Privacy Policy – AYTA ATELIER (Seller-Protective, UK GDPR-Compliant)
Last updated: sep 2025
This Privacy Policy explains how AYTA ATELIER (“we”, “us”, “our”) collects and uses personal data for order fulfillment, security, fraud prevention, and customer support. It is drafted for the UK and does not waive your non-excludable statutory rights (UK GDPR & Data Protection Act 2018).
1) Who we are
Controller: AYTA ATELIER

2) Data we collect

3) Why do we use it

4) Strong anti-abuse measures

5) Data sharing (minimal, need-to-know)

6) International transfers
Where data leaves the UK, we use approved safeguards (UK SCCs/addendum, adequacy).
7) Retention (seller-protective)

8) Your rights (with anti-misuse guardrails)
You may access, correct, erase, restrict, port, or object to certain processing, and withdraw consent where relied upon.
Anti-abuse safeguards (per UK GDPR):

9) Cookies & analytics
We use necessary cookies for checkout, security, and account features. Optional analytics/marketing cookies run only with consent (manage via “Cookie Settings”). Blocking necessary cookies may limit site functionality.
10) Security
We apply technical/organisational measures (TLS, access controls, logging, backups). No system is 100% secure—keep your credentials confidential and report suspected misuse promptly.
11) Children
Not intended for under-16s. We do not knowingly collect data from children under 13; contact us to remove any such data.
12) Third-party links
External sites have their own policies; we are not responsible for them.
13) Changes
We may update this Policy; the current version applies on publication. Material changes will be noted here.
14) Contact
Email: info@aytaatelier.com Address: Dubai UAE
Plain-English Summary (anti-abuse)

Identity & contact: name, email, phone, billing/shipping address.

Order & payment meta: items, value, delivery prefs, transaction IDs.

Technical & security: IP address, device/browser data, logs, cookie IDs, fraud-signals.

Comms & preferences: messages, support tickets, marketing opt-ins/outs.

3) Why do we use it

Fulfill orders & support .

Service communications, invoices, tax/audit.

Security, fraud prevention, chargeback defence, IP protection, abuse prevention.

Site performance/analytics where consented.

Legal claims & compliance.

4) Strong anti-abuse measures

We may log IPs, device data, and use automated fraud screening. Suspicious activity can lead to order/account limitation, suspension, or cancellation.

We may flag and block abusive chargebacks and share relevant evidence with processors, banks, anti-fraud services, insurers, law enforcement, or legal counsel.

We may retain and use evidence for dispute resolution and debt recovery.

5) Data sharing (minimal, need-to-know)

Payment processors (e.g., Stripe/PayPal/Apple Pay) – separate controllers.

Operational vendors (hosting, email, CDN, couriers, CRM, anti-fraud/analytics).

Professional advisers & authorities when required by law or to establish/defend legal claims.

Business transfers under proper safeguards. We do not sell personal data.

6) International transfers Where data leaves the UK, we use approved safeguards (UK SCCs/addendum, adequacy). 7) Retention (seller-protective)

Orders, invoices, and evidence for disputes/chargebacks: up to 6 years from the end of the tax year (or longer if a claim is ongoing).

Support tickets: typically 2 years after resolution.

Marketing data: until you unsubscribe or after inactivity. We delete or anonymise when no longer needed.

8) Your rights (with anti-misuse guardrails) You may access, correct, erase, restrict, port, or object to certain processing, and withdraw consent where relied upon. Anti-abuse safeguards (per UK GDPR):

We verify identity before acting.

We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, or repeat requests.

We may withhold or limit data where disclosure would infringe others’ rights, reveal security/fraud controls, or prejudice legal claims.

We may extend response time by up to two further months for complex requests. Contact: privacy@[domain]. You can also complain to the ICO (ico.org.uk).

We collect the minimum data to take orders, prevent fraud, and run the site.

We keep evidence needed to fight chargebacks and misuse.

We may decline abusive or repetitive privacy requests within UK GDPR rules.

We never sell data; payments go through secure providers.

Your statutory rights remain intact; this policy maximises our protection against fraud and abuse within the law.

Business transfers under proper safeguards.
We do not sell personal data.

6) International transfers
Where data leaves the UK, we use approved safeguards (UK SCCs/addendum, adequacy).
7) Retention (seller-protective)

Marketing data: until you unsubscribe or after inactivity.
We delete or anonymise when no longer needed.

8) Your rights (with anti-misuse guardrails)
You may access, correct, erase, restrict, port, or object to certain processing, and withdraw consent where relied upon.
Anti-abuse safeguards (per UK GDPR):

We may extend response time by up to two further months for complex requests.
Contact: privacy@[domain]. You can also complain to the ICO (ico.org.uk).