Privacy Policy

Effective date: March 9, 2026

1. Data Controller Identity

The data controller responsible for processing your personal data is Symbiose, a sole proprietorship registered in the United Arab Emirates.

As data controller, Symbiose determines the purposes and means of processing your personal data, in accordance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (hereinafter "UAE PDPL").

2. Data Collected, Legal Bases, and Retention Periods

We process the following categories of personal data:

2.1 Order and Identity Data

  • Data: first name, birth name, date of birth, gender, email address, order amount, payment status.
  • Purpose: performance of the service contract (preparation of the personalized numerology theme and delivery by email).
  • Legal basis: performance of a contract to which the data subject is party (UAE PDPL, Art. 6; GDPR, Art. 6(1)(b) for EU residents).
  • Retention period: 5 years from the date of the order (applicable accounting and tax obligations).

2.2 Payment Data

  • Data: Stripe session ID, payment intent ID, payment status, payment method (e.g. card). Raw banking data (card number, CVV) never transits through our servers and is processed exclusively by Stripe, Inc.
  • Purpose: secure payment processing and fraud prevention.
  • Legal basis: performance of contract; legitimate interest (security and fraud prevention).
  • Retention period: 5 years from the transaction date.

2.3 Navigation and Performance Data

  • Data: aggregated navigation data collected via Vercel Analytics (Speed Insights) — no personally identifiable data is collected without your consent.
  • Purpose: improvement of website performance.
  • Legal basis: consent (UAE PDPL, Art. 6; GDPR, Art. 6(1)(a) for EU residents).
  • Retention period: aggregated data retained for 12 months.

2.4 Contact Requests

  • Data: first name, email address, message.
  • Purpose: processing your request and responding to your inquiry.
  • Legal basis: legitimate interest of the data controller in responding to inquiries; implicit consent of the data subject.
  • Retention period: 3 years from the last interaction.

3. Recipients and Sub-processors

Your data may be shared with the following sub-processors, strictly within the scope of their functions:

Sub-processor | Role | Location
Stripe, Inc. | Secure payment processing | United States (PCI DSS certified)
Vercel, Inc. | Web application hosting and analytics | United States / EU
Neon (Neon, Inc.) | Serverless PostgreSQL database | United States / EU
Resend (Resend, Inc.) | Transactional email delivery | United States

We never sell, rent, or otherwise commercialize your personal data to third parties. We share your data only with the sub-processors listed above, to the extent strictly necessary for the performance of our services.

4. International Data Transfers

Some of our sub-processors are established outside the United Arab Emirates. In accordance with Art. 12 of the UAE PDPL, these transfers are governed by appropriate safeguards:

  • Stripe: complies with Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework; PCI DSS Level 1 certified.
  • Vercel: provides contractual guarantees compliant with GDPR; data may be processed in data centers located in Europe or the United States.
  • Neon: uses SCCs for transfers to the United States; offers European hosting regions.
  • Resend: governs transfers through SCCs.

For European Union residents, these transfers are also governed by the Standard Contractual Clauses adopted by the European Commission under Art. 46 of the GDPR.

5. Data Subject Rights

In accordance with the UAE PDPL (Art. 8, 13 et seq.), you have the following rights:

  • Right of access: to obtain a copy of the personal data we process about you.
  • Right to rectification: to have any inaccurate or incomplete data corrected.
  • Right to erasure: to request the deletion of your data, subject to our legal retention obligations.
  • Right to restriction of processing: to request the temporary suspension of the processing of your data.
  • Right to data portability: to receive your data in a structured, commonly used, machine-readable format.
  • Right to object: to object to processing based on our legitimate interest.
  • Right to withdraw consent: to withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to that withdrawal.

To exercise your rights, send your request by email to: contact@symbiose.club.

We commit to responding to your request within 30 days of receipt. This period may be extended by two additional months if necessary, taking into account the complexity and number of requests.

6. Cookies and Similar Technologies

Our website uses the following types of cookies:

  • Strictly necessary cookies: essential for the operation of the website (session management, security). They do not require your consent and cannot be disabled.
  • Performance and analytics cookies: Vercel Analytics / Speed Insights collects aggregated performance data (loading times, Web Vitals). These cookies are only placed with your explicit consent, expressed via the cookie banner on our website.

You can manage your cookie preferences at any time via the cookie banner or by clearing your browser data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to that withdrawal.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against loss, unauthorized access, disclosure, alteration, or destruction, in accordance with Art. 4 of the UAE PDPL. These measures include:

  • Encryption of communications via TLS/SSL (HTTPS).
  • Data stored in secure databases with strict access controls.
  • Payment data processed exclusively by Stripe, PCI DSS Level 1 certified.
  • Administrator passwords hashed and salted (bcrypt).
  • Data access restricted to authorized personnel on a need-to-know basis (principle of least privilege).

In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to notifying you as soon as possible, in accordance with applicable legal obligations.

8. Contact and Complaints

For any questions regarding this privacy policy or the processing of your personal data, contact us at: contact@symbiose.club.

If you believe that the processing of your personal data infringes applicable law, you have the right to lodge a complaint with the competent supervisory authority. In the United Arab Emirates, the competent authority is the UAE Data Office (uaedataoffice.ae). For European Union residents, you may contact the data protection authority of your Member State of residence.

9. UAE PDPL Specific Provisions

This privacy policy is established in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations, including the Personal Data Protection Regulation adopted by the Council of Ministers.

Sensitive Data

We do not collect sensitive personal data as defined in Art. 1 of the UAE PDPL (data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal convictions, genetic or biometric data, sex life or sexual orientation).

Automated Decision-Making

We do not subject your data to fully automated decision-making processes that produce legal effects or significantly affect you.

Data Protection Officer

Given the size and nature of our operations, the designation of a Data Protection Officer (DPO) is not mandatory at this stage. For any data protection queries, please contact us directly at the address provided in Section 8.

10. GDPR-Specific Provisions (European Union Residents)

To the extent that we process personal data of European Union residents in connection with an offer of services, Regulation (EU) 2016/679 (GDPR) also applies to such processing, in addition to the UAE PDPL.

Additional Legal Bases (Art. 6 GDPR)

  • Art. 6(1)(b): performance of contract — processing of order and payment data.
  • Art. 6(1)(a): consent — performance cookies.
  • Art. 6(1)(f): legitimate interests — security, fraud prevention, service improvement.

Additional Rights for EU Residents

In addition to the rights set out in Section 5, EU residents benefit from the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them (Art. 22 GDPR), and may lodge a complaint with the supervisory authority of their Member State of residence.

EU Representative

Given the limited volume of our processing of EU residents' data, the designation of a representative in the European Union (Art. 27 GDPR) is currently under assessment. In the meantime, EU residents may contact Symbiose directly at contact@symbiose.club.

11. Changes to This Privacy Policy

We reserve the right to modify this privacy policy at any time, in particular to comply with changes in applicable law or our processing practices. Any material change will be notified to you by email (if you are a customer) and/or by a prominent notice on our website, at least 30 days before it takes effect.

The version in force is the one displayed on this page, with the effective date indicated at the top of the document. We encourage you to review this page regularly.
