Privacy Policy
This Privacy Policy explains how Brume collects, uses, stores, and protects your personal information when you visit brume.com (the “Site”) or buy our products. It also sets out the rights you have over your information.
Brume is operated by GC ONE TRADING FZE, a registered company. In this Policy, “Brume,” “we,” “us,” and “our” refer to this company. “You” or “your” means anyone who visits the Site or buys from us.
We take your privacy seriously. We do not sell your personal information. We share it only with the service providers we need to operate the business (such as our payment processor and shipping partners), and only to the extent needed to deliver what you’ve asked for.
1. What we collect
We collect three categories of information:
Information you give us when you buy or contact us: name, billing and shipping address, email address, phone number, payment details (handled by our payment processor, not stored on our servers), and the contents of any messages you send to us.
Information collected automatically when you visit the Site: IP address, device type, browser type and version, operating system, time zone, pages viewed, items added to your cart, referring website, and the time and date of your visit. This is collected through cookies and similar technologies, described in Section 8 below.
Information from third parties: if you reach us through a social media platform, email link, or advertising network, that platform may share basic information with us (such as which ad you clicked). We may also receive fraud-prevention signals from our payment processor.
We do not knowingly collect special categories of personal data (such as health information, religious beliefs, or political opinions). Please do not send us this kind of information through the Site or customer service channels.
2. Why we collect it and the legal basis
For customers in the EU and UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to identify a lawful basis for each purpose for which we use your data. Here is the breakdown:
| Purpose | Lawful basis |
|---|---|
| Processing your order, taking payment, arranging shipping, providing customer support | Performance of the contract between you and us |
| Sending order confirmations, shipping updates, and other transactional emails | Performance of the contract |
| Sending marketing emails about new products and offers | Your consent (which you can withdraw at any time) |
| Operating, securing, and improving the Site; analytics; fraud prevention | Our legitimate interest in running a viable, secure business |
| Complying with tax, accounting, and other legal obligations | Legal obligation |
| Defending or pursuing legal claims | Legitimate interest |
If you are outside the EU/UK, equivalent principles apply under the privacy laws that govern your country of residence.
3. Who we share it with
We share your information only with the parties needed to run the business and only to the extent required for the relevant task. The main categories are:
Payment processor: to take payment securely. We use a PCI DSS compliant processor that handles your card details directly; we never see or store your full card number.
Fulfilment and shipping partners: to pack and deliver your order. They receive your name, shipping address, contact details, and order contents.
Hosting and platform providers: Shopify hosts the Site and processes orders. Shopify’s own privacy practices are available at shopify.com/legal/privacy.
Tax and compliance providers: our fiscal representatives and accountants receive transaction-level data needed to file VAT, sales tax, and corporate tax returns where required by law.
Analytics and advertising providers: see Section 8 on cookies for the specific tools we use.
Customer service tools: the platforms we use to manage emails and support tickets.
Authorities and regulators: if required by a valid legal request, court order, or regulatory obligation, or to protect our legal rights, the safety of our customers, or the integrity of our business.
We do not sell your personal information to third parties for marketing purposes.
4. International transfers
Brume is based in the UAE. Our customers are based in many countries, primarily the UK, EU, and GCC. Inevitably, this means your personal information will be transferred and processed across borders.
Where data is transferred outside the EU or UK, we rely on one of the following safeguards:
- The country has been recognised by the European Commission or UK government as providing an adequate level of data protection
- Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) are in place with the receiving party
- The transfer is necessary for the performance of our contract with you (for example, shipping your order to a destination outside the EU/UK)
The UAE is not currently on the EU’s adequacy list. For transfers of EU/UK customer data to our UAE operations, we rely on SCCs/IDTA and, where applicable, your consent.
5. How long we keep it
We keep personal information only as long as we need it for the purposes for which it was collected, or for as long as required by law.
Order and transaction records: retained for 7 years to comply with UAE corporate tax, EU VAT, and UK VAT record-keeping obligations.
Customer accounts: retained while your account is active. If you delete your account or request erasure, we will remove your data within 30 days, subject to records we are legally required to retain.
Marketing preferences: retained until you unsubscribe, after which we keep a minimal record of your unsubscribe request to ensure we don’t email you again.
Customer service correspondence: retained for 2 years from the date of the last interaction.
Cookie data and analytics: retained according to the retention periods set in each individual tool (typically 14 months to 26 months).
6. Your rights
If you are in the EU, UK, or another jurisdiction that grants similar rights, you have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate or incomplete
- Delete your information (subject to records we are legally required to keep)
- Restrict or object to certain processing, including direct marketing
- Receive your data in a portable format
- Withdraw consent at any time for processing based on consent (such as marketing emails)
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email us at privacy@brume.com from the address you used to place orders or create your account. We will respond within 30 days. We may ask for additional verification before acting on a request.
If you are unsatisfied with our response, you may complain to your local data protection authority. In the UK that is the Information Commissioner’s Office (ico.org.uk). In the EU, you can find your national authority via edpb.europa.eu.
7. Security
We use appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. This includes encrypted connections to the Site, restricted access to customer data among our team, and reliance on PCI DSS compliant payment processors.
No method of online transmission or storage is 100% secure. If we ever become aware of a personal data breach affecting your information, we will notify you and the relevant authorities in line with applicable law.
8. Cookies and similar technologies
Cookies are small text files placed on your device when you visit the Site. We use them for three purposes:
Essential cookies: required for the Site to function, including remembering items in your cart, keeping you logged in, and processing your checkout. These are always active because the Site doesn’t work without them.
Analytics cookies: help us understand how visitors use the Site so we can improve it. We use Shopify’s built-in analytics and may use Google Analytics. These are used only with your consent where required.
Advertising cookies: allow us to show you relevant ads on Meta (Facebook, Instagram), TikTok, and other platforms, and to measure how those ads perform. These are used only with your consent.
You can manage cookies through the cookie banner shown on your first visit and through your browser settings. Disabling non-essential cookies will not break the Site, but may reduce personalisation.
You can also opt out of personalised advertising directly with the main platforms:
- Meta: facebook.com/adpreferences
- Google: adssettings.google.com
- TikTok: tiktok.com/legal/page/global/personalized-ads-help/en
9. Children
The Site is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@brume.com and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. The current version will always be available at brume.com/privacy, with the effective date at the top. Significant changes will be communicated through a notice on the Site or by email where appropriate.
11. Contact
For any privacy-related question or to exercise your rights:
Email: hello@brume.com
We aim to respond to privacy queries within 30 days.