Privacy Policy
Data controller
Red Room, operated by Chahineze Bekhit, is the data controller responsible for your personal data. For any enquiry regarding your data, contact us at fitchahineze@gmail.com.
Legal framework
This policy complies with the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) and its implementing regulations.
Data we collect
- Account information: name, email address.
- Profile information (optional): phone number, date of birth, nationality, emergency contact.
- Session data: IP address and user agent (for security and session management).
- Booking history and package purchases.
- Communication preferences (marketing opt-in).
Data we do NOT collect
- Payment card details (processed exclusively by Stripe).
- Browsing analytics or tracking cookies.
- Location data.
Purpose of processing
- To create and manage your account.
- To process bookings and send confirmations, reminders, and cancellation notices.
- To manage waitlists and notify you of available spots.
- To process payments via Stripe.
- To send marketing communications (only with your explicit consent).
- To improve our services.
Legal basis
We process your data on the following bases: (a) performance of a contract (bookings, account management), (b) your consent (marketing), and (c) legitimate interest (security, service improvement).
Cookies
We use only strictly functional cookies:
- Session cookie: authentication (encrypted, httpOnly, secure).
- NEXT_LOCALE: your language preference (FR/EN), valid for 1 year.
We do not use analytics, advertising, or third-party tracking cookies. No cookie consent banner is required.
Data sharing
We share data only with the following processors, strictly for operating our services:
- Stripe (USA): payment processing.
- Resend (USA): transactional email delivery.
- Vercel (USA): website hosting and edge delivery.
- IONOS (France/EU): database hosting.
We do not sell your data. We do not share it for advertising purposes.
International data transfers
Your data may be processed in France (database) and the United States (hosting, payments, emails). These transfers are necessary for the performance of our contract with you and are protected by the security measures of our processors (encryption in transit and at rest, SOC 2 compliance).
Data retention
Your data is retained for the duration of your active account. If you delete your account, all personal data is removed within 30 days, except where retention is required by law (financial records: 5 years under UAE Commercial Transactions Law).
Your rights under the PDPL
You have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request deletion of your data.
- Request data portability in a machine-readable format.
- Withdraw consent for marketing at any time.
- Object to processing based on legitimate interest.
- Not be subject to decisions based solely on automated processing.
To exercise any of these rights, email us at fitchahineze@gmail.com. We will respond within 14 days.
Data security
We protect your data through TLS encryption for all connections, secure httpOnly cookies, database access restricted by IP and SSL, and hashed authentication tokens.
Changes to this policy
We may update this policy periodically. Changes will be published on this page.
Last updated: May 2026.