Privacy Policy
Last updated: 24 April 2026
Juhaynh ("we", "us", "our") is committed to protecting the privacy of visitors and customers in the Kingdom of Saudi Arabia and internationally. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in compliance with the Personal Data Protection Law of Saudi Arabia (PDPL, Royal Decree No. M/19 of 2023) and its Implementing Regulations, under the oversight of the Saudi Data and Artificial Intelligence Authority (SDAIA).
1. Data controller
Juhaynh acts as the Data Controller for personal data you provide when you register an account, place an order, contact our support team, or subscribe to marketing communications. You can contact our Data Protection Officer at dpo@juhaynh.com for any question related to this policy or to exercise your rights under PDPL.
2. Personal data we collect
Identity and contact data: name, email address, phone number, billing and shipping addresses.
Transaction data: orders, payment method (tokenised), delivery status, returns, and any related communications.
Technical data: IP address, device identifiers, browser type, operating system, approximate location, and pages viewed.
Marketing data: your communication preferences and responses to campaigns.
The Service is intended for adults. We do not direct it to minors and do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data, contact dpo@juhaynh.com and we will delete the account and related records promptly.
3. Lawful bases for processing
We process your personal data on one or more of the following lawful bases recognised by PDPL: (a) performance of a contract with you (for order fulfilment and account services); (b) compliance with a legal obligation (such as tax, zakat, and anti-money-laundering regulations); (c) our legitimate interests in operating, protecting, and improving the service, where not overridden by your rights; and (d) your explicit consent, for example for marketing communications.
4. How we use your data
To process and deliver your orders, manage returns, and handle payments; to communicate order status and service notices; to personalise your experience and recommend products; to comply with tax and e-commerce record-keeping obligations; to prevent fraud and secure the platform; and, with your consent, to send you marketing communications, which you may withdraw at any time.
5. Sub-processors and data sharing
We share personal data only with trusted sub-processors who act on our instructions under written contracts that require PDPL-equivalent protection. Current sub-processors include:
• Shopify (order management, hosted checkout, storefront)
• Tap Payments (KSA-licensed payment processor — Mada, Visa, Mastercard, Apple Pay, STC Pay)
• Supabase (authentication, customer database)
• Vercel (web application hosting and edge network)
• Resend (transactional email delivery)
• Sentry (error monitoring and observability)
• Upstash (rate-limiting and caching)
We never sell personal data.
6. International transfers
Some sub-processors operate outside the Kingdom of Saudi Arabia. Specifically:
• Shopify — Canada and the United States
• Tap Payments — Kingdom of Saudi Arabia (data residency in-Kingdom)
• Supabase — European Union (Frankfurt) for the application database; AWS regions for managed services
• Vercel — United States and European Union edge regions
• Resend — United States
• Sentry — United States
• Upstash — European Union (closest region to fra1)
Where personal data is transferred internationally, we rely on mechanisms permitted by PDPL, including assessments of the adequacy of the destination country's data protection regime, standard contractual clauses, and appropriate technical and organisational safeguards (encryption in transit and at rest, access controls, audit logging).
7. Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy. Order and invoicing records are kept for a minimum of ten (10) years, in line with Saudi tax and commercial record-keeping requirements. Account data is retained for the life of your account plus a reasonable grace period; marketing preferences are kept until you unsubscribe. After these periods, data is deleted or irreversibly anonymised.
8. Your rights
Under PDPL you have the right to: (a) be informed of the collection and processing of your personal data; (b) access your personal data and request a copy; (c) request rectification of inaccurate data; (d) request the erasure of your data; (e) object to, or restrict, certain processing activities; and (f) withdraw consent where processing is based on consent. To exercise any of these rights, email dpo@juhaynh.com. We will respond within the statutory period.
9. Security and breach notification
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, least-privilege administration, logging, and regular security reviews. In the event of a personal data breach likely to cause harm, we will notify SDAIA within seventy-two (72) hours of becoming aware of the breach and, where required, inform affected data subjects without undue delay.
10. Cookies and tracking
We use strictly necessary cookies for login, cart, and security. With your consent, we also use analytics cookies to measure performance and marketing cookies to deliver relevant communications. See our Cookie Policy for full details and to manage your preferences.
11. Changes to this policy
We may update this policy from time to time. Material changes will be highlighted on the site and, where appropriate, communicated by email. The "Last updated" date above always reflects the current version.
12. Contact and complaints
For privacy questions, email dpo@juhaynh.com. If you believe your rights have not been respected, you may also lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa.