Legal

Privacy & Data Protection Policy

Last updated: July 12, 2026

Whether you buy from Gaba Direct or our Amazon storefront, we limit personal data to defined purposes, protect it throughout its lifecycle, and respect the rights provided by applicable UAE and EU data-protection law.

Both sales channels

This notice covers purchases from Gaba Direct and our Amazon marketplace storefront.

Purpose-limited

We use order data to complete your purchase, support you, prevent misuse, and meet legal duties.

Protected end to end

Personal data is encrypted in transit and at rest, with access limited by role and business need.

Rights respected

Applicable UAE and EU data-protection rights are supported across both store and marketplace systems.

1. Who we are and what this notice covers

Gaba General Trading ("Gaba", "we", "us", or "our") is the controller of personal data described in this notice. We sell consumer products through Gaba Direct, our online store, and through our storefront on the Amazon marketplace.

This notice applies to personal data we receive from Amazon and personal data we collect through Gaba Direct, including checkout, account activity, order fulfilment, customer service, returns, refunds, tax records, website security, retention, and deletion.

We adopt this notice to support compliance with UAE Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data (UAE PDPL) and, where it applies to our processing, the EU General Data Protection Regulation (GDPR). The GDPR may apply, for example, where we offer goods or services to individuals in the EU or EEA. Marketplace data is also handled under Amazon's Data Protection Policy and applicable API terms.

2. Personal data we collect

The information we process depends on how you interact with us. We collect only data that is relevant and reasonably necessary for the stated purposes.

  • Identity and contact data: name, delivery and billing address, email address, and telephone number.
  • Order data: products, quantities, order identifiers, delivery status, returns, refunds, correspondence, and tax-invoice information.
  • Payment references: transaction status and provider references. We do not receive or store your full payment-card number when payment is handled by Amazon or our payment provider.
  • Store and device data: account information, consent choices, IP address, browser or device information, security events, and essential cookie or session identifiers used to operate and protect Gaba Direct.
  • Communications: messages and information you provide when contacting customer support or exercising a privacy right.

3. Where the data comes from

We receive personal data directly from you when you use Gaba Direct or contact us, from Amazon when you order from our marketplace storefront, and from service providers involved in payment, fraud prevention, delivery, or technical operation. Amazon data is requested only through authenticated, purpose-scoped access authorized for the relevant operation.

4. Why we use personal data and our legal bases

We document a lawful basis for each processing activity under the UAE PDPL and, where applicable, Article 6 GDPR. Depending on the activity, we process personal data because it is necessary to enter into or perform our contract with you, necessary to comply with a legal obligation, supported by a legitimate interest that does not override your rights, or based on your valid consent.

  • Orders and delivery: to accept, pack, ship, deliver, return, or refund an order and provide related customer support.
  • Tax and accounting: to calculate tax and create and retain invoices or records required by law.
  • Store operation and security: to authenticate sessions, prevent misuse, maintain availability, investigate errors, and protect customers and systems.
  • Legal claims and compliance: to respond to lawful requests, establish or defend legal rights, and satisfy regulatory or contractual duties.
  • Optional activities: non-essential analytics or direct marketing only where permitted, transparently disclosed, and subject to any required consent or right to object.

5. Purpose limitation

We do not sell personal data. Amazon marketplace data is not used for marketing, advertising, profiling, resale, enrichment, or an unauthorized secondary purpose. Direct-store data is not used for a new incompatible purpose. If we propose a materially different use, we will identify a lawful basis and provide any notice or choice required before that use begins.

6. Cookies and similar technologies

Gaba Direct may use cookies or similar technologies that are necessary for checkout, security, preferences, and session continuity. Non-essential analytics or advertising technologies, if introduced, will be described in an appropriate cookie notice and activated only with the choice required by applicable law. You may withdraw consent as easily as you gave it.

7. How personal data is protected

Personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest. Access is role-based, need-to-know, and protected by named accounts and multi-factor authentication. We use managed secrets, security logging, monitoring, vulnerability management, backups, and written incident-response procedures. We periodically review access and the service providers that handle protected data.

No security measure can eliminate every risk. We maintain safeguards designed to be appropriate to the nature of the data, the processing, and reasonably foreseeable threats.

8. Who receives personal data

We disclose only the information necessary for an authorized purpose. Recipient categories include delivery carriers, payment providers, infrastructure and security providers, email services, professional advisers, and public authorities where disclosure is legally required. For marketplace orders, Amazon separately processes information under its own privacy notice.

Our relevant technology providers may include Railway for application hosting and databases, Amazon Web Services for protected storage and email delivery, Cloudflare for network security and content delivery, and Sentry for technical error monitoring. They are contractually and technically limited to the service they provide.

9. International transfers

Some recipients or infrastructure may be located outside your country. Before an international transfer, we assess the destination and use a mechanism permitted by applicable law. For UAE personal data, this may include a recognized adequate-protection destination or another safeguard or exception permitted by the UAE PDPL. For data subject to the GDPR, we use an applicable adequacy decision, approved Standard Contractual Clauses with required assessments and supplementary measures, or another mechanism permitted by Chapter V GDPR.

You may contact us to ask about the transfer safeguards applicable to your personal data.

10. How long we keep personal data

We retain personal data only for a documented period necessary for the purpose described above and applicable legal obligations. Direct-store records follow a category-specific retention schedule covering orders, support, tax records, disputes, consent, objections, and security records. When no lawful purpose remains, data is securely deleted or irreversibly anonymised.

For Amazon marketplace orders, we retain Amazon PII for no longer than 30 days after order delivery, unless and only to the extent a specific law requires longer retention for tax, regulatory, or other legal compliance. Amazon non-PII is deleted within 18 months unless a longer period is legally required. If Amazon issues a deletion notice, we securely delete covered information within the applicable Amazon deadline, subject only to a documented legal-retention requirement.

Secure deletion follows practices aligned with NIST SP 800-88. Legally required records are placed in a restricted archive and deleted when the statutory period ends.

11. Your privacy rights

Depending on the law that applies, you may have the right to be informed, obtain access, correct inaccurate data, erase data, restrict or stop processing, object to processing including direct marketing, withdraw consent, receive eligible data in a portable format, or request human review of a qualifying automated decision. You may also complain to the UAE Data Office, a competent EU or EEA supervisory authority, or another competent regulator.

Rights are not absolute. A legal obligation may require us to retain limited information, and we will explain an applicable restriction or refusal where required. We may request information reasonably necessary to verify your identity and protect your data.

12. How to exercise your rights

Email cs@gabadirect.com with your request. We respond without undue delay and within the period required by applicable law. Where GDPR applies, this is normally within one month, subject to its permitted extension and notice rules. Requests involving marketplace information may also involve Amazon's platform procedures, but we will not direct you elsewhere where we remain responsible for responding.

13. Automated decisions

We do not currently make decisions producing legal or similarly significant effects about customers solely through automated processing. If that changes, we will provide the information, safeguards, and ability to obtain human review required by applicable law.

14. Children's data

Our store is not intentionally directed to children, and we do not knowingly collect a child's personal data where parental or guardian authorization is required. If we learn that such data was collected without the required authorization, we will take appropriate steps to delete it.

15. Personal data breaches

We maintain a written incident-response plan. If a personal data breach occurs, we investigate, contain, preserve evidence, and notify affected individuals and competent authorities when required. For Amazon marketplace data, Amazon is notified within its required 24-hour period. Where GDPR applies, we assess notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a reportable breach.

16. Contact

For a privacy question, rights request, or security concern, email cs@gabadirect.com. Gaba General Trading's registered address and any required Data Protection Officer or EU representative contact details will be made available here when applicable.

17. Changes to this notice

We may update this notice to reflect changes in our processing, providers, or legal obligations. We will publish the updated version and date here. Where required, we will provide additional notice or obtain consent before a material new use takes effect.