Protection Act, if applicable), we will:

(a) Obtain verifiable parental consent before collecting, using, or disclosing personal data from children;

(b) Provide parents with notice of our data practices, purposes, and parental rights;

Note: We do not currently offer services specifically designed for children or intentionally market to children, so parental consent mechanisms are not routinely implemented. If this changes, we will update this Privacy Policy and implement compliant parental consent procedures.

13.4 Compliance with Child Protection Laws

13.4.1 Applicable Laws

We comply with applicable child data protection laws, including:

UAE PDPL (Federal Decree-Law No. 45 of 2021) (general data protection for all individuals, including children);
UAE Child Rights Law (Federal Law No. 3 of 2016 on Child Rights – Wadeema’s Law) (child safety, protection, and welfare);
GDPR Article 8 (Conditions for Children’s Consent – for EU data subjects) (children under 16 require parental consent for information society services; member states may lower to 13);
UK GDPR (similar provisions to GDPR Article 8);
US COPPA (Children’s Online Privacy Protection Act – if applicable to US children);

13.4.2 Age-Appropriate Design

We design the Services with age-appropriate safeguards to discourage use by children:

Age confirmation checkboxes and representations;
Content and product offerings appropriate for adults (18+);
Marketing and communications not targeted to children.

14. THIRD-PARTY LINKS & SERVICES

In-Short: Our Website and Services may contain links to third-party websites, services, or content (payment processors, social media, partner websites) that have their own privacy policies. We are not responsible for the privacy practices, content, or security of third-party websites. Review their privacy policies before providing personal data.

14.1 Links to Third-Party Websites

14.1.1 Third-Party Links May Be Present

Our Website, mobile app, emails, or communications may contain links to third-party websites, services, platforms, or content that are not owned, operated, or controlled by Maslool, including but not limited to:

(a) Payment processors (Stripe, WooCommerce, PayPal);

(b) Social media platforms (Facebook, Instagram, YouTube, Twitter/X, LinkedIn);

(d) Manufacturer websites (product information, warranty registration, support);

(e) Partner websites or affiliates (business partners, distributors, retailers);

(f) Third-party reviews or ratings platforms (Trustpilot, Google Reviews);

(g) Government or regulatory websites (UAE Data Office, Dubai Police, customs authorities);

14.1.2 No Endorsement or Control

Inclusion of links does NOT constitute:

Endorsement, approval, or recommendation of the third-party website, service, or content;
Partnership, affiliation, or sponsorship (unless explicitly stated);
Responsibility or liability for the third party’s practices, content, accuracy, security, or legality;

We do not control and are not responsible for:

Content, accuracy, or legality of third-party websites;
Privacy practices or data protection standards of third parties;
Security measures or data breaches at third-party websites;
Terms of use, policies, or practices of third parties;

14.2 Third-Party Privacy Policies

14.2.1 Separate Privacy Policies Apply

Third-party websites, services, and platforms have their own privacy policies, terms of use, and data practices that govern how they collect, use, store, share, and protect your personal data.

We strongly encourage you to:

(a) Read and review the privacy policies and terms of use of any third-party website or service before providing personal data, creating accounts, or making purchases;

(b) Understand how third parties collect, use, and protect your data;

14.2.2 Key Third-Party Privacy Policies

For convenience, we provide links to privacy policies of major third-party service providers we use (as of the Effective Date of this Privacy Policy):

Stripe Privacy Policy: https://stripe.com/ae/privacy
WooCommerce Privacy Policy: https://woocommerce.com/privacy-policy/
Google Privacy Policy: https://policies.google.com/privacy
Facebook Data Policy: https://www.facebook.com/privacy/policy/
PayPal Privacy Statement: https://www.paypal.com/ae/webapps/mpp/ua/privacy-full

Note: Third-party privacy policies may change, and links may become outdated. Always verify the current, official privacy policy directly on the third party’s website.

14.3 Data Sharing with Third Parties

14.3.1 Limited Data Sharing for Service Delivery

We share your personal data with certain third-party service providers only as necessary to provide Services, process orders, or fulfill our contractual and legal obligations (see Section 6 – Information Sharing & Disclosure).

Data sharing is governed by:

Data Processing Agreements (DPAs) (requiring third parties to process data only on our instructions, maintain security, and comply with data protection laws);
Contractual obligations (confidentiality, data protection, security requirements);
Our instructions and oversight (third parties act as data processors on our behalf, not independent data controllers);

14.3.2 Your Interactions with Third Parties

When you directly interact with third-party websites, services, or platforms (by clicking links, creating accounts, making purchases, or providing data directly to them), your interactions and data are governed by their privacy policies and terms, not this Privacy Policy.

Examples:

Creating an account on Stripe or PayPal to make payments;
Clicking a social media share button and interacting with Facebook or Instagram;
Visiting a manufacturer’s website via a product link;
Tracking a shipment on a carrier’s website (Aramex, DHL);

We have no control over and are not responsible for data collected, used, or shared by third parties during your direct interactions with them.

14.4 Disclaimer of Liability for Third-Party Practices

14.4.1 No Liability for Third-Party Actions

TO THE MAXIMUM EXTENT PERMITTED BY UAE LAW, Maslool disclaims all liability, responsibility, and warranties for:

(a) Privacy practices of third-party websites, services, or platforms (data collection, use, sharing, storage, security);

(b) Data breaches or security incidents at third-party websites or services (unauthorized access, data leaks, cyberattacks);

(c) Content, accuracy, legality, or appropriateness of third-party websites, services, or content (false information, infringing content, illegal content, offensive content);

(d) Losses, damages, or harm arising from your use of third-party websites, services, or provision of data to third parties (financial losses, identity theft, fraud, privacy violations);

(e) Violations of law or your rights by third parties (GDPR violations, consumer protection violations, IP infringement, fraud);

14.4.2 Your Responsibility and Risk

You access and use third-party websites, services, or platforms at your own risk and are solely responsible for:

(a) Evaluating the trustworthiness, security, and legitimacy of third parties;

(b) Reading and understanding third-party privacy policies, terms of use, and data practices;

(c) Protecting your personal data when interacting with third parties (using strong passwords, being cautious with sensitive data, monitoring accounts);

(d) Exercising your rights (if any) under third-party privacy policies or applicable law.

15. DO-NOT-TRACK SIGNALS

In-Short: Most browsers offer a “Do Not Track” (DNT) setting. We do not currently respond to DNT signals due to lack of uniform industry standards. You can control tracking through browser cookie settings, opt-out tools, and third-party opt-out mechanisms.

15.1 What is Do-Not-Track (DNT)?

15.1.1 DNT Feature in Browsers

Most web browsers and some mobile operating systems and mobile applications include a “Do-Not-Track” (DNT) feature or setting that allows you to signal your privacy preference not to have data about your online browsing activities monitored, tracked, or collected.

How DNT Works:

When enabled, your browser sends a DNT signal (HTTP header: DNT: 1) to websites you visit, requesting that they not track your browsing;

User Control:

DNT is a user-activated setting (opt-in) in browser privacy settings;

15.1.2 Lack of Industry Standard

At this time, no uniform technology standard for recognizing and implementing DNT signals has been:

Finalized or adopted by industry, regulators, or standards bodies;
Universally implemented by websites, advertisers, or tracking technology providers;

Challenges:

Different browsers may send DNT signals differently;
Websites interpret and respond to DNT signals inconsistently;
No legal obligation (in most jurisdictions) for websites to honor DNT;
No clear definition of what “tracking” means in the context of DNT;

15.2 Our Response to DNT Signals

15.2.1 We Do Not Currently Respond to DNT

As of the Effective Date of this Privacy Policy, we do not currently respond to or honor DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

Reasons:

Lack of uniform standard (no industry-wide consensus on how to recognize, interpret, or implement DNT);
Technical challenges (difficulty distinguishing DNT from legitimate browser settings or user preferences);
Legal uncertainty (no legal obligation in UAE or most jurisdictions to honor DNT);

15.2.2 Future Changes

If a standard for online tracking is adopted and finalized in the future that we are legally required or technically able to follow, we will:

(a) Implement DNT recognition and response mechanisms;

(b) Update this Privacy Policy to inform you about the practice and how DNT signals will be honored;

(c) Notify you of the change via Website notice, email, or updated Privacy Policy (see Section 17 – Changes to This Privacy Policy);

15.3 Alternative Methods to Control Tracking

15.3.1 Browser Cookie Settings

You can control or block cookies and tracking technologies through your browser settings (see Section 11.5.2 – Browser Cookie Settings):

Block third-party cookies (prevent third-party advertisers and trackers from setting cookies);
Delete cookies (clear existing cookies);
Disable cookies (block all cookies – may affect website functionality);

15.3.2 Opt-Out Tools and Mechanisms

You can opt-out of specific tracking and advertising using industry opt-out tools:

(a) Google Analytics Opt-Out:

Install Google Analytics Opt-Out Browser Add-On: https://tools.google.com/dlpage/gaoptout

(b) Google Ads and Personalized Advertising Opt-Out:

Google Ads Settings: https://adssettings.google.com/
Opt-out of personalized advertising (Google, Facebook, other platforms);

(c) Industry-Wide Opt-Out Tools:

Network Advertising Initiative (NAI) Opt-Out Tool: http://optout.networkadvertising.org/
Digital Advertising Alliance (DAA) Opt-Out Tool: http://optout.aboutads.info/
European Interactive Digital Advertising Alliance (EDAA) Opt-Out Tool: http://www.youronlinechoices.eu/ (for EU residents)

(d) Mobile Device Opt-Out:

iOS: Settings > Privacy > Tracking > Toggle off “Allow Apps to Request to Track”;
Android: Settings > Google > Ads > Opt out of Ads Personalization;

(See Section 11.5.4 – Mobile Device Advertising IDs for detailed instructions).

15.3.3 Cookie Consent Management

Use our cookie consent banner or preference center (where implemented) to manage your cookie preferences and reject non-essential cookies (analytics, advertising, marketing cookies) (see Section 11.5.1 – Cookie Consent Management).

16. REGIONAL PRIVACY RIGHTS

In-Short: Depending on your location, you may have additional privacy rights under regional laws (EU/UK GDPR, US state laws, Canadian PIPEDA, Australian Privacy Act, etc.). This section provides information about jurisdiction-specific rights and how to exercise them.

16.1 European Union (EU) and United Kingdom (UK) – GDPR Rights

16.1.1 GDPR Applicability

16.1.2 Enhanced GDPR Rights

In addition to the rights described in Section 9 – Your Privacy Rights, EU/UK/Switzerland data subjects have enhanced rights:

(a) Right of Access (GDPR Article 15) – including right to obtain a copy of personal data;

(b) Right to Rectification (GDPR Article 16) – correction of inaccurate or incomplete data;

(c) Right to Erasure (“Right to be Forgotten”) (GDPR Article 17) – deletion where specific grounds apply;

(d) Right to Restriction of Processing (GDPR Article 18) – temporary limitation of processing;

(e) Right to Data Portability (GDPR Article 20) – receive data in structured, machine-readable format and transmit to another controller;

(f) Right to Object (GDPR Article 21) – object to processing based on legitimate interests or direct marketing;

(g) Right to Withdraw Consent (GDPR Article 7(3)) – withdraw consent at any time where processing is based on consent;

(h) Right Not to Be Subject to Automated Decision-Making (GDPR Article 22) – including profiling producing legal or similarly significant effects;

(i) Right to Lodge a Complaint (GDPR Article 77) – complain to supervisory authority (Data Protection Authority or ICO);

(See Section 9 – Your Privacy Rights for detailed descriptions and procedures).

16.1.3 Legal Bases Under GDPR

We process your personal data under the following GDPR legal bases (see Section 5.2 – Legal Bases Under GDPR):

Consent (GDPR Article 6(1)(a));
Contractual Necessity (GDPR Article 6(1)(b));
Legal Obligation (GDPR Article 6(1)(c));
Vital Interests (GDPR Article 6(1)(d));
Legitimate Interests (GDPR Article 6(1)(f));

16.1.4 International Transfers (GDPR Chapter V)

International transfers of EU/UK personal data to the UAE or other third countries are governed by GDPR Chapter V (see Section 7 – International Data Transfers), with safeguards such as:

Standard Contractual Clauses (SCCs) (EU Commission 2021 SCCs or UK IDTA);
Adequacy decisions (where applicable);
Derogations for specific situations (consent, contract performance, legal claims);

16.1.5 EU/UK Supervisory Authorities

Right to Lodge Complaint with:

(a) EU Member State Data Protection Authorities (DPAs):

List of EU DPAs: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Lodge complaint with DPA in your country of habitual residence, place of work, or place of alleged infringement;

(b) UK Information Commissioner’s Office (ICO):

Website: https://ico.org.uk/
Report a Concern: https://ico.org.uk/make-a-complaint/
Telephone: +44 303 123 1113

(c) Swiss Federal Data Protection and Information Commissioner (FDPIC):

Website: https://www.edoeb.admin.ch/edoeb/en/home.html

16.2 United States – State-Specific Privacy Rights

16.2.1 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights:

(a) Right to Know (Categories and Specific Pieces):

Right to know what personal information is collected, used, shared, or sold;
Right to obtain a copy of specific pieces of personal information;

(b) Right to Delete:

Right to request deletion of personal information (subject to exceptions);

(c) Right to Correct:

Right to request correction of inaccurate personal information;

(d) Right to Opt-Out of Sale or Sharing:

Right to opt-out of “sale” or “sharing” of personal information for cross-context behavioral advertising;
Note: We do not sell personal information as defined under CCPA (see Section 6.2 – No Sale of Personal Data);

(e) Right to Limit Use of Sensitive Personal Information:

Right to limit use of sensitive personal information (SPI);
Note: We do not collect or process sensitive personal information as defined under CCPA;

(f) Right to Non-Discrimination:

Right not to be discriminated against for exercising CCPA rights;

How to Exercise California Rights:

Email: info@maslool.ae (Subject: “California Privacy Rights Request” or “CCPA Request”)
Verification: We will verify your identity before processing requests;
Response Time: 45 days (extendable by 45 days if necessary, with notice);

California Privacy Notice: For detailed California-specific disclosures (categories of data collected, purposes, sources, recipients, retention periods), see Section 2 – Information We Collect, Section 4 – How We Use Your Information, Section 6 – Information Sharing & Disclosure, and Section 8 – Data Retention.

16.2.2 Other US States (Virginia, Colorado, Connecticut, Utah, etc.)

Several US states have enacted comprehensive privacy laws with rights similar to CCPA:

Virginia (VCDPA) – Consumer Data Protection Act
Colorado (CPA) – Privacy Act
Connecticut (CTDPA) – Data Privacy Act
Utah (UCPA) – Consumer Privacy Act
And others enacting or considering similar laws

Rights under state laws (generally include):

Right to access, correct, delete, and obtain copies of personal data;
Right to opt-out of targeted advertising or sale of personal data;
Right to lodge complaints with state attorneys general or consumer protection agencies;

How to Exercise State-Specific Rights:

Contact us at info@maslool.ae with subject line identifying your state (e.g., “Virginia Privacy Rights Request”);
We will respond in accordance with applicable state law requirements;

16.3 Canada – PIPEDA and Provincial Laws

16.3.1 PIPEDA Applicability

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) or applicable provincial privacy laws (e.g., Quebec’s Bill 64 / Law 25) apply to our processing of your personal data.

16.3.2 Canadian Privacy Rights

(a) Right of Access:

Right to access personal information held about you;
Right to know how your personal information is used and to whom it has been disclosed;

(b) Right to Correction:

Right to request correction of inaccurate or incomplete personal information;

(c) Right to Withdraw Consent:

Right to withdraw consent at any time (subject to legal or contractual restrictions);

(d) Right to Lodge a Complaint:

Right to complain to the Office of the Privacy Commissioner of Canada (OPC) or provincial privacy commissioners;

How to Exercise Canadian Rights:

Email: info@maslool.ae (Subject: “Canadian Privacy Rights Request” or “PIPEDA Request”)
Response Time: 30 days (as required by PIPEDA)

16.3.3 Office of the Privacy Commissioner of Canada (OPC)

Contact OPC:

Website: https://www.priv.gc.ca/
File a Complaint: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/
Telephone: 1-800-282-1376 (toll-free in Canada)

Provincial Privacy Commissioners (for provincially regulated sectors):

Quebec: Commission d’accès à l’information du Québec (CAI) – https://www.cai.gouv.qc.ca/
British Columbia: Office of the Information and Privacy Commissioner – https://www.oipc.bc.ca/
Alberta: Office of the Information and Privacy Commissioner – https://www.oipc.ab.ca/

16.4 Australia and New Zealand

16.4.1 Australia – Privacy Act 1988

If you are an Australian resident, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply to our collection and handling of your personal information.

Australian Privacy Rights:

(a) Right of Access (APP 12):

Right to request access to personal information held about you;

(b) Right to Correction (APP 13):

Right to request correction of inaccurate, out-of-date, incomplete, or misleading personal information;

(c) Right to Lodge a Complaint:

Right to complain to the Office of the Australian Information Commissioner (OAIC);

How to Exercise Australian Rights:

Email: info@maslool.ae (Subject: “Australian Privacy Rights Request”)
Response Time: 30 days (as required under APPs)

Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au/
File a Complaint: https://www.oaic.gov.au/privacy/privacy-complaints
Telephone: 1300 363 992 (within Australia)

16.4.2 New Zealand – Privacy Act 2020

If you are a New Zealand resident, the Privacy Act 2020 and Privacy Principles apply to our collection and handling of your personal information.

New Zealand Privacy Rights:

(a) Right of Access (Privacy Principle 6):

Right to request access to personal information held about you;

(b) Right to Correction (Privacy Principle 7):

Right to request correction of personal information;

(c) Right to Lodge a Complaint:

Right to complain to the Office of the New Zealand Privacy Commissioner;

How to Exercise New Zealand Rights:

Email: info@maslool.ae (Subject: “New Zealand Privacy Rights Request”)
Response Time: 20 working days (as required under Privacy Act 2020)

Office of the New Zealand Privacy Commissioner:

Website: https://www.privacy.org.nz/
File a Complaint: https://www.privacy.org.nz/your-rights/making-a-complaint/
Email: enquiries@privacy.org.nz
Telephone: 0800 803 909 (within New Zealand)

16.5 Republic of South Africa – POPIA

16.5.1 POPIA Applicability

If you are a South African resident, the Protection of Personal Information Act (POPIA) applies to our processing of your personal information.

16.5.2 South African Privacy Rights

(a) Right of Access (Section 23):

Right to request confirmation of processing and access to personal information;

(b) Right to Correction or Deletion (Section 24):

Right to request correction, destruction, or deletion of personal information;

(c) Right to Object (Section 11(3)):

Right to object to processing on reasonable grounds;

(d) Right to Lodge a Complaint:

Right to lodge a complaint with the Information Regulator (South Africa);

How to Exercise South African Rights:

Email: info@maslool.ae (Subject: “South African Privacy Rights Request” or “POPIA Request”)
Response Time: As soon as reasonably practicable (POPIA does not specify exact timeframe; we aim for 30 days)

16.5.3 Information Regulator (South Africa)

Contact Information Regulator:

General Enquiries: enquiries@inforegulator.org.za
Complaints (POPIA): POPIAComplaints@inforegulator.org.za
Complaints (PAIA – Access to Information): PAIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za/
Telephone: +27 10 023 5207

Complaint Forms: Complete POPIA Complaint Form (Form 5) available on Information Regulator website.

16.6 Other Jurisdictions

16.6.1 Residents of Other Countries

If you are located in a jurisdiction not specifically covered above (e.g., Asia-Pacific, Middle East, Latin America, Africa), you may have privacy rights under your local data protection, privacy, or consumer protection laws.

General Approach:

We will respond to privacy rights requests in accordance with UAE PDPL (as our primary governing law) and any applicable mandatory provisions of your local law;
Contact us at info@maslool.ae to inquire about your specific rights;

16.6.2 No Waiver of Mandatory Local Rights

Nothing in this Privacy Policy waives, limits, or restricts any mandatory, non-waivable privacy rights you have under the laws of your country or jurisdiction of residence, to the extent such rights apply and cannot be lawfully excluded.

Where mandatory local law conflicts with a provision of this Privacy Policy, the mandatory local law prevails solely for the protected matter.

17. CHANGES TO THIS PRIVACY POLICY

In-Short: We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. We will notify you of material changes via email or Website notice. Continued use after changes constitutes acceptance. Review the “Last Updated” date at the top to see when the Policy was last revised.

17.1 Right to Modify Privacy Policy

17.1.1 Updates and Revisions

We may update, revise, amend, or modify this Privacy Policy from time to time, at our sole discretion, to reflect:

(a) Changes in our data processing practices (new services, features, data collection methods, processing purposes);

(b) Changes in applicable laws or regulations (new data protection laws, regulatory guidance, court decisions, or legal requirements);

(d) Changes in our business operations (mergers, acquisitions, new service providers, business restructuring);

(e) Clarifications or corrections (clarifying existing provisions, correcting errors, improving readability);

17.1.2 Effective Date of Changes

The “Last Updated” date at the top of this Privacy Policy indicates when the Privacy Policy was last revised.

When changes take effect:

(a) For Non-Material Changes (minor clarifications, corrections, formatting, or updates that do not materially affect your rights or our practices):

Changes are effective immediately upon posting the updated Privacy Policy on the Website;

(b) For Material Changes (significant changes to data collection, processing purposes, sharing practices, retention periods, or your rights):

Changes are effective thirty (30) days after posting the updated Privacy Policy and notifying you (see Section 17.2 – Notification of Material Changes), or as otherwise specified in the notice;

17.2 Notification of Material Changes

17.2.1 How We Notify You

For material changes to this Privacy Policy, we will notify you by:

(a) Email Notification:

Sending an email to the email address registered in your account (if you have an account);
Email subject line: “Updated Privacy Policy – Maslool” or “Important Changes to Privacy Policy“;
Email will include a summary of key changes and a link to the updated Privacy Policy;

(b) Website Notice:

Displaying a prominent notice or banner on the Website homepage or throughout the Website announcing the updated Privacy Policy;
Notice will remain visible for at least 30 days after posting;

(c) In-App Notification (if applicable):

Push notification or in-app message (for mobile app users);

(d) At Login or Checkout:

Displaying a consent prompt or acknowledgment screen requiring you to review and accept the updated Privacy Policy before continuing to use Services (where appropriate for significant changes);

17.2.2 What Constitutes Material Changes

Examples of material changes include (but are not limited to):

Collecting new categories of personal data (e.g., biometric data, health data, precise geolocation);
Using personal data for new purposes not previously disclosed (e.g., using data for AI training, selling data to third parties);
Sharing personal data with new categories of third parties (e.g., new service providers, business partners, advertisers);
Materially increasing data retention periods (e.g., from 1 year to 5 years);
Transferring personal data to new countries or jurisdictions with lower data protection standards;
Materially reducing your privacy rights or our responsibilities;

Non-material changes include:

Updating contact information, links, or references;
Clarifying existing provisions without changing substance;
Minor formatting, grammar, or readability improvements;
Adding new sections that do not change existing practices (e.g., adding FAQ section);

17.3 Your Acceptance of Changes

17.3.1 Deemed Acceptance by Continued Use

By continuing to access or use the Services after the effective date of the updated Privacy Policy (following notification and expiration of any applicable notice period), you are deemed to have accepted the updated Privacy Policy and consent to the revised data processing practices.

Your Options if You Disagree:

(a) Object or Withdraw Consent:

If you do not agree with the updated Privacy Policy, you may:
- Object to specific processing activities (see Section 9.8 – Right to Object to Processing);
- Withdraw consent where processing is based on consent (see Section 9.7 – Right to Withdraw Consent);

(b) Request Data Deletion:

Request deletion of your personal data and cease using the Services (see Section 9.4 – Right to Erasure);

(c) Close Your Account:

Close your account and discontinue use of the Services (see Terms and Conditions, Section 24.2 – Your Right to Close or Deactivate Your Account);

Consequence: If you cease using the Services or close your account, we will process your personal data in accordance with Section 8 – Data Retention (retaining data only as long as necessary for legal obligations, dispute resolution, or legitimate interests).

17.3.2 No Retroactive Application (Generally)

Updated Privacy Policy provisions apply to personal data collected or processed after the effective date of the update, unless:

**(a) You provide explicit consent to apply updated provisions retroactively to previously collected data; OR

**(b) Changes are required by law or legal obligation (e.g., new legal retention requirements, mandatory data breach notification procedures); OR

**(c) Changes are necessary to protect your rights, safety, or vital interests or those of others;

Personal data collected and processed before the effective date remains governed by the Privacy Policy in effect at the time of collection, except as noted above.

17.4 Review and Stay Informed

17.4.1 Encourage Regular Review

We encourage you to review this Privacy Policy periodically (at least every 6-12 months, or whenever you use the Services after a period of inactivity) to stay informed about:

How we collect, use, share, and protect your personal data;
Your privacy rights and how to exercise them;
Changes or updates to our practices or policies;

17.4.2 Version History (Optional)

Where feasible, we may maintain a version history or archive of previous Privacy Policy versions on our Website, allowing you to compare changes or review historical policies.

Access: Previous versions (if available) may be accessed via a link at the bottom of the Privacy Policy page (e.g., “View Previous Versions”) or by contacting us at info@maslool.ae.

18. CONTACT INFORMATION

In-Short: For questions, concerns, or requests about this Privacy Policy, data protection, or your privacy rights, contact us via email (info@maslool.ae), telephone (+971 50 504 1792), or postal mail. We will respond within 30 days.

18.1 Data Controller Contact Details

Maslool Hunting Requisites Trading is the data controller responsible for your personal data.

Business Name: Maslool Hunting Requisites Trading

Legal Form: Sole Proprietorship

Trade License: 1246575 issued by the Dubai Department of Economy and Tourism

Registered Business Address:
Shop No. 49, M-Floor
Al Rais Shopping Centre
74 Al Mankhool Road, Al Raffa
Bur Dubai, Dubai
United Arab Emirates

Postal Address (for correspondence):
Maslool Hunting Requisites Trading
P.O. Box 50919
Dubai, United Arab Emirates

Email: info@maslool.ae

Telephone: +971 50 504 1792

Website: www.maslool.ae

18.2 Privacy and Data Protection Inquiries

18.2.1 General Privacy Questions

For general questions, concerns, or inquiries about this Privacy Policy, our data processing practices, or data protection:

Email: info@maslool.ae
Subject Line: “Privacy Inquiry” or “Data Protection Question“

Include in Your Message:

Your name and contact details;
Nature of your inquiry or concern;
Any relevant details (order number, account email, specific data or processing activity);

Response Time: We will respond to general privacy inquiries within thirty (30) calendar days of receipt.

18.2.2 Data Subject Rights Requests

For data subject rights requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent):

See Section 19 – Data Subject Rights Requests below for detailed procedures, required information, verification requirements, and response timeframes.

18.2.3 Data Breach Notifications or Security Concerns

To report a suspected data breach, security incident, or security vulnerability:

Email: info@maslool.ae
Subject Line: “URGENT – Security Incident” or “Data Breach Report“

Include:

Description of the suspected breach or incident;
Date and time of discovery;
Type of data potentially affected;
Your contact information for follow-up;

Response: We will acknowledge receipt within 24-48 hours and investigate promptly.

18.3 Data Protection Officer (DPO) or Privacy Officer

18.3.1 DPO Designation

As of the Effective Date of this Privacy Policy, Maslool has not designated a formal Data Protection Officer (DPO), as we are a small-to-medium enterprise (SME) and DPO appointment is not mandatory under UAE PDPL for businesses of our size and scope.

18.3.2 Privacy Contact Point

All privacy and data protection inquiries, requests, and correspondence should be directed to:

Privacy Contact: info@maslool.ae (Attention: Data Protection / Privacy Officer)

Internal Responsibility: Privacy and data protection matters are handled by senior management and legal advisors in consultation with external data protection counsel or consultants where necessary.

18.3.3 Future DPO Appointment

If we appoint a formal Data Protection Officer (DPO) in the future (due to business growth, regulatory requirements, or best practices), we will:

(a) Update this Privacy Policy with DPO contact details; (b) Notify customers via email or Website notice; (c) Ensure DPO is accessible for privacy inquiries and complaints;

18.4 Regulatory Authority Contact (UAE Data Office)

18.4.1 UAE Data Office (Supervisory Authority)

The UAE Data Office is the supervisory authority for data protection in the United Arab Emirates, responsible for:

Enforcing UAE PDPL (Federal Decree-Law No. 45 of 2021);
Investigating complaints and data breaches;
Issuing guidance and regulations;
Imposing administrative sanctions for violations;

UAE Data Office Contact Details:

Website: https://u.ae/en/about-the-uae/digital-uae/data/the-uae-data-office

Email: dataoffice@tdra.gov.ae (or as updated on official website)

Telephone: +971 4 230 5555 (Telecommunications and Digital Government Regulatory Authority – TDRA)

Postal Address:
UAE Data Office
Telecommunications and Digital Government Regulatory Authority (TDRA)
P.O. Box 26662
Dubai, United Arab Emirates

18.4.2 When to Contact UAE Data Office

You may contact the UAE Data Office if:

You believe we have violated your privacy rights or UAE PDPL;
You are dissatisfied with our response to your data subject rights request;
You wish to lodge a formal complaint about our data processing practices;
You have concerns about data breaches, security, or compliance;

Complaint Process: The UAE Data Office will investigate complaints, mediate disputes, and may impose corrective measures, sanctions, or administrative fines for violations.

18.5 Response Time Commitments

18.5.1 Standard Response Times

We are committed to responding to privacy inquiries, data subject rights requests, and complaints within the following timeframes:

(a) General Privacy Inquiries: Thirty (30) calendar days from receipt;

(b) Data Subject Rights Requests (access, rectification, erasure, etc.): Thirty (30) calendar days from receipt of verified request (see Section 19.4 – Response Timeframes for detailed DSR response times);

(c) Security Incidents or Breach Reports: Acknowledgment within 24-48 hours; investigation and follow-up within 72 hours to 7 days (depending on severity);

(d) Urgent or Time-Sensitive Matters: Expedited response (within 5-10 business days) for urgent matters (e.g., imminent harm, legal deadlines, regulatory inquiries);

18.5.2 Extensions for Complex Requests

For complex, voluminous, or multiple requests, we may extend the response time by an additional thirty (30) days (total 60 days), as permitted by UAE PDPL Article 15(2) and GDPR Article 12(3).

Notification: We will notify you of the extension within the initial 30-day period, explain the reasons for the delay, and provide an estimated response date.

18.5.3 Business Days vs. Calendar Days

Unless otherwise specified:

Calendar days include weekends and public holidays (UAE public holidays);
Business days exclude weekends (Friday-Saturday in UAE) and UAE public holidays;

Counting: Timeframes begin on the business day following receipt of your request or inquiry.

19. DATA SUBJECT RIGHTS REQUESTS

In-Short: To exercise your privacy rights (access, correction, deletion, restriction, portability, objection, withdrawal of consent), submit a written request via email (info@maslool.ae) with required information and proof of identity. We will verify your identity, process your request, and respond within 30 days (extendable to 60 days for complex requests). This section provides detailed procedures for submitting and processing data subject rights requests.

19.1 How to Submit a Data Subject Rights Request

19.1.1 Submission Methods

To exercise any of your privacy rights described in Section 9 – Your Privacy Rights, submit a written request via:

(a) Email (Preferred Method):

Email Address: info@maslool.ae

Subject Line: Use a clear, descriptive subject line indicating the type of request:

“Data Access Request” or “Subject Access Request (SAR)“
“Data Correction Request” or “Rectification Request“
“Data Deletion Request” or “Right to be Forgotten Request“
“Data Portability Request“
“Restriction of Processing Request“
“Objection to Processing Request“
“Withdraw Consent Request“
“[Your Jurisdiction] Privacy Rights Request” (e.g., “California Privacy Rights Request,” “GDPR Request”)

(b) Postal Mail:

Mailing Address:
Maslool Hunting Requisites Trading
Attn: Data Protection / Privacy Officer
Shop No. 49, M-Floor, Al Rais Shopping Centre
74 Al Mankhool Road, Al Raffa, Bur Dubai
Dubai, United Arab Emirates

(c) In-Person (for urgent or sensitive matters):

Visit our Store during business hours:
Shop No. 49, M-Floor, Al Rais Shopping Centre
74 Al Mankhool Road, Bur Dubai
Business Hours: [Insert Store Hours] (typically Sunday-Thursday 9:00 AM – 6:00 PM, Saturday 10:00 AM – 5:00 PM; closed Friday)

Note: Email is the preferred and fastest method for processing requests.

19.1.2 Required Information in Your Request

To enable us to verify your identity and process your request efficiently, please include the following information:

(a) Personal Identification Information:

Full Name (first name, last name, middle name if applicable);
Email Address (associated with your account or used in communications with us);
Telephone Number (mobile number with country code);
Postal Address (if relevant to your request or for correspondence);
Account Username or Account Number (if you have an account);

(b) Proof of Identity (Required for Verification):

Copy of Government-Issued Photo ID: Emirates ID (front and back), passport (photo page), driver’s license, or national ID card;
Scanned or photographed copy (clear, legible, and unaltered);
Redaction permitted: You may redact (black out) sensitive information not necessary for identity verification (e.g., ID numbers, passport numbers, except name, photo, date of birth, and document expiration date);

(c) Description of Request:

Type of request (access, rectification, erasure, restriction, portability, objection, withdrawal of consent);
Specific data or processing activity (e.g., “all personal data,” “order history for order #12345,” “marketing email consent,” “CCTV footage from [date and time]”);
Reason or grounds (for certain requests such as objection or erasure, explaining the reason helps us assess and respond appropriately);

(d) Preferred Response Format or Method (optional):

How you would like to receive the response (email, postal mail, in-person);
Format for data access requests (PDF, CSV, JSON, etc.);

19.1.3 Authorized Representatives or Agents

If you are submitting a request on behalf of another person (e.g., parent/guardian on behalf of child, legal representative, attorney, executor of estate), you must provide:

**(a) Proof of your identity (your government-issued ID);

**(b) Proof of your authority to act on behalf of the data subject:

Power of Attorney (notarized or legally valid power of attorney document);
Legal Guardianship Order (court order appointing you as guardian);
Parental Consent or Birth Certificate (for requests on behalf of minor children);
Estate Documents (death certificate, probate documents, letters of administration for deceased persons’ data);
Corporate Authorization (for requests on behalf of employees or entity representatives – signed letter from authorized company officer);

**(c) Consent or authorization from the data subject (signed authorization form or written consent from the data subject permitting you to submit the request on their behalf);

Verification: We will verify the identity of the authorized representative and the authority to act before processing the request.

19.2 Identity Verification Procedures

19.2.1 Why We Verify Identity

To protect your privacy and prevent unauthorized disclosure of personal data to third parties, we must verify your identity before processing data subject rights requests, particularly:

Access requests (to prevent unauthorized access to your personal data);
Deletion requests (to prevent malicious or fraudulent deletion by unauthorized parties);
Correction requests (to prevent unauthorized alteration of data);

Legal Requirement: Identity verification is required under UAE PDPL Article 15 and GDPR Article 12 to ensure requests are made by the data subject or authorized representative.

19.2.2 Verification Methods

We will verify your identity using one or more of the following methods, depending on the sensitivity of the request and the data involved:

(a) Account Authentication (for existing account holders):

Requesting you to log in to your account and submit the request through your authenticated session;
Verifying that the request comes from the registered email address associated with your account;

(b) Government-Issued Photo ID Verification:

Reviewing the copy of your ID submitted with your request;
Comparing name, date of birth, and photo on ID to the personal data we hold;

(c) Email or SMS Verification:

Sending a verification code or link to the email address or mobile number we have on file for you;
Requiring you to confirm receipt and click the link or enter the code;

(d) Knowledge-Based Authentication (KBA):

Asking you to provide additional information only the data subject would know (e.g., recent order details, transaction amounts, account creation date, security questions);

(e) Video Verification or In-Person Verification (for high-sensitivity requests or disputes):

Video call with you to visually verify your identity and ID;
In-person visit to our Store with ID for verification;

19.2.3 Reasonable Verification Standard

We will use reasonable efforts to verify your identity, balancing:

Security and privacy protection (preventing unauthorized disclosure);
Convenience and accessibility (not imposing overly burdensome verification requirements);
Proportionality (using stricter verification for more sensitive requests);

Standard: We will verify identity to a reasonable degree of certainty that you are the data subject or authorized representative.

19.2.4 Failure to Verify Identity

If we cannot verify your identity despite reasonable efforts (e.g., insufficient proof of identity provided, inconsistent information, unresponsive to verification requests), we may:

**(a) Request additional information or documentation to verify identity;

**(b) Refuse the request and explain the reasons for refusal in writing;

**(c) Provide you with instructions on how to complete verification or resubmit the request with additional information;

Your Rights: If we refuse your request due to inability to verify identity, you may:

Provide additional verification information and resubmit;
Lodge a complaint with the UAE Data Office or applicable supervisory authority (see Section 9.9 – Right to Lodge a Complaint);

19.3 Processing Your Request

19.3.1 Acknowledgment of Receipt

Upon receiving your data subject rights request, we will:

**(a) Acknowledge receipt via email (typically within 3-5 business days);

**(b) Provide a reference number or case number for tracking your request;

**(c) Confirm the type of request and expected response timeframe;

**(d) Request additional information or clarification if needed;

19.3.2 Review and Assessment

We will:

**(a) Verify your identity (as described in Section 19.2);

**(b) Assess the validity and scope of your request (whether it is legitimate, reasonable, and within the scope of your rights);

**(c) Identify relevant data (locate and retrieve the personal data subject to the request);

**(d) Check for exceptions or limitations (legal obligations, third-party rights, legitimate interests, pending litigation) that may affect our ability to fulfill the request;

19.3.3 Fulfillment or Refusal

**(a) If Request is Granted:

We will fulfill the request (provide access, correct, delete, restrict, port, or cease processing as requested);
Provide a written response confirming the action taken;
Provide the requested data or information in the requested format (where applicable);

**(b) If Request is Refused or Limited:

We will provide a written explanation of the reasons for refusal or limitation (citing applicable exceptions under UAE PDPL, GDPR, or other applicable law);
Inform you of your right to lodge a complaint with the UAE Data Office or applicable supervisory authority;
Provide contact details for lodging complaints;

19.3.4 Notification to Third Parties

Where we have disclosed your personal data to third parties (service providers, shipping carriers, etc.), and you have requested rectification, erasure, or restriction, we will:

Notify those third parties of the rectification, erasure, or restriction, where practicable and not disproportionately burdensome;
Inform you of the third parties notified (unless this proves impossible or involves disproportionate effort);

19.4 Response Timeframes

19.4.1 Standard Response Time

We will respond to your data subject rights request within:

Thirty (30) calendar days from the date of receiving your verified request (identity verified and all required information provided).

UAE PDPL: Article 15(1) requires response within 30 days.

GDPR: Article 12(3) requires response within one month (approximately 30 days), extendable by two further months (total 3 months / 90 days) for complex requests.

19.4.2 Extensions for Complex Requests

For complex requests, voluminous requests, or multiple simultaneous requests, we may extend the response time by an additional thirty (30) days (total 60 calendar days).

Notification: We will notify you of the extension within the initial 30-day period, explain the reasons for the delay, and provide an estimated response date.

Grounds for Extension:

Request involves large volumes of data (e.g., access request for 10 years of transaction history);
Request is technically complex (e.g., data portability request requiring custom data extraction and formatting);
Multiple requests submitted simultaneously (e.g., access, deletion, and restriction requests);
Need to consult with legal advisors, service providers, or third parties to assess the request;

19.4.3 Urgent Requests

For urgent requests (e.g., suspected data breach affecting you, immediate safety concerns, legal deadline), we will:

Prioritize urgent requests;
Respond as quickly as reasonably possible (typically within 5-10 business days or as soon as practicable given the urgency);

How to Mark as Urgent: Include “URGENT” in the subject line and explain the urgency in your request.

19.5 Fees for Data Subject Rights Requests

19.5.1 Free of Charge (Generally)

First Request: Your first data subject rights request within a twelve (12) month period is processed free of charge, as required by UAE PDPL Article 15 and GDPR Article 12.

No Fees for Reasonable Requests: We do not charge fees for reasonable, legitimate data subject rights requests.

19.5.2 Fees for Manifestly Unfounded or Excessive Requests

We may charge a reasonable administrative fee or refuse the request where the request is:

**(a) Manifestly unfounded (clearly made in bad faith, without legitimate basis, or for purposes other than exercising privacy rights);

**(b) Excessive (repetitive, vexatious, or abusive requests; e.g., submitting identical access requests every week);

**(c) Voluminous or complex beyond normal scope (requiring disproportionate effort or resources to fulfill);

Fee Calculation: Fees (if charged) will be based on administrative costs (staff time, technical resources, copying, postage) and will be reasonable and transparent.

Notification: We will inform you of the fee before processing the request and provide an opportunity to withdraw or modify the request.

19.5.3 Fees for Additional Copies (Access Requests)

If you request multiple copies of your personal data (beyond the first free copy), we may charge a reasonable fee based on administrative costs (see GDPR Article 15(3)).

19.6 Escalation and Complaints

19.6.1 Dissatisfied with Our Response?

If you are dissatisfied with our response to your data subject rights request (e.g., request refused, incomplete response, excessive delay), you may:

**(a) Contact us again to escalate or clarify:

Email info@maslool.ae with subject line “Escalation – DSR Case #[Reference Number]“;
Request review by senior management or legal advisors;

**(b) Lodge a complaint with the UAE Data Office or applicable supervisory authority (see Section 9.9 – Right to Lodge a Complaint and Section 18.4 – Regulatory Authority Contact);

**(c) Seek legal advice or legal remedies (consult a data protection attorney; pursue legal action under UAE PDPL or applicable law);

19.6.2 Internal Escalation Process

Step 1: Submit your concern or complaint to info@maslool.ae with subject “Complaint – DSR Case #[Reference Number]“;

Step 2: We will review your complaint and provide a response within 14 business days, explaining our position and any additional actions we will take;

Step 3: If still unresolved, you may escalate to the UAE Data Office (see Section 18.4.1).

BINDING NATURE OF THIS PRIVACY POLICY

This Privacy Policy constitutes a legally binding agreement between Maslool Hunting Requisites Trading (“Maslool,” “we,” “us,” or “our“) and you (whether an individual or legal entity) governing the collection, processing, use, storage, disclosure, transfer, and protection of your personal data in connection with your access to, use of, or transactions through our Services. By accessing our Website (www.maslool.ae), mobile application, physical Store, or otherwise engaging with our Services, you expressly acknowledge, understand, accept, and consent to the data processing practices, procedures, policies, and terms described in this Privacy Policy. This Privacy Policy is incorporated by reference into and forms an integral part of our Terms and Conditions (see Terms and Conditions, Section 12 – Privacy, Data Protection, CCTV & Electronic Communications). IF YOU DO NOT AGREE WITH OR CONSENT TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY, YOU MUST IMMEDIATELY CEASE ALL USE OF THE SERVICES AND REFRAIN FROM PROVIDING ANY PERSONAL DATA TO US. Failure to read, negligence in reviewing, or claim of lack of understanding does not excuse, invalidate, or waive your obligations or our rights under this Privacy Policy or applicable data protection law. You are deemed to have read and consented to this Privacy Policy upon any use of the Services, provision of personal data, or manifestation of consent, regardless of actual reading.

SUMMARY OF KEY POINTS

Table of Contents

1. INTRODUCTION & SCOPE

1.1 Purpose and Applicability

1.1.1 Purpose of This Privacy Policy

1.1.2 Services Covered

1.1.3 Data Controller

1.1.4 Governing Law and Jurisdiction

1.2 Questions, Concerns, or Objections

2. INFORMATION WE COLLECT

2.1 Personal Data You Provide to Us

2.1.1 Categories of Personal Data Provided

2.1.2 Sensitive Personal Data – Not Collected

2.1.3 Accuracy and Updates

2.2 Information Automatically Collected

2.2.1 Device and Usage Data

2.2.2 Location Data and Consent

2.2.3 Cookies and Tracking Technologies

2.3 Information from Third Parties

2.3.1 Payment Processors

2.3.2 Analytics and Marketing Services

2.3.3 No Other Third-Party Data Sources

3. HOW WE COLLECT INFORMATION

3.1 Direct Collection from You

3.2 Automatic Collection Through Technology

3.2.1 Web Server Logs and Access Logs

3.2.2 Cookies and Similar Technologies

3.2.3 Third-Party Analytics Services

3.2.4 Mobile App SDKs and Analytics

3.3 Collection from Third Parties

3.3.1 Payment Processors

3.3.2 Compliance and Screening Services

3.3.3 Public Records and Open-Source Intelligence (Limited Use)

3.4 CCTV Surveillance at Physical Store

3.4.1 CCTV Coverage

3.4.2 CCTV Data Collected

3.4.3 CCTV Signage and Notice

3.4.4 CCTV Retention and Access

4. HOW WE USE YOUR INFORMATION

4.1 Primary Processing Purposes

4.1.1 Account Creation and Management

4.1.2 Order Processing and Fulfillment

4.1.3 Customer Service and Support

4.1.4 Communication and Correspondence

4.1.5 Marketing and Promotional Communications (With Consent)

4.1.6 Personalization and User Experience Improvement

4.1.7 Business Analytics and Performance Monitoring

4.1.8 Security, Fraud Prevention, and Risk Management

4.1.9 Legal Compliance and Law Enforcement

4.1.10 Product Development and Innovation

4.2 Purposes Requiring Explicit Consent

4.3 Processing Only When Lawful

5. LEGAL BASIS FOR PROCESSING

5.1 Legal Bases Under UAE PDPL

5.1.1 Consent

5.1.2 Contractual Necessity

5.1.3 Legal Obligation

5.1.4 Vital Interests

5.1.5 Legitimate Interests

5.2 Legal Bases Under GDPR (For EU/UK Data Subjects)

5.2.1 GDPR Legal Bases (Article 6(1))

5.2.2 Special Categories of Personal Data (GDPR Article 9)

5.2.3 Your GDPR Rights

5.3 Legal Bases Under Canadian Law (For Canadian Residents – If Applicable)

5.3.1 Consent (Express or Implied)

5.3.2 Exceptions to Consent (PIPEDA Section 7(1))

6. INFORMATION SHARING & DISCLOSURE

6.1 Categories of Recipients

6.1.1 Service Providers and Third-Party Processors

6.1.2 Affiliates and Group Companies

6.1.3 Business Partners and Joint Ventures

6.1.4 Legal and Regulatory Authorities

6.1.5 Business Transfers and Corporate Transactions

6.1.6 With Your Consent or at Your Direction

6.1.7 Third-Party Privacy Policies

6.2 No Sale of Personal Data

6.3 Aggregated or Anonymized Data

7. INTERNATIONAL DATA TRANSFERS

7.1 Cross-Border Transfers Overview