Privacy policy
1) General Information and Controller Details
1.1 Thank you for visiting our website and for your interest in our company. In this notice, we explain how your personal information is handled when you use our website. “Personal data” means any information that can identify you as an individual.
1.2 The data controller responsible for processing your personal data under the General Data Protection Regulation (GDPR) is:
Bassaffine F.Z.E
Freezone Establishment - Limited Liability
Ajman Freezone C1 Building
Office - C1 - 1F - SF4130
United Arab Emirates
E-mail: info@bassaffine.co
The data controller is the individual or legal entity who, alone or together with others, determines the purposes and means of processing personal data.
2) Data Collection When Visiting Our Website
2.1 Server log files
When you access our website purely for information purposes (without registering or providing information in other ways), we only collect the data that your browser automatically sends to our server (known as “server log files”). These include:
- Website visited
- Date and time of access
- Data volume transferred
- Referring page (referrer URL)
- Browser type and version
- Operating system used
- IP address (possibly in anonymised form)
This processing is carried out under Art. 6(1)(f) GDPR based on our legitimate interest in ensuring website stability and security. Your data will not be shared with third parties or used otherwise. However, we may review log files later if there are concrete signs of unlawful use.
2.2 SSL/TLS encryption
To protect the transmission of personal data and other confidential content (e.g. orders or contact requests), our website uses SSL/TLS encryption. An encrypted connection is recognisable by “https://” and the padlock symbol in your browser.
3) Hosting & Content Delivery Network
Shopify
We host our website using the service of Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
Data may also be processed by:
- Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada
- Shopify Data Processing (USA) Inc.
- Shopify Payments (USA) Inc.
- Shopify (USA) Inc.
All information collected on this site is processed on Shopify’s servers. We have signed a Data Processing Agreement with Shopify to ensure that visitor data is handled securely and is not shared with unauthorised third parties.
- For transfers to the USA, Shopify relies on the EU Commission’s Standard Contractual Clauses.
- For transfers to Canada, an adequacy decision of the EU Commission guarantees an equivalent level of data protection.
4) Cookies
We use cookies (small text files stored on your device) to improve your browsing experience and to enable certain website functions.
- Session cookies are deleted once you close your browser.
- Persistent cookies remain stored and allow us to remember your preferences; their storage duration can be checked in your browser’s cookie settings.
Where cookies involve processing of personal data, the legal basis is:
- Art. 6(1)(b) GDPR (performance of contract),
- Art. 6(1)(a) GDPR (consent), or
- Art. 6(1)(f) GDPR (legitimate interests in optimal website performance and user experience).
You may configure your browser to notify you when cookies are set, to allow cookies only in certain cases, or to block them entirely. Please note that disabling cookies may limit the functionality of this website.
5) Contacting Us
5.1 WhatsApp Business
Visitors to our website may contact us through WhatsApp, operated by WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. We use the “Business” version of the app.
- If you contact us regarding a specific order, we process your WhatsApp phone number and, if provided, your name, under Art. 6(1)(b) GDPR to handle your request. Additional data (such as order number or address) may be requested to allocate your inquiry.
- For general inquiries, we rely on Art. 6(1)(f) GDPR, as it is in our legitimate interest to provide quick responses.
Data is only used to respond to your query and is never shared with third parties.
Please note: WhatsApp Business has access to our device’s contact list and transfers these numbers to servers of its parent company Meta Platforms Inc. in the US. To avoid unrelated data transfers, our business device only stores contacts of users who have contacted us through WhatsApp.
Further details: WhatsApp Privacy Policy.
For data transfers to the US, Meta participates in the EU-US Data Privacy Framework, which ensures compliance with European standards.
5.2 Contact via form or e-mail
When you contact us via a form or e-mail, we collect only the data necessary to process and respond to your request. The legal basis is:
- Art. 6(1)(f) GDPR (legitimate interest in handling inquiries), or
- Art. 6(1)(b) GDPR (contract-related requests).
Your information will be deleted once your query has been fully resolved, provided no statutory obligations require longer storage.
6) Comment Function
If you leave comments on our website, we will store and display the comment, the chosen username, and the date of posting. For security reasons, we also log your IP address, which may be used in the event of unlawful content or rights violations. We also require your e-mail address in case we need to contact you.
The legal basis is Art. 6(1)(b) and (f) GDPR. We reserve the right to delete comments reported as unlawful.
7) Use of Customer Data for Direct Marketing
7.1 Newsletter subscription
If you sign up for our email newsletter, we will send you regular updates about our products and offers. Only your email address is required; any additional details are optional and help us personalise messages. We use a double opt-in process: you will receive an email asking you to confirm your subscription by clicking a link.
By activating the confirmation link, you consent to processing under Art. 6(1)(a) GDPR. For security and documentation, we also store your IP address provided by your ISP as well as the date and time of registration. We use the data collected during registration solely for newsletter delivery.
You may unsubscribe at any time using the link included in each newsletter or by contacting us. Upon unsubscribing, your email address will be promptly removed from our distribution list unless you explicitly consent to further use, or we are legally entitled to continued processing as stated in this policy.
7.2 Newsletter to existing customers
If you have provided your email address during a purchase, we may send you email offers for products similar to those already purchased. This occurs on the basis of § 7(3) UWG and Art. 6(1)(f) GDPR (our legitimate interest in direct advertising). You can object at any time with effect for the future by notifying us; we will then stop sending such emails.
8) Processing of Data for Order Fulfilment
8.1 Submitting image files by email for customisation
Where our services include personalising products using images you provide, you may send one or more image files to the email address published on our website. We collect, store and use these files exclusively to produce the customised item as described on the site. If we need to pass the files to specialised service providers to complete your order, we will inform you accordingly below. No further disclosure takes place. If the files contain personal data (e.g., identifiable persons), processing is performed solely to fulfil your order under Art. 6(1)(b) GDPR. After your order has been completed, the image files are automatically and fully deleted.
8.2 Essential sharing with shipping and payment providers
To deliver goods and process payments, we transfer necessary personal data to the contracted shipping company and financial institution pursuant to Art. 6(1)(b) GDPR.
If we are legally required to provide updates for goods with digital elements or digital products, we process your contact data (name, address, email) to inform you about such updates within the statutory timeframe (Art. 6(1)(c) GDPR). We use these details strictly for this purpose.
8.3 External shipping partners
For delivery, we cooperate with external carriers. We transmit your name and delivery address (and, where required for delivery, your phone number) to the selected shipping partner solely for that purpose, under Art. 6(1)(b) GDPR.
8.4 easybill
We use easybill GmbH, Düsselstr. 21, 41564 Kaarst, Germany to process orders. Name, address and—where necessary—other personal data are shared under Art. 6(1)(b) GDPR exclusively to manage your order. Data is only transferred insofar as required.
8.5 Shopify Order Printer
We use Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland for order documentation (Order Printer). Name, address and where applicable other details are transmitted to process your order under Art. 6(1)(b) GDPR, and only to the extent necessary. The provider also supports bookkeeping workflows. If personal data is processed in that context, it is based on our legitimate interest in efficient organisation and documentation of business transactions (Art. 6(1)(f) GDPR).
8.6 Payment service providers
- Amazon Pay (Amazon Payments Europe s.c.a., 38 avenue J. F. Kennedy, L-1855 Luxembourg)
For advance-payment methods (e.g., credit card), we transmit payment data you provide during checkout (name, address, bank/card info, currency, transaction number) and order details to the provider exclusively for payment processing (Art. 6(1)(b) GDPR).
- PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg)
For advance-payment methods, the same categories of data are transmitted solely to process the payment (Art. 6(1)(b) GDPR).
For methods where the provider grants advance performance (e.g., invoice/instalments), you may be asked for additional personal details. To protect our legitimate interest in assessing credit risk, we may transmit your data to the provider for a credit check (Art. 6(1)(f) GDPR). You may object at any time, but the provider may still process data where necessary to fulfil payment processing.
- Shopify Payments (Shopify International Limited, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland)
For advance-payment methods, payment and order data are transmitted solely for payment execution (Art. 6(1)(b) GDPR). The provider may involve additional payment services; related conditions will be indicated where relevant.
9) Online Marketing
Google AdSense
We use Google AdSense, a service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). AdSense uses cookies and web beacons to analyse use of the website and measure ad performance. Information (including your IP address) may be transmitted to and processed on Google servers; transfers to Google LLC in the USA may occur.
All processing described—especially reading/storing information on your device—occurs only with your consent (Art. 6(1)(a) GDPR) via our Cookie Consent Tool. You can withdraw consent at any time with future effect by disabling the service in that tool.
For US transfers, Google participates in the EU-US Data Privacy Framework (DPF). Further information on Google’s privacy controls: https://privacy.google.com/intl/en-GB/take-control.html?categories_activeEl=sign-in
10) Web Analytics
10.1 Google (Universal) Analytics
This site may use Google (Universal) Analytics (Google Ireland Limited). The service uses cookies; data (including a shortened IP address) may be transmitted to Google servers and, where applicable, to Google LLC in the USA. We use the “_anonymizeIp()” feature, which truncates IPs within the EU/EEA to remove direct personal reference.
On our behalf, Google compiles reports on website usage and provides related services. The IP address transmitted via Google Analytics is not merged with other Google data.
Processing—especially cookie placement—occurs only with your prior consent (Art. 6(1)(a) GDPR). You can revoke consent anytime via the Cookie Consent Tool.
We have a Data Processing Agreement with Google. For US transfers, Google participates in the EU-US DPF.
More info: https://policies.google.com/privacy and https://policies.google.com/technologies/partner-sites
Demographics
Google Analytics may use the “Demographics” feature to create aggregated statistics on age, gender and interests for audience segmentation. These datasets are not attributable to specific individuals.
Google Signals
If enabled and you consent (Art. 6(1)(a) GDPR), Google can generate cross-device reports for users who are signed into a Google account and have “personalised ads” activated. We receive only aggregated statistics. You can disable personalised ads in your Google account settings.
User IDs
If you create an on-site account and consent to Analytics, we may use User IDs to analyse usage across devices. We see aggregated reports only.
10.2 Google Analytics 4 (GA4)
We may also use Google Analytics 4. GA4 cookies collect information on site use; the IP address transmitted by your device is automatically anonymised by truncation (last digits removed) within the EU/EEA.
On our behalf, Google generates usage reports and related services. The truncated IP address is not combined with other Google data. GA4 data collected for these purposes is typically retained for 2 months then deleted. The “Demographic” reports in GA4 (if used) are retained for 2 months and are not person-specific.
GA4 runs only with your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via the Cookie Consent Tool. We have a DPA with Google; for US transfers, Google participates in the EU-US DPF.
Further information: https://policies.google.com/privacy and https://policies.google.com/technologies/partner-sites
11) Retargeting / Remarketing / Referral Advertising
Google Ads Remarketing & Conversion Tracking
We use Google Ads (Google Ireland Limited) to display interest-based advertising and to measure conversions. When you click a Google ad, a conversion cookie is set (valid typically for 30 days). This enables Google and us to recognise that someone clicked the ad and reached a tagged page. Each Ads customer receives a different cookie; cross-site tracking across different customers’ sites does not occur.
We receive aggregated statistics only—no information that personally identifies users. Transfers to Google LLC in the USA may occur.
Processing—especially setting cookies—occurs only with consent (Art. 6(1)(a) GDPR), which you can revoke in the Cookie Consent Tool. You can also opt out persistently via the browser add-on: https://support.google.com/ads/answer/7395996
Google privacy info: https://www.google.com/policies/technologies/ads/
Google participates in the EU-US DPF.
12) Tools and Miscellaneous
12.1 DATEV
We use the cloud-based accounting service of DATEV eG, Paumgartnerstr. 6–14, 90429 Nuremberg, Germany. The provider processes invoices and, where applicable, bank transactions to record documents, match them to transactions and generate accounting records in a semi-automated process. Where personal data is processed, this is based on our legitimate interest in efficient administration and documentation (Art. 6(1)(f) GDPR).
12.2 Cookie Consent Tool
We use a consent management solution to obtain valid user consent for cookies and similar technologies that require consent. The tool appears as an interactive interface when you visit the site and loads such services only after you opt in. Technically necessary cookies are used to store your preferences.
If, in individual cases, personal data (e.g., IP address) is processed for storing, mapping or logging consent, processing is based on our legitimate interest in compliant, user-specific consent management (Art. 6(1)(f) GDPR) and on our legal obligation to obtain consent for non-essential cookies (Art. 6(1)(c) GDPR). Further details can be found directly in the tool’s interface.
13) Your Rights
Under the GDPR, you have the following rights with regard to your personal data:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to be informed (Art. 19)
- Right to data portability (Art. 20)
- Right to withdraw consent (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
Right to object (Art. 21 GDPR)
If we process your data based on our legitimate interests, you may object at any time on grounds relating to your particular situation, with effect for the future. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is needed to assert, exercise or defend legal claims.
Where we process your data for direct marketing, you may object at any time; if you do so, we will cease processing for those purposes.
14) Storage Period
The retention period for personal data depends on the legal basis, the processing purpose and—if applicable—statutory retention duties (e.g., commercial and tax laws).
- Where processing is based on consent (Art. 6(1)(a) GDPR), we store the data until consent is withdrawn.
- Where statutory retention periods apply to data processed under Art. 6(1)(b) GDPR, we delete the data after those periods end, unless continued storage is necessary for contract performance/initiation or we have a legitimate interest in further retention.
- For processing based on legitimate interests (Art. 6(1)(f) GDPR), we retain data until you object pursuant to Art. 21(1) GDPR, unless we demonstrate overriding legitimate grounds or need the data for legal claims.
- For direct marketing under Art. 6(1)(f) GDPR, data is retained until you object under Art. 21(2) GDPR.
Unless otherwise stated in this policy for specific processing situations, we delete personal data when it is no longer necessary for the purposes for which it was collected or otherwise processed.