Privacy policy
Last updated: 20 May 2026
OnlyRoses KSA operates this store and website, including all related information, content, features, tools, products, and services (the “Services”). This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you visit our boutique, use our website or app, place an order, or otherwise communicate with us.
This Privacy Policy is governed by the Personal Data Protection Law of the Kingdom of Saudi Arabia (Royal Decree No. M/19 of 1443H / 2021, as amended by Royal Decree No. M/148 of 1444H / 2023) and its Implementing Regulations issued by the Saudi Data & Artificial Intelligence Authority (“SDAIA”).
If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal data. By using or accessing the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described below.
1. Who We Are (Data Controller)
For the purposes of the Personal Data Protection Law, the data controller of your personal data is:
Luqah Company For Flowers (شركة لقاح للزهور شخص واحد)
Trading as OnlyRoses KSA
Commercial Registration No. 1010941532
VAT Registration No. 3119035673
Registered office: Riyadh, King Saud University, Al Shaikh Hassan ibn Abdullah Al Shaikh
Privacy contact: shopify-ksa@only-roses.com
References in this Privacy Policy to “OnlyRoses”, “we”, “us”, and “our” mean Luqah Company For Flowers trading as OnlyRoses KSA. Our Services are hosted by Shopify Inc., which acts as a data processor on our behalf in respect of personal data processed through the Services.
2. Personal Data We Collect
Under the Personal Data Protection Law, “personal data” means any data, of whatever source or form, that may directly or indirectly identify an individual. Depending on how you interact with the Services, we may collect or process the following categories of personal data:
- Contact details: name, billing address, shipping address, recipient address (for gift orders), phone number, and email address.
- Account information: username, password (stored in encrypted form), security questions, preferences, and settings.
- Order & transaction information: items viewed, added to cart or wishlist, purchased, returned, exchanged, or cancelled; gift messages; delivery instructions; and past transactions.
- Payment information: payment method, transaction details, and payment confirmation. Full card numbers are processed directly by our PCI DSS-compliant payment providers and are not stored on our systems.
- Communications with us: the content of messages you send via WhatsApp, email, customer support enquiries, or in-store interactions.
- Device & technical information: IP address, device type, browser, operating system, language settings, and similar identifiers.
- Usage information: how and when you interact with the Services, pages visited, links clicked, referral source, and similar analytics data.
- Marketing preferences: your consent status for marketing communications, opt-ins and opt-outs.
We do not knowingly collect sensitive personal data as defined under the Personal Data Protection Law (which includes data revealing ethnic origin, religious or political beliefs, criminal records, biometric data, genetic data, health data, or credit data). Please do not provide such information through the Services. If you do, we will delete it unless required to retain it by law.
3. Where We Collect Personal Data From
We collect personal data from the following sources:
- Directly from you — when you create an account, place an order, contact us, visit our boutique, or otherwise interact with the Services.
- From the order sender — if someone sends you a gift through OnlyRoses, we receive your delivery contact details from the sender for the sole purpose of fulfilling that order.
- Automatically — through your device and through cookies and similar technologies when you visit our website (see Section 9).
- From our service providers — including Shopify, payment processors, delivery couriers, and analytics providers, who process personal data on our behalf.
- From marketing and advertising partners — in limited circumstances, where you have consented to such sharing with those partners.
4. How We Use Your Personal Data & Legal Bases
Under the Personal Data Protection Law, we may only process your personal data on a lawful basis. We rely on the following legal bases, depending on the purpose:
Performance of a contract with you
To process and fulfil your orders, arrange delivery, process payments, manage returns and exchanges, create and maintain your account, and provide customer support. Without this data we cannot deliver the Services to you.
Your consent
For direct marketing communications by email, SMS, or WhatsApp; for non-essential cookies and analytics; and for any sharing of your data with marketing partners. You may withdraw your consent at any time (see Section 11).
Compliance with legal obligations
To retain tax and accounting records as required by the Zakat, Tax and Customs Authority; to respond to lawful requests from regulators, courts, or law enforcement; and to meet obligations under the Consumer Protection Law and the E-Commerce Law.
Our legitimate interests
To secure our systems and detect, investigate, and prevent fraud; to improve and tailor the Services; to maintain business records; and to defend our legal rights. We balance these interests against your privacy and only process data on this basis where your rights do not override our interest.
Vital interests or public interest
In rare and limited circumstances, to protect your vital interests or those of another person, or where required to serve a clear public interest under Saudi law.
5. How We Disclose Your Personal Data
We do not sell your personal data. We may disclose your personal data to the following categories of recipients, only where necessary and subject to appropriate safeguards:
- Shopify Inc. — our e-commerce platform provider, which hosts the Services and processes personal data on our behalf as a data processor.
- Payment processors — to process your payments securely, in accordance with PCI DSS and the requirements of the Saudi Central Bank (SAMA).
- Delivery providers — courier partners for deliveries outside Riyadh, and our in-house delivery team for deliveries within Riyadh.
- IT, cloud, and analytics service providers — for hosting, IT support, data backup, and aggregate analytics, all engaged under written data processing agreements.
- Marketing partners — only with your prior consent, and only for the specific marketing purposes you have agreed to.
- Professional advisers — lawyers, auditors, accountants, and insurers, where strictly necessary.
- Regulatory and law enforcement authorities — where required by Saudi law, valid legal process, or to protect public safety.
- In connection with a business transaction — such as a merger, acquisition, restructuring, or sale of assets, in which case we will require the recipient to honour this Privacy Policy.
Every third-party processor we engage is required, by written agreement, to process your personal data only on our instructions and to implement appropriate technical and organisational measures consistent with the Personal Data Protection Law.
6. Relationship with Shopify
Our Services are hosted by Shopify Inc. To provide and improve the Services, Shopify collects and processes personal data about your access to and use of the Services. Information you submit may be transmitted to and shared with Shopify and with third-party processors that may be located outside the Kingdom of Saudi Arabia, subject to the safeguards described in Section 10 below.
To learn more about how Shopify handles personal data and the rights you may have in relation to data processed by Shopify, you can visit the Shopify Consumer Privacy Policy and the Shopify Privacy Portal.
7. Children's Data
The Services are intended for adults. We do not knowingly collect personal data from individuals under eighteen (18) years of age, which is the age of majority in the Kingdom of Saudi Arabia. If you are a parent or legal guardian and believe that a child under your guardianship has provided us with their personal data, please contact us at shopify-ksa@only-roses.com and we will delete it promptly unless we are required to retain it by law.
8. Security & Retention
Security. We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage — including encryption in transit (TLS), access controls, role-based permissions, and regular review of our security practices. Shopify maintains its own platform-level security controls as our data processor. However, no method of transmission over the internet is completely secure; we recommend that you do not send sensitive or confidential information through unsecured channels.
Breach notification. In the event of a personal data breach that is likely to cause harm to you or affect your rights, we will notify SDAIA within seventy-two (72) hours of becoming aware of it, in line with Article 24 of the Implementing Regulations of the Personal Data Protection Law, and we will notify affected individuals without undue delay where required.
Retention. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with our legal, accounting, and tax obligations (typically a minimum of ten years for tax records in the Kingdom of Saudi Arabia), resolve disputes, and enforce our agreements. When personal data is no longer required, we will securely delete or anonymise it in accordance with our retention schedule.
9. Cookies & Similar Technologies
Our website uses cookies and similar technologies to operate the Services, remember your preferences, secure your session, analyse usage, and — with your consent — deliver personalised marketing.
Cookies fall into the following categories: strictly necessary cookies (required for the Services to function), functional cookies (to remember your preferences), analytics cookies (to understand how the Services are used), and marketing cookies (to deliver tailored advertising).
We will obtain your consent before placing non-essential cookies on your device. You can manage your cookie preferences at any time using the cookie banner on our website or through your browser settings. Disabling certain cookies may affect the functionality of the Services.
10. International Transfers of Personal Data
Some of our service providers — including Shopify, certain payment processors, and analytics providers — may store or process your personal data on servers located outside the Kingdom of Saudi Arabia.
When we transfer your personal data outside the Kingdom, we comply with the Regulation on the Transfer of Personal Data Outside the Kingdom issued by SDAIA. Depending on the destination, we rely on one or more of the following safeguards:
- Transfers to countries determined by SDAIA to provide an adequate level of personal data protection;
- SDAIA-approved Standard Contractual Clauses with the recipient;
- Where required, a documented risk assessment prior to the transfer;
- Other safeguards or exceptions permitted under the Personal Data Protection Law and its Implementing Regulations.
You may request a copy of the safeguards we apply to a specific international transfer by contacting us using the details at the end of this Policy.
11. Your Rights Under the Personal Data Protection Law
Subject to the conditions and exceptions set out in the Personal Data Protection Law, you have the following rights in relation to your personal data:
- Right to be informed — to know the legal basis and purpose of processing your personal data (this Privacy Policy is part of how we satisfy that right).
- Right of access — to request confirmation of whether we process your personal data and to obtain access to it.
- Right to obtain a copy — to receive a copy of your personal data in a clear and readable format.
- Right to correction — to request correction of personal data that is inaccurate, incomplete, or out of date.
- Right to deletion — to request the deletion of your personal data where it is no longer needed for the purposes for which it was collected, where you have withdrawn consent (and there is no other legal basis), or where the data has been processed unlawfully. This right is subject to retention obligations under Saudi law.
- Right to withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right to opt out of marketing — you can opt out of marketing communications at any time using the unsubscribe link in any marketing email or by replying STOP to marketing SMS or WhatsApp messages. You may still receive non-promotional communications related to your orders or account.
- Right to lodge a complaint — you have the right to lodge a complaint with SDAIA (see Section 13).
These rights are not absolute and may be subject to limitations under the Personal Data Protection Law, including where exercising the right would prejudice the rights of others, conflict with a legal obligation, or affect an ongoing investigation.
12. How to Exercise Your Rights
To exercise any of the rights set out above, please contact us at shopify-ksa@only-roses.com. To protect your privacy, we may need to verify your identity before responding — for example, by asking for information that allows us to match your request to an account or order.
You may also authorise an agent to make a request on your behalf. Before accepting such a request, we will require evidence that you have authorised the agent to act for you, and we may verify your identity directly.
We will respond to valid requests within the timeframes required by the Personal Data Protection Law. We will not discriminate against you for exercising any of your rights.
For rights relating to personal data processed by Shopify, please refer to the Shopify Privacy Portal.
13. Complaints & Regulatory Authority
If you have a complaint about how we handle your personal data, please contact us first at shopify-ksa@only-roses.com so we can try to resolve it.
If you are not satisfied with our response, you have the right to lodge a complaint with the Saudi Data & Artificial Intelligence Authority (SDAIA) through its official channels, including the National Data Governance Platform at sdaia.gov.sa.
14. Third-Party Websites & Links
The Services may contain links to websites or platforms operated by third parties. We are not responsible for the privacy practices of these third parties. If you follow a link to a third-party site, please review their privacy notice and terms before providing any personal data. Information you share on social media platforms or other public forums may be visible to other users, and is governed by those platforms' policies.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for operational, legal, or regulatory reasons. We will post the revised Privacy Policy on this page, update the “Last updated” date, and — where the change is material — provide additional notice as required by applicable law.
16. Contact Us
For any questions about this Privacy Policy or our handling of your personal data, or to exercise any of your rights:
Privacy contact (email): shopify-ksa@only-roses.com
General customer care: riyadh@only-roses.com
WhatsApp: +966 55 221 2401
Boutique: Kingdom Centre Mall, Level 0, King Fahd Road, Al Olaya, Riyadh 11321, Kingdom of Saudi Arabia
Data Controller: Luqah Company For Flowers (شركة لقاح للزهور شخص واحد), CR No. 1010941532, VAT No. 3119035673
This Privacy Policy was last updated on 20 May 2026. In the event of any inconsistency between the English and Arabic versions of this Privacy Policy, the Arabic version shall prevail to the extent required by the laws of the Kingdom of Saudi Arabia. OnlyRoses KSA is a trading name of Luqah Company For Flowers (شركة لقاح للزهور شخص واحد), a single-person company registered in the Kingdom of Saudi Arabia, with its registered office at Riyadh, King Saud University, Al Shaikh Hassan ibn Abdullah Al Shaikh. Commercial Registration No. 1010941532. VAT Registration No. 3119035673. © 2026 OnlyRoses KSA. All rights reserved.
