1. Who we are
Aish (“we”, “us”, “our”) is a UK-based luxury Pakistani fashion brand operating the website www.aishofficial.shop. We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or your personal data, please contact us on WhatsApp (+44 7500 547532) or via our contact page.
2. Personal data we collect
We collect the following categories of personal data:
Information you provide directly
- Identity data: first name, last name.
- Contact data: email address, phone number, shipping address, billing address.
- Order data: items purchased, order value, sizing preferences, custom-order notes.
- Communication data: messages sent via our contact form, WhatsApp or email, including any attachments.
- Newsletter data: email address submitted through our newsletter signup form.
Information collected automatically
- Technical data: IP address, browser type and version, device type, operating system, screen resolution, time zone setting.
- Usage data: pages visited, time spent on pages, click patterns, referral source, exit pages. This data is collected through Google Analytics 4 and is aggregated and anonymised where possible.
- Local storage data: your cart contents and wishlist selections are stored in your browser's localStorage. This data stays on your device and is not transmitted to our servers unless you proceed to checkout.
Payment data
We do not collect or store your full payment card details. All payment processing is handled by Stripe, our payment processor. We receive only a transaction reference, a partial card identifier (last four digits) and confirmation of payment status from Stripe.
3. Legal bases for processing
We process your personal data on the following legal grounds under UK GDPR:
- Contract performance (Article 6(1)(b)): processing your name, contact details and order information is necessary to fulfil your order, arrange delivery and provide after-sale support.
- Legitimate interests (Article 6(1)(f)): we use anonymised analytics data to understand how our website is used and to improve the shopping experience. We also use your contact details to respond to enquiries submitted via our contact form or WhatsApp.
- Consent (Article 6(1)(a)): where you voluntarily subscribe to our newsletter, we rely on your consent to send marketing communications. You can withdraw consent at any time using the unsubscribe link in every email.
- Legal obligation (Article 6(1)(c)): we retain certain financial and transaction records as required by UK tax and accounting legislation.
4. How we use your data
- Order fulfilment: processing your order, arranging stitching and finishing, managing dispatch and delivery, and communicating order updates.
- Customer service: responding to enquiries, supporting custom orders, handling returns and exchange requests.
- Website analytics: understanding visitor behaviour, identifying popular products and collections, and improving site performance.
- Marketing: sending newsletters and promotional communications to subscribers who have opted in, including new collection announcements and seasonal campaigns.
- Fraud prevention: protecting against fraudulent transactions and ensuring payment security.
- Legal compliance: maintaining records required by law and responding to lawful requests from authorities.
5. Who we share your data with
We share your personal data only with trusted third-party service providers who process it on our behalf and under our instructions. We do not sell your personal data to anyone.
- Stripe (payment processing): receives your payment details, name and email to process transactions securely. Stripe is certified to PCI-DSS Level 1. Stripe Privacy Policy.
- Supabase (data storage): our order records, customer details and product data are stored securely on Supabase-hosted databases. Supabase Privacy Policy.
- Google Analytics 4 (website analytics): collects anonymised browsing data to help us understand how visitors use our site. IP anonymisation is enabled. Google Privacy Policy.
- Courier services (delivery): your name, shipping address and phone number are shared with our delivery partners to ship your order.
6. How long we keep your data
- Order and financial records: 6 years from the date of the transaction, in line with HMRC requirements and UK tax legislation.
- Newsletter subscriber data: until you unsubscribe or request deletion.
- Contact form enquiries: up to 24 months from the date of the last communication, unless related to an active order.
- Analytics cookies: Google Analytics cookies expire after 30 days. Anonymised analytics data is retained for up to 14 months.
- Cart and wishlist (localStorage): stored in your browser until you clear it manually. This data is not held on our servers.
7. Your rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: ask us to correct any inaccurate or incomplete personal data.
- Right to erasure: ask us to delete your personal data where there is no compelling reason for continued processing. This does not apply where we are required by law to retain records.
- Right to restrict processing: ask us to suspend processing in certain circumstances, for example while we verify accuracy.
- Right to data portability: request your personal data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: where processing is based on consent (such as newsletter marketing), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us via WhatsApp or our contact page. We aim to respond within one calendar month.
8. International data transfers
Some of our third-party service providers are based outside the United Kingdom. Where your data is transferred outside the UK, we ensure it is protected by appropriate safeguards:
- Stripe and Supabase process data in regions covered by UK adequacy decisions or operate under Standard Contractual Clauses approved by the Information Commissioner's Office.
- Google transfers analytics data under its Data Processing Terms, which include Standard Contractual Clauses.
- We ship orders worldwide. Your shipping address and contact details are shared with courier services only as necessary to complete delivery.
9. Cookies and local storage
Analytics cookies
We use Google Analytics 4, which sets cookies on your device to measure how you interact with our website. These cookies collect information in an aggregated, anonymised form and do not identify you personally. Analytics cookies expire after 30 days.
Functional local storage
We use your browser's localStorage to save your shopping cart and wishlist selections. This data remains on your device and is not sent to our servers unless you proceed to checkout. You can clear this data at any time through your browser settings.
Essential cookies
Our website may set cookies strictly necessary for the site to function, such as session management. These do not require consent under the Privacy and Electronic Communications Regulations (PECR).
Managing cookies
You can control and delete cookies through your browser settings. Disabling analytics cookies will not affect the functionality of the website. For more information, visit aboutcookies.org.
10. Children's privacy
Our website and services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will delete it without delay.
11. Information for California residents
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: you may request details of the categories and specific pieces of personal information we have collected about you, the sources of that data, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: you may request that we delete the personal information we have collected from you, subject to certain exceptions (such as data needed to complete a transaction or meet a legal obligation).
- Right to opt out of sale: we do not sell your personal information. We do not share your data for cross-context behavioural advertising.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a request, please contact us via WhatsApp or our contact page.
12. Data security
We take reasonable and appropriate measures to protect your personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction. These include:
- HTTPS encryption across the entire website.
- PCI-DSS Level 1 compliant payment processing through Stripe.
- Access controls and authentication for our internal systems and databases.
- Regular review of our data processing practices and security measures.
No method of transmission over the internet is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.
13. How to contact us
If you have questions, concerns or requests regarding this privacy policy or your personal data, you can reach us through:
We aim to respond to all enquiries within 5 working days.
14. Right to complain
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
We would appreciate the opportunity to address your concerns before you approach the ICO.
15. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the date below and, where appropriate, notify you via email or a notice on our website.
Last updated: 8 June 2026