Payments at Umay Luxe are processed by Stripe, a Level 1 PCI-DSS certified payment provider. All card data is transmitted over TLS 1.2+ with 256-bit SSL encryption. We never see, store, or have access to your full card number, expiry date, or CVC — these details are tokenised by Stripe at the point of entry.

Every transaction is screened with Stripe Radar for fraud, and every customer-not-present payment is authenticated with 3-D Secure 2 where supported by your bank. Chargeback and dispute handling is managed via Stripe's regulated framework.

• Order details — name, shipping address, email, items purchased. Used to fulfil and ship your order.
• Payment metadata — last 4 digits of your card, brand, country. Stored only as a Stripe reference for refunds and customer support. Never the full PAN.
• Account data — email and (optionally) password hash. Used to access order history.
• Marketing preferences — only when you opt in. Unsubscribe at any time from any email footer.

We do not sell, rent, or share your personal data with third parties for advertising. We share data only with the processors required to deliver your order (Stripe for payment, DHL Express for shipping, our email platform for transactional messages).

We use a minimal set of first-party cookies to keep you signed in, remember your cart, and measure aggregate site performance. We do not run ad-tech tracking pixels, behavioural retargeting, or sell event data to third parties.

You have the right to:

• Request a copy of the personal data we hold about you.
• Correct or update inaccurate data.
• Request deletion of your account and associated data.
• Withdraw consent for marketing at any time.
• Lodge a complaint with your local supervisory authority.

To exercise any right, email hello@umayluxe.com. We respond within 30 days.

Data controller: Umay Luxe, operated by Twin M Group Ltd.
Data Protection contact: hello@umayluxe.com.