Legal

Privacy Policy

Last updated: May 2026

AL WASAT ("we", "us", "our") is a premium Tunisian extra virgin olive oil brand based in Tunisia, selling to customers in the United Kingdom. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit al-wasat.co.uk. Because we sell to UK customers, UK GDPR and the Data Protection Act 2018 apply to our processing of your data.

Please read this policy carefully. By using our website you acknowledge that you have read and understood its contents.

1. Data We Collect

We collect the following categories of personal data:

  • Identity & contact data — your name and email address, provided when you place an order or sign up for our newsletter.
  • Delivery data — your delivery address, collected by Stripe during checkout and passed to our fulfilment partner.
  • Browsing & device data — IP address, browser type, operating system, referring URL, pages visited, and session duration, collected automatically by Google Analytics 4 in anonymised form.
  • Local storage data — cart contents (alwasat_cart), language preference (alwasat_lang), cookie consent status, and promo code data (alwasat_promo) stored in your browser's localStorage. This data never leaves your device unless you proceed to checkout.

We do not collect sensitive personal data (health information, biometric data, etc.) and we do not use automated decision-making or profiling that produces legal or similarly significant effects.

2. Payment Data

All payment processing is handled by Stripe. When you click "Pay Securely with Stripe" you are redirected to Stripe's hosted checkout. AL WASAT never sees, receives, or stores your card number, CVV, or any other raw payment credential. Stripe is PCI-DSS Level 1 compliant. For information on how Stripe processes your data, please review Stripe's Privacy Policy.

3. How We Use Your Data

  • Fulfilling your order — processing payment, arranging delivery, and sending you a confirmation email (legal basis: performance of a contract).
  • Customer service — responding to enquiries and handling returns (legal basis: legitimate interests).
  • Analytics — understanding how visitors use our site so we can improve it (legal basis: legitimate interests, with anonymisation).
  • Legal compliance — retaining records as required by UK tax and accounting law (legal basis: legal obligation).
  • Marketing — sending promotional emails only where you have given explicit consent, and only to the email address you provided.

4. Analytics — Google Analytics 4

We use Google Analytics 4 (property ID: G-TFTLQ2TYJV) to collect anonymised usage statistics. GA4 uses first-party cookies and does not use cross-site tracking cookies. IP addresses are anonymised before being stored. The data collected includes page views, session duration, referral source, and device/browser type. No personally identifiable information is sent to Google Analytics.

You may opt out by installing the Google Analytics Opt-out Browser Add-on or by declining cookies in our cookie banner.

5. localStorage & Browser Storage

We use your browser's localStorage — not traditional cookies — for several site functions. The following keys are stored locally on your device:

  • alwasat_cart — the contents of your shopping cart
  • alwasat_lang — your selected display language (EN / FR / AR)
  • cookieConsent — your cookie preference (accepted or declined)
  • alwasat_promo — any applied promotional code and its discount rate

This data is stored entirely in your browser and is not transmitted to our servers except where required to complete a transaction (e.g. cart contents sent to our payment function at checkout). You can clear this data at any time via your browser's developer tools.

6. International Data Transfers

Your data may be processed by the following third parties, some of which are based outside the UK or EEA:

  • Stripe (USA / EU) — payment processing. Covered by Stripe's standard contractual clauses and UK adequacy decisions.
  • Resend — transactional email delivery (order confirmations). Data is processed in compliance with GDPR standard contractual clauses.
  • Google (USA) — Google Analytics 4. Google LLC participates in the EU–US Data Privacy Framework and uses standard contractual clauses for UK transfers.
  • Netlify — website hosting and serverless functions. Processes request logs in accordance with their data processing agreement.

All third-party processors are required to process your data only on our instructions and in accordance with applicable data protection law.

7. Data Retention

  • Order data — retained for 7 years to comply with HMRC record-keeping requirements.
  • Analytics data — retained per Google Analytics 4 default retention settings (up to 14 months for user-level data).
  • Email marketing data — retained until you withdraw consent or unsubscribe.
  • localStorage data — persists in your browser until you clear it or it is programmatically removed (e.g. cart is cleared after a successful order).

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your data where we no longer have a lawful basis to hold it.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to withdraw consent — where processing is based on consent (e.g. marketing emails), you may withdraw at any time without affecting the lawfulness of prior processing.
  • Right to object — object to processing based on legitimate interests.
  • Right to restrict processing — request that we limit how we use your data in certain circumstances.

To exercise any of these rights, email us at jamel.derbali@gmail.com. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

Our website is served over HTTPS. We do not store payment card data. Access to order data is restricted to authorised personnel only. While we take reasonable technical and organisational measures to protect your data, no transmission over the internet is completely secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the site after a policy update constitutes acceptance of the revised terms.

11. Contact Us

If you have any questions about this Privacy Policy or your data, please contact:

AL WASAT
Email: jamel.derbali@gmail.com