Gift Of Flowers

Privacy Policy

Gift of Flowers respects your privacy and is fully committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights you have over it — in full compliance with the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL), issued under Royal Decree No. M/19.

Last Updated: May 2025  |  Effective Date: May 2025  |  Applies to all users of giftoflowers.com

Please read this policy carefully. By using our website or placing an order with us, you confirm that you have read, understood, and agree to the collection and use of your personal data as described in this Privacy Policy.


Contents

  1. Who We Are
  2. What Personal Data We Collect
  3. How We Collect Your Data
  4. Why We Use Your Data (Purposes & Legal Basis)
  5. Who We Share Your Data With
  6. Marketing & Communications
  7. Cookies & Tracking Technologies
  8. How We Protect Your Data
  9. How Long We Keep Your Data
  10. Cross-Border Data Transfers
  11. Your Rights Under the KSA PDPL
  12. Children’s Privacy
  13. Changes to This Policy
  14. How to Contact Us

1. Who We Are

Gift of Flowers is an online flower and gift delivery business operating in Jeddah, Saudi Arabia, accessible through giftoflowers.com. We are the data controller responsible for your personal data — meaning we decide how and why your personal data is processed.

If you have any questions about how we handle your data, please contact us using the details above or refer to Section 14.


2. What Personal Data We Collect

We collect only the personal data that is necessary to provide our services. This includes:

a) Identity Data

Your first name, last name, and username or account identifier when you register or place an order.

b) Contact Data

Your billing address, delivery address, email address, and telephone/WhatsApp number.

c) Recipient Data

When you send flowers or gifts to another person, you provide us with the recipient’s name, delivery address, and phone number. You are responsible for ensuring you have the right to share this person’s data with us. We use this data solely to complete your delivery.

d) Financial Data

Payment card details, bank information, or other payment method information. We do not store your full card details on our servers — all payment transactions are processed through encrypted, PCI-DSS-compliant payment gateways.

e) Transaction Data

Details of orders you have placed with us, including products purchased, delivery dates, order value, and order history.

f) Technical Data

Your IP address, browser type and version, device type, time zone, pages visited, and how you arrived at our website (e.g., via search engine or social media). This is collected automatically via cookies and similar technologies.

g) Usage Data

Information about how you navigate and interact with our website, including which products you view, how long you spend on pages, and what you add to your cart.

h) Communications Data

Any messages, emails, WhatsApp conversations, or feedback you send us, including customer service interactions and order-related communications.

i) Marketing Preferences

Your preferences regarding receiving marketing communications from us, and any opt-in or opt-out choices you have made.

We do not collect: sensitive personal data such as national ID numbers, health data, biometric data, or any information about minors under the age of 18.


3. How We Collect Your Data

We collect your data through the following means:

  • Direct interactions: When you create an account, place an order, contact us by email or WhatsApp, subscribe to our newsletter, or fill in a form on our website.
  • Automated technologies: As you browse our website, we automatically collect technical and usage data using cookies, server logs, and similar tracking technologies (see Section 7).
  • Third-party sources: We may receive data about you from payment processors, delivery partners, analytics providers, and social media platforms if you interact with our content or ads.

4. Why We Use Your Data (Purposes & Legal Basis)

Under the KSA Personal Data Protection Law (PDPL), we must have a lawful basis for processing your personal data. The table below explains what we use your data for and the legal basis for each purpose:

| Purpose | Data Used | Legal Basis (PDPL) |
|---|---|---|
| Process and fulfil your order (flowers, cakes, gifts) | Identity, Contact, Recipient, Financial, Transaction | Contract performance |
| Process your payment securely | Financial, Identity | Contract performance / Legal obligation |
| Arrange delivery of your order | Contact, Recipient, Transaction | Contract performance |
| Send you order confirmations, delivery updates, and receipts | Identity, Contact, Transaction | Contract performance |
| Manage your account and order history | Identity, Contact, Transaction | Contract performance / Legitimate interest |
| Handle returns, refund claims, and customer complaints | Identity, Contact, Transaction, Communications | Contract performance / Legal obligation |
| Comply with legal and tax obligations (e.g., VAT records, ZATCA) | Identity, Financial, Transaction | Legal obligation |
| Send marketing emails, WhatsApp messages, or SMS (only with your consent) | Identity, Contact, Marketing Preferences | Consent (opt-in required) |
| Improve our website and user experience | Technical, Usage | Legitimate interest |
| Fraud prevention and security monitoring | Identity, Technical, Transaction | Legitimate interest / Legal obligation |
| Respond to your enquiries and customer service requests | Identity, Contact, Communications | Contract performance / Legitimate interest |

We will only use your data for the purposes listed above. If we need to use your data for a new purpose, we will update this policy and notify you where required by law.


5. Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party. We share your data only where necessary to deliver your order or comply with legal requirements, and only with trusted parties who are bound by confidentiality and data protection obligations.

Parties we may share your data with:

  • Delivery drivers and logistics partners — Your name, delivery address, and phone number are shared with our delivery team to fulfil your order.
  • Payment processors — Your payment data is transmitted securely to our payment gateway provider (e.g., Mada, PayTabs, HyperPay) in encrypted format. We do not store full card details.
  • IT and website service providers — Providers who host our website, manage our database, or provide technical support may access data as part of their service to us. They act only on our instructions.
  • Email and communication platforms — Services used to send order confirmation emails or marketing messages (e.g., Mailchimp, WhatsApp Business API).
  • Analytics providers — Tools such as Google Analytics that help us understand how visitors use our website. Data used in analytics is aggregated and anonymised where possible.
  • Government and regulatory authorities — We may be legally required to disclose your data to Saudi government bodies, law enforcement, SDAIA, ZATCA, or courts when legally obligated to do so. We document all such requests as required by the PDPL Implementing Regulations.

We communicate only the minimum information necessary in each case. Nothing in this policy imposes any responsibility on Gift of Flowers for how third-party recipients handle data beyond the scope of our instructions.


6. Marketing & Communications

We will only send you marketing communications — including promotional emails, WhatsApp messages, or SMS — if you have explicitly opted in to receive them. This is a requirement of both the KSA PDPL and the Saudi E-Commerce Law.

You may receive the following types of communications:

  • Order confirmations and delivery updates (these are transactional, not marketing, and do not require opt-in)
  • Seasonal promotions and offers (Eid, Valentine’s Day, Mother’s Day, etc.) — opt-in only
  • New product launches and featured arrangements — opt-in only
  • Loyalty rewards and discount codes — opt-in only

Opting Out

You can unsubscribe from marketing messages at any time by:

  • Clicking the “Unsubscribe” link at the bottom of any marketing email
  • Replying “STOP” to any marketing WhatsApp or SMS message
  • Emailing us at [email protected] with the subject: “Unsubscribe”

Opting out of marketing does not affect transactional messages about your orders. We process opt-out requests within 5 business days.


7. Cookies & Tracking Technologies

Our website uses cookies — small text files placed on your device — to help us operate the website, remember your preferences, and understand how visitors use our site.

Types of cookies we use:

| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Required for the website to function (e.g., keeping items in your cart, login sessions) | No — essential to service |
| Functional | Remember your preferences (e.g., language, location, saved addresses) | Yes |
| Analytics | Understand how visitors use our site (e.g., Google Analytics — data is anonymised) | Yes |
| Marketing / Targeting | Track visits across websites for advertising purposes (e.g., retargeting ads on Instagram/Google) | Yes |

You can control and manage cookies through your browser settings. Disabling certain cookies may affect the functionality of our website. For more information on managing cookies, visit allaboutcookies.org.


8. How We Protect Your Data

We take data security seriously and have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These include:

  • SSL encryption (HTTPS) on all pages of our website to protect data in transit
  • Encrypted payment processing — card data is transmitted directly to PCI-DSS-compliant payment gateways and is never stored on our servers
  • Access controls — only authorised staff who need access to fulfil orders can access customer data
  • Password protection and secure authentication for internal systems
  • Regular review of our data handling practices and security measures

Data Breach Notification

In the event of a personal data breach that may harm your rights or interests, we will notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of the breach, as required by the PDPL Implementing Regulations. If the breach poses a high risk to your rights, we will also notify you directly without undue delay.


9. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, and in compliance with applicable KSA laws and regulations.

| Data Type | Retention Period | Reason |
|---|---|---|
| Order and transaction records | 5 years | ZATCA / VAT compliance and legal obligations |
| Customer account data | Duration of account + 2 years after closure | Contract performance and dispute resolution |
| Payment data (tokenised) | As required by payment processor | Fraud prevention and chargebacks |
| Marketing preferences & opt-ins | Until you opt out + 1 year | Proof of consent |
| Customer support communications | 2 years | Record of service and dispute resolution |
| Website analytics data | 14 months (Google Analytics default) | Website improvement |
| Cookies (session) | Deleted when you close your browser | Session management |

When data is no longer required, we will delete or anonymise it securely. If deletion is not immediately possible (e.g., data in backup archives), we will isolate it from further processing until deletion is possible.


10. Cross-Border Data Transfers

Some of our service providers — such as website hosting platforms, email services, and analytics tools — may be based outside of Saudi Arabia. Where your data is transferred outside the Kingdom, we ensure this is done in compliance with the KSA PDPL Data Transfer Regulations, including:

  • Ensuring the receiving country provides an adequate level of data protection, or
  • Implementing SDAIA-approved Standard Contractual Clauses (SCCs) with third-party recipients to safeguard your data, or
  • Ensuring the transfer is necessary for the performance of your order (e.g., an international payment processor).

All cross-border transfers are conducted in a manner that does not conflict with the national interests or security of the Kingdom of Saudi Arabia.


11. Your Rights Under the KSA Personal Data Protection Law (PDPL)

Under the Saudi PDPL, you have the following rights regarding your personal data:

| Your Right | What It Means |
|---|---|
| Right of Access | You can request confirmation of whether we hold your personal data, and receive a copy of it. |
| Right to Correction | You can request that we correct any inaccurate or incomplete personal data we hold about you. |
| Right to Deletion | You can request that we delete your personal data when it is no longer necessary for the purpose it was collected, unless we are legally required to retain it. |
| Right to Withdraw Consent | Where our processing is based on your consent (e.g., marketing), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right to Restrict Processing | You can request that we restrict how we use your data in certain circumstances (e.g., while a correction request is being verified). |
| Right to Object to Marketing | You can object to us using your data for direct marketing purposes at any time. We must stop immediately upon your request. |
| Right to Data Portability | You can request a copy of the personal data you provided to us in a structured, machine-readable format. |
| Right to Lodge a Complaint | If you believe we have not handled your data lawfully, you have the right to file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) at sdaia.gov.sa. |

How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

We will respond to all verified requests within 30 days as required by the PDPL. If your request is complex or numerous, we may extend this by a further 30 days, and we will notify you accordingly. We may need to verify your identity before processing a request.


12. Children’s Privacy

Our website and services are not directed at or intended for children under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data without appropriate consent, please contact us immediately at [email protected] and we will take steps to delete that data promptly.


13. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our operations, legal obligations, or regulatory requirements. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Post a clear notice on our website
  • Where appropriate, notify registered customers by email

Your continued use of our website after any changes have been posted constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically.


14. Contact Us & Data Protection Enquiries

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

  • 📧 Email: [email protected]
  • 📱 WhatsApp / Tel: +966 58 128 5938
  • 🕐 Response Hours: Saturday – Thursday, 9:00 AM – 9:00 PM (AST)
  • 📍 Location: Jeddah, Saudi Arabia

If you are not satisfied with our response, you have the right to escalate your complaint to the Saudi Data and Artificial Intelligence Authority (SDAIA):


This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) issued under Royal Decree No. M/19 of 16 September 2021, as amended, and its Implementing Regulations issued by the Saudi Data and Artificial Intelligence Authority (SDAIA).