Privacy Policy
Last updated: 24th December 2025
1) Who we are (Controller)
“Sanipex Group”, acting through the legal entity named on the Imprint/Company Information page of the relevant storefront, is the controller for the processing described in this Notice.
Privacy contact: [email protected]
Postal address: as per the Imprint for the applicable storefront.
Where required by law, we will identify our Data Protection Officer and any EU/UK representative in the Imprint and the Regional Annexes.
2) Scope and how to read this Notice
This Notice applies to website visitors, account-holders, customers and prospective customers, delivery/installation/warranty recipients, and marketing/event contacts. Applicant data may be covered by a separate Applicant Privacy Notice.
Read this together with:
• Terms & Conditions of Sale
• Cookie Policy & Preferences Centre
• Returns & Refunds Policy, Shipping & Delivery Policy, Installation Terms & Work Order, Warranty Policy
Regional Annexes prevail where they apply (UAE/MEA, UK/EU, KSA, Qatar, GCC-Other, Wider MEA).
3) Categories of personal data we collect
• Identity & contact: name, title, addresses, email, phone; company/role for B2B.
• Account: login, hashed password, saved addresses, preferences.
• Orders & payments: cart contents, order history, invoices, delivery/collection instructions, payment authorisation tokens handled by payment providers; we do not store full card numbers.
• Installation & site: appointments, site readiness/access notes, and photographs shared by you or taken with your permission for diagnosis.
• Warranty & after-sales: product serial numbers, fault descriptions, service history, correspondence.
• Device/usage: IP address, device identifiers, browser type, analytics events, cookie IDs per the Cookie Policy.
• Marketing & events: marketing preferences, engagement metrics, event RSVPs and attendance.
• B2B trade details: purchasing authority, VAT/Tax ID, trade references.
• Loyalty/benefits (if applicable): loyalty identifiers and profile attributes where you choose to link them to your account.
• CCTV/visit logs: if you attend our premises, subject to local signage/notice.
Special-category and criminal-conviction data (limited). We do not seek special-category data. If you provide such data voluntarily, or where law requires checks, we process it only on the narrow grounds permitted by law and with appropriate safeguards.
4) Sources of personal data
• Directly from you (forms, checkout, email/phone/chat, in-store).
• Automatically via cookies/SDKs/analytics (see Cookie Policy).
• From third parties: payment providers, delivery and installation partners, anti-fraud and security services, CRM/marketing platforms, Sanipex affiliates, and public sources.
5) Purposes and lawful bases
We process your data for the purposes below, under the listed lawful bases (regional equivalents appear in the annexes):
• Account setup & management — Contract; Legitimate interests (secure accounts).
• Order intake, payment & invoicing — Contract; Legal obligation (tax); Legitimate interests (fraud prevention).
• Delivery/collection & scheduling — Contract; Legitimate interests (efficient fulfilment, safety).
• Installation & exceptional works — Contract; Legitimate interests (quality/safety); Consent where photos are optional.
• Warranty, returns & recalls — Contract; Legal obligation (product safety); Legitimate interests.
• Customer service & disputes — Contract; Legitimate interests (service, evidence).
• Marketing (email/SMS/WhatsApp/push) — Consent where required; Legitimate interests where permitted with opt-out.
• Personalisation & analytics — Consent for non-essential cookies; Legitimate interests for essential analytics.
• Security & fraud prevention — Legitimate interests; Legal obligation where mandated.
• Regulatory compliance & audit — Legal obligation; Legitimate interests (compliance).
Where we rely on consent, you may withdraw it at any time via the Preferences Centre or unsubscribe links.
6) Cookies and tracking
We use cookies and similar technologies for functionality, performance, analytics and advertising in line with our Cookie Policy & Preferences Centre. Non-essential cookies operate on a prior-consent basis and can be changed at any time.
7) Disclosures and international transfers
Disclosures. We share personal data, as necessary, with service providers (hosting, payments, logistics/installation, customer support, CRM/marketing, analytics, warranty and product-safety partners), Sanipex affiliates for consolidated operations and security, professional advisers, authorities/regulators and dispute-resolution bodies, and potential successors subject to confidentiality.
Cross-border storage and transfers. We operate internationally and may store or process data in the GCC and other countries. Where personal data moves cross-border, we implement appropriate safeguards: EU/UK Standard Contractual Clauses and/or UK Addendum with supplementary measures where appropriate; recognised transfer grounds under UAE Mainland/DIFC/ADGM, KSA and Qatar frameworks; or contractual safeguards with recipients. You may request high-level information about the relevant safeguards.
8) Retention
We retain personal data only as long as needed for the purpose collected, including: orders/tax records typically 6–10 years (jurisdiction-specific); warranty/product-safety records for the warranty term plus a safety buffer; accounts for the life of the account and a defined archival period; marketing until you withdraw consent/object or after defined inactivity; CCTV/visit logs for short periods unless an incident requires longer. When retention ends, we securely delete or anonymise data.
9) Your rights
Subject to law and region, you may have rights to: access, rectification, erasure, restriction, portability, objection (including to direct marketing), and to withdraw consent. We may verify identity/authority before acting.
You also have the right to complain to your supervisory authority; details appear in the Regional Annexes.
10) Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. Any personalisation used for marketing is optional and subject to your preferences.
11) Children
Our e-commerce services are not directed to children. If a child has provided data without appropriate consent, contact us and we will take appropriate steps.
12) Security
We implement technical and organisational measures appropriate to the risk, including access controls, encryption in transit and at rest where appropriate, network segregation, backup/recovery, and vendor due diligence. No system is perfectly secure; please use our security contact route for responsible vulnerability reporting.
13) Third-party links and social media
Our sites may link to third-party websites, plug-ins and apps. Their privacy statements govern those services; review them before providing data.
14) Changes to this Notice
We may update this Notice to reflect legal, technical or business changes. Material changes will be signposted reasonably in advance. The Effective date and Version indicate the current edition.
Regional Annexes
Annex A — UAE Mainland (PDPL), DIFC DP Law 2020, ADGM DPR 2021
Lawful bases: consent, performance of a contract, legal obligation, legitimate interests balanced against your rights.
Transfers: adequacy decisions, appropriate safeguards or permitted derogations under the applicable UAE/DIFC/ADGM frameworks.
Rights: access, correction, erasure, restriction, portability (where available), objection (including to direct marketing), and withdrawal of consent.
Authorities: UAE Data Office (PDPL), DIFC Commissioner of Data Protection, ADGM Office of Data Protection.
Marketing: we follow local e-marketing and telecoms rules; you can opt out at any time.
Annex B — Kingdom of Saudi Arabia (KSA)
We process data in accordance with KSA data-protection and consumer-protection rules. Where data leaves KSA, we use legally recognised mechanisms (for example, contractual safeguards or other permitted grounds).
Rights: access, rectification, erasure and marketing opt-out can be exercised per Section 9.
Annex C — State of Qatar
We process data in accordance with applicable Qatari data-protection and consumer-protection requirements. Where data is transferred abroad, we apply appropriate safeguards or other lawful mechanisms.
Rights requests and complaints can be made via the contact in Section 1.
Annex D — United Kingdom and European Union (UK GDPR / EU GDPR; PECR/ePrivacy)
Controller/representative: the UK storefront is controlled by the UK entity named on the Imprint. Where required, we appoint an EU representative and/or UK representative.
Transfers: EU Standard Contractual Clauses and/or UK Addendum plus supplementary measures where needed.
Rights & complaints: full GDPR rights as listed above, with the right to complain to the ICO (UK) or your local DPA (EU).
Cookies/marketing: non-essential cookies only with consent; direct electronic marketing aligned with PECR/ePrivacy with opt-out controls.
Annex E — GCC (Other Member States)
Applies when the customer is located in, or a sale is concluded via a storefront serving, GCC states other than the UAE, KSA and Qatar (e.g., Bahrain, Oman, Kuwait).
Controller: the Sanipex entity shown on the local storefront Imprint (or, where no local entity trades, the UAE entity shown on the Imprint acts as controller for that storefront).
Lawful bases: as set out in Section 5 of this Notice (performance of contract, legal obligation, legitimate interests balanced against your rights, and consent where required).
Transfers: where personal data is transferred outside the customer’s country, we use appropriate safeguards (for example, contractual protections with recipients or other legally recognised mechanisms).
Rights: subject to local law, individuals may request access, correction, erasure, restriction, objection (including to direct marketing), portability where applicable, and withdrawal of consent. Requests can be made via the contact in Section 1.
Complaints: individuals may raise concerns with us using the contact in Section 1. Where a local supervisory authority accepts privacy complaints, details can be provided on request or via our website.
Cookies/marketing: non-essential cookies operate on prior consent using our Preferences Centre. Direct electronic marketing follows applicable telecoms/e-marketing rules; you may opt out at any time.
Annex F — Wider MEA (Middle East & Africa)
Applies when customers are located in, or sales are concluded via, Sanipex storefronts serving countries in the Middle East and Africa outside the GCC.
Controller: the Sanipex entity named on the relevant storefront Imprint (or, if none is listed for that territory, the UAE entity shown on the Imprint).
Lawful bases: as set out in Section 5 (contract, legal obligation, legitimate interests, consent).
Transfers: operations may require storage or processing in other countries. When transferring personal data across borders, we apply appropriate safeguards (for example, contractual protections with recipients or other legally recognised mechanisms).
Rights: depending on local law, you may be entitled to request access, correction, erasure, restriction, objection (including to direct marketing), portability where available, and to withdraw consent. Exercise these rights via the contact in Section 1.
Complaints: you may contact us using the details in Section 1. Where a national privacy regulator or consumer authority accepts complaints, we will provide their details on request.
Cookies/marketing: our Preferences Centre lets you grant or withdraw consent for non-essential cookies at any time. You can unsubscribe from electronic marketing at any time using the methods provided in each message.