Gourmestan

The Conscious Choice for a Healthier You | Make a Mindful Move Toward a Healthier You | Intentional Today, Healthier Tomorrow

Gourmestan Privacy Policy

Effective Date:
Who we are: Gourmestan, Maison Gourmestan, registered at UAE (“Gourmestan”, “we”, “us”, “our”).
Contact (privacy): Email | Data Protection Officer (DPO): NAME, Email

Scope

This Policy explains how we collect, use, share, secure, and retain personal information when you visit our websites, place orders, sign up for communications, or interact with us online/offline. If a local policy differs (see regional sections), the local policy prevails for residents of that region.

Information We Collect

  • Identity & contact: name, email, phone, delivery/billing address.
  • Order & account: items purchased, payment method, transaction details (from our payment providers), loyalty/points, preferences.
  • Device & usage: IP address, device IDs, browser, cookies, pages viewed, referral/UTM, approximate location.
  • Communications: support chats, emails, call notes, survey responses, contest entries.
  • Marketing preferences: newsletter opt-ins, channel choices.
  • Special categories: we do not intentionally collect health or sensitive data. If you tell us about allergies or intolerances, we use it only to serve you and do not profile on that basis.

How We Use Your Information (Purposes)

  • Fulfilment: process orders, deliver products/services, provide receipts/invoices, handle returns and support.
  • Account & loyalty: manage logins, preferences, rewards, and service notices.
  • Customer care: respond to queries, troubleshoot issues, record service quality.
  • Improvement & analytics: measure performance, fix bugs, develop new features, and improve product quality.
  • Safety & compliance: prevent fraud/abuse, maintain security, comply with audits, tax, and legal requests.
  • Marketing (with consent where required): send updates, offers, surveys, and event invites; show interest-based ads.
  • Research & R&D: aggregate/anonymous analysis to improve recipes, packaging, and operations.

Lawful bases (examples): consent, contract performance, legitimate interests (e.g., service improvement/fraud prevention), legal obligation. EU/EEA bases align to GDPR Art. 6; “special category” processing, if any, complies with Art. 9. 

Cookies & Similar Technologies

We use cookies, local storage, and similar tools to keep you logged in, remember cart contents, measure performance, and personalize content/ads. Manage preferences in our Cookie Settings [link] or via your browser. For EU/EEA, we only drop non-essential cookies after consent (CMP banner).

Data Sharing

We do not sell personal information. We share limited data with:

  • Processors: payment gateways, hosting/CDN, email/SMS platforms, analytics, logistics/last-mile, customer support tools—under contracts that require confidentiality and security.
  • Fraud & security: service providers helping detect/prevent fraud or abuse.
  • Legal: where required by law or to protect rights, safety, or property.
  • Corporate events: in a merger, acquisition, or asset sale, per this Policy.

International Transfers

Where data moves across borders (e.g., India ↔ UAE ↔ other regions), we use appropriate safeguards (data processing agreements, standard contractual clauses or local equivalents) and respect localization rules where applicable. UAE/GCC and India have specific cross-border provisions; see regional sections. 

Security Measures

We use encryption in transit, hardened infrastructure, access controls, least-privilege, secure development practices, regular vulnerability reviews, and vendor due diligence. No method is 100% secure; we work to minimize risk.

Retention

We keep data only as long as necessary for the purpose collected and to meet legal/accounting/reporting obligations, then delete or anonymize it. (For India: erasure when the purpose is served or consent withdrawn, unless law requires retention.)  

Your Rights

Depending on your location, you may have rights to access, correct, delete/erase, port, restrict or object to processing, withdraw consent, and object to direct marketing or automated decisions. To exercise rights, email [privacy@yourdomain]. We will verify your identity before acting on requests. GDPR and GCC frameworks recognize similar rights; see local sections.  

Children

Our services are not directed to children under the local age of consent (typically 13–16). We do not knowingly collect their data; if we learn we have, we’ll delete it.

Automated Decision-Making

We do not make decisions producing legal or similarly significant effects solely by automated means. If this changes, we will provide meaningful information and opt-out/appeal routes.

Data Breaches

If a breach occurs, we will notify impacted users and regulators when required by law (e.g., India’s DPDP Board, EU Supervisory Authorities, or GCC authorities).  

Marketing Preferences

Marketing is opt-in where required. You can unsubscribe anytime via email footer or by contacting us. We may still send transactional/service messages.

Contact (Privacy)

  • Email: “Email”
  • Postal: Address of Privacy Office/DPO
  • UAE DPO (if appointed): Name, email
  • India grievance officer (if applicable): Name, email

Regional Add-Ons

UAE Privacy Add-On (PDPL)

We comply with Federal Decree-Law No. 45 of 2021 and related Executive Regulations. Key points:

  • Consent & transparency: clear purposes, withdrawal any time unless another legal basis applies.
  • Data subject rights: access, correction, erasure, restriction, portability, objection to processing/automated decisions.
  • Cross-border: permitted with adequate safeguards or per UAE requirements.

Questions for UAE residents? Contact our UAE DPO at “Email”.

Middle East Add-On (GCC: KSA, Qatar, Bahrain, Oman, Kuwait)

We observe applicable GCC privacy frameworks where we operate or target users:

  • KSA PDPL (Royal Decree M/19, amended 2023; in force 2023/2024): consent-centric, rights of access/erasure, breach notice duties.  
  • Qatar Law No. 13 of 2016: privacy rights, controller obligations, guidance by NCSA. 
  • Bahrain PDPL (Law No. 30 of 2018): consent, controller duties, PDPA authority oversight. 
  • Oman PDPL (Royal Decree 6/2022): consent-based, rights incl. withdrawal; enforced by MTCIT. 
  • Kuwait: we align with applicable e-privacy/cyber and sectoral rules; where a comprehensive privacy law applies, we will comply.

Marketing: opt-in; easy unsubscribe.
Transfers: safeguarded by DPAs/SCCs or local equivalents.
Retention: per business need and legal obligations, then deletion/anonymization.

India Add-On (DPDP Act, 2023)

For users in India, we comply with the Digital Personal Data Protection Act, 2023:

  • Consent & notices: clear, specific notices; consent can be withdrawn.
  • Rights: access, correction, erasure, grievance redressal, and nomination.
  • Significant Data Fiduciary obligations apply only if we are designated.
  • Breach notification: to the Data Protection Board and impacted users as per rules.

Contact our India grievance officer at “Email”.

EU/EEA Add-On (GDPR)

If we offer goods/services to individuals in the EU/EEA or monitor their behavior, GDPR applies:

  • Legal bases: consent, contract, legal obligation, legitimate interests, vital/public interests.
  • Rights: information, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  • Transfers: we use SCCs or other valid mechanisms.

EU residents may contact “Email” or their local Supervisory Authority.

Global Policy - Common

Information We Collect

Name, contact details, addresses, order history, payment confirmations (from processors), device/usage data, preferences, and your communications with us.

Use of Information

  • Process and deliver orders/services
  • Provide customer support
  • Improve products, websites, and operations
  • Send marketing (with consent where required)
  • Meet security, fraud-prevention, and legal obligations

Data Sharing

With vetted service providers (payments, hosting, logistics, analytics, communications) under strict contracts. No selling of personal data.

Security

Encryption, secure servers, access controls, regular reviews and audits.

Your Rights

Access, update, erase, withdraw consent, object to marketing, and complain to your local authority. See regional add-ons for specifics.  

Data Retention

Kept only as long as needed for the purpose and applicable laws, then deleted or anonymized.  

Cookies Policy – Short Version

  • Essential cookies: site functionality, checkout, security.
  • Analytics: understand usage/performance.
  • Personalization/ads: show relevant content (consent where required).

Manage your choices via Cookie Settings [link] and your browser. For EU/EEA, we obtain consent before setting non-essential cookies.

How to Reach Us

  • Privacy/DPO: Email
  • India grievance: Email
  • UAE DPO: Email
  • Postal: Full address

Change Log

We may update this Policy from time to time. We will post the revised version with a new “Effective date” and, where material, notify you via email or site banner.
