Who is the data controller
Khaleeja is the data controller for personal data collected through khaleeja.com. For privacy questions, contact our Data Protection lead at privacy@khaleeja.com.
What we collect
| Category | Examples | Source |
|---|---|---|
| Identity | Name, email, phone | You provide on signup |
| Account | Password (hashed), preferred language, currency | You provide / set |
| Order | Shipping address, items, totals, payment method | You provide at checkout |
| Maker | Trade licence, founder ID, ownership details, IBAN | You provide on application |
| Behavioural | Pages viewed, products saved, search queries | Collected automatically |
| Device | IP address, browser, device type, language | Collected automatically |
Why we use your data (lawful basis)
- Performance of contract — to create your account, process your orders, and provide support.
- Legal obligation — to comply with VAT, anti-money-laundering, and consumer-protection laws.
- Legitimate interest — to keep the marketplace safe, prevent fraud, and improve the product.
- Consent — to send marketing emails (you can withdraw consent at any time).
How we share your data
We share data only with parties who help us deliver the service:
- Makers — receive your name, shipping address, phone, and items ordered, so they can fulfil your order.
- Aramex — receives your shipping details to deliver the parcel.
- Stripe — processes card payments and receives the minimum data required (name, email, address, amount).
- Supabase — provides our database and authentication infrastructure (data hosted in EU).
- Resend / Email provider — delivers transactional emails (receipts, confirmations).
- Government authorities, when required by law.
We do not sell your personal data to advertisers or data brokers.
International transfers
Some of our processors (e.g. Supabase, Stripe) are based outside the GCC. Where data is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards required by UAE PDPL and the data-protection rules of KSA, Bahrain, Qatar and Oman.
How long we keep data
| Data | Retention |
|---|---|
| Order records (incl. address, totals) | 7 years (VAT recordkeeping requirement) |
| Account profile | Until you delete your account, then 30 days |
| Maker KYC documents | 5 years after the maker leaves Khaleeja |
| Browsing logs | 12 months |
| Marketing email opt-in | Until you unsubscribe |
Your rights
Under UAE PDPL and analogous GCC laws you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal retention rules above)
- Object to or restrict certain processing
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent for marketing at any time
- Lodge a complaint with the UAE Data Office or your local data-protection authority
To exercise any of these rights, email privacy@khaleeja.com. We respond within 30 days.
Security
We use industry-standard measures to protect your data: TLS encryption in transit, encryption at rest for sensitive fields, hashed passwords (never stored in plain text), row-level security on the database, and access logging. No system is perfectly secure — if you believe your account has been compromised, contact us immediately.
Children
Khaleeja is not intended for children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, contact us and we will delete the account.
Cookies
See our Cookie Policy for details on cookies and similar technologies.
Changes to this policy
We post material changes at the top of this page with an updated “last updated” date. For changes that materially expand how we use your data, we notify you by email and ask for renewed consent where required.