Effective date: 1 November 2025

Website: arcanabh.com (the “Site”)
Controller: [Exact legal entity name in English & Arabic], CR: 50012‑2 (“Arcana”, “we”, “us”, “our”)
Registered office: RIFFA / BUKOWARAH, Block 927, Road 27, Building 47, Kingdom of Bahrain
Contact: [info@arcanabh.com] • [+973 xxx xxx

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the Site, purchase our products, contact us, or interact with us by any channel. It is designed to meet the requirements of Bahrain’s Personal Data Protection Law No. 30 of 2018 (“PDPL”).

1) What data we collect

We collect the following categories of personal data: – Identity & contact data – name, email, phone number, address, nationality (if required for delivery/customs).
– Order & transaction data – items purchased, order IDs, invoice details, payment status, refund/return records.
– Payment data – tokenized card details or reference IDs from payment providers (we do not store full card numbers on our servers).
– Delivery data – shipping/billing addresses, courier references, delivery notes, proof of delivery.
– Support data – messages, call/WhatsApp logs, RMA forms, warranty/DOA details, service center outcomes.
– Technical & usage data – IP address, device identifiers, browser type, pages viewed, session data, cookies/SDKs, crash logs.
– Marketing preferences – newsletter opt‑ins, campaign interactions, discount code usage.
– Account data (if you register) – login, password (hashed), order history, saved addresses.

We may also process CCTV footage and in‑store recordings for security and fraud prevention where applicable.

2) How we collect data

• Directly from you (checkout, account signup, forms, email/phone/WhatsApp, in‑store).
• Automatically via cookies, SDKs, and analytics when you browse the Site.
• From third parties (payment providers, couriers, analytics/ads partners, anti‑fraud tools, social platforms when you interact with our pages, and public sources where lawful).

3) Why we use your data (purposes)

We process personal data to: – Provide and fulfill orders (order processing, payment, delivery, returns, warranties).
– Manage your account (authentication, preferences, order history).
– Customer care (answer inquiries, troubleshoot issues, DOA/RMA handling).
– Operate and secure the Site (fraud monitoring, diagnostics, cybersecurity, performance).
– Legal & compliance (tax/VAT invoices, bookkeeping, consumer protection, lawful requests).
– Marketing with consent (emails/SMS/WhatsApp, retargeting, promotions) and to stop marketing if you opt‑out.
– Analytics & service improvement (understand usage to improve products, UX, logistics).

4) Our legal bases (PDPL)

We rely on one or more of the following legal grounds under the PDPL:
– Consent (e.g., newsletters, certain cookies).
– Contract necessity (to process your order, deliver products, provide support).
– Legal obligation (e.g., tax/VAT, accounting, consumer protection).
– Legitimate interests (e.g., site security, fraud prevention, limited direct marketing—balanced against your rights).
– Vital interests / public interest (only where strictly applicable).
You may withdraw consent at any time, and you may object to processing for direct marketing (see your rights below).

5) Cookies & tracking technologies

We use cookies/SDKs to run the Site and measure performance. Categories include:
– Strictly necessary (cart, checkout, security).
– Functional (remember settings).
– Performance/analytics (traffic, page performance).
– Ads/retargeting (only where consented).

6) Sharing your data

We share personal data with: – Payment processors

– Couriers & logistics (for deliveries, returns).
– Service providers (hosting, CRM, email/SMS, cloud storage, analytics, security, backup).
– Professional advisors (auditors, accountants, legal counsel).
– Authorities and regulators when required by law or to protect rights/safety.
– Business transfers (in the event of a merger, acquisition, or asset sale, under confidentiality safeguards).

We do not sell personal data.

7) International transfers

Some providers may process data outside the Kingdom of Bahrain. Where this occurs, we implement appropriate safeguards permitted under the PDPL (e.g., adequacy decisions, contractual safeguards/standard clauses, your explicit consent where applicable). Details are available on request.

8) Data retention

We keep data only as long as necessary for the purposes stated above, including to satisfy legal, accounting, and tax requirements, and to defend legal claims. Typical periods (subject to applicable law and our retention schedule):
– Orders & invoices: 5–10 years.
– Support/RMA records: 1–3 years after case closure.
– Marketing consents & opt‑outs: kept while active and for a limited period to respect your opt‑out.
– Analytics logs: 3–24 months, aggregated/anonymized earlier where feasible.

9) Your rights (PDPL)

Subject to conditions and exceptions under the PDPL, you may have the right to: – Be informed about processing and obtain a copy of your personal data;
– Access your data and request correction/rectification of inaccuracies;
– Request erasure/blocking where data is inaccurate, incomplete, outdated, or unlawfully processed;
– Restrict or object to processing, including objecting to direct marketing at any time;
– Withdraw consent where processing is based on consent;
– Complain to the Personal Data Protection Authority (PDPA) in Bahrain.

We will respond within the timelines required by law. To exercise these rights, contact us (see Section 12).

10) Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data and risks involved (e.g., encryption in transit, tokenized payments, access controls, logging, backups, secure development and vendor due diligence). No system is 100% secure; we continuously improve our controls.

11) Third‑party links & social media

Our Site may link to third‑party sites, plug‑ins, or apps. These are governed by their own privacy notices. We are not responsible for their policies or practices.

12) How to contact us or exercise your rights

Controller:

CR: 50012‑2
Address: RIFFA / BUKOWARAH, Block 927, Road 27, Building 47, Kingdom of Bahrain
Email: info@arcanabh.com
Phone/WhatsApp: [+973 xxx xxxx]

13) Changes to this Policy

We may update this Policy from time to time. The version posted on the Site includes the “Effective date” above. Material changes will be highlighted on the Site or notified by email where appropriate.

Short‑form summary (non‑binding)

• We collect identity, contact, order, payment token, delivery, support, technical and marketing preference data to run our e‑commerce services.
• We rely on consent, contract, legal obligations, and legitimate interests under the PDPL.
• You can opt‑out of direct marketing and manage cookies.
• We share data with payment providers, couriers, and service vendors; we don’t sell your data.
• You can access, correct, erase/block, restrict or object to processing (including direct marketing), withdraw consent, and complain to the PDPA.

Note: Replace bracketed placeholders before publishing. This Policy is provided for general informational purposes and is not legal advice; please consider local counsel review prior to publication.