Privacy Policy

Last updated: June 2026

1. Who We Are

2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Data You Provide Directly

• Account data: name, email address, password (hashed), and account preferences when you register.
• Order data: billing name, billing address, delivery address, phone number, and order history.
• Payment data: card type and last four digits. Full card details are processed by Stripe and never stored on our servers.
• Communications: messages you send us by email, contact form, or WhatsApp.
• Marketing preferences: email newsletter opt-in / opt-out status.
• Bespoke commission data: design specifications and measurements you provide for custom orders.

2.2 Data Collected Automatically

• Technical data: IP address, browser type and version, time zone, browser plug-in types, operating system.
• Usage data: pages visited, time spent, links clicked, referral source.
• Cookie data: session identifiers, preferences, and analytics cookies (see our Cookie Policy).

2.3 Data From Third Parties

• Payment verification: Stripe provides us with payment confirmation, card type, and fraud-risk signals.
• Analytics providers: Google Analytics provides aggregated traffic and behaviour data.
• Social platforms: if you follow or interact with us on Instagram, Facebook, Telegram, Threads, or WhatsApp, those platforms' own privacy policies apply.

3. How We Use Your Data

We process your personal data on the following legal bases:

3.1 Contract Performance (UK GDPR Article 6(1)(b))

• Processing and fulfilling your orders
• Managing returns and refunds
• Providing customer service and responding to enquiries
• Managing bespoke commission projects

3.2 Legitimate Interests (UK GDPR Article 6(1)(f))

• Fraud prevention and transaction security
• Improving our website and services
• Detecting and preventing technical errors
• Business analytics and reporting (aggregated, anonymised data)

3.3 Consent (UK GDPR Article 6(1)(a))

• Sending marketing emails and newsletters (where you have opted in)
• Placing non-essential cookies on your device
• Re-targeting advertising (where consented)

3.4 Legal Obligation (UK GDPR Article 6(1)(c))

• Tax records and accounting obligations
• Responding to lawful requests from regulators or law enforcement

4. Payment Processing — Stripe

We use Stripe, Inc. to process all card payments. Stripe is a PCI-DSS Level 1 certified payment service provider. When you make a purchase:

• Your card details are entered directly on Stripe-hosted payment fields (Stripe Elements).
• Your full card number, CVC, and expiry are transmitted directly to Stripe and are never seen or stored by Azar Rugs.
• We receive only a payment token, card type, and last four digits.
• Stripe may share fraud-risk data with us to help prevent fraudulent transactions.

For full details of how Stripe processes your data, please review Stripe's Privacy Policy.

5. Sharing Your Data

We do not sell your personal data. We share it only with:

• Stripe — for payment processing.
• Delivery partners — your name and delivery address are shared with our logistics partners to fulfil your order.
• Email service providers — to send transactional and marketing emails (where consented).
• Analytics providers — Google Analytics (anonymised, aggregated data only).
• Legal / regulatory authorities — if required by law.

All third-party processors are bound by data processing agreements and may not use your data for their own purposes.

6. International Data Transfers

Some of our service providers (including Stripe and Google) may process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO, to ensure your data receives an equivalent level of protection.

7. Data Retention

• Order data: retained for 7 years for tax and accounting compliance.
• Account data: retained for as long as your account is active, plus 2 years after last activity.
• Marketing data: retained until you unsubscribe.
• Technical logs: retained for up to 12 months.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data where there is no legitimate reason for us to retain it.
• Right to restrict processing: ask us to pause processing of your data in certain circumstances.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests or for direct marketing.
• Rights related to automated decision-making: we do not use solely automated decision-making that produces significant legal effects.

To exercise any of these rights, please contact us at info@azarrugs.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Cookies

We use cookies and similar tracking technologies to operate and improve our website. For full details, please see our Cookie Policy. You can manage your cookie preferences at any time via our Data Preferences page.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption for data in transit, hashed passwords, access controls, and regular security reviews. No internet transmission is 100% secure; we cannot guarantee absolute security.

11. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or a prominent notice on our website. The date at the top of this page indicates when the policy was last revised.

Privacy questions? Contact our data team at info@azarrugs.co.uk