
Privacy Policy

Last Updated: February 22, 2026

Diyana Boutique ("we", "our", or "us") operates from Switzerland and is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, and how we protect it when you use our online store.

1. Information We Collect

Information you provide

  • Account registration: Email address and password
  • Orders: Full name, email, phone number, shipping address (street, city, postal code, country)
  • Contact form: Name, email, phone (optional), subject, and message
  • Newsletter: Email address (and referral code if applicable)

Information collected automatically

  • IP address: Used for rate limiting and fraud prevention — not stored long-term
  • Browser locale: Used to serve content in your preferred language (English, Dari, or Pashto)

Information we do NOT collect

  • We do not use analytics cookies, tracking pixels, or third-party advertising
  • We do not store credit card or payment details — all payments are processed directly by Stripe

2. How We Use Your Data

  • Fulfil orders: Process your purchase, send order confirmation and shipping updates via email
  • Customer support: Respond to your contact form messages
  • Referral programme: Track referral codes and award store credit when applicable
  • Newsletter: Send promotional emails (only with your consent — you can unsubscribe at any time)

We never sell, rent, or share your personal data with third parties for marketing purposes.

3. Payment Processing

All payments are handled by Stripe, a PCI DSS Level 1 certified payment processor. When you check out, your card details are entered directly into Stripe's secure payment form — they never pass through our servers. We only receive a payment confirmation with a transaction ID.

4. Third-Party Services

We use the following services to operate our store:

  • Stripe (stripe.com) — Payment processing
  • Supabase (supabase.com) — Database and user authentication
  • Cloudinary (cloudinary.com) — Product image hosting
  • Resend (resend.com) — Transactional email delivery (order confirmations, status updates)
  • Upstash (upstash.com) — Rate limiting (stores only IP hashes, not personal data)

Each service processes data under its own privacy policy. We only share the minimum data required for each service to function.

5. Your Rights (GDPR / Swiss FADP)

Under European and Swiss data protection law, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Ask us to correct inaccurate data
  • Erasure — Ask us to delete your data ("right to be forgotten")
  • Data portability — Receive your data in a machine-readable format
  • Withdraw consent — Unsubscribe from marketing emails at any time

6. Data Retention

  • Account data: Until you request deletion
  • Newsletter subscriptions: Until you unsubscribe
  • Contact form messages: 1 year
  • Rate-limiting data: Automatically expires within 1 hour

7. Children's Privacy

Our store is not intended for children under 16. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or by posting a notice on our website. The "Last Updated" date at the top reflects when the latest changes were made.

Contact Us

For any privacy-related questions, data requests, or to exercise your rights:

This privacy policy is designed to comply with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.