Privacy Policy

1. Introduction

Raffinato for Jewelry Trading ("Raffinato," "we," "our," or "us"), a commercial establishment registered in the Kingdom of Saudi Arabia, is committed to protecting your personal data in accordance with the Saudi Personal Data Protection Law (Royal Decree M/19, the "PDPL") and its implementing regulations, as enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA).

This Privacy Policy explains how we collect, process, store, and share your personal data when you visit our website (hosted on Shopify), visit our boutiques in Jeddah, or engage with our services in any capacity.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as the legal basis for processing, we will obtain it explicitly before any such processing takes place.

2. Information We Collect

2.1 Personal Data You Provide

We collect personal data that you voluntarily provide when you:

• Create an account on our website
• Place an order or complete a purchase
• Subscribe to our newsletter or marketing communications
• Request a bespoke design consultation
• Contact our customer service team
• Visit one of our boutiques and provide your details

The categories of personal data we collect may include:

• Full name and title
• Contact information (email address, phone number, delivery address)
• Billing and shipping addresses
• Payment details (processed securely by our third-party payment processors; we do not store card numbers)
• Order history, product preferences, and sizing information
• Communication history and correspondence with our team

2.2 Data Collected Automatically

When you visit our website, certain data is collected automatically through cookies and similar technologies:

• IP address and approximate geolocation
• Device type, operating system, and browser version
• Pages visited, referring URLs, and navigation patterns
• Date, time, and duration of visits
• Click and scroll behavior
• Language and currency preferences

2.3 Cookies and Tracking Technologies

Our website uses cookies, pixel tags, and similar technologies to provide essential functionality, analyze website performance, and deliver relevant content.

We use the following categories of cookies:

• Essential Cookies: Required for core site functionality such as shopping cart, checkout, and account login. These cannot be disabled.
• Analytics Cookies: Used via Google Analytics to understand how visitors interact with our website, helping us improve your experience.
• Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness. Deployed only with your consent.

You may manage your cookie preferences through your browser settings at any time. Disabling non-essential cookies will not affect core website functionality.

3. How We Use Your Information

We process your personal data for the following purposes and legal bases:

• Order Fulfillment (contractual necessity): To process, ship, and deliver your orders; process payments via Visa, Mastercard, mada, Apple Pay, Tabby, or Tamara; and provide post-purchase support.
• Account Management (contractual necessity): To create and maintain your account, save your preferences, wishlist, and order history.
• Transactional Communications (contractual necessity): To send order confirmations, shipping notifications via our logistics partners, and respond to your inquiries.
• Marketing Communications (consent): To send promotional messages about new collections, exclusive offers, and events. You may withdraw your consent at any time.
• Website Improvement (legitimate interest): To analyze browsing patterns and improve our website, products, and customer experience.
• Fraud Prevention (legitimate interest): To detect and prevent fraudulent transactions, unauthorized access, and other security threats.
• Legal Compliance (legal obligation): To comply with applicable Saudi laws and regulations, including VAT reporting obligations under ZATCA requirements and anti-money laundering regulations.

We will not process your personal data for purposes beyond those stated above without notifying you and, where required, obtaining your consent.

4. How We Share Your Information

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients, solely to the extent necessary for the stated purposes:

4.1 Service Providers

We engage trusted third-party service providers who process data on our behalf under contractual data-processing agreements:

• Payment processors: Visa, Mastercard, mada network, Apple Pay, Tabby, and Tamara
• Shipping and logistics partners
• E-commerce platform: Shopify Inc. (website hosting, order management, and data storage)
• Analytics: Google Analytics (anonymized website usage data)
• Communication platforms: email and SMS service providers for transactional and marketing messages

4.2 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of business assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and ensure that the receiving party upholds equivalent data-protection standards.

4.3 Legal and Regulatory Disclosure

We may disclose your data when required by law, regulation, court order, or a request from a competent Saudi government authority, including SDAIA, ZATCA, or law-enforcement agencies.

4.4 Protection of Rights

We may disclose data where necessary to protect our legal rights, enforce our terms and conditions, or safeguard the safety of our customers, employees, or the public.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• 256-bit TLS/SSL encryption for all data in transit
• PCI DSS-compliant payment processing (card data is handled entirely by certified payment processors)
• Regular security assessments and vulnerability testing
• Role-based access controls limiting employee access to personal data on a need-to-know basis
• Staff training on data-protection obligations and incident-response procedures

While we employ industry-standard security practices, no method of electronic transmission or storage is completely secure. We continually review and enhance our security measures.

In the event of a data breach that poses a serious risk to your rights, we will notify the relevant authorities and affected individuals without undue delay, in accordance with PDPL requirements.

6. Your Privacy Rights

Under the Saudi Personal Data Protection Law (PDPL), you are entitled to the following rights regarding your personal data. We are committed to honoring these rights promptly and free of charge:

6.1 Right of Access

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data in a clear, readable format.

6.2 Right to Correction

You have the right to request correction, completion, or updating of inaccurate or incomplete personal data we hold about you.

6.3 Right to Deletion

You may request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations (such as VAT and financial records).

6.4 Right to Withdraw Consent

Where processing is based on your consent (e.g., marketing communications), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

6.5 Right to Object

You have the right to object to the processing of your personal data where such processing is based on our legitimate interests, and we will cease processing unless we have compelling legitimate grounds.

6.6 Right to Data Portability

You may request a copy of your personal data in a structured, commonly used, and machine-readable format for transfer to another controller.

6.7 Marketing Opt-Out

You can unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in any promotional email or by contacting us directly. We will process your opt-out request within five (5) business days.

To exercise any of these rights, please contact us using the details provided in Section 12 below. We will respond to your request within thirty (30) days. We may need to verify your identity before processing your request.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law. The following retention periods apply:

• Account data: retained for the duration of your account and for two (2) years following account closure
• Order and transaction records: retained for seven (7) years as required by ZATCA for VAT and tax-compliance purposes
• Marketing consent records: retained for the duration of your subscription plus one (1) year after withdrawal of consent
• Website analytics data: retained in anonymized form for up to twenty-six (26) months

Upon expiry of the applicable retention period, your data will be securely deleted or irreversibly anonymized.

8. International Data Transfers

Our website is hosted on the Shopify platform, whose servers are located in Canada and the United States. As a result, your personal data may be transferred to and processed in jurisdictions outside the Kingdom of Saudi Arabia. Additionally, some of our service providers (such as Google Analytics and payment processors) may process data in other countries.

In accordance with the PDPL, we ensure that any cross-border transfer of personal data is subject to appropriate safeguards, including contractual commitments from the receiving parties to maintain a level of data protection equivalent to that required under Saudi law.

9. Children's Privacy

Our products and services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us immediately so that we may take appropriate steps to delete such data.

10. Third-Party Links

Our website may contain links to third-party websites, including social-media platforms and external payment services. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party website before providing your personal data.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be posted on this page with an updated "Last Updated" date. Where significant changes affect how we process your data, we will notify you via email or a prominent notice on our website. Your continued use of our services following such notification constitutes your acceptance of the updated Policy.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or need to submit a complaint regarding the handling of your personal data, please contact us:

If you believe your data-protection rights have not been adequately addressed, you have the right to lodge a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA), the competent supervisory authority for data-protection matters in the Kingdom of Saudi Arabia.