Privacy Policy
Last updated · 14 July 2026
Dulaxa is a digital experience studio based in the Arab Republic of Egypt. This policy explains what personal data we collect when you visit dulaxa.com, submit an enquiry, or hold an account in the client studio — and what we do with it.
We have written this to be read, not to be survived. If anything here is unclear, write to us at hello@dulaxa.com and we will explain it plainly.
1. Who is responsible for your data
Dulaxa is the data controller for the personal data described in this policy — meaning we decide why and how it is processed.
Dulaxa — Cairo, Arab Republic of Egypt. Email: hello@dulaxa.com. WhatsApp: +20 10 1191 1502.
2. What we collect
We collect only what the service actually needs. Concretely:
- Enquiry details — when you submit the Start form: your name, email address, the occasion, your event date, and the description of your vision.
- Account details — if you create an account: your email address, an encrypted password (we never see or store the plaintext), and optionally your full name, phone number, and profile photo.
- Project data — the invitations, media, and other content we create with you or that you upload, including images you add to a project.
- Messages — the contents of the conversation between you and the studio inside your dashboard.
- Billing records — invoice numbers, amounts, currency, status, and due dates. We do not process or store card details (see §7).
- Technical and performance data — your IP address and browser user-agent are processed transiently by our host to serve the site securely. We also collect anonymous Core Web Vitals (page-load and responsiveness measurements) via our own endpoint; these contain no identifiers and are not linked to you.
3. Why we process it, and on what legal basis
| Purpose | Data used | Legal basis |
|---|---|---|
| Respond to your enquiry and prepare a proposal | Enquiry details | Steps taken at your request prior to entering a contract |
| Design, build, and host your experience | Account, project data, media | Performance of our contract with you |
| Operate your account, dashboard, and studio messaging | Account, messages | Performance of our contract |
| Send transactional email (welcome, enquiry confirmation, project-status updates) | Name, email | Performance of our contract / our legitimate interest in keeping you informed |
| Issue and track invoices; meet accounting obligations | Billing records | Legal obligation and performance of our contract |
| Keep the service secure, fast, and available | Technical and performance data | Our legitimate interest in a secure, performant service |
We do not sell personal data. We do not use it for behavioural advertising, and we do not run third-party advertising or tracking scripts on this site.
4. Who processes data on our behalf
We rely on a small, deliberate set of providers. Each is bound to process data only on our instructions.
| Provider | Purpose | Where data is processed |
|---|---|---|
| Supabase | Database, authentication, and file storage | European Union (eu-west-1, Ireland) |
| Vercel | Website hosting and content delivery | Global edge network |
| Cloudinary | Storage and delivery of images you or we upload | Global content-delivery network |
| Resend | Delivery of transactional email | United States / European Union |
| Optional sign-in with a Google account, if you choose it | Global |
5. International transfers
Our database is hosted in the European Union. Some providers listed above may process data outside Egypt or the EU. Where that happens, we rely on the provider's contractual safeguards (such as Standard Contractual Clauses) to keep the protection of your data intact in transit and at rest.
6. How long we keep it
- Enquiries that do not become projects: up to 24 months, then deleted.
- Account and project data: for as long as your account is open, and for up to 12 months after you close it, so that a project can be restored if you return.
- Invoices and accounting records: retained for the period required by Egyptian tax and commercial law.
- Anonymous performance metrics: retained in aggregate only; they contain no personal identifiers.
- Backups: our database backups roll on a 30-day window, after which deleted data ages out.
7. Payments
We do not currently take card payments through this website, and we never store card numbers, CVVs, or bank credentials. Invoices are issued from your dashboard and settled by the method agreed with you. If we introduce online payments in the future, they will be handled by a PCI-compliant payment processor and this policy will be updated before that happens.
8. How we protect it
- All traffic is served over HTTPS with HSTS enforced.
- The application sends a strict Content-Security-Policy and related hardening headers to defend against injection and clickjacking.
- Database access is governed by row-level security: you can read and write your own records, and nobody else's.
- Passwords are hashed by our authentication provider; the studio never has access to them.
- Administrative access is restricted to authorised studio accounts.
9. Your rights
Under Egypt's Personal Data Protection Law (Law No. 151 of 2020) — and, where it applies to you, the EU/UK GDPR — you have the right to:
- Know what personal data we hold about you and obtain a copy of it.
- Have inaccurate or incomplete data corrected.
- Have your data erased where we no longer have a lawful reason to keep it.
- Restrict or object to certain processing.
- Withdraw consent at any time, where we relied on consent.
- Receive your data in a portable, machine-readable format.
- Lodge a complaint with the Egyptian Personal Data Protection Centre, or with your local supervisory authority.
10. Exercising your rights
Write to hello@dulaxa.com from the address associated with your account. We will respond within 30 days. We may ask you to verify your identity before acting, so that nobody else can make a request in your name. Exercising these rights is free.
11. Children
Dulaxa is a service for adults commissioning professional work. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, contact us and we will delete it.
12. Changes to this policy
We will update this page when our practices change, and we will move the “last updated” date at the top. If a change materially affects your rights, we will tell you directly — by email to account holders — rather than relying on you to notice.