Privacy Policy

What data we collect, why we collect it, who we share it with, and the rights you have over it.

1. What we collect

When you visit the site or place an order, we collect only what we need to serve you:

Order details — your full name, email address, phone number, shipping and billing addresses, the products you ordered, and the total amount paid.
Payment information — handled entirely by Stripe. We never see or store your full card number, CVV, or PIN. Stripe gives us a token and the last four digits for our records.
Communications — anything you send us by email, WhatsApp, or contact form.
Technical data — your IP address, browser and device type, and pages visited. This is used to display the right currency for your region, prevent fraud, and keep the site fast.
Local browser storage — your cart contents and your chosen display currency are saved in your browser's localStorage so they persist between visits. This data lives on your device, not ours.

2. Why we collect it

To process your order, take payment, and ship your device.
To send you order-confirmation, shipping, and customer-service emails.
To comply with applicable tax and accounting law, which requires us to keep transactional records.
To detect and prevent fraudulent orders.
To show prices in your local currency automatically (best-effort, based on your IP).

We do not sell, rent, or trade your data to anyone for marketing purposes. We don't run an advertising network, we don't build tracking profiles, and we don't use your data to retarget you on other sites.

3. Who we share it with

To run the business, we use a small number of trusted service providers — each of them only sees the part of your data they need to do their job:

Stripe — processes your payment. Sees your name, email, billing/shipping address, and card details.
Resend — delivers transactional email (order confirmations, shipping updates). Sees your name and email.
Supabase — our database. Stores your order record (name, email, phone, addresses, items ordered, total) in encrypted form.
Vercel — hosts the website and our serverless functions. Receives request data (IP, headers, URL) for the duration of each request.
ipapi.co — used once when you first visit, to guess your country so we can display prices in your local currency. Receives your IP address only.
Courier (DHL, FedEx, Aramex, etc.) — receives your name, shipping address, and phone number to deliver the package.

If law enforcement makes a lawful request supported by valid jurisdiction (e.g. a court order from a competent authority), we will comply — but only to the extent required.

4. Cookies & tracking

The site itself does not set any tracking cookies. Stripe sets cookies on its own checkout pages for fraud prevention, which is outside our control. Browser localStorage is used (as noted above) for your cart and currency preference — these are functional, not tracking, and can be cleared at any time from your browser settings.

5. Data retention

Order records are retained for at least 5 years after the order date, in line with applicable accounting and tax regulations.
Communications (WhatsApp / email threads) are kept as long as the conversation remains relevant for customer service — typically up to 2 years after the last reply.
Marketing-style data: we don't collect any. There's nothing to retain on that front.

6. Your rights

Wherever you live, you have the right to:

Access — ask for a copy of the personal data we hold about you.
Correct — ask us to fix anything inaccurate (e.g. updated shipping address before dispatch).
Delete — ask us to delete your data. We will do so promptly, except for the parts we are legally required to retain (order records for tax purposes — see above).
Object / restrict — ask us to stop using your data in a particular way.
Withdraw consent — for anything we do that relies on your consent.

To exercise any of these rights, email orders@unlockedbyoutflex.com from the email address on your order. We will respond within 30 days.

If you are in the European Union or United Kingdom, you also have the right to lodge a complaint with your local data-protection authority if you believe we have mishandled your data. We'd appreciate the chance to fix things ourselves first, though — just message us.

7. Security

The site is served over HTTPS end-to-end. All traffic between you and us is encrypted.
Payments are processed by Stripe, which is PCI-DSS Level 1 certified — the highest standard for handling card data.
Our database (Supabase) encrypts data at rest. Access is restricted via row-level security and a short list of authorised administrators.
We don't store passwords on the site — there are no customer accounts. Each order stands alone.

No system is 100% secure, but we take reasonable steps to keep your data safe and will notify affected customers promptly if a breach ever occurs.

8. International data transfers

Our service providers (Stripe, Vercel, Supabase, Resend) operate in the United States, Europe, and elsewhere. By placing an order, you understand that your data may be transferred to and processed in countries outside your own. We rely on the service providers' standard contractual clauses and certifications to maintain adequate protection.

9. Children's privacy

We don't knowingly collect data from anyone under 18. If you believe a minor has placed an order or contacted us, let us know and we'll delete the relevant data.

10. Changes to this policy

We may update this Privacy Policy from time to time — for example, if we add a new service provider or change how we handle a particular piece of data. The "Last updated" date at the top of this page will reflect any changes. Material changes will be highlighted on the site for a reasonable period.

11. Contact

Questions, requests, or concerns about your data? Email orders@unlockedbyoutflex.com or message us on WhatsApp (+971 58 673 7050). We read every message.